authorize: add authorization (#59)

* authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58
2025-06-02 19:04:14 +02:00 · 2019-03-07 12:47:07 -08:00 · 2019-03-07 12:47:07 -08:00 · c13459bb88
commit c13459bb88
parent 1187be2bf3
65 changed files with 1683 additions and 879 deletions
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -81,7 +81,6 @@ func (a *Authenticate) authenticate(w http.ResponseWriter, r *http.Request) (*se
 		return nil, err
 	}

-	// check if session refresh period is up
 	if session.RefreshPeriodExpired() {
 		newSession, err := a.provider.Refresh(r.Context(), session)
 		if err != nil {
@ -111,12 +110,6 @@ func (a *Authenticate) authenticate(w http.ResponseWriter, r *http.Request) (*se
 		}
 	}

-	// authenticate really should not be in the business of authorization
-	// todo(bdd) : remove when authorization module added
-	if !a.Validator(session.Email) {
-		log.FromRequest(r).Error().Msg("invalid email user")
-		return nil, httputil.ErrUserNotAuthorized
-	}
 	return session, nil
 }

@ -238,12 +231,7 @@ func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) {
 // OAuthStart starts the authenticate process by redirecting to the identity provider.
 // https://tools.ietf.org/html/rfc6749#section-4.2.1
 func (a *Authenticate) OAuthStart(w http.ResponseWriter, r *http.Request) {
-	authRedirectURL, err := url.Parse(r.URL.Query().Get("redirect_uri"))
-	if err != nil {
-		httputil.ErrorResponse(w, r, "Invalid redirect parameter", http.StatusBadRequest)
-		return
-	}
-	authRedirectURL = a.RedirectURL.ResolveReference(r.URL)
+	authRedirectURL := a.RedirectURL.ResolveReference(r.URL)

 	nonce := fmt.Sprintf("%x", cryptutil.GenerateKey())
 	a.csrfStore.SetCSRF(w, r, nonce)
@ -345,11 +333,6 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
 		return "", httputil.HTTPError{Code: http.StatusForbidden, Message: "Invalid Redirect URI"}
 	}

-	// Set cookie, or deny: validates the session email and group
-	if !a.Validator(session.Email) {
-		log.FromRequest(r).Error().Err(err).Str("email", session.Email).Msg("invalid email permissions denied")
-		return "", httputil.HTTPError{Code: http.StatusForbidden, Message: "You don't have access"}
-	}
 	err = a.sessionStore.SaveSession(w, r, session)
 	if err != nil {
 		log.Error().Err(err).Msg("internal error")