3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-29 10:26:29 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/authorize/authorize.go
Caleb Doxsey dbd7f55b20
feature/databroker: user data and session refactor project (#926) 
* databroker: add databroker, identity manager, update cache (#864)

* databroker: add databroker, identity manager, update cache

* fix cache tests

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* authorize: use databroker data for rego policy (#904)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix gitlab test

* use v4 backoff

* authenticate: databroker changes (#914)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove groups and refresh test

* databroker: remove dead code, rename cache url, move dashboard (#925)

* wip

* add directory provider

* initialize before sync, upate google provider, remove dead code

* fix flaky test

* update authorize to use databroker data

* implement signed jwt

* wait for session and user to appear

* fix test

* directory service (#885)

* directory: add google and okta

* add onelogin

* add directory provider

* initialize before sync, upate google provider, remove dead code

* add azure provider

* fix azure provider

* fix gitlab

* add gitlab test, fix azure test

* hook up okta

* remove dead code

* fix tests

* fix flaky test

* remove log line

* only redirect when no session id exists

* prepare rego query as part of create

* return on ctx done

* retry on disconnect for sync

* move jwt signing

* use !=

* use parent ctx for wait

* remove session state, remove logs

* rename function

* add log message

* pre-allocate slice

* use errgroup

* return nil on eof for sync

* move check

* disable timeout on gRPC requests in envoy

* fix dashboard

* delete session on logout

* permanently delete sessions once they are marked as deleted

* remove permanent delete

* fix tests

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* remove cache service

* remove kv

* remove refresh docs

* remove obsolete cache docs

* add databroker url option

* cache: use memberlist to detect multiple instances

* add databroker service url

* wip

* remove groups and refresh test

* fix redirect, signout

* remove databroker client from proxy

* remove unused method

* remove user dashboard test

* handle missing session ids

* session: reject sessions with no id

* sessions: invalidate old sessions via databroker server version (#930)

* session: add a version field tied to the databroker server version that can be used to invalidate sessions

* fix tests

* add log

* authenticate: create user record immediately, call "get" directly in authorize (#931)
2020-06-19 07:52:44 -06:00

147 lines
4.3 KiB
Go
Raw Blame History

// Package authorize is a pomerium service that is responsible for determining
// if a given request should be authorized (AuthZ).
package authorize
//go:generate ../scripts/protoc -I ../internal/grpc/authorize/ --go_out=plugins=grpc:../internal/grpc/authorize/ ../internal/grpc/authorize/authorize.proto
import (
"context"
"fmt"
"html/template"
"sync"
"sync/atomic"
"github.com/pomerium/pomerium/authorize/evaluator"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/cryptutil"
"github.com/pomerium/pomerium/internal/encoding"
"github.com/pomerium/pomerium/internal/encoding/jws"
"github.com/pomerium/pomerium/internal/frontend"
"github.com/pomerium/pomerium/internal/grpc"
"github.com/pomerium/pomerium/internal/grpc/databroker"
"github.com/pomerium/pomerium/internal/log"
"github.com/pomerium/pomerium/internal/telemetry/metrics"
"github.com/pomerium/pomerium/internal/telemetry/trace"
"github.com/pomerium/pomerium/internal/urlutil"
)
type atomicOptions struct {
value atomic.Value
}
func (a *atomicOptions) Load() config.Options {
return a.value.Load().(config.Options)
}
func (a *atomicOptions) Store(options config.Options) {
a.value.Store(options)
}
type atomicMarshalUnmarshaler struct {
value atomic.Value
}
func (a *atomicMarshalUnmarshaler) Load() encoding.MarshalUnmarshaler {
return a.value.Load().(encoding.MarshalUnmarshaler)
}
func (a *atomicMarshalUnmarshaler) Store(encoder encoding.MarshalUnmarshaler) {
a.value.Store(encoder)
}
// Authorize struct holds
type Authorize struct {
pe *evaluator.Evaluator
currentOptions atomicOptions
currentEncoder atomicMarshalUnmarshaler
templates *template.Template
dataBrokerClient databroker.DataBrokerServiceClient
dataBrokerDataLock sync.RWMutex
dataBrokerData evaluator.DataBrokerData
dataBrokerSessionServerVersion string
}
// New validates and creates a new Authorize service from a set of config options.
func New(opts config.Options) (*Authorize, error) {
if err := validateOptions(opts); err != nil {
return nil, fmt.Errorf("authorize: bad options: %w", err)
}
dataBrokerConn, err := grpc.NewGRPCClientConn(
&grpc.Options{
Addr: opts.DataBrokerURL,
OverrideCertificateName: opts.OverrideCertificateName,
CA: opts.CA,
CAFile: opts.CAFile,
RequestTimeout: opts.GRPCClientTimeout,
ClientDNSRoundRobin: opts.GRPCClientDNSRoundRobin,
WithInsecure: opts.GRPCInsecure,
})
if err != nil {
return nil, fmt.Errorf("authorize: error creating cache connection: %w", err)
}
a := Authorize{
templates: template.Must(frontend.NewTemplates()),
dataBrokerClient: databroker.NewDataBrokerServiceClient(dataBrokerConn),
dataBrokerData: make(evaluator.DataBrokerData),
}
var host string
if opts.AuthenticateURL != nil {
host = opts.AuthenticateURL.Host
}
encoder, err := jws.NewHS256Signer([]byte(opts.SharedKey), host)
if err != nil {
return nil, err
}
a.currentEncoder.Store(encoder)
a.currentOptions.Store(config.Options{})
err = a.UpdateOptions(opts)
if err != nil {
return nil, err
}
return &a, nil
}
func validateOptions(o config.Options) error {
if _, err := cryptutil.NewAEADCipherFromBase64(o.SharedKey); err != nil {
return fmt.Errorf("bad shared_secret: %w", err)
}
if err := urlutil.ValidateURL(o.AuthenticateURL); err != nil {
return fmt.Errorf("invalid 'AUTHENTICATE_SERVICE_URL': %w", err)
}
return nil
}
// newPolicyEvaluator returns an policy evaluator.
func newPolicyEvaluator(opts *config.Options) (*evaluator.Evaluator, error) {
metrics.AddPolicyCountCallback("pomerium-authorize", func() int64 {
return int64(len(opts.Policies))
})
ctx := context.Background()
_, span := trace.StartSpan(ctx, "authorize.newPolicyEvaluator")
defer span.End()
return evaluator.New(opts)
}
// UpdateOptions implements the OptionsUpdater interface and updates internal
// structures based on config.Options
func (a *Authorize) UpdateOptions(opts config.Options) error {
if a == nil {
return nil
}
log.Info().Str("checksum", fmt.Sprintf("%x", opts.Checksum())).Msg("authorize: updating options")
a.currentOptions.Store(opts)
var err error
if a.pe, err = newPolicyEvaluator(&opts); err != nil {
return err
}
return nil
}
Reference in a new issue View git blame Copy permalink