mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-30 02:46:30 +02:00
380d314404
- Rename SessionState to State to avoid stutter. - Simplified option validation to use a wrapper function for base64 secrets. - Removed authenticates grpc code. - Abstracted logic to load and validate a user's authenticate session. - Removed instances of url.Parse in favor of urlutil's version. - proxy: replaces grpc refresh logic with forced deadline advancement. - internal/sessions: remove rest store; parse authorize header as part of session store. - proxy: refactor request signer - sessions: remove extend deadline (fixes #294) - remove AuthenticateInternalAddr - remove AuthenticateInternalAddrString - omit type tag.Key from declaration of vars TagKey* it will be inferred from the right-hand side - remove compatibility package xerrors - use cloned http.DefaultTransport as base transport
438 lines
14 KiB
Go
438 lines
14 KiB
Go
package proxy // import "github.com/pomerium/pomerium/proxy"
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/pomerium/pomerium/internal/config"
|
|
"github.com/pomerium/pomerium/internal/cryptutil"
|
|
"github.com/pomerium/pomerium/internal/httputil"
|
|
"github.com/pomerium/pomerium/internal/log"
|
|
"github.com/pomerium/pomerium/internal/middleware"
|
|
"github.com/pomerium/pomerium/internal/sessions"
|
|
"github.com/pomerium/pomerium/internal/templates"
|
|
"github.com/pomerium/pomerium/internal/urlutil"
|
|
)
|
|
|
|
// StateParameter holds the redirect id along with the session id.
|
|
type StateParameter struct {
|
|
SessionID string `json:"session_id"`
|
|
RedirectURI string `json:"redirect_uri"`
|
|
}
|
|
|
|
// Handler returns the proxy service's ServeMux
|
|
func (p *Proxy) Handler() http.Handler {
|
|
// validation middleware chain
|
|
validate := middleware.NewChain()
|
|
validate = validate.Append(middleware.ValidateHost(func(host string) bool {
|
|
_, ok := p.routeConfigs[host]
|
|
return ok
|
|
}))
|
|
mux := http.NewServeMux()
|
|
mux.HandleFunc("/robots.txt", p.RobotsTxt)
|
|
mux.HandleFunc("/.pomerium", p.UserDashboard)
|
|
mux.HandleFunc("/.pomerium/impersonate", p.Impersonate) // POST
|
|
mux.HandleFunc("/.pomerium/sign_out", p.SignOut)
|
|
// handlers with validation
|
|
mux.Handle("/.pomerium/callback", validate.ThenFunc(p.AuthenticateCallback))
|
|
mux.Handle("/.pomerium/refresh", validate.ThenFunc(p.ForceRefresh))
|
|
mux.Handle("/", validate.ThenFunc(p.Proxy))
|
|
return mux
|
|
}
|
|
|
|
// RobotsTxt sets the User-Agent header in the response to be "Disallow"
|
|
func (p *Proxy) RobotsTxt(w http.ResponseWriter, _ *http.Request) {
|
|
w.WriteHeader(http.StatusOK)
|
|
fmt.Fprintf(w, "User-agent: *\nDisallow: /")
|
|
}
|
|
|
|
// SignOut redirects the request to the sign out url. It's the responsibility
|
|
// of the authenticate service to revoke the remote session and clear
|
|
// the local session state.
|
|
func (p *Proxy) SignOut(w http.ResponseWriter, r *http.Request) {
|
|
redirectURL := &url.URL{Scheme: "https", Host: r.Host, Path: "/"}
|
|
switch r.Method {
|
|
case http.MethodPost:
|
|
if err := r.ParseForm(); err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
uri, err := urlutil.ParseAndValidateURL(r.Form.Get("redirect_uri"))
|
|
if err == nil && uri.String() != "" {
|
|
redirectURL = uri
|
|
}
|
|
default:
|
|
uri, err := urlutil.ParseAndValidateURL(r.URL.Query().Get("redirect_uri"))
|
|
if err == nil && uri.String() != "" {
|
|
redirectURL = uri
|
|
}
|
|
}
|
|
http.Redirect(w, r, p.GetSignOutURL(p.authenticateURL, redirectURL).String(), http.StatusFound)
|
|
}
|
|
|
|
// OAuthStart begins the authenticate flow, encrypting the redirect url
|
|
// in a request to the provider's sign in endpoint.
