3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-28 18:06:34 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/authenticate/authenticate.go
Caleb Doxsey 97f85481f8
fix redirect loop, remove user/session services, remove duplicate deleted_at fields (#1162) 
* fix redirect loop, remove user/session services, remove duplicate deleted_at fields

* change loop

* reuse err variable

* wrap errors, use cookie timeout

* wrap error, duplicate if
2020-07-30 09:41:57 -06:00

238 lines
7.7 KiB
Go
Raw Blame History

// Package authenticate is a pomerium service that handles user authentication
// and refersh (AuthN).
package authenticate
import (
"crypto/cipher"
"encoding/base64"
"errors"
"fmt"
"html/template"
"net/url"
"sync"
"gopkg.in/square/go-jose.v2"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/encoding"
"github.com/pomerium/pomerium/internal/encoding/ecjson"
"github.com/pomerium/pomerium/internal/encoding/jws"
"github.com/pomerium/pomerium/internal/frontend"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/identity"
"github.com/pomerium/pomerium/internal/identity/oauth"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/sessions"
"github.com/pomerium/pomerium/internal/sessions/cookie"
"github.com/pomerium/pomerium/internal/sessions/header"
"github.com/pomerium/pomerium/internal/sessions/queryparam"
"github.com/pomerium/pomerium/internal/urlutil"
"github.com/pomerium/pomerium/pkg/cryptutil"
"github.com/pomerium/pomerium/pkg/grpc"
"github.com/pomerium/pomerium/pkg/grpc/databroker"
)
// ValidateOptions checks that configuration are complete and valid.
// Returns on first error found.
func ValidateOptions(o *config.Options) error {
if _, err := cryptutil.NewAEADCipherFromBase64(o.SharedKey); err != nil {
return fmt.Errorf("authenticate: 'SHARED_SECRET' invalid: %w", err)
}
if _, err := cryptutil.NewAEADCipherFromBase64(o.CookieSecret); err != nil {
return fmt.Errorf("authenticate: 'COOKIE_SECRET' invalid %w", err)
}
if err := urlutil.ValidateURL(o.AuthenticateURL); err != nil {
return fmt.Errorf("authenticate: invalid 'AUTHENTICATE_SERVICE_URL': %w", err)
}
if o.Provider == "" {
return errors.New("authenticate: 'IDP_PROVIDER' is required")
}
if o.ClientID == "" {
return errors.New("authenticate: 'IDP_CLIENT_ID' is required")
}
if o.ClientSecret == "" {
return errors.New("authenticate: 'IDP_CLIENT_SECRET' is required")
}
if o.AuthenticateCallbackPath == "" {
return errors.New("authenticate: 'AUTHENTICATE_CALLBACK_PATH' is required")
}
return nil
}
// Authenticate contains data required to run the authenticate service.
type Authenticate struct {
// RedirectURL is the authenticate service's externally accessible
// url that the identity provider (IdP) will callback to following
// authentication flow
RedirectURL *url.URL
// values related to cross service communication
//
// sharedKey is used to encrypt and authenticate data between services
sharedKey string
// sharedCipher is used to encrypt data for use between services
sharedCipher cipher.AEAD
// sharedEncoder is the encoder to use to serialize data to be consumed
// by other services
sharedEncoder encoding.MarshalUnmarshaler
// values related to user sessions
//
// cookieSecret is the secret to encrypt and authenticate session data
cookieSecret []byte
// cookieCipher is the cipher to use to encrypt/decrypt session data
cookieCipher cipher.AEAD
// encryptedEncoder is the encoder used to marshal and unmarshal session data
encryptedEncoder encoding.MarshalUnmarshaler
// sessionStore is the session store used to persist a user's session
sessionStore sessions.SessionStore
cookieOptions *cookie.Options
// sessionLoaders are a collection of session loaders to attempt to pull
// a user's session state from
sessionLoaders []sessions.SessionLoader
// provider is the interface to interacting with the identity provider (IdP)
provider identity.Authenticator
providerName string
// dataBrokerClient is used to retrieve sessions
