3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-05-02 03:46:29 +02:00
Code Issues Projects Releases Packages Wiki Activity
pomerium/internal/handlers/sign_in.go
Caleb Doxsey 57217af7dd
authenticate: implement hpke-based login flow (#3779) 
* urlutil: add time validation functions

* authenticate: implement hpke-based login flow

* fix import cycle

* fix tests

* log error

* fix callback url

* add idp param

* fix test

* fix test
2022-12-05 15:31:07 -07:00

89 lines
2.6 KiB
Go
Raw Blame History

package handlers
import (
"fmt"
"net/url"
"time"
"google.golang.org/protobuf/encoding/protojson"
"github.com/pomerium/pomerium/internal/urlutil"
"github.com/pomerium/pomerium/pkg/grpc/identity"
"github.com/pomerium/pomerium/pkg/hpke"
)
const signInExpiry = time.Minute * 5
// BuildCallbackURL builds the callback URL using an HPKE encrypted query string.
func BuildCallbackURL(
authenticatePrivateKey *hpke.PrivateKey,
proxyPublicKey *hpke.PublicKey,
requestParams url.Values,
profile *identity.Profile,
) (string, error) {
redirectURL, err := urlutil.ParseAndValidateURL(requestParams.Get(urlutil.QueryRedirectURI))
if err != nil {
return "", fmt.Errorf("invalid %s: %w", urlutil.QueryRedirectURI, err)
}
var callbackURL *url.URL
if requestParams.Has(urlutil.QueryCallbackURI) {
callbackURL, err = urlutil.ParseAndValidateURL(requestParams.Get(urlutil.QueryCallbackURI))
if err != nil {
return "", fmt.Errorf("invalid %s: %w", urlutil.QueryCallbackURI, err)
}
} else {
callbackURL, err = urlutil.DeepCopy(redirectURL)
if err != nil {
return "", fmt.Errorf("error copying %s: %w", urlutil.QueryRedirectURI, err)
}
callbackURL.Path = "/.pomerium/callback/"
callbackURL.RawQuery = ""
}
callbackParams := callbackURL.Query()
if requestParams.Has(urlutil.QueryIsProgrammatic) {
callbackParams.Set(urlutil.QueryIsProgrammatic, "true")
}
callbackParams.Set(urlutil.QueryRedirectURI, redirectURL.String())
rawProfile, err := protojson.Marshal(profile)
if err != nil {
return "", fmt.Errorf("error marshaling identity profile: %w", err)
}
callbackParams.Set(urlutil.QueryIdentityProfile, string(rawProfile))
urlutil.BuildTimeParameters(callbackParams, signInExpiry)
callbackParams, err = hpke.EncryptURLValues(authenticatePrivateKey, proxyPublicKey, callbackParams)
if err != nil {
return "", fmt.Errorf("error encrypting callback params: %w", err)
}
callbackURL.RawQuery = callbackParams.Encode()
return callbackURL.String(), nil
}
// BuildSignInURL buidls the sign in URL using an HPKE encrypted query string.
func BuildSignInURL(
senderPrivateKey *hpke.PrivateKey,
authenticatePublicKey *hpke.PublicKey,
authenticateURL *url.URL,
redirectURL *url.URL,
idpID string,
) (string, error) {
signInURL := *authenticateURL
signInURL.Path = "/.pomerium/sign_in"
q := signInURL.Query()
q.Set(urlutil.QueryRedirectURI, redirectURL.String())
q.Set(urlutil.QueryIdentityProviderID, idpID)
urlutil.BuildTimeParameters(q, signInExpiry)
q, err := hpke.EncryptURLValues(senderPrivateKey, authenticatePublicKey, q)
if err != nil {
return "", err
}
signInURL.RawQuery = q.Encode()
return signInURL.String(), nil
}
Reference in a new issue View git blame Copy permalink