mirror of
https://github.com/pomerium/pomerium.git
synced 2025-06-08 05:42:47 +02:00
dc12947241
- all: prefer `FormValues` to `ParseForm` with subsequent `Form.Get`s - all: refactor authentication stack to be checked by middleware, and accessible via request context. - all: replace http.ServeMux with gorilla/mux’s router - all: replace custom CSRF checks with gorilla/csrf middleware - authenticate: extract callback path as constant. - internal/config: implement stringer interface for policy - internal/cryptutil: add helper func `NewBase64Key` - internal/cryptutil: rename `GenerateKey` to `NewKey` - internal/cryptutil: rename `GenerateRandomString` to `NewRandomStringN` - internal/middleware: removed alice in favor of gorilla/mux - internal/sessions: remove unused `ValidateRedirectURI` and `ValidateClientSecret` - internal/sessions: replace custom CSRF with gorilla/csrf fork that supports custom handler protection - internal/urlutil: add `SignedRedirectURL` to create hmac'd URLs - internal/urlutil: add `ValidateURL` helper to parse URL options - internal/urlutil: add `GetAbsoluteURL` which takes a request and returns its absolute URL. - proxy: remove holdover state verification checks; we no longer are setting sessions in any proxy routes so we don’t need them. - proxy: replace un-named http.ServeMux with named domain routes. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
130 lines
3.8 KiB
Go
130 lines
3.8 KiB
Go
package sessions // import "github.com/pomerium/pomerium/internal/sessions"
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"net/http"
|
|
"strings"
|
|
)
|
|
|
|
// Context keys
|
|
var (
|
|
SessionCtxKey = &contextKey{"Session"}
|
|
ErrorCtxKey = &contextKey{"Error"}
|
|
)
|
|
|
|
// Library errors
|
|
var (
|
|
ErrExpired = errors.New("internal/sessions: session is expired")
|
|
ErrNoSessionFound = errors.New("internal/sessions: session is not found")
|
|
ErrMalformed = errors.New("internal/sessions: session is malformed")
|
|
)
|
|
|
|
// RetrieveSession http middleware handler will verify a auth session from a http request.
|
|
//
|
|
// RetrieveSession will search for a auth session in a http request, in the order:
|
|
// 1. `pomerium_session` URI query parameter
|
|
// 2. `Authorization: BEARER` request header
|
|
// 3. Cookie `_pomerium` value
|
|
func RetrieveSession(s SessionStore) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return retrieve(s, TokenFromQuery, TokenFromHeader, TokenFromCookie)(next)
|
|
}
|
|
}
|
|
|
|
func retrieve(s SessionStore, findTokenFns ...func(r *http.Request) string) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
hfn := func(w http.ResponseWriter, r *http.Request) {
|
|
ctx := r.Context()
|
|
token, err := retrieveFromRequest(s, r, findTokenFns...)
|
|
ctx = NewContext(ctx, token, err)
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
}
|
|
return http.HandlerFunc(hfn)
|
|
}
|
|
}
|
|
|
|
func retrieveFromRequest(s SessionStore, r *http.Request, findTokenFns ...func(r *http.Request) string) (*State, error) {
|
|
var tokenStr string
|
|
var err error
|
|
|
|
// Extract token string from the request by calling token find functions in
|
|
// the order they where provided. Further extraction stops if a function
|
|
// returns a non-empty string.
|
|
for _, fn := range findTokenFns {
|
|
tokenStr = fn(r)
|
|
if tokenStr != "" {
|
|
break
|
|
}
|
|
}
|
|
if tokenStr == "" {
|
|
return nil, ErrNoSessionFound
|
|
}
|
|
|
|
state, err := s.LoadSession(r)
|
|
if err != nil {
|
|
return nil, ErrMalformed
|
|
}
|
|
err = state.Valid()
|
|
if err != nil {
|
|
// a little unusual but we want to return the expired state too
|
|
return state, err
|
|
}
|
|
|
|
// Valid!
|
|
return state, nil
|
|
}
|
|
|
|
// NewContext sets context values for the user session state and error.
|
|
func NewContext(ctx context.Context, t *State, err error) context.Context {
|
|
ctx = context.WithValue(ctx, SessionCtxKey, t)
|
|
ctx = context.WithValue(ctx, ErrorCtxKey, err)
|
|
return ctx
|
|
}
|
|
|
|
// FromContext retrieves context values for the user session state and error.
|
|
func FromContext(ctx context.Context) (*State, error) {
|
|
state, _ := ctx.Value(SessionCtxKey).(*State)
|
|
err, _ := ctx.Value(ErrorCtxKey).(error)
|
|
return state, err
|
|
}
|
|
|
|
// TokenFromCookie tries to retrieve the token string from a cookie named
|
|
// "_pomerium".
|
|
func TokenFromCookie(r *http.Request) string {
|
|
cookie, err := r.Cookie("_pomerium")
|
|
if err != nil {
|
|
return ""
|
|
}
|
|
return cookie.Value
|
|
}
|
|
|
|
// TokenFromHeader tries to retrieve the token string from the
|
|
// "Authorization" request header: "Authorization: BEARER T".
|
|
func TokenFromHeader(r *http.Request) string {
|
|
// Get token from authorization header.
|
|
bearer := r.Header.Get("Authorization")
|
|
if len(bearer) > 7 && strings.EqualFold(bearer[0:6], "BEARER") {
|
|
return bearer[7:]
|
|
}
|
|
return ""
|
|
}
|
|
|
|
// TokenFromQuery tries to retrieve the token string from the "pomerium_session" URI
|
|
// query parameter.
|
|
// todo(bdd) : document setting session code as queryparam
|
|
func TokenFromQuery(r *http.Request) string {
|
|
// Get token from query param named "pomerium_session".
|
|
return r.URL.Query().Get("pomerium_session")
|
|
}
|
|
|
|
// contextKey is a value for use with context.WithValue. It's used as
|
|
// a pointer so it fits in an interface{} without allocation. This technique
|
|
// for defining context keys was copied from Go 1.7's new use of context in net/http.
|
|
type contextKey struct {
|
|
name string
|
|
}
|
|
|
|
func (k *contextKey) String() string {
|
|
return "SessionStore context value " + k.name
|
|
}
|