dataBrokerClient databroker.DataBrokerServiceClient
// guard administrator below.
administratorMu sync.Mutex
// administrators keeps track of administrator users.
administrator map[string]struct{}
jwk *jose.JSONWebKeySet
templates *template.Template
}
// New validates and creates a new authenticate service from a set of Options.
func New(opts *config.Options) (*Authenticate, error) {
if err := ValidateOptions(opts); err != nil {
return nil, err
}
// shared state encoder setup
sharedCipher, _ := cryptutil.NewAEADCipherFromBase64(opts.SharedKey)
sharedEncoder, err := jws.NewHS256Signer([]byte(opts.SharedKey), opts.GetAuthenticateURL().Host)
if err != nil {
return nil, err
}
// private state encoder setup, used to encrypt oauth2 tokens
decodedCookieSecret, _ := base64.StdEncoding.DecodeString(opts.CookieSecret)
cookieCipher, _ := cryptutil.NewAEADCipher(decodedCookieSecret)
encryptedEncoder := ecjson.New(cookieCipher)
cookieOptions := &cookie.Options{
Name: opts.CookieName,
Domain: opts.CookieDomain,
Secure: opts.CookieSecure,
HTTPOnly: opts.CookieHTTPOnly,
Expire: opts.CookieExpire,
}
cookieStore, err := cookie.NewStore(cookieOptions, sharedEncoder)
if err != nil {
return nil, err
}
dataBrokerConn, err := grpc.NewGRPCClientConn(
&grpc.Options{
Addr: opts.DataBrokerURL,
OverrideCertificateName: opts.OverrideCertificateName,
CA: opts.CA,
CAFile: opts.CAFile,
RequestTimeout: opts.GRPCClientTimeout,
ClientDNSRoundRobin: opts.GRPCClientDNSRoundRobin,
WithInsecure: opts.GRPCInsecure,
ServiceName: opts.Services,
})
if err != nil {
return nil, err
}
dataBrokerClient := databroker.NewDataBrokerServiceClient(dataBrokerConn)
qpStore := queryparam.NewStore(encryptedEncoder, urlutil.QueryProgrammaticToken)
headerStore := header.NewStore(encryptedEncoder, httputil.AuthorizationTypePomerium)
redirectURL, _ := urlutil.DeepCopy(opts.AuthenticateURL)
redirectURL.Path = opts.AuthenticateCallbackPath
// configure our identity provider
provider, err := identity.NewAuthenticator(
oauth.Options{
RedirectURL: redirectURL,
ProviderName: opts.Provider,
ProviderURL: opts.ProviderURL,
ClientID: opts.ClientID,
ClientSecret: opts.ClientSecret,
Scopes: opts.Scopes,
ServiceAccount: opts.ServiceAccount,
AuthCodeOptions: opts.RequestParams,
})
if err != nil {
return nil, err
}
a := &Authenticate{
RedirectURL: redirectURL,
// shared state
sharedKey: opts.SharedKey,
sharedCipher: sharedCipher,
sharedEncoder: sharedEncoder,
// private state
cookieSecret: decodedCookieSecret,
cookieCipher: cookieCipher,
cookieOptions: cookieOptions,
sessionStore: cookieStore,
encryptedEncoder: encryptedEncoder,
sessionLoaders: []sessions.SessionLoader{qpStore, headerStore, cookieStore},
// IdP
provider: provider,
providerName: opts.Provider,
// grpc client for cache
dataBrokerClient: dataBrokerClient,
jwk: &jose.JSONWebKeySet{},
templates: template.Must(frontend.NewTemplates()),
}
if opts.SigningKey != "" {
decodedCert, err := base64.StdEncoding.DecodeString(opts.SigningKey)
if err != nil {
return nil, fmt.Errorf("authenticate: failed to decode signing key: %w", err)
}
jwk, err := cryptutil.PublicJWKFromBytes(decodedCert, jose.ES256)
if err != nil {
return nil, fmt.Errorf("authenticate: failed to convert jwks: %w", err)
}
a.jwk.Keys = append(a.jwk.Keys, *jwk)
}
return a, nil
}
func (a *Authenticate) setAdminUsers(opts *config.Options) {
a.administratorMu.Lock()
defer a.administratorMu.Unlock()
a.administrator = make(map[string]struct{}, len(opts.Administrators))
for _, admin := range opts.Administrators {
a.administrator[admin] = struct{}{}
}
}
// OnConfigChange implements the OptionsUpdater interface and updates internal
// structures based on config.Options
func (a *Authenticate) OnConfigChange(cfg *config.Config) {
if a == nil {
return
}
log.Info().Str("checksum", fmt.Sprintf("%x", cfg.Options.Checksum())).Msg("authenticate: updating options")
a.setAdminUsers(cfg.Options)
}
Reference in a new issue View git blame Copy permalink