package authenticate // import "github.com/pomerium/pomerium/authenticate" import ( "encoding/base64" "fmt" "net/http" "net/url" "strings" "github.com/pomerium/pomerium/internal/cryptutil" "github.com/pomerium/pomerium/internal/httputil" "github.com/pomerium/pomerium/internal/log" "github.com/pomerium/pomerium/internal/middleware" "github.com/pomerium/pomerium/internal/sessions" ) // CSPHeaders are the content security headers added to the service's handlers var CSPHeaders = map[string]string{ "Content-Security-Policy": "default-src 'none'; style-src 'self'" + " 'sha256-z9MsgkMbQjRSLxzAfN55jB3a9pP0PQ4OHFH8b4iDP6s=' " + " 'sha256-qnVkQSG7pWu17hBhIw0kCpfEB3XGvt0mNRa6+uM6OUU=' " + " 'sha256-qOdRsNZhtR+htazbcy7guQl3Cn1cqOw1FcE4d3llae0='; " + "img-src 'self';", "Referrer-Policy": "Same-origin", } // Handler returns the authenticate service's HTTP request multiplexer, and routes. func (a *Authenticate) Handler() http.Handler { // validation middleware chain c := middleware.NewChain() c = c.Append(middleware.SetHeaders(CSPHeaders)) validate := c.Append(middleware.ValidateSignature(a.SharedKey)) validate = validate.Append(middleware.ValidateRedirectURI(a.RedirectURL)) mux := http.NewServeMux() mux.Handle("/robots.txt", c.ThenFunc(a.RobotsTxt)) // Identity Provider (IdP) callback endpoints and callbacks mux.Handle("/start", c.ThenFunc(a.OAuthStart)) mux.Handle("/oauth2/callback", c.ThenFunc(a.OAuthCallback)) // authenticate-server endpoints mux.Handle("/sign_in", validate.ThenFunc(a.SignIn)) mux.Handle("/sign_out", validate.ThenFunc(a.SignOut)) // POST // programmatic authentication endpoints mux.Handle("/api/v1/token", c.ThenFunc(a.ExchangeToken)) return mux } // RobotsTxt handles the /robots.txt route. func (a *Authenticate) RobotsTxt(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) fmt.Fprintf(w, "User-agent: *\nDisallow: /") } func (a *Authenticate) authenticate(w http.ResponseWriter, r *http.Request, session *sessions.SessionState) error { if session.RefreshPeriodExpired() { session, err := a.provider.Refresh(r.Context(), session) if err != nil { return fmt.Errorf("authenticate: session refresh failed : %v", err) } err = a.sessionStore.SaveSession(w, r, session) if err != nil { return fmt.Errorf("authenticate: failed saving refreshed session : %v", err) } } else { valid, err := a.provider.Validate(r.Context(), session.IDToken) if err != nil || !valid { return fmt.Errorf("authenticate: session valid: %v : %v", valid, err) } } return nil } // SignIn handles the sign_in endpoint. It attempts to authenticate the user, // and if the user is not authenticated, it renders a sign in page. func (a *Authenticate) SignIn(w http.ResponseWriter, r *http.Request) { session, err := a.sessionStore.LoadSession(r) if err != nil { switch err { case http.ErrNoCookie, sessions.ErrLifetimeExpired, sessions.ErrInvalidSession: log.FromRequest(r).Debug().Err(err).Msg("authenticate: invalid session") a.sessionStore.ClearSession(w, r) a.OAuthStart(w, r) return default: log.FromRequest(r).Error().Err(err).Msg("authenticate: unexpected error") httpErr := &httputil.Error{Message: "An unexpected error occurred", Code: http.StatusInternalServerError} httputil.ErrorResponse(w, r, httpErr) return } } err = a.authenticate(w, r, session) if err != nil { httpErr := &httputil.Error{Message: err.Error(), Code: http.StatusInternalServerError} httputil.ErrorResponse(w, r, httpErr) return } if err = r.ParseForm(); err != nil { httpErr := &httputil.Error{Message: err.Error(), Code: http.StatusInternalServerError} httputil.ErrorResponse(w, r, httpErr) return } // original `state` parameter received from the proxy application. state := r.Form.Get("state") if state == "" { httpErr := &httputil.Error{Message: "no state parameter supplied", Code: http.StatusBadRequest} httputil.ErrorResponse(w, r, httpErr) return } redirectURL, err := url.Parse(r.Form.Get("redirect_uri")) if err != nil { httpErr := &httputil.Error{Message: "malformed redirect_uri parameter passed", Code: http.StatusBadRequest} httputil.ErrorResponse(w, r, httpErr) return } // encrypt session