proxy: add userinfo and webauthn endpoints (#3755)

* proxy: add userinfo and webauthn endpoints * use TLD for RP id * use EffectiveTLDPlusOne * upgrade webauthn * fix test * Update internal/handlers/jwks.go Co-authored-by: bobby <1544881+desimone@users.noreply.github.com> Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2025-05-16 10:37:33 +02:00 · 2022-11-22 10:26:35 -07:00 · 2022-11-22 10:26:35 -07:00 · c1a522cd82
commit c1a522cd82
parent 81053ac8ef
33 changed files with 498 additions and 216 deletions
--- a/proxy/data.go
+++ b/proxy/data.go
@ -0,0 +1,151 @@
+package proxy
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/pomerium/csrf"
+	"github.com/pomerium/datasource/pkg/directory"
+	"github.com/pomerium/pomerium/internal/encoding/jws"
+	"github.com/pomerium/pomerium/internal/handlers"
+	"github.com/pomerium/pomerium/internal/handlers/webauthn"
+	"github.com/pomerium/pomerium/internal/httputil"
+	"github.com/pomerium/pomerium/internal/sessions"
+	"github.com/pomerium/pomerium/internal/urlutil"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
+	"github.com/pomerium/pomerium/pkg/grpc/session"
+	"github.com/pomerium/pomerium/pkg/grpc/user"
+	"github.com/pomerium/pomerium/pkg/webauthnutil"
+)
+
+func (p *Proxy) getSession(ctx context.Context, sessionID string) (s *session.Session, isImpersonated bool, err error) {
+	client := p.state.Load().dataBrokerClient
+
+	isImpersonated = false
+	s, err = session.Get(ctx, client, sessionID)
+	if s.GetImpersonateSessionId() != "" {
+		s, err = session.Get(ctx, client, s.GetImpersonateSessionId())
+		isImpersonated = true
+	}
+
+	return s, isImpersonated, err
+}
+
+func (p *Proxy) getSessionState(r *http.Request) (sessions.State, error) {
+	state := p.state.Load()
+
+	rawJWT, err := state.sessionStore.LoadSession(r)
+	if err != nil {
+		return sessions.State{}, err
+	}
+
+	encoder, err := jws.NewHS256Signer(state.sharedKey)
+	if err != nil {
+		return sessions.State{}, err
+	}
+
+	var sessionState sessions.State
+	if err := encoder.Unmarshal([]byte(rawJWT), &sessionState); err != nil {
+		return sessions.State{}, httputil.NewError(http.StatusBadRequest, err)
+	}
+
+	return sessionState, nil
+}
+
+func (p *Proxy) getUser(ctx context.Context, userID string) (*user.User, error) {
+	client := p.state.Load().dataBrokerClient
+	return user.Get(ctx, client, userID)
+}
+
+func (p *Proxy) getUserInfoData(r *http.Request) (handlers.UserInfoData, error) {
+	options := p.currentOptions.Load()
+	state := p.state.Load()
+
+	data := handlers.UserInfoData{
+		CSRFToken:       csrf.Token(r),
+		BrandingOptions: options.BrandingOptions,
+	}
+
+	ss, err := p.getSessionState(r)
+	if err != nil {
+		return handlers.UserInfoData{}, err
+	}
+
+	data.Session, data.IsImpersonated, err = p.getSession(r.Context(), ss.ID)
+	if err != nil {
+		data.Session = &session.Session{Id: ss.ID}
+	}
+
+	data.User, err = p.getUser(r.Context(), data.Session.GetUserId())
+	if err != nil {
+		data.User = &user.User{Id: data.Session.GetUserId()}
+	}
+
+	data.WebAuthnCreationOptions, data.WebAuthnRequestOptions, _ = p.webauthn.GetOptions(r)
+	data.WebAuthnURL = urlutil.WebAuthnURL(r, urlutil.GetAbsoluteURL(r), state.sharedKey, r.URL.Query())
+	p.fillEnterpriseUserInfoData(r.Context(), &data)
+	return data, nil
+}
+
+func (p *Proxy) fillEnterpriseUserInfoData(ctx context.Context, data *handlers.UserInfoData) {
+	client := p.state.Load().dataBrokerClient
+
+	res, _ := client.Get(ctx, &databroker.GetRequest{Type: "type.googleapis.com/pomerium.config.Config", Id: "dashboard"})
+	data.IsEnterprise = res.GetRecord() != nil
+	if !data.IsEnterprise {
+		return
+	}
+
+	data.DirectoryUser, _ = databroker.GetViaJSON[directory.User](ctx, client, directory.UserRecordType, data.Session.GetUserId())
+	if data.DirectoryUser != nil {
+		for _, groupID := range data.DirectoryUser.GroupIDs {
+			directoryGroup, _ := databroker.GetViaJSON[directory.Group](ctx, client, directory.GroupRecordType, groupID)
+			if directoryGroup != nil {
+				data.DirectoryGroups = append(data.DirectoryGroups, directoryGroup)
+			}
+		}
+	}
+}
+
+func (p *Proxy) getWebauthnState(r *http.Request) (*webauthn.State, error) {
+	options := p.currentOptions.Load()
+	state := p.state.Load()
+
+	ss, err := p.getSessionState(r)
+	if err != nil {
+		return nil, err
+	}
+
+	s, _, err := p.getSession(r.Context(), ss.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	authenticateURL, err := options.GetAuthenticateURL()
+	if err != nil {
+		return nil, err
+	}
+
+	internalAuthenticateURL, err := options.GetInternalAuthenticateURL()
+	if err != nil {
+		return nil, err
+	}
+
+	pomeriumDomains, err := options.GetAllRouteableHTTPDomains()
+	if err != nil {
+		return nil, err
+	}
+
+	return &webauthn.State{
+		AuthenticateURL:         authenticateURL,
+		InternalAuthenticateURL: internalAuthenticateURL,
+		SharedKey:               state.sharedKey,
+		Client:                  state.dataBrokerClient,
+		PomeriumDomains:         pomeriumDomains,
+		Session:                 s,
+		SessionState:            &ss,
+		SessionStore:            state.sessionStore,
+		RelyingParty:            webauthnutil.GetRelyingParty(r, state.dataBrokerClient),
+		BrandingOptions:         options.BrandingOptions,
+	}, nil
+}
--- a/proxy/handlers.go
+++ b/proxy/handlers.go
@ -10,6 +10,7 @@ import (

