* databroker: add databroker, identity manager, update cache (#864) * databroker: add databroker, identity manager, update cache * fix cache tests * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * authorize: use databroker data for rego policy (#904) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix gitlab test * use v4 backoff * authenticate: databroker changes (#914) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add 
gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove groups and refresh test * databroker: remove dead code, rename cache url, move dashboard (#925) * wip * add directory provider * initialize before sync, upate google provider, remove dead code * fix flaky test * update authorize to use databroker data * implement signed jwt * wait for session and user to appear * fix test * directory service (#885) * directory: add google and okta * add onelogin * add directory provider * initialize before sync, upate google provider, remove dead code * add azure provider * fix azure provider * fix gitlab * add gitlab test, fix azure test * hook up okta * remove dead code * fix tests * fix flaky test * remove log line * only redirect when no session id exists * prepare rego query as part of create * return on ctx done * retry on disconnect for sync * move jwt signing * use != * use parent ctx for wait * remove session state, remove logs * rename function * add log message * pre-allocate slice * use errgroup * return nil on eof for sync * move check * disable timeout on gRPC requests in envoy * fix dashboard * delete session on logout * permanently delete sessions once they are marked as deleted * remove permanent delete * fix tests * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add 
databroker service url * remove cache service * remove kv * remove refresh docs * remove obsolete cache docs * add databroker url option * cache: use memberlist to detect multiple instances * add databroker service url * wip * remove groups and refresh test * fix redirect, signout * remove databroker client from proxy * remove unused method * remove user dashboard test * handle missing session ids * session: reject sessions with no id * sessions: invalidate old sessions via databroker server version (#930) * session: add a version field tied to the databroker server version that can be used to invalidate sessions * fix tests * add log * authenticate: create user record immediately, call "get" directly in authorize (#931)
from __future__ import absolute_import, division, print_function

import argparse
import http.server
import json
import os
import sys
import urllib.parse
import webbrowser
from urllib.parse import urlparse

import requests
done = False  # flipped to True by Callback.do_GET once a credential has been captured and stored
parser = argparse.ArgumentParser()
|
|
parser.add_argument("--login", action="store_true")
|
|
parser.add_argument(
|
|
"--dst", default="https://httpbin.example.com/headers",
|
|
)
|
|
parser.add_argument("--server", default="localhost", type=str)
|
|
parser.add_argument("--port", default=8000, type=int)
|
|
parser.add_argument(
|
|
"--cred", default="pomerium-cred.json",
|
|
)
|
|
args = parser.parse_args()
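class PomeriumSession:
    """Credential pair handed back by the Pomerium login callback.

    ``jwt`` is the value sent as ``Authorization: Pomerium <jwt>``;
    ``refresh_token`` is the refresh token that arrived with it. Both are
    secrets, and ``to_json`` serializes them verbatim into the credential
    file, so that file needs the same protection as the tokens themselves.
    """

    def __init__(self, jwt, refresh_token):
        self.jwt = jwt
        self.refresh_token = refresh_token

    def __repr__(self):
        # Never include the token values themselves; only show whether they are present.
        return "{}(jwt={}, refresh_token={})".format(
            type(self).__name__,
            "<set>" if self.jwt else "<empty>",
            "<set>" if self.refresh_token else "<empty>",
        )

    def to_json(self):
        """Return the session as an indented JSON object of all instance attributes."""
        return json.dumps(self.__dict__, indent=2)

    @classmethod
    def from_json_file(cls, fn):
        """Load a session previously written with :meth:`to_json`.

        Args:
            fn: path of the JSON credential file.

        Raises:
            OSError: the file cannot be opened.
            ValueError: the file does not contain valid JSON.
            TypeError: the JSON object lacks ``jwt``/``refresh_token`` or has extra keys.
        """
        # Explicit utf-8 so reading matches how Callback.do_GET writes the file.
        with open(fn, encoding="utf-8") as f:
            data = json.load(f)
        return cls(**data)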
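class Callback(http.server.BaseHTTPRequestHandler):
    """One-shot HTTP handler that receives the Pomerium login redirect.

    Pomerium redirects the browser back to ``pomerium_redirect_uri`` with the
    JWT and refresh token in the query string (``pomerium_jwt`` and
    ``pomerium_refresh_token``). Any path containing "pomerium" is treated as
    that redirect: the credential is written to ``args.cred``, echoed back as
    the response body, and the module-global ``done`` flag is set so the
    serve loop in main() exits. Every other path is answered with "OK".
    """

    def log_message(self, format, *args):
        # silence http server logs for now
        return

    def do_GET(self):
        global args
        global done
        status = 200
        response = b"OK"
        if "pomerium" in self.path:
            query = urllib.parse.urlparse(self.path).query
            query_params = urllib.parse.parse_qs(query)
            jwt = query_params.get("pomerium_jwt", [None])[0]
            refresh_token = query_params.get("pomerium_refresh_token", [None])[0]
            if jwt is None or refresh_token is None:
                # Nothing to store without both values. Reject instead of raising:
                # an exception here is swallowed by the server, ``done`` never flips,
                # and main() would wait for the callback forever.
                status = 400
                response = b"missing pomerium_jwt or pomerium_refresh_token"
            else:
                session = PomeriumSession(jwt, refresh_token)
                payload = session.to_json()
                done = True
                response = payload.encode()
                # The file holds a bearer token and a refresh token, so create it
                # owner-read/write only rather than with the umask default. An
                # existing file keeps whatever mode it already has.
                fd = os.open(args.cred, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
                with os.fdopen(fd, "w", encoding="utf-8") as f:
                    f.write(payload)
                print("=> pomerium json credential saved to:\n{}".format(args.cred))
        self.send_response(status)
        self.end_headers()
        self.wfile.write(response)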
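def main():
    """Make sure a credential exists (logging in via the browser if needed), then call ``--dst`` with it.

    Flow:
      1. Try to load ``args.cred``; if that fails, force the login path.
      2. Login: ask the Pomerium instance in front of ``args.dst`` for a login
         URL, open it in the browser, and serve the local callback until
         ``Callback`` has stored the credential.
      3. Re-read the credential and issue a GET to ``args.dst`` with it.
    """
    global args

    try:
        PomeriumSession.from_json_file(args.cred)
    except (OSError, ValueError, TypeError):
        # Missing/unreadable file, invalid JSON, or JSON without the expected keys.
        # A bare ``except`` would also swallow KeyboardInterrupt and SystemExit.
        print("=> no credential found, let's login")
        args.login = True

    # initial login to make sure we have our credential
    if args.login:
        dst = urllib.parse.urlparse(args.dst)
        # Preserve an explicit port from --dst; ``hostname`` alone would drop it.
        host = dst.hostname if dst.port is None else "{}:{}".format(dst.hostname, dst.port)
        query_params = {
            # Plain http: the callback is meant to be reached on the loopback
            # interface (--server defaults to localhost).
            "pomerium_redirect_uri": "http://{}:{}".format(args.server, args.port)
        }
        enc_query_params = urllib.parse.urlencode(query_params)
        dst_login = "{}://{}{}?{}".format(
            dst.scheme, host, "/.pomerium/api/v1/login", enc_query_params,
        )
        # timeout: never block forever on an unreachable server.
        response = requests.get(dst_login, timeout=30)
        # The response body is the login URL to open; on a non-2xx status it is
        # an error page instead, so stop here rather than open it in the browser.
        response.raise_for_status()
        print("=> Your browser has been opened to visit:\n{}".format(response.text))
        webbrowser.open(response.text)

        with http.server.HTTPServer((args.server, args.port), Callback) as httpd:
            # One request at a time until Callback.do_GET flips ``done``.
            while not done:
                httpd.handle_request()

    cred = PomeriumSession.from_json_file(args.cred)
    response = requests.get(
        args.dst,
        headers={
            "Authorization": "Pomerium {}".format(cred.jwt),
            "Content-type": "application/json",
            "Accept": "application/json",
        },
        timeout=30,
    )
    print(
        "==> request\n{}\n==> response.status_code\n{}\n==>response.text\n{}\n".format(
            args.dst, response.status_code, response.text
        )
    )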
if __name__ == "__main__":
    # Run the login/request flow; ``args`` was already parsed at import time.
    main()