mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-02 16:30:17 +02:00
authenticate: use gRPC for service endpoints (#39)
* authenticate: set cookie secure as default. * authenticate: remove single flight provider. * authenticate/providers: Rename “ProviderData” to “IdentityProvider” * authenticate/providers: Fixed an issue where scopes were not being overwritten * proxy/authenticate : http client code removed. * proxy: standardized session variable names between services. * docs: change basic docker-config to be an “all-in-one” example with no nginx load. * docs: nginx balanced docker compose example with intra-ingress settings. * license: attribution for adaptation of goji’s middleware pattern.
This commit is contained in:
parent
9ca3ff4fa2
commit
c886b924e7
54 changed files with 2184 additions and 1463 deletions
|
@ -38,7 +38,7 @@ type XChaCha20Cipher struct {
|
|||
aead cipher.AEAD
|
||||
}
|
||||
|
||||
// NewCipher returns a new XChacha20poly1305 cipher.
|
||||
// NewCipher takes secret key and returns a new XChacha20poly1305 cipher.
|
||||
func NewCipher(secret []byte) (*XChaCha20Cipher, error) {
|
||||
aead, err := chacha20poly1305.NewX(secret)
|
||||
if err != nil {
|
||||
|
|
|
@ -8,9 +8,11 @@ import (
|
|||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/fileutil"
|
||||
"google.golang.org/grpc"
|
||||
)
|
||||
|
||||
// Options contains the configurations settings for a TLS http server.
|
||||
|
@ -55,7 +57,7 @@ func (opt *Options) applyDefaults() {
|
|||
|
||||
// ListenAndServeTLS serves the provided handlers by HTTPS
|
||||
// using the provided options.
|
||||
func ListenAndServeTLS(opt *Options, handler http.Handler) error {
|
||||
func ListenAndServeTLS(opt *Options, httpHandler http.Handler, grpcHandler *grpc.Server) error {
|
||||
if opt == nil {
|
||||
opt = defaultOptions
|
||||
} else {
|
||||
|
@ -82,16 +84,21 @@ func ListenAndServeTLS(opt *Options, handler http.Handler) error {
|
|||
|
||||
ln = tls.NewListener(ln, config)
|
||||
|
||||
var h http.Handler
|
||||
if grpcHandler == nil {
|
||||
h = httpHandler
|
||||
} else {
|
||||
h = grpcHandlerFunc(grpcHandler, httpHandler)
|
||||
}
|
||||
// Set up the main server.
|
||||
server := &http.Server{
|
||||
ReadHeaderTimeout: 5 * time.Second,
|
||||
ReadTimeout: 15 * time.Second,
|
||||
// WriteTimeout is set to 0 because it also pertains to
|
||||
// streaming replies, e.g., the DirServer.Watch interface.
|
||||
ReadTimeout: 10 * time.Second,
|
||||
// WriteTimeout is set to 0 for streaming replies
|
||||
WriteTimeout: 0,
|
||||
IdleTimeout: 60 * time.Second,
|
||||
TLSConfig: config,
|
||||
Handler: handler,
|
||||
Handler: h,
|
||||
}
|
||||
|
||||
return server.Serve(ln)
|
||||
|
@ -130,10 +137,15 @@ func readCertificateFile(certFile, certKeyFile string) (*tls.Certificate, error)
|
|||
}
|
||||
|
||||
// newDefaultTLSConfig creates a new TLS config based on the certificate files given.
|
||||
// see also:
|
||||
// See :
|
||||
// https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
|
||||
// https://blog.cloudflare.com/exposing-go-on-the-internet/
|
||||
// https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
|
||||
// https://github.com/golang/go/blob/df91b8044dbe790c69c16058330f545be069cc1f/src/crypto/tls/common.go#L919
|
||||
func newDefaultTLSConfig(cert *tls.Certificate) (*tls.Config, error) {
|
||||
tlsConfig := &tls.Config{
|
||||
MinVersion: tls.VersionTLS12,
|
||||
// Prioritize cipher suites sped up by AES-NI (AES-GCM)
|
||||
CipherSuites: []uint16{
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
|
@ -142,10 +154,29 @@ func newDefaultTLSConfig(cert *tls.Certificate) (*tls.Config, error) {
|
|||
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
|
||||
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
|
||||
},
|
||||
MinVersion: tls.VersionTLS12,
|
||||
PreferServerCipherSuites: true,
|
||||
Certificates: []tls.Certificate{*cert},
|
||||
// Use curves which have assembly implementations
|
||||
CurvePreferences: []tls.CurveID{
|
||||
tls.CurveP256,
|
||||
tls.X25519,
|
||||
},
|
||||
Certificates: []tls.Certificate{*cert},
|
||||
// HTTP/2 must be enabled manually when using http.Serve
|
||||
NextProtos: []string{"h2"},
|
||||
}
|
||||
tlsConfig.BuildNameToCertificate()
|
||||
return tlsConfig, nil
|
||||
}
|
||||
|
||||
// grpcHandlerFunc splits request serving between gRPC and HTTPS depending on the request type.
|
||||
// Requires HTTP/2.
