authorize: allow access to /.pomerium/webauthn when policy denies acc…

…ess (#4016)

authorize: allow access to /.pomerium/webauthn when policy denies access (#4015)

Co-authored-by: Caleb Doxsey <[email protected]>

authorize/check_response.go

@@ -226,14 +226,20 @@ func (a *Authorize) requireWebAuthnResponse(
  opts := a.currentOptions.Load()
  state := a.state.Load()
 
- if !a.shouldRedirect(in) {
- return a.deniedResponse(ctx, in, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), nil)
- }
-
  // always assume https scheme
  checkRequestURL := getCheckRequestURL(in)
  checkRequestURL.Scheme = "https"
 
+ // If we're already on a webauthn route, return OK.
+ // https://github.com/pomerium/pomerium-console/issues/3210
+ if checkRequestURL.Path == urlutil.WebAuthnURLPath || checkRequestURL.Path == urlutil.DeviceEnrolledPath {
+ return a.okResponse(result.Headers), nil
+ }
+
+ if !a.shouldRedirect(in) {
+ return a.deniedResponse(ctx, in, http.StatusUnauthorized, http.StatusText(http.StatusUnauthorized), nil)
+ }
+
  q := url.Values{}
  if deviceType, ok := result.Allow.AdditionalData["device_type"].(string); ok {
  q.Set(urlutil.QueryDeviceType, deviceType)

authorize/check_response_test.go

@@ -62,6 +62,36 @@ func TestAuthorize_handleResult(t *testing.T) {
  assert.NoError(t, err)
  assert.Equal(t, 302, int(res.GetDeniedResponse().GetStatus().GetCode()))
  })
+ t.Run("device-unauthenticated", func(t *testing.T) {
+ res, err := a.handleResult(context.Background(),
+ &envoy_service_auth_v3.CheckRequest{},
+ &evaluator.Request{},
+ &evaluator.Result{
+ Allow: evaluator.NewRuleResult(false, criteria.ReasonDeviceUnauthenticated),
+ })
+ assert.NoError(t, err)
+ assert.Equal(t, 302, int(res.GetDeniedResponse().GetStatus().GetCode()))
+
+ t.Run("webauthn path", func(t *testing.T) {
+ res, err := a.handleResult(context.Background(),
+ &envoy_service_auth_v3.CheckRequest{
+ Attributes: &envoy_service_auth_v3.AttributeContext{
+ Request: &envoy_service_auth_v3.AttributeContext_Request{
+ Http: &envoy_service_auth_v3.AttributeContext_HttpRequest{
+ Path: "/.pomerium/webauthn",
+ },
+ },
+ },
+ },
+ &evaluator.Request{},
+ &evaluator.Result{
+ Allow: evaluator.NewRuleResult(true, criteria.ReasonPomeriumRoute),
+ Deny: evaluator.NewRuleResult(false, criteria.ReasonDeviceUnauthenticated),
+ })
+ assert.NoError(t, err)
+ assert.NotNil(t, res.GetOkResponse())
+ })
+ })
 }
 
 func TestAuthorize_okResponse(t *testing.T) {

config/envoyconfig/routes.go

@@ -60,7 +60,7 @@ func (b *Builder) buildPomeriumHTTPRoutes(options *config.Options, host string)
  routes = append(routes,
  // enable ext_authz
  b.buildControlPlanePathRoute("/.pomerium/jwt", true),
- b.buildControlPlanePathRoute("/.pomerium/webauthn", true),
+ b.buildControlPlanePathRoute(urlutil.WebAuthnURLPath, true),
  // disable ext_authz and passthrough to proxy handlers
  b.buildControlPlanePathRoute("/ping", false),
  b.buildControlPlanePathRoute("/healthz", false),

config/envoyconfig/routes_test.go

@@ -16,6 +16,7 @@ import (
  "github.com/pomerium/pomerium/config"
  "github.com/pomerium/pomerium/config/envoyconfig/filemgr"
  "github.com/pomerium/pomerium/internal/testutil"
+ "github.com/pomerium/pomerium/internal/urlutil"
 )
 