 	"github.com/gorilla/mux"

+	"github.com/pomerium/pomerium/internal/handlers"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/middleware"
 	"github.com/pomerium/pomerium/internal/urlutil"
@ -22,9 +23,11 @@ func (p *Proxy) registerDashboardHandlers(r *mux.Router) *mux.Router {
 	h.Use(middleware.SetHeaders(httputil.HeadersContentSecurityPolicy))

 	// special pomerium endpoints for users to view their session
-	h.Path("/").HandlerFunc(p.userInfo).Methods(http.MethodGet)
-	h.Path("/sign_out").Handler(httputil.HandlerFunc(p.SignOut)).Methods(http.MethodGet, http.MethodPost)
+	h.Path("/").Handler(httputil.HandlerFunc(p.userInfo)).Methods(http.MethodGet)
+	h.Path("/device-enrolled").Handler(httputil.HandlerFunc(p.deviceEnrolled))
 	h.Path("/jwt").Handler(httputil.HandlerFunc(p.jwtAssertion)).Methods(http.MethodGet)
+	h.Path("/sign_out").Handler(httputil.HandlerFunc(p.SignOut)).Methods(http.MethodGet, http.MethodPost)
+	h.Path("/webauthn").Handler(p.webauthn)

 	// called following authenticate auth flow to grab a new or existing session
 	// the route specific cookie is returned in a signed query params
@ -81,21 +84,22 @@ func (p *Proxy) SignOut(w http.ResponseWriter, r *http.Request) error {
 	return nil
 }

-func (p *Proxy) userInfo(w http.ResponseWriter, r *http.Request) {
-	state := p.state.Load()
-
-	redirectURL := urlutil.GetAbsoluteURL(r).String()
-	if ref := r.Header.Get(httputil.HeaderReferrer); ref != "" {
-		redirectURL = ref
+func (p *Proxy) userInfo(w http.ResponseWriter, r *http.Request) error {
+	data, err := p.getUserInfoData(r)
+	if err != nil {
+		return err
 	}
+	handlers.UserInfo(data).ServeHTTP(w, r)
+	return nil
+}

