mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-29 10:26:29 +02:00
651 lines
27 KiB
Go
651 lines
27 KiB
Go
package config
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io/ioutil"
|
|
"net/url"
|
|
"os"
|
|
"regexp"
|
|
"strings"
|
|
"time"
|
|
|
|
envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
|
|
"google.golang.org/protobuf/types/known/durationpb"
|
|
|
|
"github.com/pomerium/pomerium/internal/hashutil"
|
|
"github.com/pomerium/pomerium/internal/identity"
|
|
"github.com/pomerium/pomerium/internal/log"
|
|
"github.com/pomerium/pomerium/internal/urlutil"
|
|
"github.com/pomerium/pomerium/pkg/cryptutil"
|
|
configpb "github.com/pomerium/pomerium/pkg/grpc/config"
|
|
)
|
|
|
|
// Policy contains route specific configuration and access settings.
|
|
type Policy struct {
|
|
From string `mapstructure:"from" yaml:"from"`
|
|
To WeightedURLs `mapstructure:"to" yaml:"to"`
|
|
|
|
// LbWeights are optional load balancing weights applied to endpoints specified in To
|
|
// this field exists for compatibility with mapstructure
|
|
LbWeights []uint32 `mapstructure:"_to_weights,omitempty" json:"-" yaml:"-"`
|
|
|
|
// Redirect is used for a redirect action instead of `To`
|
|
Redirect *PolicyRedirect `mapstructure:"redirect" yaml:"redirect"`
|
|
|
|
// Identity related policy
|
|
AllowedUsers []string `mapstructure:"allowed_users" yaml:"allowed_users,omitempty" json:"allowed_users,omitempty"`
|
|
AllowedGroups []string `mapstructure:"allowed_groups" yaml:"allowed_groups,omitempty" json:"allowed_groups,omitempty"`
|
|
AllowedDomains []string `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty" json:"allowed_domains,omitempty"`
|
|
AllowedIDPClaims identity.FlattenedClaims `mapstructure:"allowed_idp_claims" yaml:"allowed_idp_claims,omitempty" json:"allowed_idp_claims,omitempty"`
|
|
|
|
Source *StringURL `yaml:",omitempty" json:"source,omitempty" hash:"ignore"`
|
|
|
|
// Additional route matching options
|
|
Prefix string `mapstructure:"prefix" yaml:"prefix,omitempty" json:"prefix,omitempty"`
|
|
Path string `mapstructure:"path" yaml:"path,omitempty" json:"path,omitempty"`
|
|
Regex string `mapstructure:"regex" yaml:"regex,omitempty" json:"regex,omitempty"`
|
|
|
|
// Path Rewrite Options
|
|
PrefixRewrite string `mapstructure:"prefix_rewrite" yaml:"prefix_rewrite,omitempty" json:"prefix_rewrite,omitempty"`
|
|
RegexRewritePattern string `mapstructure:"regex_rewrite_pattern" yaml:"regex_rewrite_pattern,omitempty" json:"regex_rewrite_pattern,omitempty"`
|
|
RegexRewriteSubstitution string `mapstructure:"regex_rewrite_substitution" yaml:"regex_rewrite_substitution,omitempty" json:"regex_rewrite_substitution,omitempty"` //nolint
|
|
|
|
// Host Rewrite Options
|
|
HostRewrite string `mapstructure:"host_rewrite" yaml:"host_rewrite,omitempty" json:"host_rewrite,omitempty"`
|
|
HostRewriteHeader string `mapstructure:"host_rewrite_header" yaml:"host_rewrite_header,omitempty" json:"host_rewrite_header,omitempty"`
|
|
HostPathRegexRewritePattern string `mapstructure:"host_path_regex_rewrite_pattern" yaml:"host_path_regex_rewrite_pattern,omitempty" json:"host_path_regex_rewrite_pattern,omitempty"` //nolint
|
|
HostPathRegexRewriteSubstitution string `mapstructure:"host_path_regex_rewrite_substitution" yaml:"host_path_regex_rewrite_substitution,omitempty" json:"host_path_regex_rewrite_substitution,omitempty"` //nolint
|
|
|
|
// Allow unauthenticated HTTP OPTIONS requests as per the CORS spec
|
|
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests
|
|
CORSAllowPreflight bool `mapstructure:"cors_allow_preflight" yaml:"cors_allow_preflight,omitempty"`
|
|
|
|
// Allow any public request to access this route. **Bypasses authentication**
|
|
AllowPublicUnauthenticatedAccess bool `mapstructure:"allow_public_unauthenticated_access" yaml:"allow_public_unauthenticated_access,omitempty"`
|
|
|
|
// Allow any authenticated user
|
|
AllowAnyAuthenticatedUser bool `mapstructure:"allow_any_authenticated_user" yaml:"allow_any_authenticated_user,omitempty"`
|
|
|
|
// UpstreamTimeout is the route specific timeout. Must be less than the global
|
|
// timeout. If unset, route will fallback to the proxy's DefaultUpstreamTimeout.