 func policyNameFunc() func(*config.Policy) string {
@@ -88,7 +89,7 @@ func Test_buildPomeriumHTTPRoutes(t *testing.T) {
 
  testutil.AssertProtoJSONEqual(t, `[
  `+routeString("path", "/.pomerium/jwt", true)+`,
- `+routeString("path", "/.pomerium/webauthn", true)+`,
+ `+routeString("path", urlutil.WebAuthnURLPath, true)+`,
  `+routeString("path", "/ping", false)+`,
  `+routeString("path", "/healthz", false)+`,
  `+routeString("path", "/.pomerium", false)+`,
@@ -127,7 +128,7 @@ func Test_buildPomeriumHTTPRoutes(t *testing.T) {
 
  testutil.AssertProtoJSONEqual(t, `[
  `+routeString("path", "/.pomerium/jwt", true)+`,
- `+routeString("path", "/.pomerium/webauthn", true)+`,
+ `+routeString("path", urlutil.WebAuthnURLPath, true)+`,
  `+routeString("path", "/ping", false)+`,
  `+routeString("path", "/healthz", false)+`,
  `+routeString("path", "/.pomerium", false)+`,
@@ -155,7 +156,7 @@ func Test_buildPomeriumHTTPRoutes(t *testing.T) {
 
  testutil.AssertProtoJSONEqual(t, `[
  `+routeString("path", "/.pomerium/jwt", true)+`,
- `+routeString("path", "/.pomerium/webauthn", true)+`,
+ `+routeString("path", urlutil.WebAuthnURLPath, true)+`,
  `+routeString("path", "/ping", false)+`,
  `+routeString("path", "/healthz", false)+`,
  `+routeString("path", "/.pomerium", false)+`,

internal/urlutil/known.go

@@ -34,15 +34,21 @@ func SignOutURL(r *http.Request, authenticateURL *url.URL, key []byte) string {
  return NewSignedURL(key, u).Sign().String()
 }
 
+// Device paths
+const (
+ WebAuthnURLPath = "/.pomerium/webauthn"
+ DeviceEnrolledPath = "/.pomerium/device-enrolled"
+)
+
 // WebAuthnURL returns the /.pomerium/webauthn URL.
 func WebAuthnURL(r *http.Request, authenticateURL *url.URL, key []byte, values url.Values) string {
  u := authenticateURL.ResolveReference(&url.URL{
- Path: "/.pomerium/webauthn",
+ Path: WebAuthnURLPath,
  RawQuery: buildURLValues(values, url.Values{
  QueryDeviceType: {DefaultDeviceType},
  QueryEnrollmentToken: nil,
  QueryRedirectURI: {authenticateURL.ResolveReference(&url.URL{
- Path: "/.pomerium/device-enrolled",
+ Path: DeviceEnrolledPath,
  }).String()},
  }).Encode(),
  })

pkg/policy/criteria/pomerium_routes.go

@@ -3,6 +3,7 @@ package criteria
 import (
  "github.com/open-policy-agent/opa/ast"
 
+ "github.com/pomerium/pomerium/internal/urlutil"
  "github.com/pomerium/pomerium/pkg/policy/generator"
  "github.com/pomerium/pomerium/pkg/policy/parser"
  "github.com/pomerium/pomerium/pkg/policy/rules"
@@ -34,7 +35,7 @@ func (c pomeriumRoutesCriterion) GenerateRule(_ string, _ parser.Value) (*ast.Ru
  r2.Body = ast.Body{
  ast.MustParseExpr(`contains(input.http.url, "/.pomerium/")`),
  ast.MustParseExpr(`not contains(input.http.url, "/.pomerium/jwt")`),
- ast.MustParseExpr(`not contains(input.http.url, "/.pomerium/webauthn")`),
+ ast.MustParseExpr(`not contains(input.http.url, "` + urlutil.WebAuthnURLPath + `")`),
  }
  r1.Else = r2