* databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add 
gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add 
databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)
package authorize
import (
"encoding/json"
"errors"
"fmt"
"net/http"
"net/http/httptest"
"strings"
"github.com/pomerium/pomerium/config"
"github.com/pomerium/pomerium/internal/encoding"
"github.com/pomerium/pomerium/internal/httputil"
"github.com/pomerium/pomerium/internal/sessions"
"github.com/pomerium/pomerium/internal/sessions/cookie"
"github.com/pomerium/pomerium/internal/sessions/header"
"github.com/pomerium/pomerium/internal/sessions/queryparam"
"github.com/pomerium/pomerium/internal/urlutil"
)
// loadRawSession returns the first session found on req. It consults the
// cookie store, then the Pomerium Authorization header, then the session
// query parameter, in that order, and returns the session exactly as the
// winning loader handed it back (no decoding happens here).
//
// A loader failure other than sessions.ErrNoSessionFound is returned
// unchanged and stops the search. When every loader reports no session,
// sessions.ErrNoSessionFound is returned.
func loadRawSession(req *http.Request, options config.Options, encoder encoding.MarshalUnmarshaler) ([]byte, error) {
	cookieStore, err := getCookieStore(options, encoder)
	if err != nil {
		return nil, err
	}

	// Order matters: the first loader that yields a session wins.
	loaders := []sessions.SessionLoader{
		cookieStore,
		header.NewStore(encoder, httputil.AuthorizationTypePomerium),
		queryparam.NewStore(encoder, urlutil.QuerySession),
	}

	for _, loader := range loaders {
		sess, loadErr := loader.LoadSession(req)
		switch {
		case loadErr == nil:
			return []byte(sess), nil
		case errors.Is(loadErr, sessions.ErrNoSessionFound):
			// Not a failure, just nothing here: try the next loader.
			continue
		default:
			return nil, loadErr
		}
	}

	return nil, sessions.ErrNoSessionFound
}
// loadSession decodes rawJWT into a sessions.State using encoder.
//
// On success the decoded state is returned. If the encoder rejects rawJWT
// its error is returned as-is together with a nil state.
func loadSession(encoder encoding.MarshalUnmarshaler, rawJWT []byte) (*sessions.State, error) {
	state := new(sessions.State)
	if err := encoder.Unmarshal(rawJWT, state); err != nil {
		return nil, err
	}
	return state, nil
}
// getCookieStore builds the session cookie store from the cookie settings in
// options, using encoder to (un)marshal the session payload.
//
// Only the cookie-related fields of options are consulted: CookieName,
// CookieDomain, CookieSecure, CookieHTTPOnly and CookieExpire. Any error from
// cookie.NewStore is returned unchanged.
func getCookieStore(options config.Options, encoder encoding.MarshalUnmarshaler) (sessions.SessionStore, error) {
	store, err := cookie.NewStore(&cookie.Options{
		Name:     options.CookieName,
		Domain:   options.CookieDomain,
		Secure:   options.CookieSecure,
		HTTPOnly: options.CookieHTTPOnly,
		Expire:   options.CookieExpire,
	}, encoder)
	if err != nil {
		return nil, err
	}
	return store, nil
}
// getJWTSetCookieHeaders runs rawjwt through cookieStore and returns the
// response headers the store produced (normally Set-Cookie) as a flat map.
//
// The store writes into a throwaway httptest recorder; the request argument
// is nil because the cookie store does not use it. For a header that appears
// more than once only the last value is kept, so should the store emit
// several Set-Cookie headers only the final one survives in the result. An
// error from SaveSession is wrapped and returned.
func getJWTSetCookieHeaders(cookieStore sessions.SessionStore, rawjwt []byte) (map[string]string, error) {
	rec := httptest.NewRecorder()
	// The request is unused by the cookie store, hence nil.
	if err := cookieStore.SaveSession(rec, nil, string(rawjwt)); err != nil {
		return nil, fmt.Errorf("authorize: error saving cookie: %w", err)
	}

	res := rec.Result()
	res.Body.Close()

	hdrs := make(map[string]string, len(res.Header))
	for name, values := range res.Header {
		if len(values) == 0 {
			continue
		}
		// Last value wins, as a single-valued map cannot hold more.
		hdrs[name] = values[len(values)-1]
	}
	return hdrs, nil
}
// getJWTClaimHeaders maps the JWT claims listed in options.JWTClaimsHeaders to
// "x-pomerium-claim-<name>" headers.
//
// rawjwt is decoded with encoder; an empty rawjwt yields an empty map rather
// than an error, while a decode failure is returned as-is. Claims absent from
// the token are skipped. Multi-valued claims are joined with ",". Values are
// copied verbatim from the token; nothing here sanitizes them for use as
// header values, so that is left to whatever consumes the map.
func getJWTClaimHeaders(options config.Options, encoder encoding.MarshalUnmarshaler, rawjwt []byte) (map[string]string, error) {
	hdrs := make(map[string]string)
	if len(rawjwt) == 0 {
		return hdrs, nil
	}

	var claims map[string]jwtClaim
	if err := encoder.Unmarshal(rawjwt, &claims); err != nil {
		return nil, err
	}

	for _, name := range options.JWTClaimsHeaders {
		values, found := claims[name]
		if !found {
			continue
		}
		hdrs["x-pomerium-claim-"+name] = strings.Join(values, ",")
	}
	return hdrs, nil
}
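// jwtClaim is a JWT claim value normalized to a list of strings, so that a
// claim may be written either as a single JSON value or as an array.
type jwtClaim []string

// UnmarshalJSON decodes a claim that is either a JSON array or a single JSON
// value. Array elements are stringified one by one; a scalar or object becomes
// a one-element list. A JSON null, whether as the whole claim or as an array
// element, contributes no value at all — previously it was rendered as the
// literal string "<nil>" and could end up in a claim header.
//
// Values are appended to whatever claim already holds, so decode into a fresh
// value. Non-string values are rendered with fmt.Sprint.
func (claim *jwtClaim) UnmarshalJSON(bs []byte) error {
	var raw interface{}
	if err := json.Unmarshal(bs, &raw); err != nil {
		return err
	}

	switch obj := raw.(type) {
	case nil:
		// JSON null: no values.
	case []interface{}:
		for _, el := range obj {
			if el == nil {
				// Skip null elements for the same reason as a null claim.
				continue
			}
			*claim = append(*claim, fmt.Sprint(el))
		}
	default:
		*claim = append(*claim, fmt.Sprint(obj))
	}
	return nil
}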