feat: session source address validation

shelmangroup · Sep 17, 2024 · 5bc98e4 · 5bc98e4
1 parent 009061d
commit 5bc98e4
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 0 deletions.
diff --git a/authz/authz.go b/authz/authz.go
@@ -283,6 +283,22 @@ func (s *Service) authProcess(ctx context.Context, req *auth.AttributeContext_Ht
 		return s.authResponse(false, envoy_type.StatusCode_Found, headers, nil, "redirect to Idp"), nil
 	}
 
+	if !provider.DisableSourceAddressCheck && sessionData.GetSourceAddress() != req.GetHeaders()["x-forwarded-for"] {
+		slog.Warn("source address mismatch", slog.String("session_address", sessionData.GetSourceAddress()), slog.String("request_address", req.GetHeaders()["x-forwarded-for"]))
+		storeKey, _ := session.VerifySessionToken(ctx, sessionToken, s.secretKey, s.sessionExpiration)
+		slog.Info("Deleting session", slog.String("key", storeKey))
+		if err := s.store.Delete(ctx, storeKey); err != nil {
+			return nil, err
+		}
+		headers, err := s.newSession(ctx, requestedURL, sessionCookieName, provider)
+		if err != nil {
+			span.RecordError(err, trace.WithStackTrace(true))
+			span.SetStatus(codes.Error, err.Error())
+			return nil, err
+		}
+		return s.authResponse(false, envoy_type.StatusCode_Found, headers, nil, "redirect to Idp"), nil
+	}
+
 	if !provider.DisablePassAuthorizationHeader {
 		slog.Debug("setting authorization header to upstream request")
 		headers = append(headers, s.setAuthorizationHeader(sessionData.IdToken))
@@ -457,6 +473,10 @@ func (s *Service) getSessionCookieData(ctx context.Context, req *auth.AttributeC
 		return "", nil
 	}
 
+	if sessionData.GetSourceAddress() == "" {
+		sessionData.SourceAddress = req.GetHeaders()["x-forwarded-for"]
+	}
+
 	return sessionToken, sessionData
 }
 

diff --git a/authz/config.go b/authz/config.go
@@ -39,6 +39,7 @@ type OIDCProvider struct {
 	Scopes                         []string     `yaml:"scopes"`
 	DisableSecureCookie            bool         `yaml:"disableSecureCookie"`
 	DisablePassAuthorizationHeader bool         `yaml:"disablePassAuthorizationHeader"`
+	DisableSourceAddressCheck      bool         `yaml:"disableSourceAddressCheck"`
 }
 
 type HeaderMatch struct {

diff --git a/proto/session/v1/session.proto b/proto/session/v1/session.proto
@@ -7,4 +7,5 @@ message SessionData {
   string access_token = 2;
   string refresh_token = 3;
   string id_token = 4;
+  string source_address = 5;
 }