Feature/original request headers (#34)

Original request headers implemented.
Config structure expanded.

CHANGELOG.md

@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 ## [Unreleased]
 There are currently no unreleased changes.
 
+## [v0.0.1] - 2020-06-12
+### Added
+- Support for original request path and method specification through headers (see [nginx docs](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/)).
+- Server and Authentication sections to Config.
+
+### Removed
+- JWT validation related flags moved to YAML configuration.
+
 ## v0.0.0 - 2020-06-01
 This is the first version that includes the following functionality:
 - YAML configuration support
@@ -16,4 +24,5 @@ This is the first version that includes the following functionality:
 - Claims-based authorization
 - Pure authorization server and reverse proxy modes
 
-[Unreleased]: https://github.com/kaancfidan/bouncer/compare/v0.0.0...master
+[Unreleased]: https://github.com/kaancfidan/bouncer/compare/v0.0.1...master
+[v0.0.1]: https://github.com/kaancfidan/bouncer/compare/v0.0.0...v0.0.1

README.md

@@ -165,11 +165,6 @@ Every startup setting has an environment variable and a CLI flag counterpart.
 | BOUNCER_CONFIG_PATH | -p | Config YAML path. **default = /etc/bouncer/config.yaml** |
 | BOUNCER_LISTEN_ADDRESS | -l | TCP listen address. **default = :3512** |
 | BOUNCER_UPSTREAM_URL | --url | Upstream URL to be used in reverse proxy mode. If not set, Bouncer runs in pure auth server mode. |
-| BOUNCER_VALID_ISSUER | --iss | Valid issuer id. If set Bouncer validates **iss** claim. |
-| BOUNCER_VALID_AUDIENCE | --aud | Valid audience id. If set Bouncer validates **aud** claim. |
-| BOUNCER_REQUIRE_EXPIRATION | --exp | Require expiration (**exp**) timestamp on tokens. Unless explicitly set to **false**, **default = true** |
-| BOUNCER_REQUIRE_NOT_BEFORE | --nbf | Require "not before" (**nbf**) timestamp on tokens. Unless explicitly set to **false**, **default = true** |
-| BOUNCER_CLOCK_SKEW | --clk | Clock skew tolerance in seconds. When set **iat**, **exp**, **nbf** claims are checked with the given tolerance. |
 
 ## License
 [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2Fkaancfidan%2Fbouncer.svg?type=large)](https://app.fossa.com/projects/git%2Bgithub.com%2Fkaancfidan%2Fbouncer?ref=badge_large)

main.go

@@ -7,9 +7,7 @@ import (
  "log"
  "net/http"
  "net/http/httputil"
- "net/url"
  "os"
- "strconv"
 
  "github.com/kaancfidan/bouncer/services"
 )
@@ -20,13 +18,7 @@ type flags struct {
  signingKey string
  signingMethod string
  configPath string
- upstreamURL string
  listenAddress string
- validIssuer string
- validAudience string
- expRequired string
- nbfRequired string
- clockSkew string
 }
 
 func main() {
@@ -53,22 +45,6 @@ func main() {
 }
 
 func newServer(f *flags, configReader io.Reader) (*services.Server, error) {
- var upstream http.Handler
-
- if f.upstreamURL != "" {
- // parse upstream URL
- parsedURL, err := url.Parse(f.upstreamURL)
- if err != nil {
- return nil, fmt.Errorf("upstream url could not be parsed: %w", err)
- }
-
- if parsedURL.Scheme != "http" && parsedURL.Scheme != "https" {
- return nil, fmt.Errorf("upstream url scheme must be http or https")
- }
-
- upstream = httputil.NewSingleHostReverseProxy(parsedURL)
- }
-
  parser := services.YamlConfigParser{}
  cfg, err := parser.ParseConfig(configReader)
  if err != nil {
@@ -80,46 +56,34 @@ func newServer(f *flags, configReader io.Reader) (*services.Server, error) {
  return nil, fmt.Errorf("invalid config: %w", err)
  }
 
- var clockSkew int
- if f.clockSkew != "" {
- clockSkew, err = strconv.Atoi(f.clockSkew)
- if err != nil {
- return nil, fmt.Errorf("clock skew flag %s cannot be converted to integer", f.clockSkew)
- }
- } else {
- clockSkew = 0
+ var upstream http.Handler
+ if cfg.Server.ParsedURL != nil {
+ upstream = httputil.NewSingleHostReverseProxy(cfg.Server.ParsedURL)
  }
 
  authenticator, err := services.NewAuthenticator(
  []byte(f.signingKey),
  f.signingMethod,
- f.validIssuer,
- f.validAudience,
- f.expRequired != "false",
- f.nbfRequired != "false",
- clockSkew)
+ cfg.Authentication)
 
  if err != nil {
  return nil, fmt.Errorf("could not create authenticator: %w", err)
  }
 
