authenticate: validate origin of signout (#1876)

* authenticate: validate origin of signout - add a debug task to kill envoy - improve various function docs - userinfo: return "error" page if user is logged out without redirect uri set - remove front channel logout. There's little difference between it, and the signout function. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-06-03 19:32:48 +02:00 · 2021-02-11 21:37:54 -08:00 · 2021-02-11 21:37:54 -08:00 · c3e3ed9b50
commit c3e3ed9b50
parent 9fd58f9b8a
11 changed files with 174 additions and 182 deletions
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -48,13 +48,20 @@ func (a *Authenticate) Mount(r *mux.Router) {
 	r.Use(func(h http.Handler) http.Handler {
 		options := a.options.Load()
 		state := a.state.Load()
+		csrfKey := fmt.Sprintf("%s_csrf", options.CookieName)
 		return csrf.Protect(
 			state.cookieSecret,
 			csrf.Secure(options.CookieSecure),
 			csrf.Path("/"),
-			csrf.UnsafePaths([]string{state.redirectURL.Path}), // enforce CSRF on "safe" handler
-			csrf.FormValueName("state"),                        // rfc6749 section-10.12
-			csrf.CookieName(fmt.Sprintf("%s_csrf", options.CookieName)),
+			csrf.UnsafePaths(
+				[]string{
+					"/oauth2/callback",    // rfc6749#section-10.12 accepts GET
+					"/.pomerium/sign_out", // https://openid.net/specs/openid-connect-frontchannel-1_0.html
+				}),
+			csrf.FormValueName("state"), // rfc6749#section-10.12
+			csrf.CookieName(csrfKey),
+			csrf.FieldName(csrfKey),
+			csrf.SameSite(csrf.SameSiteLaxMode),
 			csrf.ErrorHandler(httputil.HandlerFunc(httputil.CSRFFailureHandler)),
 		)(h)
 	})
@ -63,11 +70,6 @@ func (a *Authenticate) Mount(r *mux.Router) {
 	// Identity Provider (IdP) endpoints
 	r.Path("/oauth2/callback").Handler(httputil.HandlerFunc(a.OAuthCallback)).Methods(http.MethodGet)

-	// Proxy service endpoints
-	s := r.PathPrefix("/.pomerium/frontchannel-logout").Subrouter()
-	s.Use(a.RetrieveSession)
-	s.Path("/").Handler(httputil.HandlerFunc(a.FrontchannelLogout)).Methods(http.MethodGet)
-
 	v := r.PathPrefix("/.pomerium").Subrouter()
 	c := cors.New(cors.Options{
 		AllowOriginRequestFunc: func(r *http.Request, _ string) bool {
@ -93,26 +95,29 @@ func (a *Authenticate) Mount(r *mux.Router) {
 	wk.Path("/").Handler(httputil.HandlerFunc(a.wellKnown)).Methods(http.MethodGet)
 }

-// Well-Known Uniform Resource Identifiers (URIs)
+// wellKnown returns a list of well known URLS for Pomerium.
+//
 // https://en.wikipedia.org/wiki/List_of_/.well-known/_services_offered_by_webservers
 func (a *Authenticate) wellKnown(w http.ResponseWriter, r *http.Request) error {
 	state := a.state.Load()
-
 	wellKnownURLS := struct {
-		// URL string referencing the client's JSON Web Key (JWK) Set
-		// RFC7517 document, which contains the client's public keys.
-		JSONWebKeySetURL      string `json:"jwks_uri"`
-		OAuth2Callback        string `json:"authentication_callback_endpoint"`
-		FrontchannelLogoutURI string `json:"frontchannel_logout_uri"`
+		OAuth2Callback        string `json:"authentication_callback_endpoint"` // RFC6749
+		JSONWebKeySetURL      string `json:"jwks_uri"`                         // RFC7517
+		FrontchannelLogoutURI string `json:"frontchannel_logout_uri"`          // https://openid.net/specs/openid-connect-frontchannel-1_0.html
 	}{
-		state.redirectURL.ResolveReference(&url.URL{Path: "/.well-known/pomerium/jwks.json"}).String(),
 		state.redirectURL.ResolveReference(&url.URL{Path: "/oauth2/callback"}).String(),
-		state.redirectURL.ResolveReference(&url.URL{Path: "/.pomerium/frontchannel-logout"}).String(),
+		state.redirectURL.ResolveReference(&url.URL{Path: "/.well-known/pomerium/jwks.json"}).String(),
+		state.redirectURL.ResolveReference(&url.URL{Path: "/.pomerium/sign_out"}).String(),
 	}
+	w.Header().Set("X-CSRF-Token", csrf.Token(r))
 	httputil.RenderJSON(w, http.StatusOK, wellKnownURLS)
 	return nil
 }