state as json blob encrypted, err := sessions.MarshalSession(session, a.cipher) if err != nil { httpErr := &httputil.Error{Message: err.Error(), Code: http.StatusInternalServerError} httputil.ErrorResponse(w, r, httpErr) return } http.Redirect(w, r, getAuthCodeRedirectURL(redirectURL, state, encrypted), http.StatusFound) } func getAuthCodeRedirectURL(redirectURL *url.URL, state, authCode string) string { u, _ := url.Parse(redirectURL.String()) params, _ := url.ParseQuery(u.RawQuery) params.Set("code", authCode) params.Set("state", state) u.RawQuery = params.Encode() if u.Scheme == "" { u.Scheme = "https" } return u.String() } // SignOut signs the user out by trying to revoke the user's remote identity session along with // the associated local session state. Handles both GET and POST. func (a *Authenticate) SignOut(w http.ResponseWriter, r *http.Request) { if err := r.ParseForm(); err != nil { log.Error().Err(err).Msg("authenticate: error SignOut form") httpErr := &httputil.Error{Code: http.StatusBadRequest} httputil.ErrorResponse(w, r, httpErr) return } redirectURI := r.Form.Get("redirect_uri") session, err := a.sessionStore.LoadSession(r) if err != nil { log.Error().Err(err).Msg("authenticate: no session to signout, redirect and clear") http.Redirect(w, r, redirectURI, http.StatusFound) return } a.sessionStore.ClearSession(w, r) err = a.provider.Revoke(session.AccessToken) if err != nil { log.Error().Err(err).Msg("authenticate: failed to revoke user session") httpErr := &httputil.Error{Message: fmt.Sprintf("could not revoke session: %s ", err.Error()), Code: http.StatusBadRequest} httputil.ErrorResponse(w, r, httpErr) return } http.Redirect(w, r, redirectURI, http.StatusFound) } // OAuthStart starts the authenticate process by redirecting to the identity provider. // https://tools.ietf.org/html/rfc6749#section-4.2.1 func (a *Authenticate) OAuthStart(w http.ResponseWriter, r *http.Request) { authRedirectURL := a.RedirectURL.ResolveReference(r.URL) // generate a nonce to check following authentication with the IdP nonce := fmt.Sprintf("%x", cryptutil.GenerateKey()) a.csrfStore.SetCSRF(w, r, nonce) // verify redirect uri is from the root domain if !middleware.SameDomain(authRedirectURL, a.RedirectURL) { httpErr := &httputil.Error{Message: "Invalid redirect parameter: redirect uri not from the root domain", Code: http.StatusBadRequest} httputil.ErrorResponse(w, r, httpErr) return } // verify proxy url is from the root domain proxyRedirectURL, err := url.Parse(authRedirectURL.Query().Get("redirect_uri")) if err != nil || !middleware.SameDomain(proxyRedirectURL, a.RedirectURL) { httpErr := &httputil.Error{Message: "Invalid redirect parameter: proxy url not from the root domain", Code: http.StatusBadRequest} httputil.ErrorResponse(w, r, httpErr) return } // get the signature and timestamp values then compare hmac proxyRedirectSig := authRedirectURL.Query().Get("sig") ts := authRedirectURL.Query().Get("ts") if !middleware.ValidSignature(proxyRedirectURL.String(), proxyRedirectSig, ts, a.SharedKey) { httpErr := &httputil.Error{Message: "Invalid redirect parameter: invalid signature", Code: http.StatusBadRequest} httputil.ErrorResponse(w, r, httpErr) return } // concat base64'd nonce and authenticate url to make state state := base64.URLEncoding.EncodeToString([]byte(fmt.Sprintf("%v:%v", nonce, authRedirectURL.String()))) // build the provider sign in url signInURL := a.provider.GetSignInURL(state) http.Redirect(w, r, signInURL, http.StatusFound) } // OAuthCallback handles the callback from the identity provider. Displays an error page if there // was an error. If successful, the user is redirected back to the proxy-service. func (a *Authenticate) OAuthCallback(w http.ResponseWriter, r *http.Request) { redirect, err := a.getOAuthCallback(w, r) switch h := err.