authenticate: move properties to atomically updated state (#1277)

* authenticate: remove cookie options * authenticate: remove shared key field * authenticate: remove shared cipher property * authenticate: move properties to separate state struct
2025-08-03 08:50:42 +02:00 · 2020-08-14 07:53:11 -06:00 · 2020-08-14 07:53:11 -06:00 · d608526998
commit d608526998
parent 598102f587
5 changed files with 256 additions and 210 deletions
--- a/authenticate/handlers.go
+++ b/authenticate/handlers.go
@ -44,15 +44,19 @@ func (a *Authenticate) Handler() http.Handler {
 func (a *Authenticate) Mount(r *mux.Router) {
 	r.StrictSlash(true)
 	r.Use(middleware.SetHeaders(httputil.HeadersContentSecurityPolicy))
-	r.Use(csrf.Protect(
-		a.cookieSecret,
-		csrf.Secure(a.cookieOptions.Secure),
-		csrf.Path("/"),
-		csrf.UnsafePaths([]string{a.RedirectURL.Path}), // enforce CSRF on "safe" handler
-		csrf.FormValueName("state"),                    // rfc6749 section-10.12
-		csrf.CookieName(fmt.Sprintf("%s_csrf", a.cookieOptions.Name)),
-		csrf.ErrorHandler(httputil.HandlerFunc(httputil.CSRFFailureHandler)),
-	))
+	r.Use(func(h http.Handler) http.Handler {
+		options := a.options.Load()
+		state := a.state.Load()
+		return csrf.Protect(
+			state.cookieSecret,
+			csrf.Secure(options.CookieSecure),
+			csrf.Path("/"),
+			csrf.UnsafePaths([]string{state.redirectURL.Path}), // enforce CSRF on "safe" handler
+			csrf.FormValueName("state"),                        // rfc6749 section-10.12
+			csrf.CookieName(fmt.Sprintf("%s_csrf", options.CookieName)),
+			csrf.ErrorHandler(httputil.HandlerFunc(httputil.CSRFFailureHandler)),
+		)(h)
+	})

 	r.Path("/robots.txt").HandlerFunc(a.RobotsTxt).Methods(http.MethodGet)
 	// Identity Provider (IdP) endpoints
@ -62,7 +66,8 @@ func (a *Authenticate) Mount(r *mux.Router) {
 	v := r.PathPrefix("/.pomerium").Subrouter()
 	c := cors.New(cors.Options{
 		AllowOriginRequestFunc: func(r *http.Request, _ string) bool {
-			err := middleware.ValidateRequestURL(r, a.sharedKey)
+			options := a.options.Load()
+			err := middleware.ValidateRequestURL(r, options.SharedKey)
 			if err != nil {
 				log.FromRequest(r).Info().Err(err).Msg("authenticate: origin blocked")
 			}
@ -72,7 +77,9 @@ func (a *Authenticate) Mount(r *mux.Router) {
 		AllowedHeaders:   []string{"*"},
 	})
 	v.Use(c.Handler)
-	v.Use(sessions.RetrieveSession(a.sessionLoaders...))
+	v.Use(func(h http.Handler) http.Handler {
+		return sessions.RetrieveSession(a.state.Load().sessionLoaders...)(h)
+	})
 	v.Use(a.VerifySession)
 	v.Path("/").Handler(httputil.HandlerFunc(a.Dashboard))
 	v.Path("/sign_in").Handler(httputil.HandlerFunc(a.SignIn))
@ -85,12 +92,16 @@ func (a *Authenticate) Mount(r *mux.Router) {

 	// programmatic access api endpoint
 	api := r.PathPrefix("/api").Subrouter()
-	api.Use(sessions.RetrieveSession(a.sessionLoaders...))
+	api.Use(func(h http.Handler) http.Handler {
+		return sessions.RetrieveSession(a.state.Load().sessionLoaders...)(h)
+	})
 }