|
|
func (p *Proxy) OAuthStart(w http.ResponseWriter, r *http.Request) {
|
|
state := &StateParameter{
|
|
SessionID: fmt.Sprintf("%x", cryptutil.GenerateKey()),
|
|
RedirectURI: r.URL.String(),
|
|
}
|
|
|
|
// Encrypt CSRF + redirect_uri and store in csrf session. Validated on callback.
|
|
csrfState, err := p.cipher.Marshal(state)
|
|
if err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
p.csrfStore.SetCSRF(w, r, csrfState)
|
|
|
|
paramState, err := p.cipher.Marshal(state)
|
|
if err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
|
|
// Sanity check. The encrypted payload of local and remote state should
|
|
// never match as each encryption round uses a cryptographic nonce.
|
|
// if paramState == csrfState {
|
|
// httputil.ErrorResponse(w, r, httputil.Error("encrypted state should not match", http.StatusBadRequest, nil))
|
|
// return
|
|
// }
|
|
|
|
signinURL := p.GetSignInURL(p.authenticateURL, p.GetRedirectURL(r.Host), paramState)
|
|
|
|
// Redirect the user to the authenticate service along with the encrypted
|
|
// state which contains a redirect uri back to the proxy and a nonce
|
|
http.Redirect(w, r, signinURL.String(), http.StatusFound)
|
|
}
|
|
|
|
// AuthenticateCallback checks the state parameter to make sure it matches the
|
|
// local csrf state then redirects the user back to the original intended route.
|
|
func (p *Proxy) AuthenticateCallback(w http.ResponseWriter, r *http.Request) {
|
|
if err := r.ParseForm(); err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
|
|
// Encrypted CSRF passed from authenticate service
|
|
remoteStateEncrypted := r.Form.Get("state")
|
|
var remoteStatePlain StateParameter
|
|
if err := p.cipher.Unmarshal(remoteStateEncrypted, &remoteStatePlain); err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
|
|
c, err := p.csrfStore.GetCSRF(r)
|
|
if err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
p.csrfStore.ClearCSRF(w, r)
|
|
|
|
localStateEncrypted := c.Value
|
|
var localStatePlain StateParameter
|
|
err = p.cipher.Unmarshal(localStateEncrypted, &localStatePlain)
|
|
if err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
|
|
// assert no nonce reuse
|
|
if remoteStateEncrypted == localStateEncrypted {
|
|
p.sessionStore.ClearSession(w, r)
|
|
httputil.ErrorResponse(w, r,
|
|
httputil.Error("local and remote state", http.StatusBadRequest,
|
|
fmt.Errorf("possible nonce-reuse / replay attack")))
|
|
return
|
|
}
|
|
|
|
// Decrypted remote and local state struct (inc. nonce) must match
|
|
if remoteStatePlain.SessionID != localStatePlain.SessionID {
|
|
p.sessionStore.ClearSession(w, r)
|
|
httputil.ErrorResponse(w, r, httputil.Error("CSRF mismatch", http.StatusBadRequest, nil))
|
|
return
|
|
}
|
|
|
|
// This is the redirect back to the original requested application
|
|
http.Redirect(w, r, remoteStatePlain.RedirectURI, http.StatusFound)
|
|
}
|
|
|
|
// shouldSkipAuthentication contains conditions for skipping authentication.
|
|
// Conditions should be few in number and have strong justifications.
