mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-29 18:36:30 +02:00
session: remove audience check (#640)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
This commit is contained in:
Bobby DeSimone
GitHub
parent
b1d3bbaf56
commit
f7ee08b05a
3 changed files with 11 additions and 30 deletions
|
|
@ -86,15 +86,12 @@ func (a *Authenticate) VerifySession(next http.Handler) http.Handler {
|
|||
return httputil.NewError(http.StatusBadRequest, err)
|
||||
}
|
||||
|
||||
if err := s.Verify(r.Host); errors.Is(err, sessions.ErrExpired) {
|
||||
if s.IsExpired() {
|
||||
ctx, err = a.refresh(w, r, &s)
|
||||
if err != nil {
|
||||
log.FromRequest(r).Info().Err(err).Msg("authenticate: verify session, refresh")
|
||||
return a.reauthenticateOrFail(w, r, err)
|
||||
}
|
||||
} else if err != nil {
|
||||
log.FromRequest(r).Info().Err(err).Msg("authenticate: verify session")
|
||||
return a.reauthenticateOrFail(w, r, err)
|
||||
}
|
||||
next.ServeHTTP(w, r.WithContext(ctx))
|
||||
return nil
|
||||
|
|
@ -164,9 +161,7 @@ func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) error {
|
|||
if err := a.encryptedEncoder.Unmarshal([]byte(jwt), &s); err != nil {
|
||||
return httputil.NewError(http.StatusBadRequest, err)
|
||||
}
|
||||
if err := s.Verify(r.Host); err != nil && !errors.Is(err, sessions.ErrExpired) {
|
||||
return httputil.NewError(http.StatusBadRequest, err)
|
||||
}
|
||||
|
||||
// user impersonation
|
||||
if impersonate := r.FormValue(urlutil.QueryImpersonateAction); impersonate != "" {
|
||||
s.SetImpersonation(r.FormValue(urlutil.QueryImpersonateEmail), r.FormValue(urlutil.QueryImpersonateGroups))
|
||||
|
|
@ -376,10 +371,6 @@ func (a *Authenticate) RefreshAPI(w http.ResponseWriter, r *http.Request) error
|
|||
if err := a.encryptedEncoder.Unmarshal([]byte(jwt), &s); err != nil {
|
||||
return httputil.NewError(http.StatusBadRequest, err)
|
||||
}
|
||||
err = s.Verify(r.Host)
|
||||
if err != nil && !errors.Is(err, sessions.ErrExpired) {
|
||||
return httputil.NewError(http.StatusBadRequest, err)
|
||||
}
|
||||
newSession, err := a.provider.Refresh(r.Context(), &s)
|
||||
if err != nil {
|
||||
return err
|
||||
|
|
@ -425,9 +416,7 @@ func (a *Authenticate) Refresh(w http.ResponseWriter, r *http.Request) error {
|
|||
if err := a.encryptedEncoder.Unmarshal([]byte(jwt), &s); err != nil {
|
||||
return httputil.NewError(http.StatusBadRequest, err)
|
||||
}
|
||||
if err := s.Verify(r.Host); err != nil && !errors.Is(err, sessions.ErrExpired) {
|
||||
return httputil.NewError(http.StatusBadRequest, err)
|
||||
}
|
||||
|
||||
aud := strings.Split(r.FormValue(urlutil.QueryAudience), ",")
|
||||
routeSession := s.NewSession(r.Host, aud)
|
||||
routeSession.AccessTokenID = s.AccessTokenID
|
||||
|
|
|
|||
|
|
@ -114,25 +114,18 @@ func (s State) RouteSession() *State {
|
|||
return &s
|
||||
}
|
||||
|
||||
// Verify returns an error if the users's session state is not valid.
|
||||
func (s *State) Verify(audience string) error {
|
||||
// IsExpired returns true if the users's session is expired.
|
||||
func (s *State) IsExpired() bool {
|
||||
|
||||
if s.Expiry != nil && timeNow().After(s.Expiry.Time()) {
|
||||
return ErrExpired
|
||||
return true
|
||||
}
|
||||
|
||||
// if we have an associated access token, check if that token has expired as well
|
||||
if s.AccessToken != nil && timeNow().After(s.AccessToken.Expiry) {
|
||||
return ErrExpired
|
||||
return true
|
||||
}
|
||||
|
||||
if len(s.Audience) != 0 {
|
||||
if !s.Audience.Contains(audience) {
|
||||
return ErrInvalidAudience
|
||||
}
|
||||
|
||||
}
|
||||
return nil
|
||||
return false
|
||||
}
|
||||
|
||||
// Impersonating returns if the request is impersonating.
|
||||
|
|
|
|||
|
|
@ -48,7 +48,7 @@ func TestState_Impersonating(t *testing.T) {
|
|||
}
|
||||
}
|
||||
|
||||
func TestState_Verify(t *testing.T) {
|
||||
func TestState_IsExpired(t *testing.T) {
|
||||
t.Parallel()
|
||||
tests := []struct {
|
||||
name string
|
||||
|
|
@ -63,7 +63,6 @@ func TestState_Verify(t *testing.T) {
|
|||
}{
|
||||
{"good", []string{"a", "b", "c"}, jwt.NewNumericDate(time.Now().Add(time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), &oauth2.Token{Expiry: time.Now().Add(time.Hour)}, "a", false},
|
||||
{"bad expiry", []string{"a", "b", "c"}, jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), &oauth2.Token{Expiry: time.Now().Add(time.Hour)}, "a", true},
|
||||
{"bad audience", []string{"x", "y", "z"}, jwt.NewNumericDate(time.Now().Add(time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), &oauth2.Token{Expiry: time.Now().Add(time.Hour)}, "a", true},
|
||||
{"bad access token expiry", []string{"a", "b", "c"}, jwt.NewNumericDate(time.Now().Add(time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), jwt.NewNumericDate(time.Now().Add(-time.Hour)), &oauth2.Token{Expiry: time.Now().Add(-time.Hour)}, "a", true},
|
||||
}
|
||||
for _, tt := range tests {
|
||||
|
|
@ -75,8 +74,8 @@ func TestState_Verify(t *testing.T) {
|
|||
IssuedAt: tt.IssuedAt,
|
||||
AccessToken: tt.AccessToken,
|
||||
}
|
||||
if err := s.Verify(tt.audience); (err != nil) != tt.wantErr {
|
||||
t.Errorf("State.Verify() error = %v, wantErr %v", err, tt.wantErr)
|
||||
if exp := s.IsExpired(); exp != tt.wantErr {
|
||||
t.Errorf("State.IsExpired() error = %v, wantErr %v", exp, tt.wantErr)
|
||||
}
|
||||
})
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue