pomerium/internal/urlutil/known.go

package urlutil

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"runtime"
	"strings"
	"time"

	"github.com/google/uuid"
	"google.golang.org/protobuf/encoding/protojson"

	"github.com/pomerium/pomerium/internal/version"
	"github.com/pomerium/pomerium/pkg/grpc/identity"
	"github.com/pomerium/pomerium/pkg/hpke"
)

// HPKEPublicKeyPath is the well-known path to the HPKE public key
const HPKEPublicKeyPath = "/.well-known/pomerium/hpke-public-key"

// DefaultDeviceType is the default device type when none is specified.
const DefaultDeviceType = "any"

const signInExpiry = time.Minute * 5

var (
	pomeriumRuntime = os.Getenv("POMERIUM_RUNTIME")
	pomeriumArch    = fmt.Sprintf("%s/%s", runtime.GOOS, runtime.GOARCH)
)

func versionStr() string {
	return strings.Join([]string{version.FullVersion(), pomeriumArch, pomeriumRuntime}, " ")
}

// CallbackURL builds the callback URL using an HPKE encrypted query string.
func CallbackURL(
	authenticatePrivateKey *hpke.PrivateKey,
	proxyPublicKey *hpke.PublicKey,
	requestParams url.Values,
	profile *identity.Profile,
	encryptURLValues hpke.EncryptURLValuesFunc,
) (string, error) {
	redirectURL, err := ParseAndValidateURL(requestParams.Get(QueryRedirectURI))
	if err != nil {
		return "", fmt.Errorf("invalid %s: %w", QueryRedirectURI, err)
	}

	var callbackURL *url.URL
	if requestParams.Has(QueryCallbackURI) {
		callbackURL, err = ParseAndValidateURL(requestParams.Get(QueryCallbackURI))
		if err != nil {
			return "", fmt.Errorf("invalid %s: %w", QueryCallbackURI, err)
		}
	} else {
		callbackURL, err = DeepCopy(redirectURL)
		if err != nil {
			return "", fmt.Errorf("error copying %s: %w", QueryRedirectURI, err)
		}
		callbackURL.Path = "/.pomerium/callback/"
		callbackURL.RawQuery = ""
	}

	callbackParams := callbackURL.Query()
	if requestParams.Has(QueryIsProgrammatic) {
		callbackParams.Set(QueryIsProgrammatic, "true")
	}
	callbackParams.Set(QueryRedirectURI, redirectURL.String())

	rawProfile, err := protojson.Marshal(profile)
	if err != nil {
		return "", fmt.Errorf("error marshaling identity profile: %w", err)
	}
	callbackParams.Set(QueryIdentityProfile, string(rawProfile))
	callbackParams.Set(QueryVersion, versionStr())

	BuildTimeParameters(callbackParams, signInExpiry)

	callbackParams, err = encryptURLValues(authenticatePrivateKey, proxyPublicKey, callbackParams)
	if err != nil {
		return "", fmt.Errorf("error encrypting callback params: %w", err)
	}
	callbackURL.RawQuery = callbackParams.Encode()

	return callbackURL.String(), nil
}

// RedirectURL returns the redirect URL from the query string or a cookie.
func RedirectURL(r *http.Request) (string, bool) {
	if v := r.FormValue(QueryRedirectURI); v != "" {
		return v, true
	}

	if c, err := r.Cookie(QueryRedirectURI); err == nil {
		return c.Value, true
	}

	return "", false
}

// SignInURL builds the sign in URL using an HPKE encrypted query string.
func SignInURL(
	senderPrivateKey *hpke.PrivateKey,
	authenticatePublicKey *hpke.PublicKey,
	authenticateURL *url.URL,
	redirectURL *url.URL,
	idpID string,
) (string, error) {
	signInURL := *authenticateURL
	signInURL.Path = "/.pomerium/sign_in"

	q := signInURL.Query()
	q.Set(QueryRedirectURI, redirectURL.String())
	q.Set(QueryIdentityProviderID, idpID)
	q.Set(QueryVersion, versionStr())
	q.Set(QueryRequestUUID, uuid.NewString())
	BuildTimeParameters(q, signInExpiry)
	q, err := hpke.EncryptURLValuesV2(senderPrivateKey, authenticatePublicKey, q)
	if err != nil {
		return "", err
	}
	signInURL.RawQuery = q.Encode()

	return signInURL.String(), nil
}

// SignOutURL returns the /.pomerium/sign_out URL.
func SignOutURL(r *http.Request, authenticateURL *url.URL, key []byte) string {
	u := authenticateURL.ResolveReference(&url.URL{
		Path: "/.pomerium/sign_out",
	})
	q := u.Query()
	if redirectURI, ok := RedirectURL(r); ok {
		q.Set(QueryRedirectURI, redirectURI)
	}
	q.Set(QueryVersion, versionStr())
	u.RawQuery = q.Encode()
	return NewSignedURL(key, u).Sign().String()
}

// Device paths
const (
	WebAuthnURLPath    = "/.pomerium/webauthn"
	DeviceEnrolledPath = "/.pomerium/device-enrolled"
)

// WebAuthnURL returns the /.pomerium/webauthn URL.
func WebAuthnURL(_ *http.Request, authenticateURL *url.URL, key []byte, values url.Values) string {
	u := authenticateURL.ResolveReference(&url.URL{
		Path: WebAuthnURLPath,
		RawQuery: buildURLValues(values, url.Values{
			QueryDeviceType:      {DefaultDeviceType},
			QueryEnrollmentToken: nil,
			QueryRedirectURI: {authenticateURL.ResolveReference(&url.URL{
				Path: DeviceEnrolledPath,
			}).String()},
		}).Encode(),
	})
	return NewSignedURL(key, u).Sign().String()
}

func buildURLValues(values, defaults url.Values) url.Values {
	result := make(url.Values)
	for k, vs := range defaults {
		if values.Has(k) {
			result[k] = values[k]
		} else if vs != nil {
			result[k] = vs
		}
	}
	return result
}