From 5bc98e4bb8dcec6ea2d052a38b9195d921f258d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lars=20Sj=C3=B6str=C3=B6m?=
Date: Tue, 17 Sep 2024 22:15:36 +0200
Subject: [PATCH] feat: session source address validation

---
 authz/authz.go | 20 ++++++++++++++++++++
 authz/config.go | 1 +
 proto/session/v1/session.proto | 1 +
 3 files changed, 22 insertions(+)

diff --git a/authz/authz.go b/authz/authz.go
index 9936d3a..004e558 100644
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -283,6 +283,22 @@ func (s *Service) authProcess(ctx context.Context, req *auth.AttributeContext_Ht
 return s.authResponse(false, envoy_type.StatusCode_Found, headers, nil, "redirect to Idp"), nil
 }
 
+ if !provider.DisableSourceAddressCheck && sessionData.GetSourceAddress() != req.GetHeaders()["x-forwarded-for"] {
+ slog.Warn("source address mismatch", slog.String("session_address", sessionData.GetSourceAddress()), slog.String("request_address", req.GetHeaders()["x-forwarded-for"]))
+ storeKey, _ := session.VerifySessionToken(ctx, sessionToken, s.secretKey, s.sessionExpiration)
+ slog.Info("Deleting session", slog.String("key", storeKey))
+ if err := s.store.Delete(ctx, storeKey); err != nil {
+ return nil, err
+ }
+ headers, err := s.newSession(ctx, requestedURL, sessionCookieName, provider)
+ if err != nil {
+ span.RecordError(err, trace.WithStackTrace(true))
+ span.SetStatus(codes.Error, err.Error())
+ return nil, err
+ }
+ return s.authResponse(false, envoy_type.StatusCode_Found, headers, nil, "redirect to Idp"), nil
+ }
+
 if !provider.DisablePassAuthorizationHeader {
 slog.Debug("setting authorization header to upstream request")
 headers = append(headers, s.setAuthorizationHeader(sessionData.IdToken))
@@ -457,6 +473,10 @@ func (s *Service) getSessionCookieData(ctx context.Context, req *auth.AttributeC
 return "", nil
 }
 
+ if sessionData.GetSourceAddress() == "" {
+ sessionData.SourceAddress = req.GetHeaders()["x-forwarded-for"]
+ }
+
 return sessionToken, sessionData
 }
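Review bot: The new check in authProcess compares the session's recorded address with the raw `x-forwarded-for` request header, and that header is only as trustworthy as the proxy in front of this service: its leading entries originate from the client side, and when intermediate hops vary it becomes a comma-separated list that changes between legitimate requests and forces a re-login. It would be safer to compare a single normalized address taken from the peer information Envoy reports for the connection, where that is reachable from this code, or at least the last entry of the list, and to record in a comment which proxy layout the check assumes. The binding added to getSessionCookieData in the second hunk sets SourceAddress only on the in-memory struct when it is empty; unless the caller persists that change, a session stored without an address is re-bound on every request and the mismatch branch can never fire for it, so the address should be set when the session is created and written to the store. In the mismatch branch `storeKey, _ := session.VerifySessionToken(...)` discards the verification error and then calls `s.store.Delete(ctx, storeKey)` even if storeKey is empty; `storeKey, err := session.VerifySessionToken(ctx, sessionToken, s.secretKey, s.sessionExpiration)` followed by `if err != nil { return nil, err }` keeps the delete from running with an empty key. Both enclosing functions start outside their hunks.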
diff --git a/authz/config.go b/authz/config.go
index 0650264..8689fda 100644
--- a/authz/config.go
+++ b/authz/config.go
@@ -39,6 +39,7 @@ type OIDCProvider struct {
 Scopes []string `yaml:"scopes"`
 DisableSecureCookie bool `yaml:"disableSecureCookie"`
 DisablePassAuthorizationHeader bool `yaml:"disablePassAuthorizationHeader"`
+ DisableSourceAddressCheck bool `yaml:"disableSourceAddressCheck"`
 }
 
 type HeaderMatch struct {
diff --git a/proto/session/v1/session.proto b/proto/session/v1/session.proto
index 4205da6..3866bd9 100644
--- a/proto/session/v1/session.proto
+++ b/proto/session/v1/session.proto
@@ -7,4 +7,5 @@ message SessionData {
 string access_token = 2;
 string refresh_token = 3;
 string id_token = 4;
+ string source_address = 5;
 }
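Review bot: The new `DisableSourceAddressCheck` field on OIDCProvider has no comment, and because its zero value is false the address check is enabled for every provider as soon as this version is deployed, which redirects users to the IdP whenever their `x-forwarded-for` value differs between requests (plausibly behind load balancers that add their own hop). A comment such as `// DisableSourceAddressCheck turns off the comparison of a session's recorded x-forwarded-for value against each request; set it when the proxy in front of this service does not supply a stable client address.` would make the trade-off visible to operators. Since this is a behaviour change on upgrade, the new key also belongs in any example configuration or changelog the project keeps. The struct definition continues outside the hunk.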