|
|
func (p *Proxy) shouldSkipAuthentication(r *http.Request) bool {
|
|
policy, policyExists := p.policy(r)
|
|
|
|
if isCORSPreflight(r) && policyExists && policy.CORSAllowPreflight {
|
|
log.FromRequest(r).Debug().Msg("proxy: skipping authentication for valid CORS preflight request")
|
|
return true
|
|
}
|
|
|
|
if policyExists && policy.AllowPublicUnauthenticatedAccess {
|
|
log.FromRequest(r).Debug().Msg("proxy: skipping authentication for public route")
|
|
return true
|
|
}
|
|
|
|
return false
|
|
}
|
|
|
|
// isCORSPreflight inspects the request to see if this is a valid CORS preflight request.
|
|
// These checks are not exhaustive, because the proxied server should be verifying it as well.
|
|
//
|
|
// See https://www.html5rocks.com/static/images/cors_server_flowchart.png for more info.
|
|
func isCORSPreflight(r *http.Request) bool {
|
|
return r.Method == http.MethodOptions &&
|
|
r.Header.Get("Access-Control-Request-Method") != "" &&
|
|
r.Header.Get("Origin") != ""
|
|
}
|
|
|
|
func (p *Proxy) loadExistingSession(r *http.Request) (*sessions.State, error) {
|
|
s, err := p.sessionStore.LoadSession(r)
|
|
if err != nil {
|
|
return nil, fmt.Errorf("proxy: invalid session: %w", err)
|
|
}
|
|
if err := s.Valid(); err != nil {
|
|
return nil, fmt.Errorf("proxy: invalid state: %w", err)
|
|
}
|
|
return s, nil
|
|
}
|
|
|
|
// Proxy authenticates a request, either proxying the request if it is authenticated,
|
|
// or starting the authenticate service for validation if not.
|
|
func (p *Proxy) Proxy(w http.ResponseWriter, r *http.Request) {
|
|
route, ok := p.router(r)
|
|
if !ok {
|
|
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusNotFound, nil))
|
|
return
|
|
}
|
|
|
|
if p.shouldSkipAuthentication(r) {
|
|
log.FromRequest(r).Debug().Msg("proxy: access control skipped")
|
|
route.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
|
|
s, err := p.loadExistingSession(r)
|
|
if err != nil {
|
|
log.Debug().Str("cause", err.Error()).Msg("proxy: bad authN session, redirecting")
|
|
p.OAuthStart(w, r)
|
|
return
|
|
}
|
|
authorized, err := p.AuthorizeClient.Authorize(r.Context(), r.Host, s)
|
|
if err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
} else if !authorized {
|
|
httputil.ErrorResponse(w, r, httputil.Error(fmt.Sprintf("%s is not authorized for this route", s.Email), http.StatusForbidden, nil))
|
|
return
|
|
}
|
|
r.Header.Set(HeaderUserID, s.User)
|
|
r.Header.Set(HeaderEmail, s.RequestEmail())
|
|
r.Header.Set(HeaderGroups, s.RequestGroups())
|
|
|
|
route.ServeHTTP(w, r)
|
|
}
|
|
|
|
// UserDashboard lets users investigate, and refresh their current session.
|
|
// It also contains certain administrative actions like user impersonation.
|
|
// Nota bene: This endpoint does authentication, not authorization.
|
|
func (p *Proxy) UserDashboard(w http.ResponseWriter, r *http.Request) {
|
|
session, err := p.loadExistingSession(r)
|
|
if err != nil {
|
|
log.Debug().Str("cause", err.Error()).Msg("proxy: bad authN session, redirecting")
|
|
p.OAuthStart(w, r)
|
|
return
|
|
}
|
|
|
|
redirectURL := &url.URL{Scheme: "https", Host: r.Host, Path: "/.pomerium/sign_out"}
|
|
isAdmin, err := p.AuthorizeClient.IsAdmin(r.Context(), session)
|
|
if err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
|
|
// CSRF value used to mitigate replay attacks.