|
|
UpstreamTimeout *time.Duration `mapstructure:"timeout" yaml:"timeout,omitempty"`
|
|
|
|
// IdleTimeout is distinct from UpstreamTimeout and defines period of time there may be no data over this connection
|
|
// value of zero completely disables this setting
|
|
// see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-idle-timeout
|
|
IdleTimeout *time.Duration `mapstructure:"idle_timeout" yaml:"idle_timeout,omitempty"`
|
|
|
|
// Enable proxying of websocket connections by removing the default timeout handler.
|
|
// Caution: Enabling this feature could result in abuse via DOS attacks.
|
|
AllowWebsockets bool `mapstructure:"allow_websockets" yaml:"allow_websockets,omitempty"`
|
|
|
|
// AllowSPDY enables proxying of SPDY upgrade requests
|
|
AllowSPDY bool `mapstructure:"allow_spdy" yaml:"allow_spdy,omitempty"`
|
|
|
|
// TLSSkipVerify controls whether a client verifies the server's certificate
|
|
// chain and host name.
|
|
// If TLSSkipVerify is true, TLS accepts any certificate presented by the
|
|
// server and any host name in that certificate.
|
|
// In this mode, TLS is susceptible to man-in-the-middle attacks.
|
|
// This should be used only for testing.
|
|
TLSSkipVerify bool `mapstructure:"tls_skip_verify" yaml:"tls_skip_verify,omitempty"`
|
|
|
|
// TLSServerName overrides the hostname in the `to` field. This is useful
|
|
// if your backend is an HTTPS server with a valid certificate, but you
|
|
// want to communicate to the backend with an internal hostname (e.g.
|
|
// Docker container name).
|
|
TLSServerName string `mapstructure:"tls_server_name" yaml:"tls_server_name,omitempty"`
|
|
|
|
// TLSCustomCA defines the root certificate to use with a given
|
|
// route when verifying server certificates.
|
|
TLSCustomCA string `mapstructure:"tls_custom_ca" yaml:"tls_custom_ca,omitempty"`
|
|
TLSCustomCAFile string `mapstructure:"tls_custom_ca_file" yaml:"tls_custom_ca_file,omitempty"`
|
|
|
|
// Contains the x.509 client certificate to present to the upstream host.
|
|
TLSClientCert string `mapstructure:"tls_client_cert" yaml:"tls_client_cert,omitempty"`
|
|
TLSClientKey string `mapstructure:"tls_client_key" yaml:"tls_client_key,omitempty"`
|
|
TLSClientCertFile string `mapstructure:"tls_client_cert_file" yaml:"tls_client_cert_file,omitempty"`
|
|
TLSClientKeyFile string `mapstructure:"tls_client_key_file" yaml:"tls_client_key_file,omitempty"`
|
|
ClientCertificate *tls.Certificate `yaml:",omitempty" hash:"ignore"`
|
|
|
|
// TLSDownstreamClientCA defines the root certificate to use with a given route to verify
|
|
// downstream client certificates (e.g. from a user's browser).
|
|
TLSDownstreamClientCA string `mapstructure:"tls_downstream_client_ca" yaml:"tls_downstream_client_ca,omitempty"`
|
|
TLSDownstreamClientCAFile string `mapstructure:"tls_downstream_client_ca_file" yaml:"tls_downstream_client_ca_file,omitempty"`
|
|
|
|
// SetRequestHeaders adds a collection of headers to the upstream request
|
|
// in the form of key value pairs. Note bene, this will overwrite the
|
|
// value of any existing value of a given header key.
|
|
SetRequestHeaders map[string]string `mapstructure:"set_request_headers" yaml:"set_request_headers,omitempty"`
|
|
|
|
// RemoveRequestHeaders removes a collection of headers from an upstream request.
|
|
// Note that this has lower priority than `SetRequestHeaders`, if you specify `X-Custom-Header` in both
|
|
// `SetRequestHeaders` and `RemoveRequestHeaders`, then the header won't be removed.