|
||||
func grpcHandlerFunc(rpcServer *grpc.Server, other http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
ct := r.Header.Get("Content-Type")
|
||||
if r.ProtoMajor == 2 && strings.Contains(ct, "application/grpc") {
|
||||
rpcServer.ServeHTTP(w, r)
|
||||
} else {
|
||||
other.ServeHTTP(w, r)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
|
|
@ -11,6 +11,8 @@ import (
|
|||
"net/http"
|
||||
"net/url"
|
||||
"time"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/log"
|
||||
)
|
||||
|
||||
// ErrTokenRevoked signifies a token revokation or expiration error
|
||||
|
@ -59,6 +61,7 @@ func Client(method, endpoint, userAgent string, params url.Values, response inte
|
|||
if err != nil {
|
||||
return err
|
||||
}
|
||||
log.Info().Msgf("%s", respBody)
|
||||
|
||||
if resp.StatusCode != http.StatusOK {
|
||||
switch resp.StatusCode {
|
||||
|
|
|
@ -10,11 +10,12 @@ import (
|
|||
)
|
||||
|
||||
// Logger is the global logger.
|
||||
var Logger = zerolog.New(os.Stderr).With().Timestamp().Logger()
|
||||
var Logger = zerolog.New(os.Stdout).With().Timestamp().Logger()
|
||||
|
||||
// SetDebugMode tells the logger to use standard out and pretty print output.
|
||||
func SetDebugMode() {
|
||||
Logger = Logger.Output(zerolog.ConsoleWriter{Out: os.Stdout})
|
||||
// zerolog.SetGlobalLevel(zerolog.InfoLevel)
|
||||
}
|
||||
|
||||
// With creates a child logger with the field added to its context.
|
||||
|
|
48
internal/middleware/grpc.go
Normal file
48
internal/middleware/grpc.go
Normal file
|
@ -0,0 +1,48 @@
|
|||
package middleware // import "github.com/pomerium/pomerium/internal/middleware"
|
||||
|
||||
import (
|
||||
"context"
|
||||
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/codes"
|
||||
"google.golang.org/grpc/metadata"
|
||||
"google.golang.org/grpc/status"
|
||||
)
|
||||
|
||||
// SharedSecretCred is a simple token-based method of mutual authentication.
|
||||
type SharedSecretCred struct{ sharedSecret string }
|
||||
|
||||
// NewSharedSecretCred returns a new instance of shared secret credential middleware for gRPC clients
|
||||
func NewSharedSecretCred(secret string) *SharedSecretCred {
|
||||
return &SharedSecretCred{sharedSecret: secret}
|
||||
}
|
||||
|
||||
// GetRequestMetadata sets the value for "authorization" key
|
||||
func (s SharedSecretCred) GetRequestMetadata(context.Context, ...string) (map[string]string, error) {
|
||||
return map[string]string{"authorization": s.sharedSecret}, nil
|
||||
}
|
||||
|
||||
// RequireTransportSecurity should be true as we want to have it encrypted over the wire.
|
||||
func (s SharedSecretCred) RequireTransportSecurity() bool { return false }
|
||||
|
||||
// ValidateRequest ensures a valid token exists within a request's metadata. If
|
||||
// the token is missing or invalid, the interceptor blocks execution of the
|
||||
// handler and returns an error. Otherwise, the interceptor invokes the unary
|
||||
// handler.
|
||||
func (s SharedSecretCred) ValidateRequest(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
|
||||
md, ok := metadata.FromIncomingContext(ctx)
|
||||
if !ok {
|
||||
return nil, status.Errorf(codes.InvalidArgument, "missing metadata")
|
||||
}
|
||||
// The keys within metadata.MD are normalized to lowercase.
|
||||
// See: https://godoc.org/google.golang.org/grpc/metadata#New
|
||||
elem, ok := md["authorization"]
|
||||
if !ok {
|
||||
return nil, status.Errorf(codes.InvalidArgument, "no auth details supplied")
|
||||
}
|
||||
if elem[0] != s.sharedSecret {
|
||||
return nil, status.Errorf(codes.Unauthenticated, "invalid shared secrets")
|
||||
}
|
||||
// Continue execution of handler after ensuring a valid token.
|
||||
return handler(ctx, req)
|
||||
}
|
|
@ -119,7 +119,7 @@ func ValidateHost(mux map[string]http.Handler) func(next http.Handler) http.Hand
|
|||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
if _, ok := mux[r.Host]; !ok {
|
||||
httputil.ErrorResponse(w, r, "Unknown host to route", http.StatusNotFound)
|
||||
httputil.ErrorResponse(w, r, "Unknown route", http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
next.ServeHTTP(w, r)
|
||||
|
|
|
@ -16,15 +16,16 @@ var (
|
|||
type SessionState struct {
|
||||
AccessToken string `json:"access_token"`
|
||||
RefreshToken string `json:"refresh_token"`
|
||||
IDToken string `json:"id_token"` // https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
|
||||
IDToken string `json:"id_token"`
|
||||
|
||||
RefreshDeadline time.Time `json:"refresh_deadline"`
|
||||
LifetimeDeadline time.Time `json:"lifetime_deadline"`
|
||||
ValidDeadline time.Time `json:"valid_deadline"`
|
||||
GracePeriodStart time.Time `json:"grace_period_start"`
|
||||
|
||||
Email string `json:"email"`
|
||||
User string `json:"user"`
|
||||
Email string `json:"email"`
|
||||
User string `json:"user"` // 'sub' in jwt parlance
|
||||
Groups []string `json:"groups"`
|
||||
}
|
||||
|
||||
// LifetimePeriodExpired returns true if the lifetime has expired
|
||||
|
|
|
@ -2,11 +2,12 @@ package templates // import "github.com/pomerium/pomerium/internal/templates"
|
|||
|
||||
import (
|
||||
"testing"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/testutil"
|
||||
)
|
||||
|
||||
func TestTemplatesCompile(t *testing.T) {
|
||||
templates := New()
|
||||
testutil.NotEqual(t, templates, nil)
|
||||
if templates == nil {
|
||||
t.Errorf("unexpected nil value %#v", templates)
|
||||
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue