3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 18:36:30 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/config/policy.go
cfanbo 84dad4c612
remove deprecated ioutil usages (#2877) 
* fix: Fixed return description error

* config/options: Adjust the position of TracingJaegerAgentEndpoint option

* DOCS: Remove duplicate configuration items

Remove duplicate configuration items of route

* remove deprecated ioutil usages
2021-12-30 10:02:12 -08:00

650 lines
27 KiB
Go
Raw Blame History

package config
import (
"context"
"crypto/tls"
"encoding/base64"
"encoding/json"
"fmt"
"net/url"
"os"
"regexp"
"strings"
"time"
envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
"google.golang.org/protobuf/types/known/durationpb"
"github.com/pomerium/pomerium/internal/hashutil"
"github.com/pomerium/pomerium/internal/identity"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/urlutil"
"github.com/pomerium/pomerium/pkg/cryptutil"
configpb "github.com/pomerium/pomerium/pkg/grpc/config"
)
// Policy contains route specific configuration and access settings.
type Policy struct {
From string `mapstructure:"from" yaml:"from"`
To WeightedURLs `mapstructure:"to" yaml:"to"`
// LbWeights are optional load balancing weights applied to endpoints specified in To
// this field exists for compatibility with mapstructure
LbWeights []uint32 `mapstructure:"_to_weights,omitempty" json:"-" yaml:"-"`
// Redirect is used for a redirect action instead of `To`
Redirect *PolicyRedirect `mapstructure:"redirect" yaml:"redirect"`
// Identity related policy
AllowedUsers []string `mapstructure:"allowed_users" yaml:"allowed_users,omitempty" json:"allowed_users,omitempty"`
AllowedGroups []string `mapstructure:"allowed_groups" yaml:"allowed_groups,omitempty" json:"allowed_groups,omitempty"`
AllowedDomains []string `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty" json:"allowed_domains,omitempty"`
AllowedIDPClaims identity.FlattenedClaims `mapstructure:"allowed_idp_claims" yaml:"allowed_idp_claims,omitempty" json:"allowed_idp_claims,omitempty"`
Source *StringURL `yaml:",omitempty" json:"source,omitempty" hash:"ignore"`
// Additional route matching options
Prefix string `mapstructure:"prefix" yaml:"prefix,omitempty" json:"prefix,omitempty"`
Path string `mapstructure:"path" yaml:"path,omitempty" json:"path,omitempty"`
Regex string `mapstructure:"regex" yaml:"regex,omitempty" json:"regex,omitempty"`
// Path Rewrite Options
PrefixRewrite string `mapstructure:"prefix_rewrite" yaml:"prefix_rewrite,omitempty" json:"prefix_rewrite,omitempty"`
RegexRewritePattern string `mapstructure:"regex_rewrite_pattern" yaml:"regex_rewrite_pattern,omitempty" json:"regex_rewrite_pattern,omitempty"`
RegexRewriteSubstitution string `mapstructure:"regex_rewrite_substitution" yaml:"regex_rewrite_substitution,omitempty" json:"regex_rewrite_substitution,omitempty"` //nolint
// Host Rewrite Options
HostRewrite string `mapstructure:"host_rewrite" yaml:"host_rewrite,omitempty" json:"host_rewrite,omitempty"`
HostRewriteHeader string `mapstructure:"host_rewrite_header" yaml:"host_rewrite_header,omitempty" json:"host_rewrite_header,omitempty"`
HostPathRegexRewritePattern string `mapstructure:"host_path_regex_rewrite_pattern" yaml:"host_path_regex_rewrite_pattern,omitempty" json:"host_path_regex_rewrite_pattern,omitempty"` //nolint
HostPathRegexRewriteSubstitution string `mapstructure:"host_path_regex_rewrite_substitution" yaml:"host_path_regex_rewrite_substitution,omitempty" json:"host_path_regex_rewrite_substitution,omitempty"` //nolint
// Allow unauthenticated HTTP OPTIONS requests as per the CORS spec
// https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#Preflighted_requests
CORSAllowPreflight bool `mapstructure:"cors_allow_preflight" yaml:"cors_allow_preflight,omitempty"`
// Allow any public request to access this route. **Bypasses authentication**
AllowPublicUnauthenticatedAccess bool `mapstructure:"allow_public_unauthenticated_access" yaml:"allow_public_unauthenticated_access,omitempty"`
// Allow any authenticated user
AllowAnyAuthenticatedUser bool `mapstructure:"allow_any_authenticated_user" yaml:"allow_any_authenticated_user,omitempty"`
// UpstreamTimeout is the route specific timeout. Must be less than the global
// timeout. If unset, route will fallback to the proxy's DefaultUpstreamTimeout.
