authenticate: use gRPC for service endpoints (#39)

* authenticate: set cookie secure as default.
* authenticate: remove single flight provider.
* authenticate/providers: Rename “ProviderData” to “IdentityProvider”
* authenticate/providers: Fixed an issue where scopes were not being overwritten
* proxy/authenticate : http client code removed.
* proxy: standardized session variable names between services.
* docs: change basic docker-config to be an “all-in-one” example with no nginx load.
* docs:  nginx balanced docker compose example with intra-ingress settings.
* license:  attribution for adaptation of goji’s middleware pattern.
This commit is contained in:
Bobby DeSimone 2019-02-08 10:10:38 -08:00 committed by GitHub
parent 9ca3ff4fa2
commit c886b924e7
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
54 changed files with 2184 additions and 1463 deletions

View file

@ -38,7 +38,7 @@ type XChaCha20Cipher struct {
aead cipher.AEAD
}
// NewCipher returns a new XChacha20poly1305 cipher.
// NewCipher takes secret key and returns a new XChacha20poly1305 cipher.
func NewCipher(secret []byte) (*XChaCha20Cipher, error) {
aead, err := chacha20poly1305.NewX(secret)
if err != nil {

View file

@ -8,9 +8,11 @@ import (
"net/http"
"os"
"path/filepath"
"strings"
"time"
"github.com/pomerium/pomerium/internal/fileutil"
"google.golang.org/grpc"
)
// Options contains the configurations settings for a TLS http server.
@ -55,7 +57,7 @@ func (opt *Options) applyDefaults() {
// ListenAndServeTLS serves the provided handlers by HTTPS
// using the provided options.
func ListenAndServeTLS(opt *Options, handler http.Handler) error {
func ListenAndServeTLS(opt *Options, httpHandler http.Handler, grpcHandler *grpc.Server) error {
if opt == nil {
opt = defaultOptions
} else {
@ -82,16 +84,21 @@ func ListenAndServeTLS(opt *Options, handler http.Handler) error {
ln = tls.NewListener(ln, config)
var h http.Handler
if grpcHandler == nil {
h = httpHandler
} else {
h = grpcHandlerFunc(grpcHandler, httpHandler)
}
// Set up the main server.
server := &http.Server{
ReadHeaderTimeout: 5 * time.Second,
ReadTimeout: 15 * time.Second,
// WriteTimeout is set to 0 because it also pertains to
// streaming replies, e.g., the DirServer.Watch interface.
ReadTimeout: 10 * time.Second,
// WriteTimeout is set to 0 for streaming replies
WriteTimeout: 0,
IdleTimeout: 60 * time.Second,
TLSConfig: config,
Handler: handler,
Handler: h,
}
return server.Serve(ln)
@ -130,10 +137,15 @@ func readCertificateFile(certFile, certKeyFile string) (*tls.Certificate, error)
}
// newDefaultTLSConfig creates a new TLS config based on the certificate files given.
// see also:
// See :
// https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
// https://blog.cloudflare.com/exposing-go-on-the-internet/
// https://github.com/ssllabs/research/wiki/SSL-and-TLS-Deployment-Best-Practices
// https://github.com/golang/go/blob/df91b8044dbe790c69c16058330f545be069cc1f/src/crypto/tls/common.go#L919
func newDefaultTLSConfig(cert *tls.Certificate) (*tls.Config, error) {
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
// Prioritize cipher suites sped up by AES-NI (AES-GCM)
CipherSuites: []uint16{
tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
@ -142,10 +154,29 @@ func newDefaultTLSConfig(cert *tls.Certificate) (*tls.Config, error) {
tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
},
MinVersion: tls.VersionTLS12,
PreferServerCipherSuites: true,
Certificates: []tls.Certificate{*cert},
// Use curves which have assembly implementations
CurvePreferences: []tls.CurveID{
tls.CurveP256,
tls.X25519,
},
Certificates: []tls.Certificate{*cert},
// HTTP/2 must be enabled manually when using http.Serve
NextProtos: []string{"h2"},
}
tlsConfig.BuildNameToCertificate()
return tlsConfig, nil
}
// grpcHandlerFunc splits request serving between gRPC and HTTPS depending on the request type.
// Requires HTTP/2.
func grpcHandlerFunc(rpcServer *grpc.Server, other http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ct := r.Header.Get("Content-Type")
if r.ProtoMajor == 2 && strings.Contains(ct, "application/grpc") {
rpcServer.ServeHTTP(w, r)
} else {
other.ServeHTTP(w, r)
}
})
}

