mirror of
https://github.com/pomerium/pomerium.git
synced 2025-05-04 21:06:03 +02:00
c13459bb88
* authorize: authorization module adds support for per-route access policy. In this release we support the most common forms of identity based access policy: `allowed_users`, `allowed_groups`, and `allowed_domains`. In future versions, the authorization module will also support context and device based authorization policy and decisions. See website documentation for more details. * docs: updated `env.example` to include a `POLICY` setting example. * docs: added `IDP_SERVICE_ACCOUNT` to `env.example` . * docs: removed `PROXY_ROOT_DOMAIN` settings which has been replaced by `POLICY`. * all: removed `ALLOWED_DOMAINS` settings which has been replaced by `POLICY`. Authorization is now handled by the authorization service and is defined in the policy configuration files. * proxy: `ROUTES` settings which has been replaced by `POLICY`. * internal/log: `http.Server` and `httputil.NewSingleHostReverseProxy` now uses pomerium's logging package instead of the standard library's built in one. Closes #54 Closes #41 Closes #61 Closes #58
64 lines
1.9 KiB
Go
64 lines
1.9 KiB
Go
package clients // import "github.com/pomerium/pomerium/proxy/clients"
|
|
|
|
import (
|
|
"context"
|
|
"errors"
|
|
"time"
|
|
|
|
pb "github.com/pomerium/pomerium/proto/authorize"
|
|
"google.golang.org/grpc"
|
|
|
|
"github.com/pomerium/pomerium/internal/sessions"
|
|
)
|
|
|
|
// Authorizer provides the authorize service interface
|
|
type Authorizer interface {
|
|
// Authorize takes a code and returns a validated session or an error
|
|
Authorize(context.Context, string, *sessions.SessionState) (bool, error)
|
|
// Close closes the auth connection if any.
|
|
Close() error
|
|
}
|
|
|
|
// NewAuthorizeClient returns a new authorize service client.
|
|
func NewAuthorizeClient(name string, opts *Options) (a Authorizer, err error) {
|
|
// Only gRPC is supported and is always returned so name is ignored
|
|
return NewGRPCAuthorizeClient(opts)
|
|
}
|
|
|
|
// NewGRPCAuthorizeClient returns a new authorize service client.
|
|
func NewGRPCAuthorizeClient(opts *Options) (p *AuthorizeGRPC, err error) {
|
|
conn, err := NewGRPCClientConn(opts)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
client := pb.NewAuthorizerClient(conn)
|
|
return &AuthorizeGRPC{Conn: conn, client: client}, nil
|
|
}
|
|
|
|
// AuthorizeGRPC is a gRPC implementation of an authenticator (authenticate client)
|
|
type AuthorizeGRPC struct {
|
|
Conn *grpc.ClientConn
|
|
client pb.AuthorizerClient
|
|
}
|
|
|
|
// Authorize makes an RPC call to the authorize service to creates a session state
|
|
// from an encrypted code provided as a result of an oauth2 callback process.
|
|
func (a *AuthorizeGRPC) Authorize(ctx context.Context, route string, s *sessions.SessionState) (bool, error) {
|
|
if s == nil {
|
|
return false, errors.New("session cannot be nil")
|
|
}
|
|
ctx, cancel := context.WithTimeout(ctx, 5*time.Second)
|
|
defer cancel()
|
|
response, err := a.client.Authorize(ctx, &pb.AuthorizeRequest{
|
|
Route: route,
|
|
User: s.User,
|
|
Email: s.Email,
|
|
Groups: s.Groups,
|
|
})
|
|
return response.GetIsValid(), err
|
|
}
|
|
|
|
// Close tears down the ClientConn and all underlying connections.
|
|
func (a *AuthorizeGRPC) Close() error {
|
|
return a.Conn.Close()
|
|
}
|