- s := services.NewServer(
+ return services.NewServer(
  upstream,
  services.NewRouteMatcher(cfg.RoutePolicies),
  services.NewAuthorizer(cfg.ClaimPolicies),
- authenticator)
-
- return s, nil
+ authenticator,
+ cfg.Server), nil
 }
 
 func parseFlags() *flags {
  f := flags{
  configPath: "/etc/bouncer/config.yaml",
  listenAddress: ":3512",
- expRequired: "true",
- nbfRequired: "true",
  }
- 
+
  printVersion := flag.Bool("v", false, "print version and exit")
  flag.StringVar(&f.signingKey, "k",
  lookupEnv("BOUNCER_SIGNING_KEY", ""),
@@ -137,30 +101,6 @@ func parseFlags() *flags {
  lookupEnv("BOUNCER_LISTEN_ADDRESS", f.listenAddress),
  fmt.Sprintf("listen address, default = %s", f.listenAddress))
 
- flag.StringVar(&f.upstreamURL, "url",
- lookupEnv("BOUNCER_UPSTREAM_URL", ""),
- "URL to be called when the request is authorized")
-
- flag.StringVar(&f.validIssuer, "iss",
- lookupEnv("BOUNCER_VALID_ISSUER", ""),
- fmt.Sprintf("valid token issuer"))
-
- flag.StringVar(&f.validAudience, "aud",
- lookupEnv("BOUNCER_VALID_AUDIENCE", ""),
- fmt.Sprintf("valid token audience"))
-
- flag.StringVar(&f.expRequired, "exp",
- lookupEnv("BOUNCER_REQUIRE_EXPIRATION", f.expRequired),
- fmt.Sprintf("require token expiration timestamp claims, default = %s", f.expRequired))
-
- flag.StringVar(&f.nbfRequired, "nbf",
- lookupEnv("BOUNCER_REQUIRE_NOT_BEFORE", f.nbfRequired),
- fmt.Sprintf("require token not before timestamp claims, default = %s", f.nbfRequired))
-
- flag.StringVar(&f.clockSkew, "clk",
- lookupEnv("BOUNCER_CLOCK_SKEW", f.clockSkew),
- fmt.Sprintf("require token not before timestamp claims, default = %s", f.nbfRequired))
-
  flag.Parse()
 
  if *printVersion {

main_test.go

@@ -30,46 +30,6 @@ func TestNewServer(t *testing.T) {
  cfgContent: "",
  wantErr: true,
  },
- {
- name: "reverse proxy",
- flags: &flags{
- signingKey: "SuperSecretKey123!",
- signingMethod: "HMAC",
- upstreamURL: "http://localhost:8080",
- },
- cfgContent: "claimPolicies: {}\nroutePolicies: []",
- wantErr: false,
- },
- {
- name: "clock skewed",
- flags: &flags{
- signingKey: "SuperSecretKey123!",
- signingMethod: "HMAC",
- clockSkew: "10",
- },
- cfgContent: "claimPolicies: {}\nroutePolicies: []",
- wantErr: false,
- },
- {
- name: "invalid url scheme",
- flags: &flags{
- signingKey: "SuperSecretKey123!",
- signingMethod: "HMAC",
- upstreamURL: "tcp://localhost:8080",
- },
- cfgContent: "claimPolicies: {}\nroutePolicies: []",
- wantErr: true,
- },
- {
- name: "malformed url",
- flags: &flags{
- signingKey: "SuperSecretKey123!",
- signingMethod: "HMAC",
- upstreamURL: "!!http://localhost:8080",
- },
- cfgContent: "claimPolicies: {}\nroutePolicies: []",
- wantErr: true,
- },
  {
  name: "invalid config yaml",
  flags: &flags{
@@ -104,16 +64,6 @@ func TestNewServer(t *testing.T) {
  cfgContent: "claimPolicies: {}\nroutePolicies: []",
  wantErr: true,
  },
- {
- name: "invalid clock skew flag",
- flags: &flags{
- signingKey: "SuperSecretKey123!",
- signingMethod: "HMAC",
- clockSkew: "not a number",
- },
- cfgContent: "claimPolicies: {}\nroutePolicies: []",
- wantErr: true,
- },
  }
  for _, tt := range tests {
  t.Run(tt.name, func(t *testing.T) {

models/config.go

@@ -1,5 +1,30 @@
 package models
 
+import "net/url"
+
+// AuthenticationConfig holds JWT validation related parameters
+type AuthenticationConfig struct {
+ Issuer string `yaml:"issuer"`
+ Audience string `yaml:"audience"`
+ IgnoreExpiration bool `yaml:"ignoreExpiration"`
+ IgnoreNotBefore bool `yaml:"ignoreNotBefore"`
+ ClockSkewInSeconds int `yaml:"clockSkewInSeconds"`
+}
+
+// OriginalRequestHeaders contains headers to lookup for original request method and path details
+// in the case where the auth request is a sub-request with distinct method and path
+type OriginalRequestHeaders struct {
+ Method string `yaml:"method"`
+ Path string `yaml:"path"`
+}
+
+// ServerConfig holds operation mode (auth server / reverse proxy) related parameters
+type ServerConfig struct {
+ OriginalRequestHeaders *OriginalRequestHeaders `yaml:"originalRequestHeaders"`
+ UpstreamURL string `yaml:"upstreamUrl"`
+ ParsedURL *url.URL `yaml:"-"`
+}
+
 // ClaimRequirement is a key-value pair for a given claim constraint.
 // When multiple claim values are provided, these values are effectively ORed.
 type ClaimRequirement struct {
@@ -15,8 +40,16 @@ type RoutePolicy struct {
  AllowAnonymous bool `yaml:"allowAnonymous"`
 }
 