|
|
RemoveRequestHeaders []string `mapstructure:"remove_request_headers" yaml:"remove_request_headers,omitempty"`
|
|
|
|
// PreserveHostHeader disables host header rewriting.
|
|
//
|
|
// This option only takes affect if the destination is a DNS name. If the destination is an IP address,
|
|
// use SetRequestHeaders to explicitly set the "Host" header.
|
|
//
|
|
// https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
|
|
PreserveHostHeader bool `mapstructure:"preserve_host_header" yaml:"preserve_host_header,omitempty"`
|
|
|
|
// PassIdentityHeaders controls whether to add a user's identity headers to the upstream request.
|
|
// These includes:
|
|
//
|
|
// - X-Pomerium-Jwt-Assertion
|
|
// - X-Pomerium-Claim-*
|
|
//
|
|
PassIdentityHeaders bool `mapstructure:"pass_identity_headers" yaml:"pass_identity_headers,omitempty"`
|
|
|
|
// KubernetesServiceAccountToken is the kubernetes token to use for upstream requests.
|
|
KubernetesServiceAccountToken string `mapstructure:"kubernetes_service_account_token" yaml:"kubernetes_service_account_token,omitempty"`
|
|
// KubernetesServiceAccountTokenFile contains the kubernetes token to use for upstream requests.
|
|
KubernetesServiceAccountTokenFile string `mapstructure:"kubernetes_service_account_token_file" yaml:"kubernetes_service_account_token_file,omitempty"`
|
|
|
|
// EnableGoogleCloudServerlessAuthentication adds "Authorization: Bearer ID_TOKEN" headers
|
|
// to upstream requests.
|
|
EnableGoogleCloudServerlessAuthentication bool `mapstructure:"enable_google_cloud_serverless_authentication" yaml:"enable_google_cloud_serverless_authentication,omitempty"` //nolint
|
|
|
|
SubPolicies []SubPolicy `mapstructure:"sub_policies" yaml:"sub_policies,omitempty" json:"sub_policies,omitempty"`
|
|
|
|
EnvoyOpts *envoy_config_cluster_v3.Cluster `mapstructure:"_envoy_opts" yaml:"-" json:"-"`
|
|
|
|
// RewriteResponseHeaders rewrites response headers. This can be used to change the Location header.
|
|
RewriteResponseHeaders []RewriteHeader `mapstructure:"rewrite_response_headers" yaml:"rewrite_response_headers,omitempty" json:"rewrite_response_headers,omitempty"` //nolint
|
|
|
|
// SetResponseHeaders sets response headers.
|
|
SetResponseHeaders map[string]string `mapstructure:"set_response_headers" yaml:"set_response_headers,omitempty"`
|
|
|
|
Policy *PPLPolicy `mapstructure:"policy" yaml:"policy,omitempty" json:"policy,omitempty"`
|
|
}
|
|
|
|
// RewriteHeader is a policy configuration option to rewrite an HTTP header.
|
|
type RewriteHeader struct {
|
|
Header string `mapstructure:"header" yaml:"header" json:"header"`
|
|
Prefix string `mapstructure:"prefix" yaml:"prefix,omitempty" json:"prefix,omitempty"`
|
|
Value string `mapstructure:"value" yaml:"value,omitempty" json:"value,omitempty"`
|
|
}
|
|
|
|
// A SubPolicy is a protobuf Policy within a protobuf Route.
|
|
type SubPolicy struct {
|
|
ID string `mapstructure:"id" yaml:"id" json:"id"`
|
|
Name string `mapstructure:"name" yaml:"name" json:"name"`
|
|
AllowedUsers []string `mapstructure:"allowed_users" yaml:"allowed_users,omitempty" json:"allowed_users,omitempty"`
|
|
AllowedGroups []string `mapstructure:"allowed_groups" yaml:"allowed_groups,omitempty" json:"allowed_groups,omitempty"`
|
|
AllowedDomains []string `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty" json:"allowed_domains,omitempty"`
|
|
AllowedIDPClaims identity.FlattenedClaims `mapstructure:"allowed_idp_claims" yaml:"allowed_idp_claims,omitempty" json:"allowed_idp_claims,omitempty"`
|
|
Rego []string `mapstructure:"rego" yaml:"rego" json:"rego,omitempty"`
|
|
}
|
|
|
|
// PolicyRedirect is a route redirect action.
