stub out HPKE public key fetch for self-hosted authenticate (#4360)

Fetch the HPKE public key only when configured to use the hosted
authenticate service. Determine whether we are using the hosted
authenticate service by comparing the resolved authenticate domain with
a hard-coded list of hosted authenticate domains.

Extract this list of hosted authenticate domains to the internal/urlutil
package in order to keep a single source of truth for this data.
This commit is contained in:
Kenneth Jenkins 2023-07-13 10:04:34 -07:00 committed by GitHub
parent 4674b98cfb
commit a1388592d8
6 changed files with 107 additions and 6 deletions


@ -237,10 +237,22 @@ func (cfg *Config) GetAuthenticateKeyFetcher() (hpke.KeyFetcher, error) {
if err != nil {
return nil, err
}
jwksURL := authenticateURL.ResolveReference(&url.URL{
Path: urlutil.HPKEPublicKeyPath,
}).String()
return hpke.NewKeyFetcher(jwksURL, transport), nil
// For hosted authenticate, we need to fetch the HPKE public key.
if urlutil.IsHostedAuthenticateDomain(authenticateURL.Hostname()) {
hpkeURL := authenticateURL.ResolveReference(&url.URL{
Path: urlutil.HPKEPublicKeyPath,
}).String()
return hpke.NewKeyFetcher(hpkeURL, transport), nil
}
// Otherwise we can use our own HPKE public key.
privKey, err := cfg.Options.GetHPKEPrivateKey()
if err != nil {
return nil, err
}
pubKey := privKey.PublicKey()
return hpke.NewStubKeyFetcher(pubKey), nil
}
func (cfg *Config) resolveAuthenticateURL() (*url.URL, *http.Transport, error) {
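Review bot: The choice between fetching the key and deriving it locally rests entirely on `urlutil.IsHostedAuthenticateDomain(authenticateURL.Hostname())`, and the fallback branch silently assumes that a self-hosted authenticate service shares this process's HPKE private key; a deployment that points at a custom domain fronting the hosted service, or a self-hosted authenticate configured with a different key, would end up with a mismatched public key and only fail later at decryption time rather than at startup. The comment `// Otherwise we can use our own HPKE public key.` should make that assumption explicit, e.g. `// Otherwise the authenticate service is self-hosted and is expected to share this HPKE private key, so its public key is derived locally instead of fetched.` Since `Hostname()` returns the configured spelling unchanged, it is also worth confirming that IsHostedAuthenticateDomain compares hostnames case-insensitively (its definition is not in this hunk). GetAuthenticateKeyFetcher's body begins above the hunk, where authenticateURL, transport and err are produced.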