UpstreamTimeout *time.Duration `mapstructure:"timeout" yaml:"timeout,omitempty"`
// IdleTimeout is distinct from UpstreamTimeout and defines period of time there may be no data over this connection
// value of zero completely disables this setting
// see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/route/v3/route_components.proto#envoy-v3-api-field-config-route-v3-routeaction-idle-timeout
IdleTimeout *time.Duration `mapstructure:"idle_timeout" yaml:"idle_timeout,omitempty"`
// Enable proxying of websocket connections by removing the default timeout handler.
// Caution: Enabling this feature could result in abuse via DOS attacks.
AllowWebsockets bool `mapstructure:"allow_websockets" yaml:"allow_websockets,omitempty"`
// AllowSPDY enables proxying of SPDY upgrade requests
AllowSPDY bool `mapstructure:"allow_spdy" yaml:"allow_spdy,omitempty"`
// TLSSkipVerify controls whether a client verifies the server's certificate
// chain and host name.
// If TLSSkipVerify is true, TLS accepts any certificate presented by the
// server and any host name in that certificate.
// In this mode, TLS is susceptible to man-in-the-middle attacks.
// This should be used only for testing.
TLSSkipVerify bool `mapstructure:"tls_skip_verify" yaml:"tls_skip_verify,omitempty"`
// TLSServerName overrides the hostname in the `to` field. This is useful
// if your backend is an HTTPS server with a valid certificate, but you
// want to communicate to the backend with an internal hostname (e.g.
// Docker container name).
TLSServerName string `mapstructure:"tls_server_name" yaml:"tls_server_name,omitempty"`
// TLSCustomCA defines the root certificate to use with a given
// route when verifying server certificates.
TLSCustomCA string `mapstructure:"tls_custom_ca" yaml:"tls_custom_ca,omitempty"`
TLSCustomCAFile string `mapstructure:"tls_custom_ca_file" yaml:"tls_custom_ca_file,omitempty"`
// Contains the x.509 client certificate to present to the upstream host.
TLSClientCert string `mapstructure:"tls_client_cert" yaml:"tls_client_cert,omitempty"`
TLSClientKey string `mapstructure:"tls_client_key" yaml:"tls_client_key,omitempty"`
TLSClientCertFile string `mapstructure:"tls_client_cert_file" yaml:"tls_client_cert_file,omitempty"`
TLSClientKeyFile string `mapstructure:"tls_client_key_file" yaml:"tls_client_key_file,omitempty"`
ClientCertificate *tls.Certificate `yaml:",omitempty" hash:"ignore"`
// TLSDownstreamClientCA defines the root certificate to use with a given route to verify
// downstream client certificates (e.g. from a user's browser).
TLSDownstreamClientCA string `mapstructure:"tls_downstream_client_ca" yaml:"tls_downstream_client_ca,omitempty"`
TLSDownstreamClientCAFile string `mapstructure:"tls_downstream_client_ca_file" yaml:"tls_downstream_client_ca_file,omitempty"`
// SetRequestHeaders adds a collection of headers to the upstream request
// in the form of key value pairs. Note bene, this will overwrite the
// value of any existing value of a given header key.
SetRequestHeaders map[string]string `mapstructure:"set_request_headers" yaml:"set_request_headers,omitempty"`
// RemoveRequestHeaders removes a collection of headers from an upstream request.
// Note that this has lower priority than `SetRequestHeaders`, if you specify `X-Custom-Header` in both
// `SetRequestHeaders` and `RemoveRequestHeaders`, then the header won't be removed.
RemoveRequestHeaders []string `mapstructure:"remove_request_headers" yaml:"remove_request_headers,omitempty"`
// PreserveHostHeader disables host header rewriting.
//
// This option only takes affect if the destination is a DNS name. If the destination is an IP address,
// use SetRequestHeaders to explicitly set the "Host" header.