-	uri := state.authenticateDashboardURL.ResolveReference(&url.URL{
-		RawQuery: url.Values{
-			urlutil.QueryRedirectURI: {redirectURL},
-		}.Encode(),
-	})
-	uri = urlutil.NewSignedURL(state.sharedKey, uri).Sign()
-	httputil.Redirect(w, r, uri.String(), http.StatusFound)
+func (p *Proxy) deviceEnrolled(w http.ResponseWriter, r *http.Request) error {
+	data, err := p.getUserInfoData(r)
+	if err != nil {
+		return err
+	}
+	handlers.DeviceEnrolled(data).ServeHTTP(w, r)
+	return nil
 }

 // Callback handles the result of a successful call to the authenticate service
--- a/proxy/handlers_test.go
+++ b/proxy/handlers_test.go
@ -64,29 +64,6 @@ func TestProxy_Signout(t *testing.T) {
 	}
 }

-func TestProxy_userInfo(t *testing.T) {
-	opts := testOptions(t)
-	err := ValidateOptions(opts)
-	if err != nil {
-		t.Fatal(err)
-	}
-	proxy, err := New(&config.Config{Options: opts})
-	if err != nil {
-		t.Fatal(err)
-	}
-	req := httptest.NewRequest(http.MethodGet, "/.pomerium/sign_out", nil)
-	rr := httptest.NewRecorder()
-	proxy.userInfo(rr, req)
-	if status := rr.Code; status != http.StatusFound {
-		t.Errorf("handler returned wrong status code: got %v want %v", status, http.StatusFound)
-	}
-	body := rr.Body.String()
-	want := proxy.state.Load().authenticateURL.String()
-	if !strings.Contains(body, want) {
-		t.Errorf("handler returned unexpected body: got %v want %s ", body, want)
-	}
-}
-
 func TestProxy_SignOut(t *testing.T) {
 	t.Parallel()
 	tests := []struct {
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@ -13,6 +13,7 @@ import (

 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/atomicutil"
+	"github.com/pomerium/pomerium/internal/handlers/webauthn"
 	"github.com/pomerium/pomerium/internal/httputil"
 	"github.com/pomerium/pomerium/internal/log"
 	"github.com/pomerium/pomerium/internal/telemetry/metrics"
@ -54,6 +55,7 @@ type Proxy struct {
 	state          *atomicutil.Value[*proxyState]
 	currentOptions *atomicutil.Value[*config.Options]
 	currentRouter  *atomicutil.Value[*mux.Router]
+	webauthn       *webauthn.Handler
 }

 // New takes a Proxy service from options and a validation function.
@ -69,6 +71,7 @@ func New(cfg *config.Config) (*Proxy, error) {
 		currentOptions: config.NewAtomicOptions(),
 		currentRouter:  atomicutil.NewValue(httputil.NewRouter()),
 	}
+	p.webauthn = webauthn.New(p.getWebauthnState)

 	metrics.AddPolicyCountCallback("pomerium-proxy", func() int64 {
 		return int64(len(p.currentOptions.Load().GetAllPolicies()))
--- a/proxy/state.go
+++ b/proxy/state.go
@ -1,6 +1,7 @@
 package proxy

 import (
+	"context"
 	"crypto/cipher"
 	"net/url"

@ -10,8 +11,12 @@ import (
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/sessions/cookie"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
+	"github.com/pomerium/pomerium/pkg/grpc"
+	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )

+var outboundGRPCConnection = new(grpc.CachedOutboundGRPClientConn)
+
 type proxyState struct {
 	sharedKey    []byte
 	sharedCipher cipher.AEAD
@ -26,6 +31,8 @@ type proxyState struct {
 	sessionStore    sessions.SessionStore
 	jwtClaimHeaders config.JWTClaimHeaders

+	dataBrokerClient databroker.DataBrokerServiceClient
+
 	programmaticRedirectDomainWhitelist []string
 }

@ -36,6 +43,7 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 	}

 	state := new(proxyState)
+
 	state.sharedKey, err = cfg.Options.GetSharedKey()
 	if err != nil {
 		return nil, err
@ -81,6 +89,19 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	dataBrokerConn, err := outboundGRPCConnection.Get(context.Background(), &grpc.OutboundOptions{
+		OutboundPort:   cfg.OutboundPort,
+		InstallationID: cfg.Options.InstallationID,
+		ServiceName:    cfg.Options.Services,
+		SignedJWTKey:   state.sharedKey,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	state.dataBrokerClient = databroker.NewDataBrokerServiceClient(dataBrokerConn)
+
 	state.programmaticRedirectDomainWhitelist = cfg.Options.ProgrammaticRedirectDomainWhitelist

 	return state, nil