+// jwks returns the signing key(s) the client can use to validate signatures
+// from the authorization server.
+//
+// https://tools.ietf.org/html/rfc8414
 func (a *Authenticate) jwks(w http.ResponseWriter, r *http.Request) error {
 	httputil.RenderJSON(w, http.StatusOK, a.state.Load().jwk)
 	return nil
@ -262,10 +267,11 @@ func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) error {
 	} else if !errors.Is(err, oidc.ErrSignoutNotImplemented) {
 		log.Warn().Err(err).Msg("authenticate.SignOut: failed getting session")
 	}
-
-	httputil.Redirect(w, r, redirectString, http.StatusFound)
-
-	return nil
+	if redirectString != "" {
+		httputil.Redirect(w, r, redirectString, http.StatusFound)
+		return nil
+	}
+	return httputil.NewError(http.StatusOK, errors.New("user logged out"))
 }

 // reauthenticateOrFail starts the authenticate process by redirecting the
@ -425,11 +431,6 @@ func (a *Authenticate) getSessionFromCtx(ctx context.Context) (*sessions.State,
 	return &s, nil
 }

-func (a *Authenticate) deleteSession(ctx context.Context, sessionID string) error {
-	state := a.state.Load()
-	return session.Delete(ctx, state.dataBrokerClient, sessionID)
-}
-
 func (a *Authenticate) userInfo(w http.ResponseWriter, r *http.Request) error {
 	ctx, span := trace.StartSpan(r.Context(), "authenticate.userInfo")
 	defer span.End()
@ -479,17 +480,8 @@ func (a *Authenticate) userInfo(w http.ResponseWriter, r *http.Request) error {
 		"DirectoryGroups": groups,          // user's groups inferred from idp directory
 		"csrfField":       csrf.TemplateField(r),
 		"RedirectURL":     r.URL.Query().Get(urlutil.QueryRedirectURI),
+		"SignOutURL":      "/.pomerium/sign_out",
 	}
-
-	if redirectURL, err := url.Parse(r.URL.Query().Get(urlutil.QueryRedirectURI)); err == nil {
-		input["RedirectURL"] = redirectURL.String()
-		signOutURL := redirectURL.ResolveReference(new(url.URL))
-		signOutURL.Path = "/.pomerium/sign_out"
-		input["SignOutURL"] = signOutURL.String()
-	} else {
-		input["SignOutURL"] = "/.pomerium/sign_out"
-	}
-
 	return a.templates.ExecuteTemplate(w, "userInfo.html", input)
 }

@ -557,27 +549,6 @@ func (a *Authenticate) saveSessionToDataBroker(
 	return nil
 }

