Commit graph

89 commits

Author SHA1 Message Date
Caleb Doxsey
753eeff12f
proxy: fix sign out redirect (#3827)
* proxy: fix sign out redirect

* add test
2022-12-20 09:32:49 -07:00
Caleb Doxsey
b375dc4896
jwt: require logged in user to return .pomerium/jwt (#3807)
* jwt: require logged in user to return .pomerium/jwt

* fix test

* update test
2022-12-13 13:49:36 -07:00
Caleb Doxsey
57217af7dd
authenticate: implement hpke-based login flow (#3779)
* urlutil: add time validation functions

* authenticate: implement hpke-based login flow

* fix import cycle

* fix tests

* log error

* fix callback url

* add idp param

* fix test

* fix test
2022-12-05 15:31:07 -07:00
Caleb Doxsey
c1a522cd82
proxy: add userinfo and webauthn endpoints (#3755)
* proxy: add userinfo and webauthn endpoints

* use TLD for RP id

* use EffectiveTLDPlusOne

* upgrade webauthn

* fix test

* Update internal/handlers/jwks.go

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>
2022-11-22 10:26:35 -07:00
Caleb Doxsey
0898dd4f34
proxy: fix error page (#3020)
* fix error page

* proxy: fix error page

* share dashboard code

* fix test
2022-02-09 09:14:24 -07:00
Caleb Doxsey
f84f7551d0
authenticate: fix default sign out url (#2061) 2021-04-06 10:35:08 -06:00
Travis Groth
c7d243d742
proxy: restrict programmatic URLs to localhost (#2049)
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2021-04-01 10:04:49 -04:00
Travis Groth
0635c838c9
authenticate: validate signature on /.pomerium, /.pomerium/sign_in and /.pomerium/sign_out (#2048)
Co-authored-by: Caleb Doxsey <cdoxsey@pomerium.com>
2021-04-01 10:04:16 -04:00
Caleb Doxsey
3690a32855
config: use getters for authenticate, signout and forward auth urls (#2000) 2021-03-19 14:49:25 -06:00
Caleb Doxsey
4f2bb60adb
proxy: redirect to dashboard for logout (#1944) 2021-02-24 11:52:38 -07:00
bobby
c3e3ed9b50
authenticate: validate origin of signout (#1876)
* authenticate: validate origin of signout

- add a debug task to kill envoy
- improve various function docs
- userinfo: return "error" page if user is logged out without redirect uri set
- remove front channel logout. There's little difference between it, and the signout function.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2021-02-11 21:37:54 -08:00
Caleb Doxsey
cc85ea601d
policy: add new certificate-authority option for downstream mTLS client certificates (#1835)
* policy: add new certificate-authority option for downstream mTLS client certificates

* update proto, docs
2021-02-01 08:10:32 -07:00
bobby
9b39deabd8
forward-auth: use envoy's ext_authz check (#1482)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-10-04 20:01:06 -07:00
Caleb Doxsey
852c96f22f
proxy: add support for /.pomerium/jwt (#1446) 2020-09-23 07:55:12 -06:00
Cuong Manh Le
9de99d0211
all: add signout redirect url (#1324)
Fixes #1213
2020-08-25 01:23:58 +07:00
bobby
c1b3b45d12
proxy: remove unused handlers (#1317)
proxy: remove unused handlers

authenticate: remove unused references to refresh_token

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-08-22 10:02:12 -07:00
Cuong Manh Le
31205c0c29 proxy: fix wrong applied middleware
Validate signature middleware must be applied for the callback
sub-router, not the whole dashboard router.

Fixes #1297
2020-08-18 20:25:11 +07:00
Caleb Doxsey
d9a224a5e8
proxy: move properties to atomically updated state (#1280)
* authenticate: remove cookie options

* authenticate: remove shared key field

* authenticate: remove shared cipher property

* authenticate: move properties to separate state struct

* proxy: allow local state to be updated on configuration changes

* fix test

* return new connection

* use warn, collapse to single line

* address concerns, fix tests
2020-08-14 11:44:58 -06:00
Caleb Doxsey
fbf5b403b9
config: allow dynamic configuration of cookie settings (#1267) 2020-08-13 08:11:34 -06:00
Caleb Doxsey
fae02791f5
cryptutil: move to pkg dir, add token generator (#1029)
* cryptutil: move to pkg dir, add token generator

