mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-29 10:26:29 +02:00
151 lines
4.7 KiB
Go
151 lines
4.7 KiB
Go
package authenticate // import "github.com/pomerium/pomerium/authenticate"
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
"html/template"
|
|
"net/url"
|
|
"time"
|
|
|
|
"github.com/pomerium/envconfig"
|
|
|
|
"github.com/pomerium/pomerium/internal/cryptutil"
|
|
"github.com/pomerium/pomerium/internal/identity"
|
|
"github.com/pomerium/pomerium/internal/sessions"
|
|
"github.com/pomerium/pomerium/internal/templates"
|
|
)
|
|
|
|
var defaultOptions = &Options{
|
|
CookieName: "_pomerium_authenticate",
|
|
CookieHTTPOnly: true,
|
|
CookieSecure: true,
|
|
CookieExpire: time.Duration(14) * time.Hour,
|
|
CookieRefresh: time.Duration(30) * time.Minute,
|
|
}
|
|
|
|
// Options details the available configuration settings for the authenticate service
|
|
type Options struct {
|
|
AuthenticateURL *url.URL `envconfig:"AUTHENTICATE_SERVICE_URL"`
|
|
|
|
// SharedKey is used to authenticate requests between services
|
|
SharedKey string `envconfig:"SHARED_SECRET"`
|
|
// Session/Cookie management
|
|
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
|
|
CookieName string
|
|
CookieSecret string `envconfig:"COOKIE_SECRET"`
|
|
CookieDomain string `envconfig:"COOKIE_DOMAIN"`
|
|
CookieSecure bool `envconfig:"COOKIE_SECURE"`
|
|
CookieHTTPOnly bool `envconfig:"COOKIE_HTTP_ONLY"`
|
|
CookieExpire time.Duration `envconfig:"COOKIE_EXPIRE"`
|
|
CookieRefresh time.Duration `envconfig:"COOKIE_REFRESH"`
|
|
|
|
// Identity provider configuration variables as specified by RFC6749
|
|
// https://openid.net/specs/openid-connect-basic-1_0.html#RFC6749
|
|
ClientID string `envconfig:"IDP_CLIENT_ID"`
|
|
ClientSecret string `envconfig:"IDP_CLIENT_SECRET"`
|
|
Provider string `envconfig:"IDP_PROVIDER"`
|
|
ProviderURL string `envconfig:"IDP_PROVIDER_URL"`
|
|
Scopes []string `envconfig:"IDP_SCOPES"`
|
|
ServiceAccount string `envconfig:"IDP_SERVICE_ACCOUNT"`
|
|
}
|
|
|
|
// OptionsFromEnvConfig builds the authenticate service's configuration environmental variables
|
|
func OptionsFromEnvConfig() (*Options, error) {
|
|
o := defaultOptions
|
|
if err := envconfig.Process("", o); err != nil {
|
|
return nil, err
|
|
}
|
|
return o, nil
|
|
}
|
|
|
|
// Validate checks to see if configuration values are valid for the authenticate service.
|
|
// The checks do not modify the internal state of the Option structure. Returns
|
|
// on first error found.
|
|
func (o *Options) Validate() error {
|
|
if o.AuthenticateURL == nil {
|
|
return errors.New("authenticate: 'AUTHENTICATE_SERVICE_URL' missing")
|
|
}
|
|
if o.ClientID == "" {
|
|
return errors.New("authenticate: 'IDP_CLIENT_ID' missing")
|
|
}
|
|
if o.ClientSecret == "" {
|
|
return errors.New("authenticate: 'IDP_CLIENT_SECRET' missing")
|
|
}
|
|
if o.SharedKey == "" {
|
|
return errors.New("authenticate: 'SHARED_SECRET' missing")
|
|
}
|
|
decodedCookieSecret, err := base64.StdEncoding.DecodeString(o.CookieSecret)
|
|
if err != nil {
|
|
return fmt.Errorf("authenticate: 'COOKIE_SECRET' must be base64 encoded: %v", err)
|
|
}
|
|
if len(decodedCookieSecret) != 32 {
|
|
return fmt.Errorf("authenticate: 'COOKIE_SECRET' should be 32; got %d", len(decodedCookieSecret))
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Authenticate validates a user's identity
|
|
type Authenticate struct {
|
|
SharedKey string
|
|
RedirectURL *url.URL
|
|
|
|
templates *template.Template
|
|
csrfStore sessions.CSRFStore
|
|
sessionStore sessions.SessionStore
|
|
cipher cryptutil.Cipher
|
|
provider identity.Authenticator
|
|
}
|
|
|
|
// New validates and creates a new authenticate service from a set of Options
|
|
func New(opts *Options) (*Authenticate, error) {
|
|
if opts == nil {
|
|
return nil, errors.New("authenticate: options cannot be nil")
|
|
}
|
|
if err := opts.Validate(); err != nil {
|
|
return nil, err
|
|
}
|
|
decodedCookieSecret, _ := base64.StdEncoding.DecodeString(opts.CookieSecret)
|
|
cipher, err := cryptutil.NewCipher([]byte(decodedCookieSecret))
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
cookieStore, err := sessions.NewCookieStore(
|
|
&sessions.CookieStoreOptions{
|
|
Name: opts.CookieName,
|
|
CookieSecure: opts.CookieSecure,
|
|
CookieHTTPOnly: opts.CookieHTTPOnly,
|
|
CookieExpire: opts.CookieExpire,
|
|
CookieCipher: cipher,
|
|
})
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
redirectURL := opts.AuthenticateURL
|
|
redirectURL.Path = "/oauth2/callback"
|
|
provider, err := identity.New(
|
|
opts.Provider,
|
|
&identity.Provider{
|
|
RedirectURL: redirectURL,
|
|
ProviderName: opts.Provider,
|
|
ProviderURL: opts.ProviderURL,
|
|
ClientID: opts.ClientID,
|
|
ClientSecret: opts.ClientSecret,
|
|
Scopes: opts.Scopes,
|
|
ServiceAccount: opts.ServiceAccount,
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &Authenticate{
|
|
SharedKey: opts.SharedKey,
|
|
RedirectURL: redirectURL,
|
|
templates: templates.New(),
|
|
csrfStore: cookieStore,
|
|
sessionStore: cookieStore,
|
|
cipher: cipher,
|
|
provider: provider,
|
|
}, nil
|
|
}
|