|
|
type PolicyRedirect struct {
|
|
HTTPSRedirect *bool `mapstructure:"https_redirect" yaml:"https_redirect,omitempty" json:"https_redirect,omitempty"`
|
|
SchemeRedirect *string `mapstructure:"scheme_redirect" yaml:"scheme_redirect,omitempty" json:"scheme_redirect,omitempty"`
|
|
HostRedirect *string `mapstructure:"host_redirect" yaml:"host_redirect,omitempty" json:"host_redirect,omitempty"`
|
|
PortRedirect *uint32 `mapstructure:"port_redirect" yaml:"port_redirect,omitempty" json:"port_redirect,omitempty"`
|
|
PathRedirect *string `mapstructure:"path_redirect" yaml:"path_redirect,omitempty" json:"path_redirect,omitempty"`
|
|
PrefixRewrite *string `mapstructure:"prefix_rewrite" yaml:"prefix_rewrite,omitempty" json:"prefix_rewrite,omitempty"`
|
|
ResponseCode *int32 `mapstructure:"response_code" yaml:"response_code,omitempty" json:"response_code,omitempty"`
|
|
StripQuery *bool `mapstructure:"strip_query" yaml:"strip_query,omitempty" json:"strip_query,omitempty"`
|
|
}
|
|
|
|
// NewPolicyFromProto creates a new Policy from a protobuf policy config route.
|
|
func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
|
|
var timeout *time.Duration
|
|
if pb.GetTimeout() != nil {
|
|
t := pb.GetTimeout().AsDuration()
|
|
timeout = &t
|
|
}
|
|
var idleTimeout *time.Duration
|
|
if pb.GetIdleTimeout() != nil {
|
|
t := pb.GetIdleTimeout().AsDuration()
|
|
idleTimeout = &t
|
|
}
|
|
|
|
p := &Policy{
|
|
From: pb.GetFrom(),
|
|
AllowedUsers: pb.GetAllowedUsers(),
|
|
AllowedGroups: pb.GetAllowedGroups(),
|
|
AllowedDomains: pb.GetAllowedDomains(),
|
|
AllowedIDPClaims: identity.NewFlattenedClaimsFromPB(pb.GetAllowedIdpClaims()),
|
|
Prefix: pb.GetPrefix(),
|
|
Path: pb.GetPath(),
|
|
Regex: pb.GetRegex(),
|
|
PrefixRewrite: pb.GetPrefixRewrite(),
|
|
RegexRewritePattern: pb.GetRegexRewritePattern(),
|
|
RegexRewriteSubstitution: pb.GetRegexRewriteSubstitution(),
|
|
CORSAllowPreflight: pb.GetCorsAllowPreflight(),
|
|
AllowPublicUnauthenticatedAccess: pb.GetAllowPublicUnauthenticatedAccess(),
|
|
AllowAnyAuthenticatedUser: pb.GetAllowAnyAuthenticatedUser(),
|
|
UpstreamTimeout: timeout,
|
|
IdleTimeout: idleTimeout,
|
|
AllowWebsockets: pb.GetAllowWebsockets(),
|
|
AllowSPDY: pb.GetAllowSpdy(),
|
|
TLSSkipVerify: pb.GetTlsSkipVerify(),
|
|
TLSServerName: pb.GetTlsServerName(),
|
|
TLSCustomCA: pb.GetTlsCustomCa(),
|
|
TLSCustomCAFile: pb.GetTlsCustomCaFile(),
|
|
TLSClientCert: pb.GetTlsClientCert(),
|
|
TLSClientKey: pb.GetTlsClientKey(),
|
|
TLSClientCertFile: pb.GetTlsClientCertFile(),
|
|
TLSClientKeyFile: pb.GetTlsClientKeyFile(),
|
|
TLSDownstreamClientCA: pb.GetTlsDownstreamClientCa(),
|
|
TLSDownstreamClientCAFile: pb.GetTlsDownstreamClientCaFile(),