//
// https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_set_header
PreserveHostHeader bool `mapstructure:"preserve_host_header" yaml:"preserve_host_header,omitempty"`
// PassIdentityHeaders controls whether to add a user's identity headers to the upstream request.
// These includes:
//
// - X-Pomerium-Jwt-Assertion
// - X-Pomerium-Claim-*
//
PassIdentityHeaders bool `mapstructure:"pass_identity_headers" yaml:"pass_identity_headers,omitempty"`
// KubernetesServiceAccountToken is the kubernetes token to use for upstream requests.
KubernetesServiceAccountToken string `mapstructure:"kubernetes_service_account_token" yaml:"kubernetes_service_account_token,omitempty"`
// KubernetesServiceAccountTokenFile contains the kubernetes token to use for upstream requests.
KubernetesServiceAccountTokenFile string `mapstructure:"kubernetes_service_account_token_file" yaml:"kubernetes_service_account_token_file,omitempty"`
// EnableGoogleCloudServerlessAuthentication adds "Authorization: Bearer ID_TOKEN" headers
// to upstream requests.
EnableGoogleCloudServerlessAuthentication bool `mapstructure:"enable_google_cloud_serverless_authentication" yaml:"enable_google_cloud_serverless_authentication,omitempty"` //nolint
SubPolicies []SubPolicy `mapstructure:"sub_policies" yaml:"sub_policies,omitempty" json:"sub_policies,omitempty"`
EnvoyOpts *envoy_config_cluster_v3.Cluster `mapstructure:"_envoy_opts" yaml:"-" json:"-"`
// RewriteResponseHeaders rewrites response headers. This can be used to change the Location header.
RewriteResponseHeaders []RewriteHeader `mapstructure:"rewrite_response_headers" yaml:"rewrite_response_headers,omitempty" json:"rewrite_response_headers,omitempty"` //nolint
// SetResponseHeaders sets response headers.
SetResponseHeaders map[string]string `mapstructure:"set_response_headers" yaml:"set_response_headers,omitempty"`
Policy *PPLPolicy `mapstructure:"policy" yaml:"policy,omitempty" json:"policy,omitempty"`
}
// RewriteHeader is a policy configuration option to rewrite an HTTP header.
type RewriteHeader struct {
Header string `mapstructure:"header" yaml:"header" json:"header"`
Prefix string `mapstructure:"prefix" yaml:"prefix,omitempty" json:"prefix,omitempty"`
Value string `mapstructure:"value" yaml:"value,omitempty" json:"value,omitempty"`
}
// A SubPolicy is a protobuf Policy within a protobuf Route.
type SubPolicy struct {
ID string `mapstructure:"id" yaml:"id" json:"id"`
Name string `mapstructure:"name" yaml:"name" json:"name"`
AllowedUsers []string `mapstructure:"allowed_users" yaml:"allowed_users,omitempty" json:"allowed_users,omitempty"`
AllowedGroups []string `mapstructure:"allowed_groups" yaml:"allowed_groups,omitempty" json:"allowed_groups,omitempty"`
AllowedDomains []string `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty" json:"allowed_domains,omitempty"`
AllowedIDPClaims identity.FlattenedClaims `mapstructure:"allowed_idp_claims" yaml:"allowed_idp_claims,omitempty" json:"allowed_idp_claims,omitempty"`
Rego []string `mapstructure:"rego" yaml:"rego" json:"rego,omitempty"`
}
// PolicyRedirect is a route redirect action.
type PolicyRedirect struct {
HTTPSRedirect *bool `mapstructure:"https_redirect" yaml:"https_redirect,omitempty" json:"https_redirect,omitempty"`
SchemeRedirect *string `mapstructure:"scheme_redirect" yaml:"scheme_redirect,omitempty" json:"scheme_redirect,omitempty"`
HostRedirect *string `mapstructure:"host_redirect" yaml:"host_redirect,omitempty" json:"host_redirect,omitempty"`
PortRedirect *uint32 `mapstructure:"port_redirect" yaml:"port_redirect,omitempty" json:"port_redirect,omitempty"`
PathRedirect *string `mapstructure:"path_redirect" yaml:"path_redirect,omitempty" json:"path_redirect,omitempty"`
PrefixRewrite *string `mapstructure:"prefix_rewrite" yaml:"prefix_rewrite,omitempty" json:"prefix_rewrite,omitempty"`
ResponseCode *int32 `mapstructure:"response_code" yaml:"response_code,omitempty" json:"response_code,omitempty"`
StripQuery *bool `mapstructure:"strip_query" yaml:"strip_query,omitempty" json:"strip_query,omitempty"`
}
// NewPolicyFromProto creates a new Policy from a protobuf policy config route.
