authorize: add authorization (#59)

* authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58
2025-05-09 23:27:43 +02:00 · 2019-03-07 12:47:07 -08:00 · 2019-03-07 12:47:07 -08:00 · c13459bb88
commit c13459bb88
parent 1187be2bf3
65 changed files with 1683 additions and 879 deletions
--- a/authenticate/authenticate.go
+++ b/authenticate/authenticate.go
@ -31,11 +31,7 @@ type Options struct {
 	SharedKey string `envconfig:"SHARED_SECRET"`

 	// RedirectURL specifies the callback url following third party authentication
-	RedirectURL *url.URL `envconfig:"REDIRECT_URL"`
-
-	// Coarse authorization based on user email domain
-	// todo(bdd) : to be replaced with authorization module
-	AllowedDomains   []string `envconfig:"ALLOWED_DOMAINS"`
+	RedirectURL      *url.URL `envconfig:"REDIRECT_URL"`
 	ProxyRootDomains []string `envconfig:"PROXY_ROOT_DOMAIN"`

 	// Session/Cookie management
@ -84,9 +80,6 @@ func (o *Options) Validate() error {
 	if o.ClientSecret == "" {
 		return errors.New("missing setting: client secret")
 	}
-	if len(o.AllowedDomains) == 0 {
-		return errors.New("missing setting email domain")
-	}
 	if len(o.ProxyRootDomains) == 0 {
 		return errors.New("missing setting: proxy root domain")
 	}
@ -105,14 +98,10 @@ func (o *Options) Validate() error {

 // Authenticate validates a user's identity
 type Authenticate struct {
-	SharedKey string
-
+	SharedKey        string
 	RedirectURL      *url.URL
-	AllowedDomains   []string
 	ProxyRootDomains []string

-	Validator func(string) bool
-
 	templates    *template.Template
 	csrfStore    sessions.CSRFStore
 	sessionStore sessions.SessionStore
@ -122,9 +111,9 @@ type Authenticate struct {
 }

 // New validates and creates a new authenticate service from a set of Options
-func New(opts *Options, optionFuncs ...func(*Authenticate) error) (*Authenticate, error) {
+func New(opts *Options) (*Authenticate, error) {
 	if opts == nil {
-		return nil, errors.New("options cannot be nil")
+		return nil, errors.New("authenticate: options cannot be nil")
 	}
 	if err := opts.Validate(); err != nil {
 		return nil, err
@ -166,7 +155,6 @@ func New(opts *Options, optionFuncs ...func(*Authenticate) error) (*Authenticate
 	p := &Authenticate{
 		SharedKey:        opts.SharedKey,
 		RedirectURL:      opts.RedirectURL,
-		AllowedDomains:   opts.AllowedDomains,
 		ProxyRootDomains: dotPrependDomains(opts.ProxyRootDomains),

 		templates:    templates.New(),
@ -176,14 +164,6 @@ func New(opts *Options, optionFuncs ...func(*Authenticate) error) (*Authenticate
 		provider:     provider,
 	}

-	// validation via dependency injected function
-	for _, optFunc := range optionFuncs {
-		err := optFunc(p)
-		if err != nil {
-			return nil, err
-		}
-	}
-
 	return p, nil
 }