|
|
csrf := &StateParameter{SessionID: fmt.Sprintf("%x", cryptutil.GenerateKey())}
|
|
csrfCookie, err := p.cipher.Marshal(csrf)
|
|
if err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
p.csrfStore.SetCSRF(w, r, csrfCookie)
|
|
|
|
t := struct {
|
|
Email string
|
|
User string
|
|
Groups []string
|
|
RefreshDeadline string
|
|
SignoutURL string
|
|
|
|
IsAdmin bool
|
|
ImpersonateEmail string
|
|
ImpersonateGroup string
|
|
CSRF string
|
|
}{
|
|
Email: session.Email,
|
|
User: session.User,
|
|
Groups: session.Groups,
|
|
RefreshDeadline: time.Until(session.RefreshDeadline).Round(time.Second).String(),
|
|
SignoutURL: p.GetSignOutURL(p.authenticateURL, redirectURL).String(),
|
|
IsAdmin: isAdmin,
|
|
ImpersonateEmail: session.ImpersonateEmail,
|
|
ImpersonateGroup: strings.Join(session.ImpersonateGroups, ","),
|
|
CSRF: csrf.SessionID,
|
|
}
|
|
templates.New().ExecuteTemplate(w, "dashboard.html", t)
|
|
}
|
|
|
|
// ForceRefresh redeems and extends an existing authenticated oidc session with
|
|
// the underlying identity provider. All session details including groups,
|
|
// timeouts, will be renewed.
|
|
func (p *Proxy) ForceRefresh(w http.ResponseWriter, r *http.Request) {
|
|
session, err := p.loadExistingSession(r)
|
|
if err != nil {
|
|
log.Debug().Str("cause", err.Error()).Msg("proxy: bad authN session, redirecting")
|
|
p.OAuthStart(w, r)
|
|
return
|
|
}
|
|
iss, err := session.IssuedAt()
|
|
if err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
|
|
// reject a refresh if it's been less than the refresh cooldown to prevent abuse
|
|
if time.Since(iss) < p.refreshCooldown {
|
|
httputil.ErrorResponse(w, r,
|
|
httputil.Error(
|
|
fmt.Sprintf("Session must be %s old before refreshing", p.refreshCooldown),
|
|
http.StatusBadRequest, nil))
|
|
return
|
|
}
|
|
session.ForceRefresh()
|
|
if err = p.sessionStore.SaveSession(w, r, session); err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
http.Redirect(w, r, "/.pomerium", http.StatusFound)
|
|
}
|
|
|
|
// Impersonate takes the result of a form and adds user impersonation details
|
|
// to the user's current user sessions state if the user is currently an
|
|
// administrative user. Requests are redirected back to the user dashboard.
|
|
func (p *Proxy) Impersonate(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method == http.MethodPost {
|
|
if err := r.ParseForm(); err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
session, err := p.loadExistingSession(r)
|
|
if err != nil {
|
|
log.Debug().Str("cause", err.Error()).Msg("proxy: bad authN session, redirecting")
|
|
p.OAuthStart(w, r)
|
|
return
|
|
}
|
|
isAdmin, err := p.AuthorizeClient.IsAdmin(r.Context(), session)
|
|
if err != nil || !isAdmin {
|
|
httputil.ErrorResponse(w, r, httputil.Error(fmt.Sprintf("%s is not an administrator", session.Email), http.StatusForbidden, err))
|
|
return
|
|
}
|
|
// CSRF check -- did this request originate from our form?