func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
var timeout *time.Duration
if pb.GetTimeout() != nil {
t := pb.GetTimeout().AsDuration()
timeout = &t
}
var idleTimeout *time.Duration
if pb.GetIdleTimeout() != nil {
t := pb.GetIdleTimeout().AsDuration()
idleTimeout = &t
}
p := &Policy{
From: pb.GetFrom(),
AllowedUsers: pb.GetAllowedUsers(),
AllowedGroups: pb.GetAllowedGroups(),
AllowedDomains: pb.GetAllowedDomains(),
AllowedIDPClaims: identity.NewFlattenedClaimsFromPB(pb.GetAllowedIdpClaims()),
Prefix: pb.GetPrefix(),
Path: pb.GetPath(),
Regex: pb.GetRegex(),
PrefixRewrite: pb.GetPrefixRewrite(),
RegexRewritePattern: pb.GetRegexRewritePattern(),
RegexRewriteSubstitution: pb.GetRegexRewriteSubstitution(),
CORSAllowPreflight: pb.GetCorsAllowPreflight(),
AllowPublicUnauthenticatedAccess: pb.GetAllowPublicUnauthenticatedAccess(),
AllowAnyAuthenticatedUser: pb.GetAllowAnyAuthenticatedUser(),
UpstreamTimeout: timeout,
IdleTimeout: idleTimeout,
AllowWebsockets: pb.GetAllowWebsockets(),
AllowSPDY: pb.GetAllowSpdy(),
TLSSkipVerify: pb.GetTlsSkipVerify(),
TLSServerName: pb.GetTlsServerName(),
TLSCustomCA: pb.GetTlsCustomCa(),
TLSCustomCAFile: pb.GetTlsCustomCaFile(),
TLSClientCert: pb.GetTlsClientCert(),
TLSClientKey: pb.GetTlsClientKey(),
TLSClientCertFile: pb.GetTlsClientCertFile(),
TLSClientKeyFile: pb.GetTlsClientKeyFile(),
TLSDownstreamClientCA: pb.GetTlsDownstreamClientCa(),
TLSDownstreamClientCAFile: pb.GetTlsDownstreamClientCaFile(),
SetRequestHeaders: pb.GetSetRequestHeaders(),
RemoveRequestHeaders: pb.GetRemoveRequestHeaders(),
PreserveHostHeader: pb.GetPreserveHostHeader(),
HostRewrite: pb.GetHostRewrite(),
HostRewriteHeader: pb.GetHostRewriteHeader(),
HostPathRegexRewritePattern: pb.GetHostPathRegexRewritePattern(),
HostPathRegexRewriteSubstitution: pb.GetHostPathRegexRewriteSubstitution(),
PassIdentityHeaders: pb.GetPassIdentityHeaders(),
KubernetesServiceAccountToken: pb.GetKubernetesServiceAccountToken(),
SetResponseHeaders: pb.GetSetResponseHeaders(),
EnableGoogleCloudServerlessAuthentication: pb.GetEnableGoogleCloudServerlessAuthentication(),
}
if pb.Redirect.IsSet() {
p.Redirect = &PolicyRedirect{
HTTPSRedirect: pb.Redirect.HttpsRedirect,
SchemeRedirect: pb.Redirect.SchemeRedirect,
HostRedirect: pb.Redirect.HostRedirect,
PortRedirect: pb.Redirect.PortRedirect,
PathRedirect: pb.Redirect.PathRedirect,
PrefixRewrite: pb.Redirect.PrefixRewrite,
ResponseCode: pb.Redirect.ResponseCode,
StripQuery: pb.Redirect.StripQuery,
}
} else {
to, err := ParseWeightedUrls(pb.GetTo()...)
