mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-03 00:40:25 +02:00
authenticate/proxy: add backend refresh (#438)
This commit is contained in:
parent
9a330613aa
commit
ec029c679b
35 changed files with 1226 additions and 445 deletions
64
internal/sessions/header/header_store.go
Normal file
64
internal/sessions/header/header_store.go
Normal file
|
@ -0,0 +1,64 @@
|
|||
package header // import "github.com/pomerium/pomerium/internal/sessions/header"
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"strings"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/encoding"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
)
|
||||
|
||||
var _ sessions.SessionLoader = &Store{}
|
||||
|
||||
const (
|
||||
defaultAuthHeader = "Authorization"
|
||||
defaultAuthType = "Bearer"
|
||||
)
|
||||
|
||||
// Store implements the load session store interface using http
|
||||
// authorization headers.
|
||||
type Store struct {
|
||||
authHeader string
|
||||
authType string
|
||||
encoder encoding.Unmarshaler
|
||||
}
|
||||
|
||||
// NewStore returns a new header store for loading sessions from
|
||||
// authorization header as defined in as defined in rfc2617
|
||||
//
|
||||
// NOTA BENE: While most servers do not log Authorization headers by default,
|
||||
// you should ensure no other services are logging or leaking your auth headers.
|
||||
func NewStore(enc encoding.Unmarshaler, headerType string) *Store {
|
||||
if headerType == "" {
|
||||
headerType = defaultAuthType
|
||||
}
|
||||
return &Store{
|
||||
authHeader: defaultAuthHeader,
|
||||
authType: headerType,
|
||||
encoder: enc,
|
||||
}
|
||||
}
|
||||
|
||||
// LoadSession tries to retrieve the token string from the Authorization header.
|
||||
func (as *Store) LoadSession(r *http.Request) (*sessions.State, error) {
|
||||
cipherText := TokenFromHeader(r, as.authHeader, as.authType)
|
||||
if cipherText == "" {
|
||||
return nil, sessions.ErrNoSessionFound
|
||||
}
|
||||
var session sessions.State
|
||||
if err := as.encoder.Unmarshal([]byte(cipherText), &session); err != nil {
|
||||
return nil, sessions.ErrMalformed
|
||||
}
|
||||
return &session, nil
|
||||
}
|
||||
|
||||
// TokenFromHeader retrieves the value of the authorization header from a given
|
||||
// request, header key, and authentication type.
|
||||
func TokenFromHeader(r *http.Request, authHeader, authType string) string {
|
||||
bearer := r.Header.Get(authHeader)
|
||||
atSize := len(authType)
|
||||
if len(bearer) > atSize && strings.EqualFold(bearer[0:atSize], authType) {
|
||||
return bearer[atSize+1:]
|
||||
}
|
||||
return ""
|
||||
}
|
90
internal/sessions/header/middleware_test.go
Normal file
90
internal/sessions/header/middleware_test.go
Normal file
|
@ -0,0 +1,90 @@
|
|||
package header // import "github.com/pomerium/pomerium/internal/sessions/header"
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"strings"
|
||||
"testing"
|
||||
"time"
|
||||
|
||||
"github.com/pomerium/pomerium/internal/cryptutil"
|
||||
"github.com/pomerium/pomerium/internal/encoding/ecjson"
|
||||
"github.com/pomerium/pomerium/internal/sessions"
|
||||
|
||||
"github.com/google/go-cmp/cmp"
|
||||
"gopkg.in/square/go-jose.v2/jwt"
|
||||
)
|
||||
|
||||
func testAuthorizer(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
_, err := sessions.FromContext(r.Context())
|
||||
if err != nil {
|
||||
http.Error(w, err.Error(), http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
|
||||
func TestVerifier(t *testing.T) {
|
||||
fnh := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
|
||||
fmt.Fprint(w, http.StatusText(http.StatusOK))
|
||||
w.WriteHeader(http.StatusOK)
|
||||
})
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
authType string
|
||||
state sessions.State
|
||||
wantBody string
|
||||
wantStatus int
|
||||
}{
|
||||
{"good auth header session", "Bearer ", sessions.State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}, http.StatusText(http.StatusOK), http.StatusOK},
|
||||
{"expired auth header", "Bearer ", sessions.State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, "internal/sessions: validation failed, token is expired (exp)\n", http.StatusUnauthorized},
|
||||
{"malformed auth header", "Bearer ", sessions.State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, "internal/sessions: session is malformed\n", http.StatusUnauthorized},
|
||||
{"empty auth header", "Bearer ", sessions.State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, "internal/sessions: session is not found\n", http.StatusUnauthorized},
|
||||
{"bad auth type", "bees ", sessions.State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, "internal/sessions: session is not found\n", http.StatusUnauthorized},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
cipher, err := cryptutil.NewAEADCipherFromBase64(cryptutil.NewBase64Key())
|
||||
encoder := ecjson.New(cipher)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
encSession, err := encoder.Marshal(&tt.state)
|
||||
if err != nil {
|
||||
t.Fatal(err)
|
||||
}
|
||||
if strings.Contains(tt.name, "malformed") {
|
||||
// add some garbage to the end of the string
|
||||
encSession = append(encSession, cryptutil.NewKey()...)
|
||||
}
|
||||
s := NewStore(encoder, "")
|
||||
|
||||
r := httptest.NewRequest(http.MethodGet, "/", nil)
|
||||
r.Header.Set("Accept", "application/json")
|
||||
w := httptest.NewRecorder()
|
||||
|
||||
if strings.Contains(tt.name, "empty") {
|
||||
encSession = []byte("")
|
||||
}
|
||||
r.Header.Set("Authorization", tt.authType+string(encSession))
|
||||
|
||||
got := sessions.RetrieveSession(s)(testAuthorizer((fnh)))
|
||||
got.ServeHTTP(w, r)
|
||||
|
||||
gotBody := w.Body.String()
|
||||
gotStatus := w.Result().StatusCode
|
||||
|
||||
if diff := cmp.Diff(gotBody, tt.wantBody); diff != "" {
|
||||
t.Errorf("RetrieveSession() = %v", diff)
|
||||
}
|
||||
if diff := cmp.Diff(gotStatus, tt.wantStatus); diff != "" {
|
||||
t.Errorf("RetrieveSession() = %v", diff)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
Loading…
Add table
Add a link
Reference in a new issue