mirror of
https://github.com/pomerium/pomerium.git
synced 2025-06-04 20:03:18 +02:00
authorize: add authorization (#59)
* authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58
This commit is contained in:
Bobby DeSimone
GitHub
parent
1187be2bf3
commit
c13459bb88
65 changed files with 1683 additions and 879 deletions
107
authorize/authorize.go
Normal file
107
authorize/authorize.go
Normal file
|
|
@ -0,0 +1,107 @@
|
|||
package authorize // import "github.com/pomerium/pomerium/authorize"
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"errors"
|
||||
"fmt"
|
||||
|
||||
"github.com/pomerium/envconfig"
|
||||
"github.com/pomerium/pomerium/internal/policy"
|
||||
)
|
||||
|
||||
// Options contains configuration settings for the authorize service.
|
||||
type Options struct {
|
||||
// SharedKey is used to validate requests between services
|
||||
SharedKey string `envconfig:"SHARED_SECRET" required:"true"`
|
||||
|
||||
// Policy is a base64 encoded yaml blob which enumerates
|
||||
// per-route access control policies.
|
||||
Policy string `envconfig:"POLICY"`
|
||||
PolicyFile string `envconfig:"POLICY_FILE"`
|
||||
}
|
||||
|
||||
// OptionsFromEnvConfig creates an authorize service options from environmental
|
||||
// variables.
|
||||
func OptionsFromEnvConfig() (*Options, error) {
|
||||
o := new(Options)
|
||||
if err := envconfig.Process("", o); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return o, nil
|
||||
}
|
||||
|
||||
// Validate checks to see if configuration values are valid for the
|
||||
// authorize service. Returns first error, if found.
|
||||
func (o *Options) Validate() error {
|
||||
decoded, err := base64.StdEncoding.DecodeString(o.SharedKey)
|
||||
if err != nil {
|
||||
return fmt.Errorf("authorize: `SHARED_SECRET` setting is invalid base64: %v", err)
|
||||
}
|
||||
if len(decoded) != 32 {
|
||||
return fmt.Errorf("authorize: `SHARED_SECRET` want 32 but got %d bytes", len(decoded))
|
||||
}
|
||||
if o.Policy == "" && o.PolicyFile == "" {
|
||||
return errors.New("authorize: either `POLICY` or `POLICY_FILE` must be non-nil")
|
||||
}
|
||||
if o.Policy != "" {
|
||||
confBytes, err := base64.StdEncoding.DecodeString(o.Policy)
|
||||
if err != nil {
|
||||
return fmt.Errorf("authorize: `POLICY` is invalid base64 %v", err)
|
||||
}
|
||||
_, err = policy.FromConfig(confBytes)
|
||||
if err != nil {
|
||||
return fmt.Errorf("authorize: `POLICY` %v", err)
|
||||
}
|
||||
}
|
||||
if o.PolicyFile != "" {
|
||||
_, err = policy.FromConfigFile(o.PolicyFile)
|
||||
if err != nil {
|
||||
return fmt.Errorf("authorize: `POLICY_FILE` %v", err)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Authorize struct holds
|
||||
type Authorize struct {
|
||||
SharedKey string
|
||||
|
||||
identityAccess IdentityValidator
|
||||
// contextValidator
|
||||
// deviceValidator
|
||||
}
|
||||
|
||||
// New validates and creates a new Authorize service from a set of Options
|
||||
func New(opts *Options) (*Authorize, error) {
|
||||
if opts == nil {
|
||||
return nil, errors.New("authorize: options cannot be nil")
|
||||
}
|
||||
if err := opts.Validate(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// errors handled by validate
|
||||
sharedKey, _ := base64.StdEncoding.DecodeString(opts.SharedKey)
|
||||
var policies []policy.Policy
|
||||
if opts.Policy != "" {
|
||||
confBytes, _ := base64.StdEncoding.DecodeString(opts.Policy)
|
||||
policies, _ = policy.FromConfig(confBytes)
|
||||
} else {
|
||||
policies, _ = policy.FromConfigFile(opts.PolicyFile)
|
||||
}
|
||||
|
||||
return &Authorize{
|
||||
SharedKey: string(sharedKey),
|
||||
identityAccess: NewIdentityWhitelist(policies),
|
||||
}, nil
|
||||
}
|
||||
|
||||
// ValidIdentity returns if an identity is authorized to access a route resource.
|
||||
func (a *Authorize) ValidIdentity(route string, identity *Identity) bool {
|
||||
return a.identityAccess.Valid(route, identity)
|
||||
}
|
||||
|
||||
// NewIdentityWhitelist returns an indentity validator.
|
||||
// todo(bdd) : a radix-tree implementation is probably more efficient
|
||||
func NewIdentityWhitelist(policies []policy.Policy) IdentityValidator {
|
||||
return newIdentityWhitelistMap(policies)
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue