mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-29 10:26:29 +02:00
dc12947241
- all: prefer `FormValues` to `ParseForm` with subsequent `Form.Get`s - all: refactor authentication stack to be checked by middleware, and accessible via request context. - all: replace http.ServeMux with gorilla/mux’s router - all: replace custom CSRF checks with gorilla/csrf middleware - authenticate: extract callback path as constant. - internal/config: implement stringer interface for policy - internal/cryptutil: add helper func `NewBase64Key` - internal/cryptutil: rename `GenerateKey` to `NewKey` - internal/cryptutil: rename `GenerateRandomString` to `NewRandomStringN` - internal/middleware: removed alice in favor of gorilla/mux - internal/sessions: remove unused `ValidateRedirectURI` and `ValidateClientSecret` - internal/sessions: replace custom CSRF with gorilla/csrf fork that supports custom handler protection - internal/urlutil: add `SignedRedirectURL` to create hmac'd URLs - internal/urlutil: add `ValidateURL` helper to parse URL options - internal/urlutil: add `GetAbsoluteURL` which takes a request and returns its absolute URL. - proxy: remove holdover state verification checks; we no longer are setting sessions in any proxy routes so we don’t need them. - proxy: replace un-named http.ServeMux with named domain routes. Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
108 lines
3.1 KiB
Go
108 lines
3.1 KiB
Go
package authenticate // import "github.com/pomerium/pomerium/authenticate"
|
|
|
|
import (
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
"html/template"
|
|
"net/url"
|
|
|
|
"github.com/pomerium/pomerium/internal/config"
|
|
"github.com/pomerium/pomerium/internal/cryptutil"
|
|
"github.com/pomerium/pomerium/internal/identity"
|
|
"github.com/pomerium/pomerium/internal/sessions"
|
|
"github.com/pomerium/pomerium/internal/templates"
|
|
"github.com/pomerium/pomerium/internal/urlutil"
|
|
)
|
|
|
|
const callbackPath = "/oauth2/callback"
|
|
|
|
// ValidateOptions checks that configuration are complete and valid.
|
|
// Returns on first error found.
|
|
func ValidateOptions(o config.Options) error {
|
|
if _, err := cryptutil.NewCipherFromBase64(o.SharedKey); err != nil {
|
|
return fmt.Errorf("authenticate: 'SHARED_SECRET' invalid: %v", err)
|
|
}
|
|
if _, err := cryptutil.NewCipherFromBase64(o.CookieSecret); err != nil {
|
|
return fmt.Errorf("authenticate: 'COOKIE_SECRET' invalid %v", err)
|
|
}
|
|
if err := urlutil.ValidateURL(o.AuthenticateURL); err != nil {
|
|
return fmt.Errorf("authenticate: invalid 'AUTHENTICATE_SERVICE_URL': %v", err)
|
|
}
|
|
if o.ClientID == "" {
|
|
return errors.New("authenticate: 'IDP_CLIENT_ID' is required")
|
|
}
|
|
if o.ClientSecret == "" {
|
|
return errors.New("authenticate: 'IDP_CLIENT_SECRET' is required")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Authenticate contains data required to run the authenticate service.
|
|
type Authenticate struct {
|
|
SharedKey string
|
|
RedirectURL *url.URL
|
|
|
|
cookieName string
|
|
cookieDomain string
|
|
cookieSecret []byte
|
|
templates *template.Template
|
|
sessionStore sessions.SessionStore
|
|
cipher cryptutil.Cipher
|
|
provider identity.Authenticator
|
|
}
|
|
|
|
// New validates and creates a new authenticate service from a set of Options.
|
|
func New(opts config.Options) (*Authenticate, error) {
|
|
if err := ValidateOptions(opts); err != nil {
|
|
return nil, err
|
|
}
|
|
decodedCookieSecret, _ := base64.StdEncoding.DecodeString(opts.CookieSecret)
|
|
cipher, err := cryptutil.NewCipher(decodedCookieSecret)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
if opts.CookieDomain == "" {
|
|
opts.CookieDomain = sessions.ParentSubdomain(opts.AuthenticateURL.String())
|
|
}
|
|
cookieStore, err := sessions.NewCookieStore(
|
|
&sessions.CookieStoreOptions{
|
|
Name: opts.CookieName,
|
|
CookieDomain: opts.CookieDomain,
|
|
CookieSecure: opts.CookieSecure,
|
|
CookieHTTPOnly: opts.CookieHTTPOnly,
|
|
CookieExpire: opts.CookieExpire,
|
|
CookieCipher: cipher,
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
redirectURL, _ := urlutil.DeepCopy(opts.AuthenticateURL)
|
|
redirectURL.Path = callbackPath
|
|
provider, err := identity.New(
|
|
opts.Provider,
|
|
&identity.Provider{
|
|
RedirectURL: redirectURL,
|
|
ProviderName: opts.Provider,
|
|
ProviderURL: opts.ProviderURL,
|
|
ClientID: opts.ClientID,
|
|
ClientSecret: opts.ClientSecret,
|
|
Scopes: opts.Scopes,
|
|
ServiceAccount: opts.ServiceAccount,
|
|
})
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &Authenticate{
|
|
SharedKey: opts.SharedKey,
|
|
RedirectURL: redirectURL,
|
|
templates: templates.New(),
|
|
sessionStore: cookieStore,
|
|
cipher: cipher,
|
|
provider: provider,
|
|
cookieSecret: decodedCookieSecret,
|
|
cookieName: opts.CookieName,
|
|
cookieDomain: opts.CookieDomain,
|
|
}, nil
|
|
}
|