(type) { case nil: break case httputil.Error: log.Error().Err(err).Msg("authenticate: oauth callback error") httpErr := &httputil.Error{Message: h.Message, Code: h.Code} httputil.ErrorResponse(w, r, httpErr) return default: log.Error().Err(err).Msg("authenticate: unexpected oauth callback error") httpErr := &httputil.Error{Message: "Internal Error", Code: http.StatusInternalServerError} httputil.ErrorResponse(w, r, httpErr) return } // redirect back to the proxy-service via sign_in http.Redirect(w, r, redirect, http.StatusFound) } // getOAuthCallback completes the oauth cycle from an identity provider's callback func (a *Authenticate) getOAuthCallback(w http.ResponseWriter, r *http.Request) (string, error) { // handle the callback response from the identity provider if err := r.ParseForm(); err != nil { return "", httputil.Error{Code: http.StatusInternalServerError, Message: err.Error()} } errorString := r.Form.Get("error") if errorString != "" { log.FromRequest(r).Error().Str("Error", errorString).Msg("authenticate: provider returned error") return "", httputil.Error{Code: http.StatusForbidden, Message: errorString} } code := r.Form.Get("code") if code == "" { log.FromRequest(r).Error().Msg("authenticate: provider missing code") return "", httputil.Error{Code: http.StatusBadRequest, Message: "Missing Code"} } // validate the returned code with the identity provider session, err := a.provider.Authenticate(r.Context(), code) if err != nil { log.FromRequest(r).Error().Err(err).Msg("authenticate: error redeeming authenticate code") return "", httputil.Error{Code: http.StatusInternalServerError, Message: err.Error()} } // okay, time to go back to the proxy service. bytes, err := base64.URLEncoding.DecodeString(r.Form.Get("state")) if err != nil { log.FromRequest(r).Error().Err(err).Msg("authenticate: failed decoding state") return "", httputil.Error{Code: http.StatusBadRequest, Message: "Couldn't decode state"} } s := strings.SplitN(string(bytes), ":", 2) if len(s) != 2 { return "", httputil.Error{Code: http.StatusBadRequest, Message: "Invalid State"} } nonce := s[0] redirect := s[1] c, err := a.csrfStore.GetCSRF(r) defer a.csrfStore.ClearCSRF(w, r) if err != nil || c.Value != nonce { log.FromRequest(r).Error().Err(err).Msg("authenticate: csrf failure") return "", httputil.Error{Code: http.StatusForbidden, Message: "CSRF failed"} } redirectURL, err := url.Parse(redirect) if err != nil { log.FromRequest(r).Error().Err(err).Msg("authenticate: malformed redirect url") return "", httputil.Error{Code: http.StatusForbidden, Message: "Malformed redirect url"} } // sanity check, we are redirecting back to the same subdomain right? if !middleware.SameDomain(redirectURL, a.RedirectURL) { return "", httputil.Error{Code: http.StatusBadRequest, Message: "Invalid Redirect URI domain"} } if err := a.sessionStore.SaveSession(w, r, session); err != nil { log.Error().Err(err).Msg("authenticate: failed saving new session") return "", httputil.Error{Code: http.StatusInternalServerError, Message: err.Error()} } return redirect, nil } // ExchangeToken takes an identity provider issued JWT as input ('id_token) // and exchanges that token for a pomerium session. The provided token's // audience ('aud') attribute must match Pomerium's client_id. func (a *Authenticate) ExchangeToken(w http.ResponseWriter, r *http.Request) { if err := r.ParseForm(); err != nil { httputil.ErrorResponse(w, r, &httputil.Error{Code: http.StatusInternalServerError, Message: err.Error()}) return } code := r.Form.Get("id_token") if code == "" { log.FromRequest(r).Error().Msg("authenticate: provider missing id token") httputil.ErrorResponse(w, r, &httputil.Error{Code: http.StatusBadRequest, Message: "missing id token"}) return } session, err := a.provider.IDTokenToSession(r.Context(), code) if err != nil { log.FromRequest(r).Error().Err(err).Msg("authenticate: error exchanging identity provider code") httputil.ErrorResponse(w, r, &httputil.Error{Code: http.StatusInternalServerError, Message: "could not exchange identity for session"}) return } if err := a.restStore.SaveSession(w, r, session); err != nil { log.Error().Err(err).Msg("authenticate: failed returning new session") httputil.ErrorResponse(w, r, &httputil.Error{Code: http.StatusInternalServerError, Message: "authenticate: failed returning new session"}) return } }