forked from gravitational/teleport
/
assertion_replay.go
58 lines (47 loc) · 2.05 KB
/
assertion_replay.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
/*
Copyright 2022 Gravitational, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package local
import (
"context"
"time"
"github.com/gravitational/trace"
"github.com/zmb3/teleport/lib/backend"
)
const assertionReplayPrefix = "recognized_assertions"
// AssertionReplayService tracks used SSO assertions to mitigate replay attacks.
// Assertions are automatically derecognized when their signed expiry passes.
type AssertionReplayService struct {
bk backend.Backend
}
// NewAssertionReplayService creates a new instance of AssertionReplayService.
func NewAssertionReplayService(bk backend.Backend) *AssertionReplayService {
return &AssertionReplayService{bk: bk}
}
// RecognizeSSOAssertion will remember a new assertion until it becomes invalid.
// This will error with `trace.AlreadyExists` if the assertion has been previously recognized.
//
// `safeAfter` must be either at or after the point in time that a given SSO assertion becomes invalid in order to mitigate replay attacks.
// This function shouldn't be used if the assertion never verifiably expires.
func (s *AssertionReplayService) RecognizeSSOAssertion(ctx context.Context, connectorID string, assertionID string, user string, safeAfter time.Time) error {
key := backend.Key(assertionReplayPrefix, connectorID, assertionID)
item := backend.Item{Key: key, Value: []byte(user), Expires: safeAfter}
_, err := s.bk.Create(ctx, item)
switch {
case trace.IsAlreadyExists(err):
return trace.AlreadyExists("Assertion %q already recognized for user %v", assertionID, user)
case err != nil:
return trace.Wrap(err)
default:
return nil
}
}