* add gitignored files

* add tests
2020-06-30 15:55:33 -06:00
Caleb Doxsey
8362f18355
authenticate: move impersonate from proxy to authenticate (#965) 2020-06-22 11:58:27 -06:00
Caleb Doxsey
dbd7f55b20
feature/databroker: user data and session refactor project (#926)
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
2020-06-19 07:52:44 -06:00
Travis Groth
99e788a9b4 envoy: Initial changes 2020-05-18 17:10:10 -04:00
Bobby DeSimone
ba14ea246d
*: remove import path comments (#545)
- import path comments are obsoleted by the go.mod file's module statement

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-03-16 10:13:47 -07:00
Bobby DeSimone
8d1732582e
authorize: use jwt insead of state struct (#514)
authenticate: unmarshal and verify state from jwt, instead of middleware
authorize: embed opa policy using statik
authorize: have IsAuthorized handle authorization for all routes
authorize: if no signing key is provided, one is generated
authorize: remove IsAdmin grpc endpoint
authorize/client: return authorize decision struct
cmd/pomerium: main logger no longer contains email and group
cryptutil: add ECDSA signing methods
dashboard: have impersonate form show up for all users, but have api gated by authz
docs: fix typo in signed jwt header
encoding/jws: remove unused es256 signer
frontend: namespace static web assets
internal/sessions: remove leeway to match authz policy
proxy:  move signing functionality to authz
proxy: remove jwt attestation from proxy (authZ does now)
proxy: remove non-signed headers from headers
proxy: remove special handling of x-forwarded-host
sessions: do not verify state in middleware
sessions: remove leeway from state to match authz
sessions/{all}: store jwt directly instead of state

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-03-10 11:19:26 -07:00
Bobby DeSimone
2f13488598
authorize: use opa for policy engine (#474)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2020-02-02 11:18:22 -08:00
Bobby DeSimone
b3d3159185
httputil : wrap handlers for additional context (#413)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-12-06 11:07:45 -08:00
Bobby DeSimone
74cd9eabbb
authenticate: fix impersonation getting cleared (#411) 2019-11-30 10:54:32 -08:00
Bobby DeSimone
c8e6277a30
Merge remote-tracking branch 'upstream/master' into bugs/fix-forward-auth
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-11-25 15:02:25 -08:00
Bobby DeSimone
0f6a9d7f1d
proxy: fix forward auth, request signing
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-11-25 14:29:52 -08:00
Bobby DeSimone
ebee64b70b
internal/frontend : serve static assets (#392)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-11-22 17:46:01 -08:00
Bobby DeSimone
6743accd74
lint: bump golangci-lint 1.21.0 (#391)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-11-19 19:58:11 -08:00
Bobby DeSimone
00c29f4e77
authenticate: handle XHR redirect flow (#387)
- authenticate: add cors preflight check support for sign_in endpoint
- internal/httputil: indicate responses that originate from pomerium vs the app
- proxy: detect XHR requests and do not redirect on failure.
- authenticate: removed default session duration; should be maintained out of band with rpc.
2019-11-14 19:37:31 -08:00
Bobby DeSimone
d3d60d1055 all: support route scoped sessions
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-11-06 17:54:15 -08:00
Bobby DeSimone
7d7e997e79
proxy: verify endpoint strip added callback params (#368)
- proxy: use distinct host route for forward-auth handlers
- proxy: have auth middleware set pomerium headers for request and response
2019-10-15 15:36:00 -07:00
Bobby DeSimone
0e85b2b1cb
bug: fix forward-auth redirect (#364) 2019-10-13 11:09:30 -07:00
Bobby DeSimone
badd8d69af
internal/sessions: refactor how sessions loading (#351)
These chagnes standardize how session loading is done for session
cookie, auth bearer token, and query params.