-// FrontchannelLogout uses HTTP GETs to Relying Party URLs (Pomerium) to clear a user's login state.
-// This endpoint implements OpenID Connect Front-Channel Logout and reuses the Relying
-// Party-initiated logout functionality specified in Section 5 of OpenID Connect Session Management
-// 1.0 (RP-Initiated Logout).
-//
-// https://openid.net/specs/openid-connect-frontchannel-1_0.html
-// https://ldapwiki.com/wiki/OpenID%20Connect%20Front-Channel%20Logout
-func (a *Authenticate) FrontchannelLogout(w http.ResponseWriter, r *http.Request) error {
-	ctx, span := trace.StartSpan(r.Context(), "authenticate.FrontchannelLogout")
-	defer span.End()
-
-	_ = a.revokeSession(ctx, w, r)
-
-	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
-	w.Header().Set("Cache-Control", "no-cache, no-store")
-	w.Header().Set("Pragma", "no-cache")
-	w.WriteHeader(http.StatusOK)
-	fmt.Fprintln(w, http.StatusText(http.StatusOK))
-	return nil
-}
-
 // revokeSession always clears the local session and tries to revoke the associated session stored in the
 // databroker. If successful, it returns the original `id_token` of the session, if failed, returns
 // and empty string.
@ -598,7 +569,7 @@ func (a *Authenticate) revokeSession(ctx context.Context, w http.ResponseWriter,
 			log.Ctx(ctx).Warn().Err(err).Msg("authenticate: failed to revoke access token")
 		}
 	}
-	if err := a.deleteSession(ctx, sessionState.ID); err != nil {
+	if err := session.Delete(ctx, state.dataBrokerClient, sessionState.ID); err != nil {
 		log.Ctx(ctx).Warn().Err(err).Msg("authenticate: failed to delete session from session store")
 	}

--- a/authenticate/handlers_test.go
+++ b/authenticate/handlers_test.go
@ -13,10 +13,18 @@ import (
 	"testing"
 	"time"

+	"github.com/golang/mock/gomock"
+	"github.com/golang/protobuf/ptypes"
+	"github.com/golang/protobuf/ptypes/empty"
+	"github.com/google/go-cmp/cmp"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/crypto/chacha20poly1305"
+	"golang.org/x/oauth2"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
 	"google.golang.org/protobuf/types/known/emptypb"
+	"gopkg.in/square/go-jose.v2/jwt"

 	"github.com/pomerium/pomerium/config"
 	"github.com/pomerium/pomerium/internal/encoding"
@ -33,15 +41,6 @@ import (
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 	"github.com/pomerium/pomerium/pkg/grpc/directory"
 	"github.com/pomerium/pomerium/pkg/grpc/session"
-
-	"github.com/golang/mock/gomock"
-	"github.com/golang/protobuf/ptypes"
-	"github.com/golang/protobuf/ptypes/empty"
-	"github.com/google/go-cmp/cmp"
-	"github.com/stretchr/testify/assert"
-	"golang.org/x/crypto/chacha20poly1305"
-	"golang.org/x/oauth2"
-	"gopkg.in/square/go-jose.v2/jwt"
 )