 // Well-Known Uniform Resource Identifiers (URIs)
 // https://en.wikipedia.org/wiki/List_of_/.well-known/_services_offered_by_webservers
 func (a *Authenticate) wellKnown(w http.ResponseWriter, r *http.Request) error {
+	state := a.state.Load()
+
 	wellKnownURLS := struct {
 		// URL string referencing the client's JSON Web Key (JWK) Set
 		// RFC7517 document, which contains the client's public keys.
@ -98,9 +109,9 @@ func (a *Authenticate) wellKnown(w http.ResponseWriter, r *http.Request) error {
 		OAuth2Callback         string `json:"authentication_callback_endpoint"`
 		ProgrammaticRefreshAPI string `json:"api_refresh_endpoint"`
 	}{
-		a.RedirectURL.ResolveReference(&url.URL{Path: "/.well-known/pomerium/jwks.json"}).String(),
-		a.RedirectURL.ResolveReference(&url.URL{Path: "/oauth2/callback"}).String(),
-		a.RedirectURL.ResolveReference(&url.URL{Path: "/api/v1/refresh"}).String(),
+		state.redirectURL.ResolveReference(&url.URL{Path: "/.well-known/pomerium/jwks.json"}).String(),
+		state.redirectURL.ResolveReference(&url.URL{Path: "/oauth2/callback"}).String(),
+		state.redirectURL.ResolveReference(&url.URL{Path: "/api/v1/refresh"}).String(),
 	}
 	w.Header().Set("Content-Type", "application/json")
 	w.Header().Set("X-Content-Type-Options", "nosniff")
@ -114,9 +125,11 @@ func (a *Authenticate) wellKnown(w http.ResponseWriter, r *http.Request) error {
 }

 func (a *Authenticate) jwks(w http.ResponseWriter, r *http.Request) error {
+	state := a.state.Load()
+
 	w.Header().Set("Content-Type", "application/json")
 	w.Header().Set("X-Content-Type-Options", "nosniff")
-	jBytes, err := json.Marshal(a.jwk)
+	jBytes, err := json.Marshal(state.jwk)
 	if err != nil {
 		return err
 	}
@ -162,12 +175,20 @@ func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) error {
 	ctx, span := trace.StartSpan(r.Context(), "authenticate.SignIn")
 	defer span.End()

+	options := a.options.Load()
+	state := a.state.Load()
+
+	sharedCipher, err := cryptutil.NewAEADCipherFromBase64(options.SharedKey)
+	if err != nil {
+		return httputil.NewError(http.StatusBadRequest, err)
+	}
+
 	redirectURL, err := urlutil.ParseAndValidateURL(r.FormValue(urlutil.QueryRedirectURI))
 	if err != nil {
 		return httputil.NewError(http.StatusBadRequest, err)
 	}

-	jwtAudience := []string{a.RedirectURL.Host, redirectURL.Host}
+	jwtAudience := []string{state.redirectURL.Host, redirectURL.Host}

 	var callbackURL *url.URL
 	// if the callback is explicitly set, set it and add an additional audience
@ -191,7 +212,7 @@ func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) error {

 	s, err := a.getSessionFromCtx(ctx)
 	if err != nil {
-		a.sessionStore.ClearSession(w, r)
+		state.sessionStore.ClearSession(w, r)
 		return err
 	}

@ -199,10 +220,10 @@ func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) error {
 	if impersonate := r.FormValue(urlutil.QueryImpersonateAction); impersonate != "" {
 		s.SetImpersonation(r.FormValue(urlutil.QueryImpersonateEmail), r.FormValue(urlutil.QueryImpersonateGroups))
 	}
-	newSession := sessions.NewSession(s, a.RedirectURL.Host, jwtAudience)
+	newSession := sessions.NewSession(s, state.redirectURL.Host, jwtAudience)

 	// re-persist the session, useful when session was evicted from session
-	if err := a.sessionStore.SaveSession(w, r, s); err != nil {
+	if err := state.sessionStore.SaveSession(w, r, s); err != nil {
 		return httputil.NewError(http.StatusBadRequest, err)
 	}

@ -216,7 +237,7 @@ func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) error {
 			return httputil.NewError(http.StatusBadRequest, err)
 		}

