3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-08-01 16:01:26 +02:00
Code Issues Projects Releases Packages Wiki Activity

webauthn: require session when accessing /.pomerium/webauthn (#3814)

Browse source 
* webauthn: require session when accessing /.pomerium/webauthn

* remove dead code

* remove unusued PomeriumDomains field
This commit is contained in:
Caleb Doxsey 2022-12-16 10:59:21 -07:00 committed by GitHub
parent 44a5c1b2fb
commit c86ca6f76f
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 67 additions and 78 deletions
Download patch file Download diff file Expand all files Collapse all files

44
pkg/policy/criteria/pomerium_routes.go
View file

@ -5,17 +5,9 @@ import (
"github.com/pomerium/pomerium/pkg/policy/generator"
"github.com/pomerium/pomerium/pkg/policy/parser"
"github.com/pomerium/pomerium/pkg/policy/rules"
)
var pomeriumRoutesBody = ast.Body{
ast.MustParseExpr(`
contains(input.http.url, "/.pomerium/")
`),
ast.MustParseExpr(`
not contains(input.http.url, "/.pomerium/jwt")
`),
}
type pomeriumRoutesCriterion struct {
g *Generator
}
@ -29,11 +21,37 @@ func (pomeriumRoutesCriterion) Name() string {
}
func (c pomeriumRoutesCriterion) GenerateRule(_ string, _ parser.Value) (*ast.Rule, []*ast.Rule, error) {
rule := NewCriterionRule(c.g, c.Name(),
ReasonPomeriumRoute, ReasonNonPomeriumRoute,
pomeriumRoutesBody)
r1 := c.g.NewRule(c.Name())
r1.Head.Value = NewCriterionTerm(true, ReasonPomeriumRoute)
r1.Body = ast.Body{
ast.MustParseExpr(`session := get_session(input.session.id)`),
ast.MustParseExpr(`session.id != ""`),
ast.MustParseExpr(`contains(input.http.url, "/.pomerium/")`),
}
return rule, nil, nil
r2 := c.g.NewRule(c.Name())
r2.Head.Value = NewCriterionTerm(true, ReasonPomeriumRoute)
r2.Body = ast.Body{
ast.MustParseExpr(`contains(input.http.url, "/.pomerium/")`),
ast.MustParseExpr(`not contains(input.http.url, "/.pomerium/jwt")`),
ast.MustParseExpr(`not contains(input.http.url, "/.pomerium/webauthn")`),
}
r1.Else = r2
r3 := c.g.NewRule(c.Name())
r3.Head.Value = NewCriterionTerm(false, ReasonUserUnauthenticated)
r3.Body = ast.Body{
ast.MustParseExpr(`contains(input.http.url, "/.pomerium/")`),
}
r2.Else = r3
r4 := c.g.NewRule(c.Name())
r4.Head.Value = NewCriterionTerm(false, ReasonNonPomeriumRoute)
r3.Else = r4
return r1, []*ast.Rule{
rules.GetSession(),
}, nil
}
// PomeriumRoutes returns a Criterion on that allows access to pomerium routes.