authorize: client cert fingerprint in set_request_headers (#4447)

Add support for a new token $pomerium.client_cert_fingerprint in the set_request_headers option. This token will be replaced with the SHA-256 hash of the presented leaf client certificate.
2025-08-06 10:21:05 +02:00 · 2023-08-09 08:34:51 -07:00 · 2023-08-09 08:34:51 -07:00 · f7e0b61c03
commit f7e0b61c03
parent de68e37bc3
4 changed files with 54 additions and 18 deletions
--- a/authorize/evaluator/evaluator.go
+++ b/authorize/evaluator/evaluator.go
@ -225,7 +225,7 @@ func (e *Evaluator) evaluatePolicy(ctx context.Context, req *Request) (*PolicyRe
 }
 func (e *Evaluator) evaluateHeaders(ctx context.Context, req *Request) (*HeadersResponse, error) {
-	headersReq := NewHeadersRequestFromPolicy(req.Policy, req.HTTP.Hostname)
+	headersReq := NewHeadersRequestFromPolicy(req.Policy, req.HTTP)
 	headersReq.Session = req.Session
 	res, err := e.headersEvaluators.Evaluate(ctx, headersReq)
 	if err != nil {
--- a/authorize/evaluator/headers_evaluator.go
+++ b/authorize/evaluator/headers_evaluator.go
@ -17,21 +17,22 @@ import (
 // HeadersRequest is the input to the headers.rego script.
 type HeadersRequest struct {
-	EnableGoogleCloudServerlessAuthentication bool              `json:"enable_google_cloud_serverless_authentication"`
+	EnableGoogleCloudServerlessAuthentication bool                  `json:"enable_google_cloud_serverless_authentication"`
-	EnableRoutingKey                          bool              `json:"enable_routing_key"`
+	EnableRoutingKey                          bool                  `json:"enable_routing_key"`
-	Issuer                                    string            `json:"issuer"`
+	Issuer                                    string                `json:"issuer"`
-	KubernetesServiceAccountToken             string            `json:"kubernetes_service_account_token"`
+	KubernetesServiceAccountToken             string                `json:"kubernetes_service_account_token"`
-	ToAudience                                string            `json:"to_audience"`
+	ToAudience                                string                `json:"to_audience"`
-	Session                                   RequestSession    `json:"session"`
+	Session                                   RequestSession        `json:"session"`
-	PassAccessToken                           bool              `json:"pass_access_token"`
+	ClientCertificate                         ClientCertificateInfo `json:"client_certificate"`
-	PassIDToken                               bool              `json:"pass_id_token"`
+	PassAccessToken                           bool                  `json:"pass_access_token"`
-	SetRequestHeaders                         map[string]string `json:"set_request_headers"`
+	PassIDToken                               bool                  `json:"pass_id_token"`
 	SetRequestHeaders                         map[string]string     `json:"set_request_headers"`
 }
 // NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.
-func NewHeadersRequestFromPolicy(policy *config.Policy, hostname string) *HeadersRequest {
+func NewHeadersRequestFromPolicy(policy *config.Policy, http RequestHTTP) *HeadersRequest {
 	input := new(HeadersRequest)
-	input.Issuer = hostname
+	input.Issuer = http.Hostname
 	if policy != nil {
 		input.EnableGoogleCloudServerlessAuthentication = policy.EnableGoogleCloudServerlessAuthentication
 		input.EnableRoutingKey = policy.EnvoyOpts.GetLbPolicy() == envoy_config_cluster_v3.Cluster_RING_HASH ||
@ -42,6 +43,7 @@ func NewHeadersRequestFromPolicy(policy *config.Policy, hostname string) *Header
 		}
 		input.PassAccessToken = policy.GetSetAuthorizationHeader() == configpb.Route_ACCESS_TOKEN
 		input.PassIDToken = policy.GetSetAuthorizationHeader() == configpb.Route_ID_TOKEN
