mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-02 08:19:23 +02:00
authenticate: move properties to atomically updated state (#1277)
* authenticate: remove cookie options * authenticate: remove shared key field * authenticate: remove shared cipher property * authenticate: move properties to separate state struct
parent
598102f587
commit
d608526998
5 changed files with 256 additions and 210 deletions
128
authenticate/state.go
Normal file
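--- a/authenticate/state.go
+++ b/authenticate/state.go
@@ -0,0 +1,128 @@
+package authenticate
+
+import (
+"crypto/cipher"
+"encoding/base64"
+"fmt"
+"net/url"
+"sync/atomic"
+
+"gopkg.in/square/go-jose.v2"
+
+"github.com/pomerium/pomerium/config"
+"github.com/pomerium/pomerium/internal/encoding"
+"github.com/pomerium/pomerium/internal/encoding/ecjson"
+"github.com/pomerium/pomerium/internal/encoding/jws"
+"github.com/pomerium/pomerium/internal/httputil"
+"github.com/pomerium/pomerium/internal/sessions"
+"github.com/pomerium/pomerium/internal/sessions/cookie"
+"github.com/pomerium/pomerium/internal/sessions/header"
+"github.com/pomerium/pomerium/internal/sessions/queryparam"
+"github.com/pomerium/pomerium/internal/urlutil"
+"github.com/pomerium/pomerium/pkg/cryptutil"
+)
+
+type authenticateState struct {
+redirectURL *url.URL
+// administrators keeps track of administrator users.
+administrators map[string]struct{}
+// sharedEncoder is the encoder to use to serialize data to be consumed
+// by other services
+sharedEncoder encoding.MarshalUnmarshaler
+// cookieSecret is the secret to encrypt and authenticate session data
+cookieSecret []byte
+// cookieCipher is the cipher to use to encrypt/decrypt session data
+cookieCipher cipher.AEAD
+// encryptedEncoder is the encoder used to marshal and unmarshal session data
+encryptedEncoder encoding.MarshalUnmarshaler
+// sessionStore is the session store used to persist a user's session
+sessionStore sessions.SessionStore
+// sessionLoaders are a collection of session loaders to attempt to pull
+// a user's session state from
+sessionLoaders []sessions.SessionLoader
+
+jwk *jose.JSONWebKeySet
+}
+
+func newAuthenticateState() *authenticateState {
+return &authenticateState{
+administrators: map[string]struct{}{},
+jwk: new(jose.JSONWebKeySet),
+}
+}
+
+func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, error) {
+state := &authenticateState{}
+
+state.redirectURL, _ = urlutil.DeepCopy(cfg.Options.AuthenticateURL)
+state.redirectURL.Path = cfg.Options.AuthenticateCallbackPath
+
+state.administrators = make(map[string]struct{}, len(cfg.Options.Administrators))
+for _, admin := range cfg.Options.Administrators {
+state.administrators[admin] = struct{}{}
+}
+
+// shared state encoder setup
+var err error
+state.sharedEncoder, err = jws.NewHS256Signer([]byte(cfg.Options.SharedKey), cfg.Options.GetAuthenticateURL().Host)
+if err != nil {
+return nil, err
+}
+
+// private state encoder setup, used to encrypt oauth2 tokens
+state.cookieSecret, _ = base64.StdEncoding.DecodeString(cfg.Options.CookieSecret)
+state.cookieCipher, _ = cryptutil.NewAEADCipher(state.cookieSecret)
+state.encryptedEncoder = ecjson.New(state.cookieCipher)
+
+qpStore := queryparam.NewStore(state.encryptedEncoder, urlutil.QueryProgrammaticToken)
+headerStore := header.NewStore(state.encryptedEncoder, httputil.AuthorizationTypePomerium)
+
+cookieStore, err := cookie.NewStore(func() cookie.Options {
+return cookie.Options{
+Name: cfg.Options.CookieName,
+Domain: cfg.Options.CookieDomain,
+Secure: cfg.Options.CookieSecure,
+HTTPOnly: cfg.Options.CookieHTTPOnly,
+Expire: cfg.Options.CookieExpire,
+}
+}, state.sharedEncoder)
+if err != nil {
+return nil, err
+}
+
+state.sessionStore = cookieStore
+state.sessionLoaders = []sessions.SessionLoader{qpStore, headerStore, cookieStore}
+
+state.jwk = new(jose.JSONWebKeySet)
+if cfg.Options.SigningKey != "" {
+decodedCert, err := base64.StdEncoding.DecodeString(cfg.Options.SigningKey)
+if err != nil {
+return nil, fmt.Errorf("authenticate: failed to decode signing key: %w", err)
+}
+jwk, err := cryptutil.PublicJWKFromBytes(decodedCert, jose.ES256)
+if err != nil {
+return nil, fmt.Errorf("authenticate: failed to convert jwks: %w", err)
+}
+state.jwk.Keys = append(state.jwk.Keys, *jwk)
+}
+
+return state, nil
+}
+
+type atomicAuthenticateState struct {
+atomic.Value
+}
+
+func newAtomicAuthenticateState(state *authenticateState) *atomicAuthenticateState {
+aas := new(atomicAuthenticateState)
+aas.Store(state)
+return aas
+}
+
+func (aas *atomicAuthenticateState) Load() *authenticateState {
+return aas.Value.Load().(*authenticateState)
+}
+
+func (aas *atomicAuthenticateState) Store(state *authenticateState) {
+aas.Value.Store(state)
+}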
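Review bot: Three results are discarded with `_` in newAuthenticateStateFromConfig: the second value from urlutil.DeepCopy, the error from base64-decoding CookieSecret, and the second value from cryptutil.NewAEADCipher (both presumably errors). With a malformed or wrong-length cookie secret the state would presumably be built around a nil or unusable cookieCipher and only fail when session data is first encrypted or decrypted, and a nil redirectURL would panic on the following `.Path` assignment. The function already returns an error and the signing-key branch wraps its failures, so these can be propagated the same way. If the options are always validated before this constructor runs (not visible on this page), a short comment next to each `_` stating that would be enough instead.

```go
func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, error) {
	// … unchanged: state := &authenticateState{} …
	var err error
	state.redirectURL, err = urlutil.DeepCopy(cfg.Options.AuthenticateURL)
	if err != nil {
		return nil, fmt.Errorf("authenticate: failed to copy authenticate url: %w", err)
	}
	// … unchanged: callback path, administrators map, shared encoder setup (its `var err error` moves up) …
	state.cookieSecret, err = base64.StdEncoding.DecodeString(cfg.Options.CookieSecret)
	if err != nil {
		return nil, fmt.Errorf("authenticate: failed to decode cookie secret: %w", err)
	}
	state.cookieCipher, err = cryptutil.NewAEADCipher(state.cookieSecret)
	if err != nil {
		return nil, fmt.Errorf("authenticate: failed to create cookie cipher: %w", err)
	}
	// … unchanged: encryptedEncoder, session stores, signing key, return …
```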