|
|
SetRequestHeaders: pb.GetSetRequestHeaders(),
|
|
RemoveRequestHeaders: pb.GetRemoveRequestHeaders(),
|
|
PreserveHostHeader: pb.GetPreserveHostHeader(),
|
|
HostRewrite: pb.GetHostRewrite(),
|
|
HostRewriteHeader: pb.GetHostRewriteHeader(),
|
|
HostPathRegexRewritePattern: pb.GetHostPathRegexRewritePattern(),
|
|
HostPathRegexRewriteSubstitution: pb.GetHostPathRegexRewriteSubstitution(),
|
|
PassIdentityHeaders: pb.GetPassIdentityHeaders(),
|
|
KubernetesServiceAccountToken: pb.GetKubernetesServiceAccountToken(),
|
|
SetResponseHeaders: pb.GetSetResponseHeaders(),
|
|
EnableGoogleCloudServerlessAuthentication: pb.GetEnableGoogleCloudServerlessAuthentication(),
|
|
}
|
|
|
|
if pb.Redirect.IsSet() {
|
|
p.Redirect = &PolicyRedirect{
|
|
HTTPSRedirect: pb.Redirect.HttpsRedirect,
|
|
SchemeRedirect: pb.Redirect.SchemeRedirect,
|
|
HostRedirect: pb.Redirect.HostRedirect,
|
|
PortRedirect: pb.Redirect.PortRedirect,
|
|
PathRedirect: pb.Redirect.PathRedirect,
|
|
PrefixRewrite: pb.Redirect.PrefixRewrite,
|
|
ResponseCode: pb.Redirect.ResponseCode,
|
|
StripQuery: pb.Redirect.StripQuery,
|
|
}
|
|
} else {
|
|
to, err := ParseWeightedUrls(pb.GetTo()...)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
p.To = to
|
|
}
|
|
|
|
p.EnvoyOpts = pb.EnvoyOpts
|
|
if p.EnvoyOpts == nil {
|
|
p.EnvoyOpts = new(envoy_config_cluster_v3.Cluster)
|
|
}
|
|
if pb.Name != "" && p.EnvoyOpts.Name == "" {
|
|
p.EnvoyOpts.Name = pb.Name
|
|
}
|
|
|
|
for _, rwh := range pb.RewriteResponseHeaders {
|
|
p.RewriteResponseHeaders = append(p.RewriteResponseHeaders, RewriteHeader{
|
|
Header: rwh.GetHeader(),
|
|
Prefix: rwh.GetPrefix(),
|
|
Value: rwh.GetValue(),
|
|
})
|
|
}
|
|
|
|
for _, sp := range pb.GetPolicies() {
|
|
p.SubPolicies = append(p.SubPolicies, SubPolicy{
|
|
ID: sp.GetId(),
|
|
Name: sp.GetName(),
|
|
AllowedUsers: sp.GetAllowedUsers(),
|
|
AllowedGroups: sp.GetAllowedGroups(),
|
|
AllowedDomains: sp.GetAllowedDomains(),
|
|
AllowedIDPClaims: identity.NewFlattenedClaimsFromPB(sp.GetAllowedIdpClaims()),
|
|
Rego: sp.GetRego(),
|
|
})
|
|
}
|
|
return p, p.Validate()
|
|
}
|
|
|
|
// ToProto converts the policy to a protobuf type.
|
|
func (p *Policy) ToProto() (*configpb.Route, error) {
|
|
var timeout *durationpb.Duration
|
|
if p.UpstreamTimeout == nil {
|
|
timeout = durationpb.New(defaultOptions.DefaultUpstreamTimeout)
|
|
} else {
|
|
timeout = durationpb.New(*p.UpstreamTimeout)
|
|
}
|
|
var idleTimeout *durationpb.Duration
|
|
if p.IdleTimeout != nil {
|
|
idleTimeout = durationpb.New(*p.IdleTimeout)
|
|
}
|
|
sps := make([]*configpb.Policy, 0, len(p.SubPolicies))
|
|
for _, sp := range p.SubPolicies {
|
|
