jws: remove issuer (#1754)

This commit is contained in:
Caleb Doxsey 2021-01-11 07:57:54 -07:00 committed by GitHub
parent e3b4c6d597
commit b16236496b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
12 changed files with 18 additions and 23 deletions


@ -359,7 +359,7 @@ func TestAuthenticate_OAuthCallback(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
signer, err := jws.NewHS256Signer(nil, "mock") signer, err := jws.NewHS256Signer(nil)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -493,7 +493,7 @@ func TestAuthenticate_SessionValidatorMiddleware(t *testing.T) {
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
signer, err := jws.NewHS256Signer(nil, "mock") signer, err := jws.NewHS256Signer(nil)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
@ -614,7 +614,7 @@ func TestAuthenticate_Dashboard(t *testing.T) {
ctrl := gomock.NewController(t) ctrl := gomock.NewController(t)
defer ctrl.Finish() defer ctrl.Finish()
signer, err := jws.NewHS256Signer(nil, "mock") signer, err := jws.NewHS256Signer(nil)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }


@ -77,7 +77,7 @@ func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, err
} }
// shared state encoder setup // shared state encoder setup
state.sharedEncoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey), cfg.Options.GetAuthenticateURL().Host) state.sharedEncoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey))
if err != nil { if err != nil {
return nil, err return nil, err
} }
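Review bot: The shared encoder is now built from `SharedKey` alone, so the authenticate host that was previously passed as the issuer is no longer associated with the tokens produced here; if Marshal or Unmarshal (outside this hunk) used it to set or check the `iss` claim, that binding is gone and any service holding the same shared key can mint tokens this encoder accepts. The same applies to the authorize (`newAuthorizeStateFromConfig`) and proxy (`newProxyStateFromConfig`) call sites in this commit. If that is intended, a one-line comment such as `// tokens are bound to the shared key only; no issuer is recorded` would make it explicit. newAuthenticateStateFromConfig continues outside the hunk.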


@ -36,7 +36,7 @@ func TestAuthorize_okResponse(t *testing.T) {
JWTClaimsHeaders: []string{"email"}, JWTClaimsHeaders: []string{"email"},
} }
a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))} a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "") encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0})
a.state.Load().encoder = encoder a.state.Load().encoder = encoder
a.currentOptions.Store(opt) a.currentOptions.Store(opt)
a.store = evaluator.NewStore() a.store = evaluator.NewStore()
@ -205,7 +205,7 @@ func TestAuthorize_okResponse(t *testing.T) {
func TestAuthorize_deniedResponse(t *testing.T) { func TestAuthorize_deniedResponse(t *testing.T) {
a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))} a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "") encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0})
a.state.Load().encoder = encoder a.state.Load().encoder = encoder
a.currentOptions.Store(&config.Options{ a.currentOptions.Store(&config.Options{
Policies: []config.Policy{{ Policies: []config.Policy{{


@ -51,7 +51,7 @@ yE+vPxsiUkvQHdO2fojCkY8jg70jxM+gu59tPDNbw3Uh/2Ij310FgTHsnGQMyA==
func Test_getEvaluatorRequest(t *testing.T) { func Test_getEvaluatorRequest(t *testing.T) {
a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))} a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "") encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0})
a.state.Load().encoder = encoder a.state.Load().encoder = encoder
a.currentOptions.Store(&config.Options{ a.currentOptions.Store(&config.Options{
Policies: []config.Policy{{ Policies: []config.Policy{{
@ -271,7 +271,7 @@ func Test_handleForwardAuth(t *testing.T) {
func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) { func Test_getEvaluatorRequestWithPortInHostHeader(t *testing.T) {
a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))} a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "") encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0})
a.state.Load().encoder = encoder a.state.Load().encoder = encoder
a.currentOptions.Store(&config.Options{ a.currentOptions.Store(&config.Options{
Policies: []config.Policy{{ Policies: []config.Policy{{


@ -20,7 +20,7 @@ import (
func TestLoadSession(t *testing.T) { func TestLoadSession(t *testing.T) {
opts := config.NewDefaultOptions() opts := config.NewDefaultOptions()
encoder, err := jws.NewHS256Signer(nil, "example.com") encoder, err := jws.NewHS256Signer(nil)
if !assert.NoError(t, err) { if !assert.NoError(t, err) {
return return
} }
@ -117,7 +117,7 @@ func TestAuthorize_getJWTClaimHeaders(t *testing.T) {
}}, }},
} }
a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))} a := &Authorize{currentOptions: config.NewAtomicOptions(), state: newAtomicAuthorizeState(new(authorizeState))}
encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0}, "") encoder, _ := jws.NewHS256Signer([]byte{0, 0, 0, 0})
a.state.Load().encoder = encoder a.state.Load().encoder = encoder
a.currentOptions.Store(opt) a.currentOptions.Store(opt)
a.store = evaluator.NewStore() a.store = evaluator.NewStore()


@ -33,11 +33,7 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *evaluator.Store) (*a
return nil, fmt.Errorf("authorize: failed to update policy with options: %w", err) return nil, fmt.Errorf("authorize: failed to update policy with options: %w", err)
} }
var host string state.encoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey))
if cfg.Options.AuthenticateURL != nil {
host = cfg.Options.AuthenticateURL.Host
}
state.encoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey), host)
if err != nil { if err != nil {
return nil, err return nil, err
} }


@ -160,7 +160,7 @@ var serviceAccountCmd = &cobra.Command{
} }
serviceAccountOptions.serviceAccount.ID = sa.GetId() serviceAccountOptions.serviceAccount.ID = sa.GetId()
encoder, err := jws.NewHS256Signer([]byte(sharedKey), serviceAccountOptions.serviceAccount.Issuer) encoder, err := jws.NewHS256Signer([]byte(sharedKey))
if err != nil { if err != nil {
return fmt.Errorf("bad shared key: %w", err) return fmt.Errorf("bad shared key: %w", err)
} }
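Review bot: `serviceAccountOptions.serviceAccount.Issuer` is no longer consumed by the signer call, so if the command still accepts an issuer value it is now parsed and silently ignored; either remove the option or document that it no longer affects the signed token, e.g. `// Issuer is not used by the signer; tokens carry no issuer claim from this path`. The enclosing command body starts and ends outside the hunk.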


@ -13,19 +13,18 @@ import (
// https://tools.ietf.org/html/rfc7519 // https://tools.ietf.org/html/rfc7519
type JSONWebSigner struct { type JSONWebSigner struct {
Signer jose.Signer Signer jose.Signer
Issuer string
key interface{} key interface{}
} }
// NewHS256Signer creates a SHA256 JWT signer from a 32 byte key. // NewHS256Signer creates a SHA256 JWT signer from a 32 byte key.
func NewHS256Signer(key []byte, issuer string) (encoding.MarshalUnmarshaler, error) { func NewHS256Signer(key []byte) (encoding.MarshalUnmarshaler, error) {
sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: key}, sig, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.HS256, Key: key},
(&jose.SignerOptions{}).WithType("JWT")) (&jose.SignerOptions{}).WithType("JWT"))
if err != nil { if err != nil {
return nil, err return nil, err
} }
return &JSONWebSigner{Signer: sig, key: key, Issuer: issuer}, nil return &JSONWebSigner{Signer: sig, key: key}, nil
} }
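Review bot: The comment on NewHS256Signer still promises a 32 byte key, but nothing in the visible body checks the length, and the tests touched by this commit call it with nil and a 4 byte key, so the contract is not enforced. Either reword it to `// NewHS256Signer creates an HMAC-SHA256 (HS256) JWT signer from key; callers are expected to supply a 32 byte shared key, which is not validated here.` or add a length guard, which would require updating those tests. Dropping the Issuer field also means the signer no longer carries an issuer at all; if Marshal (outside this hunk) previously emitted `iss`, verifiers that relied on it lose that binding. The remaining JSONWebSigner methods are outside the hunk.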
// Marshal signs, and serializes a JWT. // Marshal signs, and serializes a JWT.


@ -30,7 +30,7 @@ func TestNewContext(t *testing.T) {
} }
for _, tt := range tests { for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) { t.Run(tt.name, func(t *testing.T) {
signer, err := jws.NewHS256Signer(cryptutil.NewKey(), "issuer") signer, err := jws.NewHS256Signer(cryptutil.NewKey())
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }


@ -32,7 +32,7 @@ func (ms *Store) ClearSession(http.ResponseWriter, *http.Request) {
// LoadSession returns the session and a error // LoadSession returns the session and a error
func (ms Store) LoadSession(*http.Request) (string, error) { func (ms Store) LoadSession(*http.Request) (string, error) {
var signer encoding.MarshalUnmarshaler var signer encoding.MarshalUnmarshaler
signer, _ = jws.NewHS256Signer(ms.Secret, "mock") signer, _ = jws.NewHS256Signer(ms.Secret)
jwt, _ := signer.Marshal(ms.Session) jwt, _ := signer.Marshal(ms.Session)
return string(jwt), ms.LoadError return string(jwt), ms.LoadError
} }
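Review bot: Both errors in LoadSession are discarded, so a signer or marshal failure returns an empty token while `ms.LoadError` may still be nil, which a caller would read as a successful load. This looks like a mock store, so a comment is enough: `// mock: signer and Marshal errors are deliberately ignored; LoadError alone controls the result`. If it is not purely a mock, return the Marshal error instead of dropping it.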


@ -88,7 +88,7 @@ func TestProxy_ForwardAuth(t *testing.T) {
p.OnConfigChange(&config.Config{Options: tt.options}) p.OnConfigChange(&config.Config{Options: tt.options})
state := p.state.Load() state := p.state.Load()
state.sessionStore = tt.sessionStore state.sessionStore = tt.sessionStore
signer, err := jws.NewHS256Signer(nil, "mock") signer, err := jws.NewHS256Signer(nil)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }


@ -49,7 +49,7 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
state.cookieSecret, _ = base64.StdEncoding.DecodeString(cfg.Options.CookieSecret) state.cookieSecret, _ = base64.StdEncoding.DecodeString(cfg.Options.CookieSecret)
// used to load and verify JWT tokens signed by the authenticate service // used to load and verify JWT tokens signed by the authenticate service
state.encoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey), cfg.Options.GetAuthenticateURL().Host) state.encoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey))
if err != nil { if err != nil {
return nil, err return nil, err
} }
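Review bot: The cookie secret decode on the line above the signer setup discards its error, so a malformed `CookieSecret` yields a truncated or empty secret at startup instead of a failure; consider `state.cookieSecret, err = base64.StdEncoding.DecodeString(cfg.Options.CookieSecret)` followed by `if err != nil { return nil, err }`, matching the handling already used for the signer below it. newProxyStateFromConfig continues outside the hunk.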