mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-10 15:47:36 +02:00
5edfa7b03f
- telemetry/tace: add traces throughout code - telemetry/metrics: nest metrics and trace under telemetry - telemetry/tace: add service name span to HTTPMetricsHandler. - telemetry/metrics: removed chain dependency middleware_tests. - telemetry/metrics: wrap and encapsulate variatic view registration. - telemetry/tace: add jaeger support for tracing. - cmd/pomerium: move `parseOptions` to internal/config. - cmd/pomerium: offload server handling to httputil and sub pkgs. - httputil: standardize creation/shutdown of http listeners. - httputil: prefer curve X25519 to P256 when negotiating TLS. - fileutil: use standardized Getw Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
117 lines
3.9 KiB
Go
117 lines
3.9 KiB
Go
package clients // import "github.com/pomerium/pomerium/proxy/clients"
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
|
|
"github.com/pomerium/pomerium/internal/sessions"
|
|
"github.com/pomerium/pomerium/internal/telemetry/trace"
|
|
pb "github.com/pomerium/pomerium/proto/authenticate"
|
|
|
|
"google.golang.org/grpc"
|
|
)
|
|
|
|
// Authenticator provides the authenticate service interface
|
|
type Authenticator interface {
|
|
// Redeem takes a code and returns a validated session or an error
|
|
Redeem(context.Context, string) (*sessions.SessionState, error)
|
|
// Refresh attempts to refresh a valid session with a refresh token. Returns a refreshed session.
|
|
Refresh(context.Context, *sessions.SessionState) (*sessions.SessionState, error)
|
|
// Validate evaluates a given oidc id_token for validity. Returns validity and any error.
|
|
Validate(context.Context, string) (bool, error)
|
|
// Close closes the authenticator connection if any.
|
|
Close() error
|
|
}
|
|
|
|
// NewAuthenticateClient returns a new authenticate service client. Presently,
|
|
// only gRPC is supported and is always returned so name is ignored.
|
|
func NewAuthenticateClient(name string, opts *Options) (a Authenticator, err error) {
|
|
return NewGRPCAuthenticateClient(opts)
|
|
}
|
|
|
|
// NewGRPCAuthenticateClient returns a new authenticate service client.
|
|
func NewGRPCAuthenticateClient(opts *Options) (p *AuthenticateGRPC, err error) {
|
|
conn, err := NewGRPCClientConn(opts)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
authClient := pb.NewAuthenticatorClient(conn)
|
|
return &AuthenticateGRPC{Conn: conn, client: authClient}, nil
|
|
}
|
|
|
|
// AuthenticateGRPC is a gRPC implementation of an authenticator (authenticate client)
|
|
type AuthenticateGRPC struct {
|
|
Conn *grpc.ClientConn
|
|
client pb.AuthenticatorClient
|
|
}
|
|
|
|
// Redeem makes an RPC call to the authenticate service to creates a session state
|
|
// from an encrypted code provided as a result of an oauth2 callback process.
|
|
func (a *AuthenticateGRPC) Redeem(ctx context.Context, code string) (*sessions.SessionState, error) {
|
|
ctx, span := trace.StartSpan(ctx, "proxy.client.grpc.Redeem")
|
|
defer span.End()
|
|
|
|
if code == "" {
|
|
return nil, errors.New("missing code")
|
|
}
|
|
protoSession, err := a.client.Authenticate(ctx, &pb.AuthenticateRequest{Code: code})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
session, err := pb.SessionFromProto(protoSession)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return session, nil
|
|
}
|
|
|
|
// Refresh makes an RPC call to the authenticate service to attempt to refresh the
|
|
// user's session. Requires a valid refresh token. Will return an error if the identity provider
|
|
// has revoked the session or if the refresh token is no longer valid in this context.
|
|
func (a *AuthenticateGRPC) Refresh(ctx context.Context, s *sessions.SessionState) (*sessions.SessionState, error) {
|
|
ctx, span := trace.StartSpan(ctx, "proxy.client.grpc.Refresh")
|
|
defer span.End()
|
|
|
|
if s.RefreshToken == "" {
|
|
return nil, errors.New("missing refresh token")
|
|
}
|
|
req, err := pb.ProtoFromSession(s)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// todo(bdd): add grpc specific timeouts to main options
|
|
// todo(bdd): handle request id (metadata!?) in grpc receiver and add to ctx logger
|
|
reply, err := a.client.Refresh(ctx, req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
newSession, err := pb.SessionFromProto(reply)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return newSession, nil
|
|
}
|
|
|
|
// Validate makes an RPC call to the authenticate service to validate the JWT id token;
|
|
// does NOT do nonce or revokation validation.
|
|
// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
|
|
func (a *AuthenticateGRPC) Validate(ctx context.Context, idToken string) (bool, error) {
|
|
ctx, span := trace.StartSpan(ctx, "proxy.client.grpc.Validate")
|
|
defer span.End()
|
|
|
|
if idToken == "" {
|
|
return false, errors.New("missing id token")
|
|
}
|
|
|
|
r, err := a.client.Validate(ctx, &pb.ValidateRequest{IdToken: idToken})
|
|
if err != nil {
|
|
return false, err
|
|
}
|
|
return r.IsValid, nil
|
|
}
|
|
|
|
// Close tears down the ClientConn and all underlying connections.
|
|
func (a *AuthenticateGRPC) Close() error {
|
|
return a.Conn.Close()
|
|
}
|