 func testAuthenticate() *Authenticate {
@ -106,7 +105,7 @@ func TestAuthenticate_Handler(t *testing.T) {
 	expected = fmt.Sprintf("User-agent: *\nDisallow: /")
 	code := rr.Code
 	if code != http.StatusOK {
-		t.Errorf("bad preflight code")
+		t.Errorf("bad preflight code %v", code)
 	}
 	resp := rr.Result()
 	body = resp.Header.Get("vary")
@ -235,6 +234,7 @@ func TestAuthenticate_SignOut(t *testing.T) {
 		{"failed revoke", http.MethodPost, nil, "https://corp.pomerium.io/", "", "sig", "ts", identity.MockProvider{RevokeError: errors.New("OH NO")}, &mstore.Store{Encrypted: true, Session: &sessions.State{}}, http.StatusFound, ""},
 		{"load session error", http.MethodPost, errors.New("error"), "https://corp.pomerium.io/", "", "sig", "ts", identity.MockProvider{RevokeError: errors.New("OH NO")}, &mstore.Store{Encrypted: true, Session: &sessions.State{}}, http.StatusFound, ""},
 		{"bad redirect uri", http.MethodPost, nil, "corp.pomerium.io/", "", "sig", "ts", identity.MockProvider{LogOutError: oidc.ErrSignoutNotImplemented}, &mstore.Store{Encrypted: true, Session: &sessions.State{}}, http.StatusFound, ""},
+		{"no redirect uri", http.MethodPost, nil, "", "", "sig", "ts", identity.MockProvider{LogOutResponse: (*uriParseHelper("https://microsoft.com"))}, &mstore.Store{Encrypted: true, Session: &sessions.State{}}, http.StatusOK, "{\"Status\":200,\"Error\":\"OK: user logged out\"}\n"},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@ -566,7 +566,7 @@ func TestWellKnownEndpoint(t *testing.T) {
 	rr := httptest.NewRecorder()
 	h.ServeHTTP(rr, req)
 	body := rr.Body.String()
-	expected := "{\"jwks_uri\":\"https://auth.example.com/.well-known/pomerium/jwks.json\",\"authentication_callback_endpoint\":\"https://auth.example.com/oauth2/callback\",\"frontchannel_logout_uri\":\"https://auth.example.com/.pomerium/frontchannel-logout\"}\n"
+	expected := "{\"authentication_callback_endpoint\":\"https://auth.example.com/oauth2/callback\",\"jwks_uri\":\"https://auth.example.com/.well-known/pomerium/jwks.json\",\"frontchannel_logout_uri\":\"https://auth.example.com/.pomerium/sign_out\"}\n"
 	assert.Equal(t, body, expected)
 }

@ -669,84 +669,6 @@ func TestAuthenticate_userInfo(t *testing.T) {
 	}
 }

-func TestAuthenticate_FrontchannelLogout(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		name string
-
-		logoutIssuer string
-		tokenIssuer  string
-		widthSession bool
-		sessionStore sessions.SessionStore
-		provider     identity.MockProvider
-
-		wantCode int
-	}{
-		{"good", "https://idp.pomerium.io", "https://idp.pomerium.io", true, &mstore.Store{}, identity.MockProvider{AuthenticateResponse: oauth2.Token{}}, http.StatusOK},
-		{"good no session", "https://idp.pomerium.io", "https://idp.pomerium.io", false, &mstore.Store{SaveError: errors.New("error")}, identity.MockProvider{AuthenticateResponse: oauth2.Token{}}, http.StatusOK},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ctrl := gomock.NewController(t)
-			defer ctrl.Finish()
-			a := &Authenticate{
-				state: newAtomicAuthenticateState(&authenticateState{
-					sessionStore:     tt.sessionStore,
-					encryptedEncoder: mock.Encoder{},
-					sharedEncoder:    mock.Encoder{},
-					dataBrokerClient: mockDataBrokerServiceClient{
-						delete: func(ctx context.Context, in *databroker.DeleteRequest, opts ...grpc.CallOption) (*emptypb.Empty, error) {
-							return nil, nil
-						},
-						get: func(ctx context.Context, in *databroker.GetRequest, opts ...grpc.CallOption) (*databroker.GetResponse, error) {
-							if !tt.widthSession {
-								return nil, nil
-							}
-
-							data, err := ptypes.MarshalAny(&session.Session{
-								Id: "SESSION_ID",
-								IdToken: &session.IDToken{
-									Issuer: tt.tokenIssuer,
-								},
-							})
-							if err != nil {
-								return nil, err
-							}
-
-							return &databroker.GetResponse{
-								Record: &databroker.Record{
-									Version: "0001",
-									Type:    data.GetTypeUrl(),
-									Id:      "SESSION_ID",
-									Data:    data,
-								},
-							}, nil
-						},
-					},
-					directoryClient: new(mockDirectoryServiceClient),
-				}),
-				options:  config.NewAtomicOptions(),
-				provider: identity.NewAtomicAuthenticator(),
-			}
-
-			a.provider.Store(tt.provider)
-			u, _ := url.Parse("/.pomerium/frontchannel-logout")
-			params, _ := url.ParseQuery(u.RawQuery)
-			params.Add("iss", tt.logoutIssuer)
-			u.RawQuery = params.Encode()
-			r := httptest.NewRequest(http.MethodGet, u.String(), nil)
-
-			w := httptest.NewRecorder()
-			httputil.HandlerFunc(a.FrontchannelLogout).ServeHTTP(w, r)
-			if status := w.Code; status != tt.wantCode {
-				t.Errorf("handler returned wrong status code: got %v want %v", status, tt.wantCode)
-			}
-		})
-	}
-}
-
 type mockDataBrokerServiceClient struct {
 	databroker.DataBrokerServiceClient