- Bearer token previously combined with session cookie.
- rearranged cookie-store to put exported methods above unexported
- added header store that implements session loader interface
- added query param store that implements session loader interface

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-10-06 10:47:53 -07:00
Bobby DeSimone
eaa1e7a4fb
proxy: support external access control requests (#324)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-10-03 21:22:44 -07:00
Bobby DeSimone
782ffbeb3e
proxy: use middleware to manage request flow
proxy: remove duplicate error handling in New
proxy: remove routeConfigs in favor of using gorilla/mux
proxy: add proxy specific middleware
proxy: no longer need to use middleware / handler to check if valid route. Can use build in 404 mux.
internal/middleware: add cors bypass middleware

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-09-25 12:28:37 -07:00
Bobby DeSimone
cfeb5e1ef9
Merge pull request #310 from desimone/bug/262
proxy: handle double slash in paths
2019-09-18 19:54:38 -07:00
Bobby DeSimone
c315b62df4
Merge pull request #304 from desimone/bug/fix-group-impersonation
proxy: fix group impersonation bug
2019-09-18 19:54:17 -07:00
Bobby DeSimone
664fb8b0ea
proxy: remove csrf checks from proxied routes
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-09-18 12:47:30 -07:00
Bobby DeSimone
21e215ccea
proxy: handle double slash in paths
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-09-16 20:34:04 -07:00
Bobby DeSimone
decf661eb0
proxy: fix group impersonation bug
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-09-16 19:23:55 -07:00
Bobby DeSimone
dc12947241
all: refactor handler logic
- all: prefer `FormValues` to `ParseForm` with subsequent `Form.Get`s
- all: refactor authentication stack to be checked by middleware, and accessible via request context.
- all: replace http.ServeMux with gorilla/mux’s router
- all: replace custom CSRF checks with gorilla/csrf middleware
- authenticate: extract callback path as constant.
- internal/config: implement stringer interface for policy
- internal/cryptutil: add helper func `NewBase64Key`
- internal/cryptutil: rename `GenerateKey` to `NewKey`
- internal/cryptutil: rename `GenerateRandomString` to `NewRandomStringN`
- internal/middleware: removed alice in favor of gorilla/mux
- internal/sessions: remove unused `ValidateRedirectURI` and `ValidateClientSecret`
- internal/sessions: replace custom CSRF with gorilla/csrf fork that supports custom handler protection
- internal/urlutil: add `SignedRedirectURL` to create hmac'd URLs
- internal/urlutil: add `ValidateURL` helper to parse URL options
- internal/urlutil: add `GetAbsoluteURL` which takes a request and returns its absolute URL.
- proxy: remove holdover state verification checks; we no longer are setting sessions in any proxy routes so we don’t need them.
- proxy: replace un-named http.ServeMux with named domain routes.

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-09-16 18:01:14 -07:00
Bobby DeSimone
380d314404
authenticate: make service http only
- Rename SessionState to State to avoid stutter.
- Simplified option validation to use a wrapper function for base64 secrets.
- Removed authenticates grpc code.
- Abstracted logic to load and validate a user's authenticate session.
- Removed instances of url.Parse in favor of urlutil's version.
- proxy: replaces grpc refresh logic with forced deadline advancement.
- internal/sessions: remove rest store; parse authorize header as part of session store.
- proxy: refactor request signer
- sessions: remove extend deadline (fixes #294)
- remove AuthenticateInternalAddr
- remove AuthenticateInternalAddrString
- omit type tag.Key from declaration of vars TagKey* it will be inferred
  from the right-hand side
- remove compatibility package xerrors
- use cloned http.DefaultTransport as base transport
2019-09-04 16:27:08 -07:00
Bobby DeSimone
6e6ab3baa0
httputil: use http error wrapper
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-08-24 09:15:07 -07:00
Bobby DeSimone
a962877ad4
config: fix url type regression (#253)
Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-08-03 12:08:26 -07:00
Bobby DeSimone
b85f8de05f
development: use golangci-lint 2019-07-13 18:28:51 -07:00
Bobby DeSimone
7558d5b0de
internal/config: refactor option parsing
- authorize: build whitelist from policy's URLs instead of strings.
- internal/httputil: merged httputil and https package.
- internal/config: merged config and policy packages.
- internal/metrics: removed unused measure struct.
- proxy/clients: refactor Addr fields to be urls.
- proxy: remove unused extend deadline function.
- proxy: use handler middleware for reverse proxy leg.
- proxy: change the way websocket requests are made (route based).

General improvements
- omitted value from range in several cases where for loop could be simplified.
- added error checking to many tests.
- standardize url parsing.
- remove unnecessary return statements.

- proxy: add self-signed certificate support. #179
- proxy: add skip tls certificate verification. #179
- proxy: Refactor websocket support to be route based. #204
2019-07-07 09:39:31 -07:00