-		encSession, err := a.encryptedEncoder.Marshal(pbSession.GetOauthToken())
+		encSession, err := state.encryptedEncoder.Marshal(pbSession.GetOauthToken())
 		if err != nil {
 			return httputil.NewError(http.StatusBadRequest, err)
 		}
@ -225,13 +246,13 @@ func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) error {
 	}

 	// sign the route session, as a JWT
-	signedJWT, err := a.sharedEncoder.Marshal(newSession)
+	signedJWT, err := state.sharedEncoder.Marshal(newSession)
 	if err != nil {
 		return httputil.NewError(http.StatusBadRequest, err)
 	}

 	// encrypt our route-based token JWT avoiding any accidental logging
-	encryptedJWT := cryptutil.Encrypt(a.sharedCipher, signedJWT, nil)
+	encryptedJWT := cryptutil.Encrypt(sharedCipher, signedJWT, nil)
 	// base64 our encrypted payload for URL-friendlyness
 	encodedJWT := base64.URLEncoding.EncodeToString(encryptedJWT)

@ -242,7 +263,7 @@ func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) error {

 	// build our hmac-d redirect URL with our session, pointing back to the
 	// proxy's callback URL which is responsible for setting our new route-session
-	uri := urlutil.NewSignedURL(a.sharedKey, callbackURL)
+	uri := urlutil.NewSignedURL(options.SharedKey, callbackURL)
 	httputil.Redirect(w, r, uri.String(), http.StatusFound)
 	return nil
 }
@ -253,6 +274,8 @@ func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) error {
 	ctx, span := trace.StartSpan(r.Context(), "authenticate.SignOut")
 	defer span.End()

+	state := a.state.Load()
+
 	sessionState, err := a.getSessionFromCtx(ctx)
 	if err == nil {
 		if s, _ := session.Get(ctx, a.dataBrokerClient, sessionState.ID); s != nil && s.OauthToken != nil {
@ -267,7 +290,7 @@ func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) error {
 	}

 	// no matter what happens, we want to clear the session store
-	a.sessionStore.ClearSession(w, r)
+	state.sessionStore.ClearSession(w, r)
 	redirectString := r.FormValue(urlutil.QueryRedirectURI)
 	endSessionURL, err := a.provider.Load().LogOut()
 	if err == nil {
@ -288,6 +311,8 @@ func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) error {
 // to the user's current user sessions state if the user is currently an
 // administrative user. Requests are redirected back to the user dashboard.
 func (a *Authenticate) Impersonate(w http.ResponseWriter, r *http.Request) error {
+	options := a.options.Load()
+
 	redirectURL := urlutil.GetAbsoluteURL(r).ResolveReference(&url.URL{
 		Path: "/.pomerium",
 	})
@ -303,7 +328,7 @@ func (a *Authenticate) Impersonate(w http.ResponseWriter, r *http.Request) error
 	q.Set(urlutil.QueryImpersonateEmail, r.FormValue(urlutil.QueryImpersonateEmail))
 	q.Set(urlutil.QueryImpersonateGroups, r.FormValue(urlutil.QueryImpersonateGroups))
 	signinURL.RawQuery = q.Encode()
-	httputil.Redirect(w, r, urlutil.NewSignedURL(a.sharedKey, signinURL).String(), http.StatusFound)
+	httputil.Redirect(w, r, urlutil.NewSignedURL(options.SharedKey, signinURL).String(), http.StatusFound)
 	return nil
 }