if err != nil {
return nil, err
}
p.To = to
}
p.EnvoyOpts = pb.EnvoyOpts
if p.EnvoyOpts == nil {
p.EnvoyOpts = new(envoy_config_cluster_v3.Cluster)
}
if pb.Name != "" && p.EnvoyOpts.Name == "" {
p.EnvoyOpts.Name = pb.Name
}
for _, rwh := range pb.RewriteResponseHeaders {
p.RewriteResponseHeaders = append(p.RewriteResponseHeaders, RewriteHeader{
Header: rwh.GetHeader(),
Prefix: rwh.GetPrefix(),
Value: rwh.GetValue(),
})
}
for _, sp := range pb.GetPolicies() {
p.SubPolicies = append(p.SubPolicies, SubPolicy{
ID: sp.GetId(),
Name: sp.GetName(),
AllowedUsers: sp.GetAllowedUsers(),
AllowedGroups: sp.GetAllowedGroups(),
AllowedDomains: sp.GetAllowedDomains(),
AllowedIDPClaims: identity.NewFlattenedClaimsFromPB(sp.GetAllowedIdpClaims()),
Rego: sp.GetRego(),
})
}
return p, p.Validate()
}
// ToProto converts the policy to a protobuf type.
func (p *Policy) ToProto() (*configpb.Route, error) {
var timeout *durationpb.Duration
if p.UpstreamTimeout == nil {
timeout = durationpb.New(defaultOptions.DefaultUpstreamTimeout)
} else {
timeout = durationpb.New(*p.UpstreamTimeout)
}
var idleTimeout *durationpb.Duration
if p.IdleTimeout != nil {
idleTimeout = durationpb.New(*p.IdleTimeout)
}
sps := make([]*configpb.Policy, 0, len(p.SubPolicies))
for _, sp := range p.SubPolicies {
sps = append(sps, &configpb.Policy{
Id: sp.ID,
Name: sp.Name,
AllowedUsers: sp.AllowedUsers,
AllowedGroups: sp.AllowedGroups,
AllowedDomains: sp.AllowedDomains,
AllowedIdpClaims: sp.AllowedIDPClaims.ToPB(),
Rego: sp.Rego,
})
}
pb := &configpb.Route{
Name: fmt.Sprint(p.RouteID()),
From: p.From,
AllowedUsers: p.AllowedUsers,
AllowedGroups: p.AllowedGroups,
AllowedDomains: p.AllowedDomains,
AllowedIdpClaims: p.AllowedIDPClaims.ToPB(),
Prefix: p.Prefix,
Path: p.Path,
Regex: p.Regex,
PrefixRewrite: p.PrefixRewrite,
RegexRewritePattern: p.RegexRewritePattern,
RegexRewriteSubstitution: p.RegexRewriteSubstitution,
CorsAllowPreflight: p.CORSAllowPreflight,
AllowPublicUnauthenticatedAccess: p.AllowPublicUnauthenticatedAccess,
AllowAnyAuthenticatedUser: p.AllowAnyAuthenticatedUser,
Timeout: timeout,
IdleTimeout: idleTimeout,
AllowWebsockets: p.AllowWebsockets,
AllowSpdy: p.AllowSPDY,
TlsSkipVerify: p.TLSSkipVerify,
TlsServerName: p.TLSServerName,
TlsCustomCa: p.TLSCustomCA,
TlsCustomCaFile: p.TLSCustomCAFile,
TlsClientCert: p.TLSClientCert,
TlsClientKey: p.TLSClientKey,
TlsClientCertFile: p.TLSClientCertFile,
TlsClientKeyFile: p.TLSClientKeyFile,
TlsDownstreamClientCa: p.TLSDownstreamClientCA,
TlsDownstreamClientCaFile: p.TLSDownstreamClientCAFile,
SetRequestHeaders: p.SetRequestHeaders,
RemoveRequestHeaders: p.RemoveRequestHeaders,
PreserveHostHeader: p.PreserveHostHeader,
PassIdentityHeaders: p.PassIdentityHeaders,
KubernetesServiceAccountToken: p.KubernetesServiceAccountToken,
Policies: sps,
SetResponseHeaders: p.SetResponseHeaders,
}
if p.Redirect != nil {
pb.Redirect = &configpb.RouteRedirect{
HttpsRedirect: p.Redirect.HTTPSRedirect,
SchemeRedirect: p.Redirect.SchemeRedirect,
HostRedirect: p.Redirect.HostRedirect,
PortRedirect: p.Redirect.PortRedirect,
PathRedirect: p.Redirect.PathRedirect,
PrefixRewrite: p.Redirect.PrefixRewrite,
ResponseCode: p.Redirect.ResponseCode,
StripQuery: p.Redirect.StripQuery,
}
} else {
to, weights, err := p.To.Flatten()
if err != nil {
return nil, err
}
pb.To = to
pb.LoadBalancingWeights = weights
}
for _, rwh := range p.RewriteResponseHeaders {
pb.RewriteResponseHeaders = append(pb.RewriteResponseHeaders, &configpb.RouteRewriteHeader{
Header: rwh.Header,
Matcher: &configpb.RouteRewriteHeader_Prefix{
Prefix: rwh.Prefix,
},
Value: rwh.Value,
})
}
return pb, nil
}
// Validate checks the validity of a policy.