+// ClaimPolicyConfig is a type alias for claimPolicies section
+type ClaimPolicyConfig map[string][]ClaimRequirement
+
+// RoutePolicyConfig is a type alias for routePolicies section
+type RoutePolicyConfig []RoutePolicy
+
 // Config is the overall struct that matches the YAML structure
 type Config struct {
- ClaimPolicies map[string][]ClaimRequirement `yaml:"claimPolicies"`
- RoutePolicies []RoutePolicy `yaml:"routePolicies"`
+ Server ServerConfig `yaml:"server"`
+ Authentication AuthenticationConfig `yaml:"authentication"`
+ ClaimPolicies ClaimPolicyConfig `yaml:"claimPolicies"`
+ RoutePolicies RoutePolicyConfig `yaml:"routePolicies"`
 }

services/authenticator.go

@@ -8,6 +8,8 @@ import (
  "time"
 
  "github.com/dgrijalva/jwt-go"
+
+ "github.com/kaancfidan/bouncer/models"
 )
 
 // Authenticator interface
@@ -17,13 +19,9 @@ type Authenticator interface {
 
 // AuthenticatorImpl is a JWT based authentication implementation
 type AuthenticatorImpl struct {
- signingKey interface{}
- signingMethod string
- validIssuer string
- validAudience string
- expirationRequired bool
- notBeforeRequired bool
- clockSkew int
+ signingKey interface{}
+ signingMethod string
+ config models.AuthenticationConfig
 }
 
 type claims struct {
@@ -69,25 +67,17 @@ func parseSigningKey(signingKey []byte, signingMethod string) (key interface{},
 func NewAuthenticator(
  signingKey []byte,
  signingMethod string,
- validIssuer string,
- validAudience string,
- expirationRequired bool,
- notBeforeRequired bool,
- clockSkew int) (*AuthenticatorImpl, error) {
+ config models.AuthenticationConfig) (*AuthenticatorImpl, error) {
 
  key, err := parseSigningKey(signingKey, signingMethod)
  if err != nil {
  return nil, fmt.Errorf("could not parse signing key: %w", err)
  }
 
  return &AuthenticatorImpl{
- signingKey: key,
- signingMethod: signingMethod,
- validIssuer: validIssuer,
- validAudience: validAudience,
- expirationRequired: expirationRequired,
- notBeforeRequired: notBeforeRequired,
- clockSkew: clockSkew,
+ signingKey: key,
+ signingMethod: signingMethod,
+ config: config,
  }, nil
 }
 
@@ -114,33 +104,33 @@ func (a AuthenticatorImpl) Authenticate(authHeader string) (map[string]interface
  // check claims for authorization
  claims := claims{
  MapClaims: jwt.MapClaims{},
- ClockSkew: a.clockSkew,
+ ClockSkew: a.config.ClockSkewInSeconds,
  }
  _, err := jwt.ParseWithClaims(tokenString, &claims, a.keyFactory)
 
  if err != nil {
  return nil, fmt.Errorf("error occurred while parsing claims: %w", err)
  }
 
- if _, ok := claims.MapClaims["exp"]; !ok && a.expirationRequired {
+ if _, ok := claims.MapClaims["exp"]; !ok && !a.config.IgnoreExpiration {
  return nil, fmt.Errorf("required expiration timestamp not found")
  }
 
- if _, ok := claims.MapClaims["nbf"]; !ok && a.notBeforeRequired {
+ if _, ok := claims.MapClaims["nbf"]; !ok && !a.config.IgnoreNotBefore {
  return nil, fmt.Errorf("required not before timestamp not found")
  }
 
  // verify audience
- if a.validAudience != "" {
- checkAud := claims.VerifyAudience(a.validAudience, true)
+ if a.config.Audience != "" {
+ checkAud := claims.VerifyAudience(a.config.Audience, true)
  if !checkAud {
  return nil, fmt.Errorf("invalid audience")
  }
  }
 
  // verify issuer
- if a.validIssuer != "" {
- checkIss := claims.VerifyIssuer(a.validIssuer, true)
+ if a.config.Issuer != "" {
+ checkIss := claims.VerifyIssuer(a.config.Issuer, true)
  if !checkIss {
  return nil, fmt.Errorf("invalid issuer")
  }