@ -318,17 +343,18 @@ func (a *Authenticate) Impersonate(w http.ResponseWriter, r *http.Request) error
 // https://tools.ietf.org/html/rfc6749#section-4.2.1
 // https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest
 func (a *Authenticate) reauthenticateOrFail(w http.ResponseWriter, r *http.Request, err error) error {
+	state := a.state.Load()
 	// If request AJAX/XHR request, return a 401 instead because the redirect
 	// will almost certainly violate their CORs policy
 	if reqType := r.Header.Get("X-Requested-With"); strings.EqualFold(reqType, "XmlHttpRequest") {
 		return httputil.NewError(http.StatusUnauthorized, err)
 	}
-	a.sessionStore.ClearSession(w, r)
-	redirectURL := a.RedirectURL.ResolveReference(r.URL)
+	state.sessionStore.ClearSession(w, r)
+	redirectURL := state.redirectURL.ResolveReference(r.URL)
 	nonce := csrf.Token(r)
 	now := time.Now().Unix()
 	b := []byte(fmt.Sprintf("%s|%d|", nonce, now))
-	enc := cryptutil.Encrypt(a.cookieCipher, []byte(redirectURL.String()), b)
+	enc := cryptutil.Encrypt(state.cookieCipher, []byte(redirectURL.String()), b)
 	b = append(b, enc...)
 	encodedState := base64.URLEncoding.EncodeToString(b)
 	httputil.Redirect(w, r, a.provider.Load().GetSignInURL(encodedState), http.StatusFound)
@ -361,6 +387,8 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
 	ctx, span := trace.StartSpan(r.Context(), "authenticate.getOAuthCallback")
 	defer span.End()

+	state := a.state.Load()
+
 	// Error Authentication Response: rfc6749#section-4.1.2.1 & OIDC#3.1.2.6
 	//
 	// first, check if the identity provider returned an error
@ -389,8 +417,8 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)

 	newState := sessions.NewSession(
 		&s,
-		a.RedirectURL.Hostname(),
-		[]string{a.RedirectURL.Hostname()})
+		state.redirectURL.Hostname(),
+		[]string{state.redirectURL.Hostname()})

 	// state includes a csrf nonce (validated by middleware) and redirect uri
 	bytes, err := base64.URLEncoding.DecodeString(r.FormValue("state"))
@ -414,7 +442,7 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
 	// mac: to validate the nonce again, and above timestamp
 	// decrypt: to prevent leaking 'redirect_uri' to IdP or logs
 	b := []byte(fmt.Sprint(statePayload[0], "|", statePayload[1], "|"))
-	redirectString, err := cryptutil.Decrypt(a.cookieCipher, []byte(statePayload[2]), b)
+	redirectString, err := cryptutil.Decrypt(state.cookieCipher, []byte(statePayload[2]), b)
 	if err != nil {
 		return nil, httputil.NewError(http.StatusBadRequest, err)
 	}
@ -425,19 +453,21 @@ func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request)
 	}

 	// ...  and the user state to local storage.
-	if err := a.sessionStore.SaveSession(w, r, &newState); err != nil {
+	if err := state.sessionStore.SaveSession(w, r, &newState); err != nil {
 		return nil, fmt.Errorf("failed saving new session: %w", err)
 	}
 	return redirectURL, nil
 }

 func (a *Authenticate) getSessionFromCtx(ctx context.Context) (*sessions.State, error) {
+	state := a.state.Load()
+
 	jwt, err := sessions.FromContext(ctx)
 	if err != nil {
 		return nil, httputil.NewError(http.StatusBadRequest, err)
 	}
 	var s sessions.State
-	if err := a.sharedEncoder.Unmarshal([]byte(jwt), &s); err != nil {
+	if err := state.sharedEncoder.Unmarshal([]byte(jwt), &s); err != nil {
 		return nil, httputil.NewError(http.StatusBadRequest, err)
 	}
 	return &s, nil
@ -452,10 +482,8 @@ func (a *Authenticate) deleteSession(ctx context.Context, sessionID string) erro
 }

 func (a *Authenticate) isAdmin(user string) bool {
-	a.administratorMu.Lock()
-	defer a.administratorMu.Unlock()
-
-	_, ok := a.administrator[user]
+	state := a.state.Load()
+	_, ok := state.administrators[user]
 	return ok
 }

@ -532,7 +560,9 @@ func (a *Authenticate) saveSessionToDataBroker(ctx context.Context, sessionState
 		return nil
 	}

-	sessionExpiry, _ := ptypes.TimestampProto(time.Now().Add(a.cookieOptions.Expire))
+	options := a.options.Load()
+
+	sessionExpiry, _ := ptypes.TimestampProto(time.Now().Add(options.CookieExpire))
 	sessionState.Expiry = jwt.NewNumericDate(sessionExpiry.AsTime())
 	idTokenIssuedAt, _ := ptypes.TimestampProto(sessionState.IssuedAt.Time())