func (p *Policy) Validate() error {
var err error
source, err := urlutil.ParseAndValidateURL(p.From)
if err != nil {
return fmt.Errorf("config: policy bad source url %w", err)
}
// Make sure there's no path set on the from url
if (source.Scheme == "http" || source.Scheme == "https") && !(source.Path == "" || source.Path == "/") {
return fmt.Errorf("config: policy source url (%s) contains a path, but it should be set using the path field instead",
source.String())
}
if source.Scheme == "http" {
log.Warn(context.Background()).Msgf("config: policy source url (%s) uses HTTP but only HTTPS is supported",
source.String())
}
p.Source = &StringURL{source}
if len(p.To) == 0 && p.Redirect == nil {
return errEitherToOrRedirectRequired
}
for _, u := range p.To {
if err = u.Validate(); err != nil {
return fmt.Errorf("config: %s: %w", u.URL.String(), err)
}
}
// Only allow public access if no other whitelists are in place
if p.AllowPublicUnauthenticatedAccess && (p.AllowAnyAuthenticatedUser || p.AllowedDomains != nil || p.AllowedGroups != nil || p.AllowedUsers != nil) {
return fmt.Errorf("config: policy route marked as public but contains whitelists")
}
// Only allow any authenticated user if no other whitelists are in place
if p.AllowAnyAuthenticatedUser && (p.AllowedDomains != nil || p.AllowedGroups != nil || p.AllowedUsers != nil) {
return fmt.Errorf("config: policy route marked accessible for any authenticated user but contains whitelists")
}
if (p.TLSClientCert == "" && p.TLSClientKey != "") || (p.TLSClientCert != "" && p.TLSClientKey == "") ||
(p.TLSClientCertFile == "" && p.TLSClientKeyFile != "") || (p.TLSClientCertFile != "" && p.TLSClientKeyFile == "") {
return fmt.Errorf("config: client certificate key and cert both must be non-empty")
}
if p.TLSClientCert != "" && p.TLSClientKey != "" {
p.ClientCertificate, err = cryptutil.CertificateFromBase64(p.TLSClientCert, p.TLSClientKey)
if err != nil {
return fmt.Errorf("config: couldn't decode client cert %w", err)
}
} else if p.TLSClientCertFile != "" && p.TLSClientKeyFile != "" {
p.ClientCertificate, err = cryptutil.CertificateFromFile(p.TLSClientCertFile, p.TLSClientKeyFile)
if err != nil {
return fmt.Errorf("config: couldn't load client cert file %w", err)
}
}
if p.TLSCustomCA != "" {
_, err := base64.StdEncoding.DecodeString(p.TLSCustomCA)
if err != nil {
return fmt.Errorf("config: couldn't decode custom ca: %w", err)
}
} else if p.TLSCustomCAFile != "" {
_, err := os.Stat(p.TLSCustomCAFile)
if err != nil {
return fmt.Errorf("config: couldn't load client ca file: %w", err)
}
}
if p.TLSDownstreamClientCA != "" {
_, err := base64.StdEncoding.DecodeString(p.TLSDownstreamClientCA)
if err != nil {
return fmt.Errorf("config: couldn't decode downstream client ca: %w", err)
}
}
if p.TLSDownstreamClientCAFile != "" {
bs, err := os.ReadFile(p.TLSDownstreamClientCAFile)
if err != nil {
return fmt.Errorf("config: couldn't load downstream client ca: %w", err)
}
p.TLSDownstreamClientCA = base64.StdEncoding.EncodeToString(bs)
}
if p.KubernetesServiceAccountTokenFile != "" {
if p.KubernetesServiceAccountToken != "" {
return fmt.Errorf("config: specified both `kubernetes_service_account_token_file` and `kubernetes_service_account_token`")
}
token, err := os.ReadFile(p.KubernetesServiceAccountTokenFile)
if err != nil {
return fmt.Errorf("config: failed to load kubernetes service account token: %w", err)
}
p.KubernetesServiceAccountToken = string(token)
}
if p.PrefixRewrite != "" && p.RegexRewritePattern != "" {
return fmt.Errorf("config: only prefix_rewrite or regex_rewrite_pattern can be specified, but not both")
}
return nil
}
// Checksum returns the xxhash hash for the policy.