View file

@ -11,6 +11,8 @@ import (
"net/http"
"net/url"
"time"
"github.com/pomerium/pomerium/internal/log"
)
// ErrTokenRevoked signifies a token revokation or expiration error
@ -59,6 +61,7 @@ func Client(method, endpoint, userAgent string, params url.Values, response inte
if err != nil {
return err
}
log.Info().Msgf("%s", respBody)
if resp.StatusCode != http.StatusOK {
switch resp.StatusCode {

View file

@ -10,11 +10,12 @@ import (
)
// Logger is the global logger.
var Logger = zerolog.New(os.Stderr).With().Timestamp().Logger()
var Logger = zerolog.New(os.Stdout).With().Timestamp().Logger()
// SetDebugMode tells the logger to use standard out and pretty print output.
func SetDebugMode() {
Logger = Logger.Output(zerolog.ConsoleWriter{Out: os.Stdout})
// zerolog.SetGlobalLevel(zerolog.InfoLevel)
}
// With creates a child logger with the field added to its context.

View file

@ -0,0 +1,48 @@
package middleware // import "github.com/pomerium/pomerium/internal/middleware"
import (
"context"
"google.golang.org/grpc"
"google.golang.org/grpc/codes"
"google.golang.org/grpc/metadata"
"google.golang.org/grpc/status"
)
// SharedSecretCred is a simple token-based method of mutual authentication.
type SharedSecretCred struct{ sharedSecret string }
// NewSharedSecretCred returns a new instance of shared secret credential middleware for gRPC clients
func NewSharedSecretCred(secret string) *SharedSecretCred {
return &SharedSecretCred{sharedSecret: secret}
}
// GetRequestMetadata sets the value for "authorization" key
func (s SharedSecretCred) GetRequestMetadata(context.Context, ...string) (map[string]string, error) {
return map[string]string{"authorization": s.sharedSecret}, nil
}
// RequireTransportSecurity should be true as we want to have it encrypted over the wire.
func (s SharedSecretCred) RequireTransportSecurity() bool { return false }
// ValidateRequest ensures a valid token exists within a request's metadata. If
// the token is missing or invalid, the interceptor blocks execution of the
// handler and returns an error. Otherwise, the interceptor invokes the unary
// handler.
func (s SharedSecretCred) ValidateRequest(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
md, ok := metadata.FromIncomingContext(ctx)
if !ok {
return nil, status.Errorf(codes.InvalidArgument, "missing metadata")
}
// The keys within metadata.MD are normalized to lowercase.
// See: https://godoc.org/google.golang.org/grpc/metadata#New
elem, ok := md["authorization"]
if !ok {
return nil, status.Errorf(codes.InvalidArgument, "no auth details supplied")
}
if elem[0] != s.sharedSecret {
return nil, status.Errorf(codes.Unauthenticated, "invalid shared secrets")
}
// Continue execution of handler after ensuring a valid token.
return handler(ctx, req)
}

View file

@ -119,7 +119,7 @@ func ValidateHost(mux map[string]http.Handler) func(next http.Handler) http.Hand
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if _, ok := mux[r.Host]; !ok {
httputil.ErrorResponse(w, r, "Unknown host to route", http.StatusNotFound)
httputil.ErrorResponse(w, r, "Unknown route", http.StatusNotFound)
return
}
next.ServeHTTP(w, r)

View file

@ -16,15 +16,16 @@ var (
type SessionState struct {
AccessToken string `json:"access_token"`
RefreshToken string `json:"refresh_token"`
IDToken string `json:"id_token"` // https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
IDToken string `json:"id_token"`
RefreshDeadline time.Time `json:"refresh_deadline"`
LifetimeDeadline time.Time `json:"lifetime_deadline"`
ValidDeadline time.Time `json:"valid_deadline"`
GracePeriodStart time.Time `json:"grace_period_start"`
Email string `json:"email"`
User string `json:"user"`
Email string `json:"email"`
User string `json:"user"` // 'sub' in jwt parlance
Groups []string `json:"groups"`
}
// LifetimePeriodExpired returns true if the lifetime has expired

View file

@ -2,11 +2,12 @@ package templates // import "github.com/pomerium/pomerium/internal/templates"
import (
"testing"
"github.com/pomerium/pomerium/internal/testutil"
)
func TestTemplatesCompile(t *testing.T) {
templates := New()
testutil.NotEqual(t, templates, nil)
if templates == nil {
t.Errorf("unexpected nil value %#v", templates)
}
}