3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-01 19:36:32 +02:00
Code Issues Projects Releases Packages Wiki Activity

session: remove audience check (#640)

Browse source 
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
Bobby DeSimone 2020-04-29 15:30:47 -07:00 committed by GitHub
parent b1d3bbaf56
commit f7ee08b05a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 11 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
authenticate/handlers.go
View file

@ -86,15 +86,12 @@ func (a *Authenticate) VerifySession(next http.Handler) http.Handler {
return httputil.NewError(http.StatusBadRequest, err) return httputil.NewError(http.StatusBadRequest, err)
} }
if err := s.Verify(r.Host); errors.Is(err, sessions.ErrExpired) { if s.IsExpired() {
ctx, err = a.refresh(w, r, &s) ctx, err = a.refresh(w, r, &s)
if err != nil { if err != nil {
log.FromRequest(r).Info().Err(err).Msg("authenticate: verify session, refresh") log.FromRequest(r).Info().Err(err).Msg("authenticate: verify session, refresh")
return a.reauthenticateOrFail(w, r, err) return a.reauthenticateOrFail(w, r, err)
} }
} else if err != nil {
log.FromRequest(r).Info().Err(err).Msg("authenticate: verify session")
return a.reauthenticateOrFail(w, r, err)
} }
next.ServeHTTP(w, r.WithContext(ctx)) next.ServeHTTP(w, r.WithContext(ctx))
return nil return nil
@ -164,9 +161,7 @@ func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) error {
if err := a.encryptedEncoder.Unmarshal([]byte(jwt), &s); err != nil { if err := a.encryptedEncoder.Unmarshal([]byte(jwt), &s); err != nil {
return httputil.NewError(http.StatusBadRequest, err) return httputil.NewError(http.StatusBadRequest, err)
} }
if err := s.Verify(r.Host); err != nil && !errors.Is(err, sessions.ErrExpired) {
return httputil.NewError(http.StatusBadRequest, err)
}
// user impersonation // user impersonation
if impersonate := r.FormValue(urlutil.QueryImpersonateAction); impersonate != "" { if impersonate := r.FormValue(urlutil.QueryImpersonateAction); impersonate != "" {
s.SetImpersonation(r.FormValue(urlutil.QueryImpersonateEmail), r.FormValue(urlutil.QueryImpersonateGroups)) s.SetImpersonation(r.FormValue(urlutil.QueryImpersonateEmail), r.FormValue(urlutil.QueryImpersonateGroups))
@ -376,10 +371,6 @@ func (a *Authenticate) RefreshAPI(w http.ResponseWriter, r *http.Request) error
if err := a.encryptedEncoder.Unmarshal([]byte(jwt), &s); err != nil { if err := a.encryptedEncoder.Unmarshal([]byte(jwt), &s); err != nil {
return httputil.NewError(http.StatusBadRequest, err) return httputil.NewError(http.StatusBadRequest, err)
} }
err = s.Verify(r.Host)
if err != nil && !errors.Is(err, sessions.ErrExpired) {
return httputil.NewError(http.StatusBadRequest, err)
}
newSession, err := a.provider.Refresh(r.Context(), &s) newSession, err := a.provider.Refresh(r.Context(), &s)
if err != nil { if err != nil {
return err return err
@ -425,9 +416,7 @@ func (a *Authenticate) Refresh(w http.ResponseWriter, r *http.Request) error {
if err := a.encryptedEncoder.Unmarshal([]byte(jwt), &s); err != nil { if err := a.encryptedEncoder.Unmarshal([]byte(jwt), &s); err != nil {
return httputil.NewError(http.StatusBadRequest, err) return httputil.NewError(http.StatusBadRequest, err)
} }
if err := s.Verify(r.Host); err != nil && !errors.Is(err, sessions.ErrExpired) {
return httputil.NewError(http.StatusBadRequest, err)
}
aud := strings.Split(r.FormValue(urlutil.QueryAudience), ",") aud := strings.Split(r.FormValue(urlutil.QueryAudience), ",")
routeSession := s.NewSession(r.Host, aud) routeSession := s.NewSession(r.Host, aud)
routeSession.AccessTokenID = s.AccessTokenID routeSession.AccessTokenID = s.AccessTokenID

17
internal/sessions/state.go
View file

@ -114,25 +114,18 @@ func (s State) RouteSession() *State {
return &s return &s
} }
// Verify returns an error if the users's session state is not valid. // IsExpired returns true if the users's session is expired.
func (s *State) Verify(audience string) error { func (s *State) IsExpired() bool {
if s.Expiry != nil && timeNow().After(s.Expiry.Time()) { if s.Expiry != nil && timeNow().After(s.Expiry.Time()) {
return ErrExpired return true
} }
// if we have an associated access token, check if that token has expired as well
if s.AccessToken != nil && timeNow().After(s.AccessToken.Expiry) { if s.AccessToken != nil && timeNow().After(s.AccessToken.Expiry) {
return ErrExpired return true
} }
if len(s.Audience) != 0 { return false
if !s.Audience.Contains(audience) {
return ErrInvalidAudience
}
}
return nil
} }
// Impersonating returns if the request is impersonating. // Impersonating returns if the request is impersonating.

7
internal/sessions/state_test.go
View file

@ -48,7 +48,7 @@ func TestState_Impersonating(t *testing.T) {
} }
} }
func TestState_Verify(t *testing.T) { func TestState_IsExpired(t *testing.T) {
t.Parallel() t.Parallel()
tests := []struct { tests := []struct {
name string name string
@ -63,7 +63,6 @@ func TestState_Verify(t *testing.T) {
}{ }{
{"good", []string{"a", "b", "c"}, jwt.NewNumericDate(time.Now().Add(time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), &oauth2.Token{Expiry: time.Now().Add(time.Hour)}, "a", false}, {"good", []string{"a", "b", "c"}, jwt.NewNumericDate(time.Now().Add(time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), &oauth2.Token{Expiry: time.Now().Add(time.Hour)}, "a", false},
{"bad expiry", []string{"a", "b", "c"}, jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), &oauth2.Token{Expiry: time.Now().Add(time.Hour)}, "a", true}, {"bad expiry", []string{"a", "b", "c"}, jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), &oauth2.Token{Expiry: time.Now().Add(time.Hour)}, "a", true},
{"bad audience", []string{"x", "y", "z"}, jwt.NewNumericDate(time.Now().Add(time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), &oauth2.Token{Expiry: time.Now().Add(time.Hour)}, "a", true},
{"bad access token expiry", []string{"a", "b", "c"}, jwt.NewNumericDate(time.Now().Add(time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), &oauth2.Token{Expiry: time.Now().Add(-time.Hour)}, "a", true}, {"bad access token expiry", []string{"a", "b", "c"}, jwt.NewNumericDate(time.Now().Add(time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), &oauth2.Token{Expiry: time.Now().Add(-time.Hour)}, "a", true},
} }
for _, tt := range tests { for _, tt := range tests {
@ -75,8 +74,8 @@ func TestState_Verify(t *testing.T) {
IssuedAt: tt.IssuedAt, IssuedAt: tt.IssuedAt,
AccessToken: tt.AccessToken, AccessToken: tt.AccessToken,
} }
if err := s.Verify(tt.audience); (err != nil) != tt.wantErr { if exp := s.IsExpired(); exp != tt.wantErr {
t.Errorf("State.Verify() error = %v, wantErr %v", err, tt.wantErr) t.Errorf("State.IsExpired() error = %v, wantErr %v", exp, tt.wantErr)
} }
}) })
} }