3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-01 19:36:32 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/proxy/middleware.go
Bobby DeSimone badd8d69af
internal/sessions: refactor how sessions loading (#351) 
These chagnes standardize how session loading is done for session
cookie, auth bearer token, and query params.

- Bearer token previously combined with session cookie.
- rearranged cookie-store to put exported methods above unexported
- added header store that implements session loader interface
- added query param store that implements session loader interface

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2019-10-06 10:47:53 -07:00

131 lines
5.2 KiB
Go
Raw Blame History

package proxy // import "github.com/pomerium/pomerium/proxy"
import (
"fmt"
"net/http"
"strings"
"github.com/pomerium/pomerium/internal/cryptutil"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/sessions"
"github.com/pomerium/pomerium/internal/telemetry/trace"
"github.com/pomerium/pomerium/internal/urlutil"
)
const (
// HeaderJWT is the header key containing JWT signed user details.
HeaderJWT = "x-pomerium-jwt-assertion"
// HeaderUserID is the header key containing the user's id.
HeaderUserID = "x-pomerium-authenticated-user-id"
// HeaderEmail is the header key containing the user's email.
HeaderEmail = "x-pomerium-authenticated-user-email"
// HeaderGroups is the header key containing the user's groups.
HeaderGroups = "x-pomerium-authenticated-user-groups"
// HeaderNoAuthRedirect is the header / query param key used to disable
// redirecting unauthenticated request by default but instead return a 401.
HeaderNoAuthRedirect = "x-pomerium-no-auth-redirect"
)
// AuthenticateSession is middleware to enforce a valid authentication
// session state is retrieved from the users's request context.
func (p *Proxy) AuthenticateSession(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx, span := trace.StartSpan(r.Context(), "middleware.AuthenticateSession")
defer span.End()
s, err := sessions.FromContext(r.Context())
if err != nil || s == nil {
log.Debug().Msg("proxy: re-authenticating due to session state error")
p.reqNeedsAuthentication(w, r)
return
}
if err := s.Valid(); err != nil {
log.Debug().Str("cause", err.Error()).Msg("proxy: re-authenticating due to invalid session")
p.reqNeedsAuthentication(w, r)
return
}
// add pomerium's headers to the downstream request
r.Header.Set(HeaderUserID, s.User)
r.Header.Set(HeaderEmail, s.RequestEmail())
r.Header.Set(HeaderGroups, s.RequestGroups())
next.ServeHTTP(w, r.WithContext(ctx))
})
}
// AuthorizeSession is middleware to enforce a user is authorized for a request
// session state is retrieved from the users's request context.
func (p *Proxy) AuthorizeSession(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx, span := trace.StartSpan(r.Context(), "middleware.AuthorizeSession")
defer span.End()
s, err := sessions.FromContext(r.Context())
if err != nil || s == nil {
httputil.ErrorResponse(w, r.WithContext(ctx), httputil.Error("", http.StatusForbidden, err))
return
}
authorized, err := p.AuthorizeClient.Authorize(r.Context(), r.Host, s)
if err != nil {
httputil.ErrorResponse(w, r.WithContext(ctx), err)
return
} else if !authorized {
errMsg := fmt.Sprintf("%s is not authorized for this route", s.RequestEmail())
httputil.ErrorResponse(w, r.WithContext(ctx), httputil.Error(errMsg, http.StatusForbidden, nil))
return
}
next.ServeHTTP(w, r.WithContext(ctx))
})
}
// SignRequest is middleware that signs a JWT that contains a user's id,
// email, and group. Session state is retrieved from the users's request context
func (p *Proxy) SignRequest(signer cryptutil.JWTSigner) func(next http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx, span := trace.StartSpan(r.Context(), "middleware.SignRequest")
defer span.End()
s, err := sessions.FromContext(r.Context())
if err != nil {
httputil.ErrorResponse(w, r.WithContext(ctx), httputil.Error("", http.StatusForbidden, err))
return
}
jwt, err := signer.SignJWT(s.User, s.Email, strings.Join(s.Groups, ","))
if err != nil {
log.Warn().Err(err).Msg("proxy: failed signing jwt")
} else {
r.Header.Set(HeaderJWT, jwt)
w.Header().Set(HeaderJWT, jwt)
}
next.ServeHTTP(w, r.WithContext(ctx))
})
}
}
// reqNeedsAuthentication begins the authenticate flow, encrypting the
// redirect url in a request to the provider's sign in endpoint.
func (p *Proxy) reqNeedsAuthentication(w http.ResponseWriter, r *http.Request) {
// some proxies like nginx won't follow redirects, and treat any
// non 2xx or 4xx status as an internal service error.
// https://nginx.org/en/docs/http/ngx_http_auth_request_module.html
redirectHeader := r.Header.Get(HeaderNoAuthRedirect)
if _, ok := r.URL.Query()[HeaderNoAuthRedirect]; ok || redirectHeader == "true" {
http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
}
r.Header.Get(HeaderNoAuthRedirect)
uri := urlutil.SignedRedirectURL(p.SharedKey, p.authenticateSigninURL, urlutil.GetAbsoluteURL(r))
http.Redirect(w, r, uri.String(), http.StatusFound)
}
// SetResponseHeaders sets a map of response headers.
func SetResponseHeaders(headers map[string]string) func(next http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
ctx, span := trace.StartSpan(r.Context(), "middleware.SetResponseHeaders")
defer span.End()
for key, val := range headers {
r.Header.Set(key, val)
}
next.ServeHTTP(w, r.WithContext(ctx))
})
}
}
Reference in a new issue View git blame Copy permalink