authenticate/proxy: add backend refresh (#438)

2025-08-03 16:59:22 +02:00 · 2019-12-30 10:47:54 -08:00 · 2019-12-30 10:47:54 -08:00 · ec029c679b
commit ec029c679b
parent 9a330613aa
35 changed files with 1226 additions and 445 deletions
--- a/internal/sessions/header/header_store.go
+++ b/internal/sessions/header/header_store.go
@ -0,0 +1,64 @@
+package header // import "github.com/pomerium/pomerium/internal/sessions/header"
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/pomerium/pomerium/internal/encoding"
+	"github.com/pomerium/pomerium/internal/sessions"
+)
+
+var _ sessions.SessionLoader = &Store{}
+
+const (
+	defaultAuthHeader = "Authorization"
+	defaultAuthType   = "Bearer"
+)
+
+// Store implements the load session store interface using http
+// authorization headers.
+type Store struct {
+	authHeader string
+	authType   string
+	encoder    encoding.Unmarshaler
+}
+
+// NewStore returns a new header store for loading sessions from
+// authorization header as defined in as defined in rfc2617
+//
+// NOTA BENE: While most servers do not log Authorization headers by default,
+// you should ensure no other services are logging or leaking your auth headers.
+func NewStore(enc encoding.Unmarshaler, headerType string) *Store {
+	if headerType == "" {
+		headerType = defaultAuthType
+	}
+	return &Store{
+		authHeader: defaultAuthHeader,
+		authType:   headerType,
+		encoder:    enc,
+	}
+}
+
+// LoadSession tries to retrieve the token string from the Authorization header.
+func (as *Store) LoadSession(r *http.Request) (*sessions.State, error) {
+	cipherText := TokenFromHeader(r, as.authHeader, as.authType)
+	if cipherText == "" {
+		return nil, sessions.ErrNoSessionFound
+	}
+	var session sessions.State
+	if err := as.encoder.Unmarshal([]byte(cipherText), &session); err != nil {
+		return nil, sessions.ErrMalformed
+	}
+	return &session, nil
+}
+
+// TokenFromHeader retrieves the value of the authorization header from a given
+// request, header key, and authentication type.
+func TokenFromHeader(r *http.Request, authHeader, authType string) string {
+	bearer := r.Header.Get(authHeader)
+	atSize := len(authType)
+	if len(bearer) > atSize && strings.EqualFold(bearer[0:atSize], authType) {
+		return bearer[atSize+1:]
+	}
+	return ""
+}
--- a/internal/sessions/header/middleware_test.go
+++ b/internal/sessions/header/middleware_test.go
@ -0,0 +1,90 @@
+package header // import "github.com/pomerium/pomerium/internal/sessions/header"
+
+import (
+	"fmt"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/pomerium/pomerium/internal/cryptutil"
+	"github.com/pomerium/pomerium/internal/encoding/ecjson"
+	"github.com/pomerium/pomerium/internal/sessions"
+
+	"github.com/google/go-cmp/cmp"
+	"gopkg.in/square/go-jose.v2/jwt"
+)
+
+func testAuthorizer(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_, err := sessions.FromContext(r.Context())
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusUnauthorized)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+func TestVerifier(t *testing.T) {
+	fnh := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
+		fmt.Fprint(w, http.StatusText(http.StatusOK))
+		w.WriteHeader(http.StatusOK)
+	})
+
+	tests := []struct {
+		name       string
+		authType   string
+		state      sessions.State
+		wantBody   string
+		wantStatus int
+	}{
+		{"good auth header session", "Bearer ", sessions.State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(10 * time.Minute))}, http.StatusText(http.StatusOK), http.StatusOK},
+		{"expired auth header", "Bearer ", sessions.State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, "internal/sessions: validation failed, token is expired (exp)\n", http.StatusUnauthorized},
+		{"malformed auth header", "Bearer ", sessions.State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, "internal/sessions: session is malformed\n", http.StatusUnauthorized},
+		{"empty auth header", "Bearer ", sessions.State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, "internal/sessions: session is not found\n", http.StatusUnauthorized},
+		{"bad auth type", "bees ", sessions.State{Email: "user@pomerium.io", Expiry: jwt.NewNumericDate(time.Now().Add(-10 * time.Minute))}, "internal/sessions: session is not found\n", http.StatusUnauthorized},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cipher, err := cryptutil.NewAEADCipherFromBase64(cryptutil.NewBase64Key())
+			encoder := ecjson.New(cipher)
+			if err != nil {
+				t.Fatal(err)
+			}
+			encSession, err := encoder.Marshal(&tt.state)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if strings.Contains(tt.name, "malformed") {
+				// add some garbage to the end of the string
+				encSession = append(encSession, cryptutil.NewKey()...)
+			}
+			s := NewStore(encoder, "")
+
+			r := httptest.NewRequest(http.MethodGet, "/", nil)
+			r.Header.Set("Accept", "application/json")
+			w := httptest.NewRecorder()
+
+			if strings.Contains(tt.name, "empty") {
+				encSession = []byte("")
+			}
+			r.Header.Set("Authorization", tt.authType+string(encSession))
+
+			got := sessions.RetrieveSession(s)(testAuthorizer((fnh)))
+			got.ServeHTTP(w, r)
+
+			gotBody := w.Body.String()
+			gotStatus := w.Result().StatusCode
+
+			if diff := cmp.Diff(gotBody, tt.wantBody); diff != "" {
+				t.Errorf("RetrieveSession() = %v", diff)
+			}
+			if diff := cmp.Diff(gotStatus, tt.wantStatus); diff != "" {
+				t.Errorf("RetrieveSession() = %v", diff)
+			}
+		})
+	}
+}