sps = append(sps, &configpb.Policy{
|
|
Id: sp.ID,
|
|
Name: sp.Name,
|
|
AllowedUsers: sp.AllowedUsers,
|
|
AllowedGroups: sp.AllowedGroups,
|
|
AllowedDomains: sp.AllowedDomains,
|
|
AllowedIdpClaims: sp.AllowedIDPClaims.ToPB(),
|
|
Rego: sp.Rego,
|
|
})
|
|
}
|
|
|
|
pb := &configpb.Route{
|
|
Name: fmt.Sprint(p.RouteID()),
|
|
From: p.From,
|
|
AllowedUsers: p.AllowedUsers,
|
|
AllowedGroups: p.AllowedGroups,
|
|
AllowedDomains: p.AllowedDomains,
|
|
AllowedIdpClaims: p.AllowedIDPClaims.ToPB(),
|
|
Prefix: p.Prefix,
|
|
Path: p.Path,
|
|
Regex: p.Regex,
|
|
PrefixRewrite: p.PrefixRewrite,
|
|
RegexRewritePattern: p.RegexRewritePattern,
|
|
RegexRewriteSubstitution: p.RegexRewriteSubstitution,
|
|
CorsAllowPreflight: p.CORSAllowPreflight,
|
|
AllowPublicUnauthenticatedAccess: p.AllowPublicUnauthenticatedAccess,
|
|
AllowAnyAuthenticatedUser: p.AllowAnyAuthenticatedUser,
|
|
Timeout: timeout,
|
|
IdleTimeout: idleTimeout,
|
|
AllowWebsockets: p.AllowWebsockets,
|
|
AllowSpdy: p.AllowSPDY,
|
|
TlsSkipVerify: p.TLSSkipVerify,
|
|
TlsServerName: p.TLSServerName,
|
|
TlsCustomCa: p.TLSCustomCA,
|
|
TlsCustomCaFile: p.TLSCustomCAFile,
|
|
TlsClientCert: p.TLSClientCert,
|
|
TlsClientKey: p.TLSClientKey,
|
|
TlsClientCertFile: p.TLSClientCertFile,
|
|
TlsClientKeyFile: p.TLSClientKeyFile,
|
|
TlsDownstreamClientCa: p.TLSDownstreamClientCA,
|
|
TlsDownstreamClientCaFile: p.TLSDownstreamClientCAFile,
|
|
SetRequestHeaders: p.SetRequestHeaders,
|
|
RemoveRequestHeaders: p.RemoveRequestHeaders,
|
|
PreserveHostHeader: p.PreserveHostHeader,
|
|
PassIdentityHeaders: p.PassIdentityHeaders,
|
|
KubernetesServiceAccountToken: p.KubernetesServiceAccountToken,
|
|
Policies: sps,
|
|
SetResponseHeaders: p.SetResponseHeaders,
|
|
}
|
|
if p.Redirect != nil {
|
|
pb.Redirect = &configpb.RouteRedirect{
|
|
HttpsRedirect: p.Redirect.HTTPSRedirect,
|
|
SchemeRedirect: p.Redirect.SchemeRedirect,
|
|
HostRedirect: p.Redirect.HostRedirect,
|
|
PortRedirect: p.Redirect.PortRedirect,
|
|
PathRedirect: p.Redirect.PathRedirect,
|
|
PrefixRewrite: p.Redirect.PrefixRewrite,
|
|
ResponseCode: p.Redirect.ResponseCode,
|
|
StripQuery: p.Redirect.StripQuery,
|
|
}
|
|
} else {
|
|
to, weights, err := p.To.Flatten()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
pb.To = to
|
|
pb.LoadBalancingWeights = weights
|
|
}
|
|
|
|
for _, rwh := range p.RewriteResponseHeaders {
|
|
pb.RewriteResponseHeaders = append(pb.RewriteResponseHeaders, &configpb.RouteRewriteHeader{
|
|
Header: rwh.Header,
|
|
Matcher: &configpb.RouteRewriteHeader_Prefix{
|
|
Prefix: rwh.Prefix,
|
|
},
|
|
Value: rwh.Value,
|
|
})
|
|
}
|
|
|
|
return pb, nil
|
|
}
|
|
|
|
// Validate checks the validity of a policy.