@ -779,3 +701,87 @@ func (m mockDirectoryServiceClient) RefreshUser(ctx context.Context, in *directo
 	}
 	return nil, status.Error(codes.Unimplemented, "")
 }
+
+func TestAuthenticate_SignOut_CSRF(t *testing.T) {
+	now := time.Now()
+	signer, err := jws.NewHS256Signer(nil)
+	if err != nil {
+		t.Fatal(err)
+	}
+	pbNow, _ := ptypes.TimestampProto(now)
+	a := &Authenticate{
+		options: config.NewAtomicOptions(),
+		state: newAtomicAuthenticateState(&authenticateState{
+			// sessionStore:     tt.sessionStore,
+			cookieSecret:     cryptutil.NewKey(),
+			encryptedEncoder: signer,
+			sharedEncoder:    signer,
+			dataBrokerClient: mockDataBrokerServiceClient{
+				get: func(ctx context.Context, in *databroker.GetRequest, opts ...grpc.CallOption) (*databroker.GetResponse, error) {
+					data, err := ptypes.MarshalAny(&session.Session{
+						Id:      "SESSION_ID",
+						UserId:  "USER_ID",
+						IdToken: &session.IDToken{IssuedAt: pbNow},
+					})
+					if err != nil {
+						return nil, err
+					}
+
+					return &databroker.GetResponse{
+						Record: &databroker.Record{
+							Version: "0001",
+							Type:    data.GetTypeUrl(),
+							Id:      "SESSION_ID",
+							Data:    data,
+						},
+					}, nil
+				},
+			},
+			directoryClient: new(mockDirectoryServiceClient),
+		}),
+		templates: template.Must(frontend.NewTemplates()),
+	}
+	tests := []struct {
+		name          string
+		setCSRFCookie bool
+		method        string
+		wantStatus    int
+		wantBody      string
+	}{
+		{"GET without CSRF should fail", false, "GET", 400, "{\"Status\":400,\"Error\":\"Bad Request: CSRF token invalid\"}\n"},
+		{"POST without CSRF should fail", false, "POST", 400, "{\"Status\":400,\"Error\":\"Bad Request: CSRF token invalid\"}\n"},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			s := a.Handler()
+
+			// Obtain a CSRF cookie via a GET request.
+			orr, err := http.NewRequest("GET", "/", nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+			rr := httptest.NewRecorder()
+			s.ServeHTTP(rr, orr)
+
+			r, err := http.NewRequest(tt.method, "/.pomerium/sign_out", nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if tt.setCSRFCookie {
+				r.Header.Set("Cookie", rr.Header().Get("Set-Cookie"))
+			}
+			r.Header.Set("Accept", "application/json")
+			r.Header.Set("Referer", "/")
+			rr = httptest.NewRecorder()
+			s.ServeHTTP(rr, r)
+
+			if rr.Code != tt.wantStatus {
+				t.Errorf("status: got %v want %v", rr.Code, tt.wantStatus)
+			}
+			body := rr.Body.String()
+			if diff := cmp.Diff(body, tt.wantBody); diff != "" {
+				t.Errorf("handler returned wrong body Body: %s", diff)
+			}
+		})
+	}
+}