authorize: add authorization (#59)

* authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58
2025-06-02 02:42:57 +02:00 · 2019-03-07 12:47:07 -08:00 · 2019-03-07 12:47:07 -08:00 · c13459bb88
commit c13459bb88
parent 1187be2bf3
65 changed files with 1683 additions and 879 deletions
--- a/proxy/clients/authorize_client.go
+++ b/proxy/clients/authorize_client.go
@ -0,0 +1,64 @@
+package clients // import "github.com/pomerium/pomerium/proxy/clients"
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	pb "github.com/pomerium/pomerium/proto/authorize"
+	"google.golang.org/grpc"
+
+	"github.com/pomerium/pomerium/internal/sessions"
+)
+
+// Authorizer provides the authorize service interface
+type Authorizer interface {
+	// Authorize takes a code and returns a validated session or an error
+	Authorize(context.Context, string, *sessions.SessionState) (bool, error)
+	// Close closes the auth connection if any.
+	Close() error
+}
+
+// NewAuthorizeClient returns a new authorize service client.
+func NewAuthorizeClient(name string, opts *Options) (a Authorizer, err error) {
+	// Only gRPC is supported and is always returned so name is ignored
+	return NewGRPCAuthorizeClient(opts)
+}
+
+// NewGRPCAuthorizeClient returns a new authorize service client.
+func NewGRPCAuthorizeClient(opts *Options) (p *AuthorizeGRPC, err error) {
+	conn, err := NewGRPCClientConn(opts)
+	if err != nil {
+		return nil, err
+	}
+	client := pb.NewAuthorizerClient(conn)
+	return &AuthorizeGRPC{Conn: conn, client: client}, nil
+}
+
+// AuthorizeGRPC is a gRPC implementation of an authenticator (authenticate client)
+type AuthorizeGRPC struct {
+	Conn   *grpc.ClientConn
+	client pb.AuthorizerClient
+}
+
+// Authorize makes an RPC call to the authorize service to creates a session state
+// from an encrypted code provided as a result of an oauth2 callback process.
+func (a *AuthorizeGRPC) Authorize(ctx context.Context, route string, s *sessions.SessionState) (bool, error) {
+	if s == nil {
+		return false, errors.New("session cannot be nil")
+	}
+	ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+	response, err := a.client.Authorize(ctx, &pb.AuthorizeRequest{
+		Route:  route,
+		User:   s.User,
+		Email:  s.Email,
+		Groups: s.Groups,
+	})
+	return response.GetIsValid(), err
+}
+
+// Close tears down the ClientConn and all underlying connections.
+func (a *AuthorizeGRPC) Close() error {
+	return a.Conn.Close()
+}