 		input.ClientCertificate = http.ClientCertificate
 		input.SetRequestHeaders = policy.SetRequestHeaders
 	}
 	return input
--- a/authorize/evaluator/headers_evaluator_test.go
+++ b/authorize/evaluator/headers_evaluator_test.go
@ -34,16 +34,24 @@ func TestNewHeadersRequestFromPolicy(t *testing.T) {
 				URL: *mustParseURL("http://to.example.com"),
 			},
 		},
-	}, "from.example.com")
+	}, RequestHTTP{
 		Hostname: "from.example.com",
 		ClientCertificate: ClientCertificateInfo{
 			Leaf: "--- FAKE CERTIFICATE ---",
 		},
 	})
 	assert.Equal(t, &HeadersRequest{
 		EnableGoogleCloudServerlessAuthentication: true,
 		Issuer:     "from.example.com",
 		ToAudience: "https://to.example.com",
 		ClientCertificate: ClientCertificateInfo{
 			Leaf: "--- FAKE CERTIFICATE ---",
 		},
 	}, req)
 }
 func TestNewHeadersRequestFromPolicy_nil(t *testing.T) {
-	req := NewHeadersRequestFromPolicy(nil, "from.example.com")
+	req := NewHeadersRequestFromPolicy(nil, RequestHTTP{Hostname: "from.example.com"})
 	assert.Equal(t, &HeadersRequest{
 		Issuer: "from.example.com",
 	}, req)
@ -184,16 +192,20 @@ func TestHeadersEvaluator(t *testing.T) {
 				ToAudience: "to.example.com",
 				Session:    RequestSession{ID: "s1"},
 				SetRequestHeaders: map[string]string{
-					"X-Custom-Header": "CUSTOM_VALUE",
+					"X-Custom-Header":         "CUSTOM_VALUE",
-					"X-ID-Token":      "$pomerium.id_token",
+					"X-ID-Token":              "$pomerium.id_token",
-					"X-Access-Token":  "$pomerium.access_token",
+					"X-Access-Token":          "$pomerium.access_token",
 					"Client-Cert-Fingerprint": "$pomerium.client_cert_fingerprint",
 				},
 				ClientCertificate: ClientCertificateInfo{Leaf: testValidCert},
 			})
 		require.NoError(t, err)
 		assert.Equal(t, "CUSTOM_VALUE", output.Headers.Get("X-Custom-Header"))
 		assert.Equal(t, "ID_TOKEN", output.Headers.Get("X-ID-Token"))
 		assert.Equal(t, "ACCESS_TOKEN", output.Headers.Get("X-Access-Token"))
 		assert.Equal(t, "17859273e8a980631d367b2d5a6a6635412b0f22835f69e47b3f65624546a704",
 			output.Headers.Get("Client-Cert-Fingerprint"))
 	})
 	t.Run("set_request_headers original behavior", func(t *testing.T) {
@ -217,6 +229,20 @@ func TestHeadersEvaluator(t *testing.T) {
 		assert.Equal(t, "Bearer ID_TOKEN", output.Headers.Get("Authorization"))
 	})
 	t.Run("set_request_headers no client cert", func(t *testing.T) {
 		output, err := eval(t, nil,
 			&HeadersRequest{
 				Issuer:     "from.example.com",
 				ToAudience: "to.example.com",
 				SetRequestHeaders: map[string]string{
 					"fingerprint": "$pomerium.client_cert_fingerprint",
 				},
 			})
 		require.NoError(t, err)
 		assert.Equal(t, "", output.Headers.Get("fingerprint"))
 	})
 }
 func decodeJWSPayload(t *testing.T, jws string) []byte {
--- a/authorize/evaluator/opa/policy/headers.rego
+++ b/authorize/evaluator/opa/policy/headers.rego
@ -3,6 +3,8 @@ package pomerium.headers
 # input:
 #   enable_google_cloud_serverless_authentication: boolean
 #   enable_routing_key: boolean
 #   client_certificate:
 #     leaf: string
 #   issuer: string
 #   kubernetes_service_account_token: string
 #   session:
@ -211,13 +213,19 @@ session_access_token = v {
 	v := session.oauth_token.access_token
 } else = ""
 client_cert_fingerprint = v {
    cert := crypto.x509.parse_certificates(trim_space(input.client_certificate.leaf))[0]
    v := crypto.sha256(base64.decode(cert.Raw))
 } else = ""
 set_request_headers = h {
 	h := [[header_name, header_value] |
 		some header_name
 		v1 := input.set_request_headers[header_name]
 		v2 := replace(v1, "$pomerium.id_token", session_id_token)
 		v3 := replace(v2, "$pomerium.access_token", session_access_token)
-		header_value := v3
+		v4 := replace(v3, "$pomerium.client_cert_fingerprint", client_cert_fingerprint)
 		header_value := v4
 	]
 } else = []