authenticate: jwks: use local bypass to fetch keys

2025-08-04 01:09:36 +02:00 · 2023-02-17 18:09:59 -05:00 · 2023-02-17 18:09:59 -05:00 · bc25d6fd51
commit bc25d6fd51
parent 6b3e34c39f
3 changed files with 49 additions and 40 deletions
--- a/authorize/state.go
+++ b/authorize/state.go
@ -3,14 +3,12 @@ package authorize
 import (
 	"context"
 	"fmt"
-	"net/url"

 	googlegrpc "google.golang.org/grpc"

 	"github.com/pomerium/pomerium/authorize/evaluator"
 	"github.com/pomerium/pomerium/authorize/internal/store"
 	"github.com/pomerium/pomerium/config"
-	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/pkg/grpc"
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/hpke"
@ -79,28 +77,11 @@ func newAuthorizeStateFromConfig(cfg *config.Config, store *store.Store) (*autho
 		return nil, fmt.Errorf("authorize: invalid session store: %w", err)
 	}

-	authenticateURL, err := cfg.Options.GetAuthenticateURL()
-	if err != nil {
-		return nil, fmt.Errorf("authorize: invalid authenticate service url: %w", err)
-	}
-
 	state.hpkePrivateKey = hpke.DerivePrivateKey(sharedKey)
-
-	jwksURL := authenticateURL.ResolveReference(&url.URL{
-		Path: "/.well-known/pomerium/jwks.json",
-	}).String()
-	transport := httputil.GetInsecureTransport()
-	ok, err := cfg.WillHaveCertificateForServerName(authenticateURL.Hostname())
+	state.authenticateKeyFetcher, err = cfg.GetAuthenticateKeyFetcher()
 	if err != nil {
-		return nil, fmt.Errorf("authorize: error determining if authenticate service will have a certificate name: %w", err)
+		return nil, fmt.Errorf("authorize: get authenticate JWKS key fetcher: %w", err)
 	}
-	if ok {
-		transport, err = config.GetTLSClientTransport(cfg)
-		if err != nil {
-			return nil, fmt.Errorf("authorize: get tls client config: %w", err)
-		}
-	}
-	state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)

 	return state, nil
 }
--- a/config/config.go
+++ b/config/config.go
@ -6,13 +6,18 @@ import (
 	"crypto/x509"
 	"encoding/base64"
 	"fmt"
+	"net"
+	"net/http"
+	"net/url"

 	"github.com/pomerium/pomerium/internal/fileutil"
 	"github.com/pomerium/pomerium/internal/hashutil"
+	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/telemetry/metrics"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 	"github.com/pomerium/pomerium/pkg/derivecert"
+	"github.com/pomerium/pomerium/pkg/hpke"
 )

 // MetricsScrapeEndpoint defines additional metrics endpoints that would be scraped and exposed by pomerium
@ -236,3 +241,43 @@ func (cfg *Config) GetCertificatePool() (*x509.CertPool, error) {

 	return pool, nil
 }
+
+// GetAuthenticateKeyFetcher returns a key fetcher for the authenticate service
+func (cfg *Config) GetAuthenticateKeyFetcher() (hpke.KeyFetcher, error) {
+	authenticateURL, transport, err := cfg.resolveAuthenticateURL()
+	if err != nil {
+		return nil, err
+	}
+	jwksURL := authenticateURL.ResolveReference(&url.URL{
+		Path: "/.well-known/pomerium/jwks.json",
+	}).String()
+	return hpke.NewKeyFetcher(jwksURL, transport), nil
+}
+
+func (cfg *Config) resolveAuthenticateURL() (*url.URL, *http.Transport, error) {
+	if IsAll(cfg.Options.Services) {
+		return &url.URL{
+			Scheme: "http",
+			Host:   net.JoinHostPort("127.0.0.1", cfg.HTTPPort),
+		}, httputil.GetInsecureTransport(), nil
+	}
+
+	authenticateURL, err := cfg.Options.GetAuthenticateURL()
+	if err != nil {
+		return nil, nil, fmt.Errorf("invalid authenticate service url: %w", err)
+	}
+	ok, err := cfg.WillHaveCertificateForServerName(authenticateURL.Hostname())
+	if err != nil {
+		return nil, nil, fmt.Errorf("error determining if authenticate service will have a certificate name: %w", err)
+	}
+	if !ok {
+		return authenticateURL, httputil.GetInsecureTransport(), nil
+	}
+
+	transport, err := GetTLSClientTransport(cfg)
+	if err != nil {
+		return nil, nil, fmt.Errorf("get tls client config: %w", err)
+	}
+
+	return authenticateURL, transport, nil
+}
--- a/proxy/state.go
+++ b/proxy/state.go
@ -9,7 +9,6 @@ import (
 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/encoding"
 	"github.com/pomerium/pomerium/internal/encoding/jws"
-	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/sessions/cookie"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
@ -49,11 +48,6 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {

 	state := new(proxyState)

-	authenticateURL, err := cfg.Options.GetAuthenticateURL()
-	if err != nil {
-		return nil, err
-	}
-
 	state.sharedKey, err = cfg.Options.GetSharedKey()
 	if err != nil {
 		return nil, err
@ -64,21 +58,10 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 		return nil, err
 	}

-	jwksURL := authenticateURL.ResolveReference(&url.URL{
-		Path: "/.well-known/pomerium/jwks.json",
-	}).String()
-	transport := httputil.GetInsecureTransport()
-	ok, err := cfg.WillHaveCertificateForServerName(authenticateURL.Hostname())
+	state.authenticateKeyFetcher, err = cfg.GetAuthenticateKeyFetcher()
 	if err != nil {
-		return nil, fmt.Errorf("proxy: error determining if authenticate service will have a certificate name: %w", err)
+		return nil, fmt.Errorf("authorize: get authenticate JWKS key fetcher: %w", err)
 	}
-	if ok {
-		transport, err = config.GetTLSClientTransport(cfg)
-		if err != nil {
-			return nil, fmt.Errorf("proxy: get tls client config: %w", err)
-		}
-	}
-	state.authenticateKeyFetcher = hpke.NewKeyFetcher(jwksURL, transport)

 	state.sharedCipher, err = cryptutil.NewAEADCipher(state.sharedKey)
 	if err != nil {