mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-30 10:56:28 +02:00
7c755d833f
- cryptutil: add hmac & tests - cryptutil: rename cipher / encoders to be more clear - cryptutil: simplify SecureEncoder interface - cryptutil: renamed NewCipherFromBase64 to NewAEADCipherFromBase64 - cryptutil: move key & random generators to helpers Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
187 lines
6.3 KiB
Go
187 lines
6.3 KiB
Go
package middleware // import "github.com/pomerium/pomerium/internal/middleware"
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"fmt"
|
|
"net/http"
|
|
"net/url"
|
|
"strings"
|
|
|
|
"github.com/pomerium/pomerium/internal/cryptutil"
|
|
"github.com/pomerium/pomerium/internal/httputil"
|
|
"github.com/pomerium/pomerium/internal/telemetry/trace"
|
|
"github.com/pomerium/pomerium/internal/urlutil"
|
|
|
|
"golang.org/x/net/publicsuffix"
|
|
)
|
|
|
|
// SetHeaders ensures that every response includes some basic security headers
|
|
func SetHeaders(securityHeaders map[string]string) func(next http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
ctx, span := trace.StartSpan(r.Context(), "middleware.SetHeaders")
|
|
defer span.End()
|
|
for key, val := range securityHeaders {
|
|
w.Header().Set(key, val)
|
|
}
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
}
|
|
|
|
// ValidateClientSecret checks the request header for the client secret and returns
|
|
// an error if it does not match the proxy client secret
|
|
func ValidateClientSecret(sharedSecret string) func(next http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
ctx, span := trace.StartSpan(r.Context(), "middleware.ValidateClientSecret")
|
|
defer span.End()
|
|
|
|
if err := r.ParseForm(); err != nil {
|
|
httputil.ErrorResponse(w, r, httputil.Error("couldn't parse form", http.StatusBadRequest, err))
|
|
return
|
|
}
|
|
clientSecret := r.Form.Get("shared_secret")
|
|
// check the request header for the client secret
|
|
if clientSecret == "" {
|
|
clientSecret = r.Header.Get("X-Client-Secret")
|
|
}
|
|
|
|
if clientSecret != sharedSecret {
|
|
httputil.ErrorResponse(w, r, httputil.Error("client secret mismatch", http.StatusBadRequest, nil))
|
|
return
|
|
}
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
}
|
|
|
|
// ValidateRedirectURI checks the redirect uri in the query parameters and ensures that
|
|
// the its domain is in the list of proxy root domains.
|
|
func ValidateRedirectURI(rootDomain *url.URL) func(next http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
ctx, span := trace.StartSpan(r.Context(), "middleware.ValidateRedirectURI")
|
|
defer span.End()
|
|
err := r.ParseForm()
|
|
if err != nil {
|
|
httputil.ErrorResponse(w, r, httputil.Error("couldn't parse form", http.StatusBadRequest, err))
|
|
return
|
|
}
|
|
redirectURI, err := urlutil.ParseAndValidateURL(r.Form.Get("redirect_uri"))
|
|
if err != nil {
|
|
httputil.ErrorResponse(w, r, httputil.Error("bad redirect_uri", http.StatusBadRequest, err))
|
|
return
|
|
}
|
|
if !SameDomain(redirectURI, rootDomain) {
|
|
httputil.ErrorResponse(w, r, httputil.Error("redirect uri and root domain differ", http.StatusBadRequest, nil))
|
|
return
|
|
}
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
}
|
|
|
|
// SameDomain checks to see if two URLs share the top level domain (TLD Plus One).
|
|
func SameDomain(u, j *url.URL) bool {
|
|
a, err := publicsuffix.EffectiveTLDPlusOne(u.Hostname())
|
|
if err != nil {
|
|
return false
|
|
}
|
|
b, err := publicsuffix.EffectiveTLDPlusOne(j.Hostname())
|
|
if err != nil {
|
|
return false
|
|
}
|
|
return a == b
|
|
}
|
|
|
|
// ValidateSignature ensures the request is valid and has been signed with
|
|
// the correspdoning client secret key
|
|
func ValidateSignature(sharedSecret string) func(next http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
ctx, span := trace.StartSpan(r.Context(), "middleware.ValidateSignature")
|
|
defer span.End()
|
|
|
|
err := r.ParseForm()
|
|
if err != nil {
|
|
httputil.ErrorResponse(w, r, httputil.Error("couldn't parse form", http.StatusBadRequest, err))
|
|
return
|
|
}
|
|
redirectURI := r.Form.Get("redirect_uri")
|
|
sigVal := r.Form.Get("sig")
|
|
timestamp := r.Form.Get("ts")
|
|
if !ValidSignature(redirectURI, sigVal, timestamp, sharedSecret) {
|
|
httputil.ErrorResponse(w, r, httputil.Error("invalid signature", http.StatusBadRequest, nil))
|
|
return
|
|
}
|
|
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
}
|
|
|
|
// ValidateHost ensures that each request's host is valid
|
|
func ValidateHost(validHost func(host string) bool) func(next http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
ctx, span := trace.StartSpan(r.Context(), "middleware.ValidateHost")
|
|
defer span.End()
|
|
|
|
if !validHost(r.Host) {
|
|
httputil.ErrorResponse(w, r, httputil.Error("", http.StatusNotFound, nil))
|
|
return
|
|
}
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
})
|
|
}
|
|
}
|
|
|
|
// Healthcheck endpoint middleware useful to setting up a path like
|
|
// `/ping` that load balancers or uptime testing external services
|
|
// can make a request before hitting any routes. It's also convenient
|
|
// to place this above ACL middlewares as well.
|
|
func Healthcheck(endpoint, msg string) func(http.Handler) http.Handler {
|
|
f := func(next http.Handler) http.Handler {
|
|
fn := func(w http.ResponseWriter, r *http.Request) {
|
|
ctx, span := trace.StartSpan(r.Context(), "middleware.Healthcheck")
|
|
defer span.End()
|
|
if strings.EqualFold(r.URL.Path, endpoint) {
|
|
// https://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
|
|
if r.Method != http.MethodGet && r.Method != http.MethodHead {
|
|
http.Error(w, http.StatusText(http.StatusMethodNotAllowed), http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
w.Header().Set("Content-Type", "text/plain")
|
|
w.WriteHeader(http.StatusOK)
|
|
if r.Method == http.MethodGet {
|
|
w.Write([]byte(msg))
|
|
}
|
|
return
|
|
}
|
|
next.ServeHTTP(w, r.WithContext(ctx))
|
|
}
|
|
return http.HandlerFunc(fn)
|
|
}
|
|
return f
|
|
}
|
|
|
|
// ValidSignature checks to see if a signature is valid. Compares hmac of
|
|
// redirect uri, timestamp, and secret and signature.
|
|
func ValidSignature(redirectURI, sigVal, timestamp, secret string) bool {
|
|
if redirectURI == "" || sigVal == "" || timestamp == "" || secret == "" {
|
|
return false
|
|
}
|
|
_, err := urlutil.ParseAndValidateURL(redirectURI)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
requestSig, err := base64.URLEncoding.DecodeString(sigVal)
|
|
if err != nil {
|
|
return false
|
|
}
|
|
if err := cryptutil.ValidTimestamp(timestamp); err != nil {
|
|
return false
|
|
}
|
|
return cryptutil.CheckHMAC([]byte(fmt.Sprint(redirectURI, timestamp)), requestSig, secret)
|
|
}
|