|
|
func (p *Policy) Validate() error {
|
|
var err error
|
|
source, err := urlutil.ParseAndValidateURL(p.From)
|
|
if err != nil {
|
|
return fmt.Errorf("config: policy bad source url %w", err)
|
|
}
|
|
|
|
// Make sure there's no path set on the from url
|
|
if (source.Scheme == "http" || source.Scheme == "https") && !(source.Path == "" || source.Path == "/") {
|
|
return fmt.Errorf("config: policy source url (%s) contains a path, but it should be set using the path field instead",
|
|
source.String())
|
|
}
|
|
if source.Scheme == "http" {
|
|
log.Warn(context.Background()).Msgf("config: policy source url (%s) uses HTTP but only HTTPS is supported",
|
|
source.String())
|
|
}
|
|
|
|
p.Source = &StringURL{source}
|
|
|
|
if len(p.To) == 0 && p.Redirect == nil {
|
|
return errEitherToOrRedirectRequired
|
|
}
|
|
|
|
for _, u := range p.To {
|
|
if err = u.Validate(); err != nil {
|
|
return fmt.Errorf("config: %s: %w", u.URL.String(), err)
|
|
}
|
|
}
|
|
|
|
// Only allow public access if no other whitelists are in place
|
|
if p.AllowPublicUnauthenticatedAccess && (p.AllowAnyAuthenticatedUser || p.AllowedDomains != nil || p.AllowedGroups != nil || p.AllowedUsers != nil) {
|
|
return fmt.Errorf("config: policy route marked as public but contains whitelists")
|
|
}
|
|
|
|
// Only allow any authenticated user if no other whitelists are in place
|
|
if p.AllowAnyAuthenticatedUser && (p.AllowedDomains != nil || p.AllowedGroups != nil || p.AllowedUsers != nil) {
|
|
return fmt.Errorf("config: policy route marked accessible for any authenticated user but contains whitelists")
|
|
}
|
|
|
|
if (p.TLSClientCert == "" && p.TLSClientKey != "") || (p.TLSClientCert != "" && p.TLSClientKey == "") ||
|
|
(p.TLSClientCertFile == "" && p.TLSClientKeyFile != "") || (p.TLSClientCertFile != "" && p.TLSClientKeyFile == "") {
|
|
return fmt.Errorf("config: client certificate key and cert both must be non-empty")
|
|
}
|
|
|
|
if p.TLSClientCert != "" && p.TLSClientKey != "" {
|
|
p.ClientCertificate, err = cryptutil.CertificateFromBase64(p.TLSClientCert, p.TLSClientKey)
|
|
if err != nil {
|
|
return fmt.Errorf("config: couldn't decode client cert %w", err)
|
|
}
|
|
} else if p.TLSClientCertFile != "" && p.TLSClientKeyFile != "" {
|
|
p.ClientCertificate, err = cryptutil.CertificateFromFile(p.TLSClientCertFile, p.TLSClientKeyFile)
|
|
if err != nil {
|
|
return fmt.Errorf("config: couldn't load client cert file %w", err)
|
|
}
|
|
}
|
|
|
|
if p.TLSCustomCA != "" {
|
|
_, err := base64.StdEncoding.DecodeString(p.TLSCustomCA)
|
|
if err != nil {
|
|
return fmt.Errorf("config: couldn't decode custom ca: %w", err)
|
|
}
|
|
} else if p.TLSCustomCAFile != "" {
|
|
_, err := os.Stat(p.TLSCustomCAFile)
|
|
if err != nil {
|
|
return fmt.Errorf("config: couldn't load client ca file: %w", err)
|
|
}
|
|
}
|
|
|
|
if p.TLSDownstreamClientCA != "" {
|
|
_, err := base64.StdEncoding.DecodeString(p.TLSDownstreamClientCA)
|
|
if err != nil {
|
|
return fmt.Errorf("config: couldn't decode downstream client ca: %w", err)
|
|
}
|
|
}
|
|
|
|
if p.TLSDownstreamClientCAFile != "" {
|
|
bs, err := ioutil.ReadFile(p.TLSDownstreamClientCAFile)
|
|
if err != nil {
|
|
return fmt.Errorf("config: couldn't load downstream client ca: %w", err)
|
|
}
|
|
p.TLSDownstreamClientCA = base64.StdEncoding.EncodeToString(bs)
|
|
}
|
|
|
|
if p.KubernetesServiceAccountTokenFile != "" {
|
|
if p.KubernetesServiceAccountToken != "" {
|
|
return fmt.Errorf("config: specified both `kubernetes_service_account_token_file` and `kubernetes_service_account_token`")
|
|
}
|
|
|
|
token, err := ioutil.ReadFile(p.KubernetesServiceAccountTokenFile)
|
|
if err != nil {
|
|
return fmt.Errorf("config: failed to load kubernetes service account token: %w", err)
|
|
}
|
|
p.KubernetesServiceAccountToken = string(token)
|
|
}
|
|
|
|
if p.PrefixRewrite != "" && p.RegexRewritePattern != "" {
|
|
return fmt.Errorf("config: only prefix_rewrite or regex_rewrite_pattern can be specified, but not both")
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// Checksum returns the xxhash hash for the policy.
|
|
func (p *Policy) Checksum() uint64 {
|
|
return hashutil.MustHash(p)
|
|
}
|
|
|
|
// RouteID returns a unique identifier for a route
|
|
func (p *Policy) RouteID() (uint64, error) {
|
|
id := routeID{
|
|
Source: p.Source,
|
|
Prefix: p.Prefix,
|
|
Path: p.Path,
|
|
Regex: p.Regex,
|
|
}
|
|
|
|
if len(p.To) > 0 {
|
|
dst, _, err := p.To.Flatten()
|
|
if err != nil {
|
|
return 0, err
|
|
}
|
|
id.To = dst
|
|
} else if p.Redirect != nil {
|
|
id.Redirect = p.Redirect
|
|
} else {
|
|
return 0, errEitherToOrRedirectRequired
|
|
}
|
|
|
|
return hashutil.Hash(id)
|
|
}
|
|
|
|
func (p *Policy) String() string {
|
|
to := "?"