func (p *Policy) Checksum() uint64 {
return hashutil.MustHash(p)
}
// RouteID returns a unique identifier for a route
func (p *Policy) RouteID() (uint64, error) {
id := routeID{
Source: p.Source,
Prefix: p.Prefix,
Path: p.Path,
Regex: p.Regex,
}
if len(p.To) > 0 {
dst, _, err := p.To.Flatten()
if err != nil {
return 0, err
}
id.To = dst
} else if p.Redirect != nil {
id.Redirect = p.Redirect
} else {
return 0, errEitherToOrRedirectRequired
}
return hashutil.Hash(id)
}
func (p *Policy) String() string {
to := "?"
if len(p.To) > 0 {
var dsts []string
for _, dst := range p.To {
dsts = append(dsts, dst.URL.String())
}
to = strings.Join(dsts, ",")
}
return fmt.Sprintf("%s → %s", p.Source.String(), to)
}
// Matches returns true if the policy would match the given URL.
func (p *Policy) Matches(requestURL url.URL) bool {
// handle nils by always returning false
if p.Source == nil {
return false
}
if p.Source.Host != requestURL.Host {
return false
}
if p.Prefix != "" {
if !strings.HasPrefix(requestURL.Path, p.Prefix) {
return false
}
}
if p.Path != "" {
if requestURL.Path != p.Path {
return false
}
}
if p.Regex != "" {
re, err := regexp.Compile(p.Regex)
if err == nil && !re.MatchString(requestURL.String()) {
return false
}
}
return true
}
// IsForKubernetes returns true if the policy is for kubernetes.
func (p *Policy) IsForKubernetes() bool {
return p.KubernetesServiceAccountTokenFile != "" || p.KubernetesServiceAccountToken != ""
}
// AllAllowedDomains returns all the allowed domains.
func (p *Policy) AllAllowedDomains() []string {
var ads []string
ads = append(ads, p.AllowedDomains...)
for _, sp := range p.SubPolicies {
ads = append(ads, sp.AllowedDomains...)
}
return ads
}
// AllAllowedGroups returns all the allowed groups.
func (p *Policy) AllAllowedGroups() []string {
var ags []string
ags = append(ags, p.AllowedGroups...)
for _, sp := range p.SubPolicies {
ags = append(ags, sp.AllowedGroups...)
}
return ags
}
// AllAllowedIDPClaims returns all the allowed IDP claims.
func (p *Policy) AllAllowedIDPClaims() []identity.FlattenedClaims {
var aics []identity.FlattenedClaims
if len(p.AllowedIDPClaims) > 0 {
aics = append(aics, p.AllowedIDPClaims)
}
for _, sp := range p.SubPolicies {
if len(sp.AllowedIDPClaims) > 0 {
aics = append(aics, sp.AllowedIDPClaims)
}
}
return aics
}
// AllAllowedUsers returns all the allowed users.
func (p *Policy) AllAllowedUsers() []string {
var aus []string
aus = append(aus, p.AllowedUsers...)
for _, sp := range p.SubPolicies {
aus = append(aus, sp.AllowedUsers...)
}
return aus
}
// StringURL stores a URL as a string in json.
type StringURL struct {
*url.URL
}
func (su *StringURL) String() string {
if su == nil || su.URL == nil {
return "?"
}
return su.URL.String()
}
// MarshalJSON returns the URLs host as json.
func (su *StringURL) MarshalJSON() ([]byte, error) {
return json.Marshal(su.String())
}
type routeID struct {
Source *StringURL
To []string
Prefix string
Path string
Regex string
Redirect *PolicyRedirect
}
Reference in a new issue View git blame Copy permalink