|
|
c, err := p.csrfStore.GetCSRF(r)
|
|
if err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
p.csrfStore.ClearCSRF(w, r)
|
|
encryptedCSRF := c.Value
|
|
var decryptedCSRF StateParameter
|
|
if err = p.cipher.Unmarshal(encryptedCSRF, decryptedCSRF); err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
if decryptedCSRF.SessionID != r.FormValue("csrf") {
|
|
httputil.ErrorResponse(w, r, httputil.Error("CSRF mismatch", http.StatusBadRequest, nil))
|
|
return
|
|
}
|
|
|
|
// OK to impersonation
|
|
session.ImpersonateEmail = r.FormValue("email")
|
|
session.ImpersonateGroups = strings.Split(r.FormValue("group"), ",")
|
|
|
|
if err := p.sessionStore.SaveSession(w, r, session); err != nil {
|
|
httputil.ErrorResponse(w, r, err)
|
|
return
|
|
}
|
|
}
|
|
http.Redirect(w, r, "/.pomerium", http.StatusFound)
|
|
}
|
|
|
|
// router attempts to find a route for a request. If a route is successfully matched,
|
|
// it returns the route information and a bool value of `true`. If a route can
|
|
// not be matched, a nil value for the route and false bool value is returned.
|
|
func (p *Proxy) router(r *http.Request) (http.Handler, bool) {
|
|
config, ok := p.routeConfigs[r.Host]
|
|
if ok {
|
|
return config.mux, true
|
|
}
|
|
return nil, false
|
|
}
|
|
|
|
// policy attempts to find a policy for a request. If a policy is successfully matched,
|
|
// it returns the policy information and a bool value of `true`. If a policy can not be matched,
|
|
// a nil value for the policy and false bool value is returned.
|
|
func (p *Proxy) policy(r *http.Request) (*config.Policy, bool) {
|
|
config, ok := p.routeConfigs[r.Host]
|
|
if ok {
|
|
return &config.policy, true
|
|
}
|
|
return nil, false
|
|
}
|
|
|
|
// GetRedirectURL returns the redirect url for a single reverse proxy host. HTTPS is set explicitly.
|
|
func (p *Proxy) GetRedirectURL(host string) *url.URL {
|
|
u := p.redirectURL
|
|
u.Scheme = "https"
|
|
u.Host = host
|
|
return u
|
|
}
|
|
|
|
// signRedirectURL takes a redirect url string and timestamp and returns the base64
|
|
// encoded HMAC result.
|
|
func (p *Proxy) signRedirectURL(rawRedirect string, timestamp time.Time) string {
|
|
data := []byte(fmt.Sprint(rawRedirect, timestamp.Unix()))
|
|
h := cryptutil.Hash(p.SharedKey, data)
|
|
return base64.URLEncoding.EncodeToString(h)
|
|
}
|
|
|
|
// GetSignInURL with typical oauth parameters
|
|
func (p *Proxy) GetSignInURL(authenticateURL, redirectURL *url.URL, state string) *url.URL {
|
|
a := authenticateURL.ResolveReference(&url.URL{Path: "/sign_in"})
|
|
now := time.Now()
|
|
rawRedirect := redirectURL.String()
|
|
params, _ := url.ParseQuery(a.RawQuery) // handled by ServeMux
|
|
params.Set("redirect_uri", rawRedirect)
|
|
params.Set("shared_secret", p.SharedKey)
|
|
params.Set("response_type", "code")
|
|
params.Add("state", state)
|
|
params.Set("ts", fmt.Sprint(now.Unix()))
|
|
params.Set("sig", p.signRedirectURL(rawRedirect, now))
|
|
a.RawQuery = params.Encode()
|
|
return a
|
|
}
|
|
|
|
// GetSignOutURL creates and returns the sign out URL, given a redirectURL
|
|
func (p *Proxy) GetSignOutURL(authenticateURL, redirectURL *url.URL) *url.URL {
|
|
a := authenticateURL.ResolveReference(&url.URL{Path: "/sign_out"})
|
|
now := time.Now()
|
|
rawRedirect := redirectURL.String()
|
|
params, _ := url.ParseQuery(a.RawQuery) // handled by ServeMux
|
|
params.Add("redirect_uri", rawRedirect)
|
|
params.Set("ts", fmt.Sprint(now.Unix()))
|
|
params.Set("sig", p.signRedirectURL(rawRedirect, now))
|
|
a.RawQuery = params.Encode()
|
|
return a
|
|
}
|