authorize: client cert fingerprint in set_request_headers (#4447)

Add support for a new token $pomerium.client_cert_fingerprint in the
set_request_headers option. This token will be replaced with the SHA-256
hash of the presented leaf client certificate.

authorize/evaluator/evaluator.go

@@ -225,7 +225,7 @@ func (e *Evaluator) evaluatePolicy(ctx context.Context, req *Request) (*PolicyRe
 }
 
 func (e *Evaluator) evaluateHeaders(ctx context.Context, req *Request) (*HeadersResponse, error) {
-	headersReq := NewHeadersRequestFromPolicy(req.Policy, req.HTTP.Hostname)
+	headersReq := NewHeadersRequestFromPolicy(req.Policy, req.HTTP)
 	headersReq.Session = req.Session
 	res, err := e.headersEvaluators.Evaluate(ctx, headersReq)
 	if err != nil {

authorize/evaluator/headers_evaluator.go

@@ -23,15 +23,16 @@ type HeadersRequest struct {
 	KubernetesServiceAccountToken             string                `json:"kubernetes_service_account_token"`
 	ToAudience                                string                `json:"to_audience"`
 	Session                                   RequestSession        `json:"session"`
+	ClientCertificate                         ClientCertificateInfo `json:"client_certificate"`
 	PassAccessToken                           bool                  `json:"pass_access_token"`
 	PassIDToken                               bool                  `json:"pass_id_token"`
 	SetRequestHeaders                         map[string]string     `json:"set_request_headers"`
 }
 
 // NewHeadersRequestFromPolicy creates a new HeadersRequest from a policy.
-func NewHeadersRequestFromPolicy(policy *config.Policy, hostname string) *HeadersRequest {
+func NewHeadersRequestFromPolicy(policy *config.Policy, http RequestHTTP) *HeadersRequest {
 	input := new(HeadersRequest)
-	input.Issuer = hostname
+	input.Issuer = http.Hostname
 	if policy != nil {
 		input.EnableGoogleCloudServerlessAuthentication = policy.EnableGoogleCloudServerlessAuthentication
 		input.EnableRoutingKey = policy.EnvoyOpts.GetLbPolicy() == envoy_config_cluster_v3.Cluster_RING_HASH ||
@@ -42,6 +43,7 @@ func NewHeadersRequestFromPolicy(policy *config.Policy, hostname string) *Header
 		}
 		input.PassAccessToken = policy.GetSetAuthorizationHeader() == configpb.Route_ACCESS_TOKEN
 		input.PassIDToken = policy.GetSetAuthorizationHeader() == configpb.Route_ID_TOKEN
+		input.ClientCertificate = http.ClientCertificate
 		input.SetRequestHeaders = policy.SetRequestHeaders
 	}
 	return input

authorize/evaluator/headers_evaluator_test.go

@@ -34,16 +34,24 @@ func TestNewHeadersRequestFromPolicy(t *testing.T) {
 				URL: *mustParseURL("http://to.example.com"),
 			},
 		},
-	}, "from.example.com")
+	}, RequestHTTP{
+		Hostname: "from.example.com",
+		ClientCertificate: ClientCertificateInfo{
+			Leaf: "--- FAKE CERTIFICATE ---",
+		},
+	})
 	assert.Equal(t, &HeadersRequest{
 		EnableGoogleCloudServerlessAuthentication: true,
 		Issuer:     "from.example.com",
 		ToAudience: "https://to.example.com",
+		ClientCertificate: ClientCertificateInfo{
+			Leaf: "--- FAKE CERTIFICATE ---",
+		},
 	}, req)
 }
 
 func TestNewHeadersRequestFromPolicy_nil(t *testing.T) {
-	req := NewHeadersRequestFromPolicy(nil, "from.example.com")
+	req := NewHeadersRequestFromPolicy(nil, RequestHTTP{Hostname: "from.example.com"})
 	assert.Equal(t, &HeadersRequest{
 		Issuer: "from.example.com",
 	}, req)
@@ -187,13 +195,17 @@ func TestHeadersEvaluator(t *testing.T) {
 					"X-Custom-Header":         "CUSTOM_VALUE",
 					"X-ID-Token":              "$pomerium.id_token",
 					"X-Access-Token":          "$pomerium.access_token",
+					"Client-Cert-Fingerprint": "$pomerium.client_cert_fingerprint",
 				},
+				ClientCertificate: ClientCertificateInfo{Leaf: testValidCert},
 			})
 		require.NoError(t, err)
 
 		assert.Equal(t, "CUSTOM_VALUE", output.Headers.Get("X-Custom-Header"))
 		assert.Equal(t, "ID_TOKEN", output.Headers.Get("X-ID-Token"))
 		assert.Equal(t, "ACCESS_TOKEN", output.Headers.Get("X-Access-Token"))
+		assert.Equal(t, "17859273e8a980631d367b2d5a6a6635412b0f22835f69e47b3f65624546a704",
+			output.Headers.Get("Client-Cert-Fingerprint"))
 	})
 
 	t.Run("set_request_headers original behavior", func(t *testing.T) {
@@ -217,6 +229,20 @@ func TestHeadersEvaluator(t *testing.T) {
 
 		assert.Equal(t, "Bearer ID_TOKEN", output.Headers.Get("Authorization"))
 	})
+
+	t.Run("set_request_headers no client cert", func(t *testing.T) {
+		output, err := eval(t, nil,
+			&HeadersRequest{
+				Issuer:     "from.example.com",
+				ToAudience: "to.example.com",
+				SetRequestHeaders: map[string]string{
+					"fingerprint": "$pomerium.client_cert_fingerprint",
+				},
+			})
+		require.NoError(t, err)
+
+		assert.Equal(t, "", output.Headers.Get("fingerprint"))
+	})
 }
 
 func decodeJWSPayload(t *testing.T, jws string) []byte {

authorize/evaluator/opa/policy/headers.rego

@@ -3,6 +3,8 @@ package pomerium.headers
 # input:
 #   enable_google_cloud_serverless_authentication: boolean
 #   enable_routing_key: boolean
+#   client_certificate:
+#     leaf: string
 #   issuer: string
 #   kubernetes_service_account_token: string
 #   session:
@@ -211,13 +213,19 @@ session_access_token = v {
 	v := session.oauth_token.access_token
 } else = ""
 
+client_cert_fingerprint = v {
+    cert := crypto.x509.parse_certificates(trim_space(input.client_certificate.leaf))[0]
+    v := crypto.sha256(base64.decode(cert.Raw))
+} else = ""
+
 set_request_headers = h {
 	h := [[header_name, header_value] |
 		some header_name
 		v1 := input.set_request_headers[header_name]
 		v2 := replace(v1, "$pomerium.id_token", session_id_token)
 		v3 := replace(v2, "$pomerium.access_token", session_access_token)
-		header_value := v3
+		v4 := replace(v3, "$pomerium.client_cert_fingerprint", client_cert_fingerprint)
+		header_value := v4
 	]
 } else = []