|
|
if len(p.To) > 0 {
|
|
var dsts []string
|
|
for _, dst := range p.To {
|
|
dsts = append(dsts, dst.URL.String())
|
|
}
|
|
to = strings.Join(dsts, ",")
|
|
}
|
|
|
|
return fmt.Sprintf("%s → %s", p.Source.String(), to)
|
|
}
|
|
|
|
// Matches returns true if the policy would match the given URL.
|
|
func (p *Policy) Matches(requestURL url.URL) bool {
|
|
// handle nils by always returning false
|
|
if p.Source == nil {
|
|
return false
|
|
}
|
|
|
|
if p.Source.Host != requestURL.Host {
|
|
return false
|
|
}
|
|
|
|
if p.Prefix != "" {
|
|
if !strings.HasPrefix(requestURL.Path, p.Prefix) {
|
|
return false
|
|
}
|
|
}
|
|
|
|
if p.Path != "" {
|
|
if requestURL.Path != p.Path {
|
|
return false
|
|
}
|
|
}
|
|
|
|
if p.Regex != "" {
|
|
re, err := regexp.Compile(p.Regex)
|
|
if err == nil && !re.MatchString(requestURL.String()) {
|
|
return false
|
|
}
|
|
}
|
|
|
|
return true
|
|
}
|
|
|
|
// IsForKubernetes returns true if the policy is for kubernetes.
|
|
func (p *Policy) IsForKubernetes() bool {
|
|
return p.KubernetesServiceAccountTokenFile != "" || p.KubernetesServiceAccountToken != ""
|
|
}
|
|
|
|
// AllAllowedDomains returns all the allowed domains.
|
|
func (p *Policy) AllAllowedDomains() []string {
|
|
var ads []string
|
|
ads = append(ads, p.AllowedDomains...)
|
|
for _, sp := range p.SubPolicies {
|
|
ads = append(ads, sp.AllowedDomains...)
|
|
}
|
|
return ads
|
|
}
|
|
|
|
// AllAllowedGroups returns all the allowed groups.
|
|
func (p *Policy) AllAllowedGroups() []string {
|
|
var ags []string
|
|
ags = append(ags, p.AllowedGroups...)
|
|
for _, sp := range p.SubPolicies {
|
|
ags = append(ags, sp.AllowedGroups...)
|
|
}
|
|
return ags
|
|
}
|
|
|
|
// AllAllowedIDPClaims returns all the allowed IDP claims.
|
|
func (p *Policy) AllAllowedIDPClaims() []identity.FlattenedClaims {
|
|
var aics []identity.FlattenedClaims
|
|
if len(p.AllowedIDPClaims) > 0 {
|
|
aics = append(aics, p.AllowedIDPClaims)
|
|
}
|
|
for _, sp := range p.SubPolicies {
|
|
if len(sp.AllowedIDPClaims) > 0 {
|
|
aics = append(aics, sp.AllowedIDPClaims)
|
|
}
|
|
}
|
|
return aics
|
|
}
|
|
|
|
// AllAllowedUsers returns all the allowed users.
|
|
func (p *Policy) AllAllowedUsers() []string {
|
|
var aus []string
|
|
aus = append(aus, p.AllowedUsers...)
|
|
for _, sp := range p.SubPolicies {
|
|
aus = append(aus, sp.AllowedUsers...)
|
|
}
|
|
return aus
|
|
}
|
|
|
|
// StringURL stores a URL as a string in json.
|
|
type StringURL struct {
|
|
*url.URL
|
|
}
|
|
|
|
func (su *StringURL) String() string {
|
|
if su == nil || su.URL == nil {
|
|
return "?"
|
|
}
|
|
return su.URL.String()
|
|
}
|
|
|
|
// MarshalJSON returns the URLs host as json.
|
|
func (su *StringURL) MarshalJSON() ([]byte, error) {
|
|
return json.Marshal(su.String())
|
|
}
|
|
|
|
type routeID struct {
|
|
Source *StringURL
|
|
To []string
|
|
Prefix string
|
|
Path string
|
|
Regex string
|
|
Redirect *PolicyRedirect
|
|
}
|