sso_*: prevent copying of session between upstreams

[Jusshersmith]

Problem

We only revalidate group membership when the session is refreshed or revalidated, which means that if a user were to successfully authorize with upstream 'foo', then they can effectively skip group membership validation on a different upstream by making the request with a slightly altered version of the saved cookie from the 'foo' upstream (providing the session is still valid and hasn't expired).

Solution

Add a new AuthorizedUpstream value to the session which is used to compare the upstream the session has been validated against, to the requested upstream.
The AuthorizedUpstream value is checked against the request host on each request. For the time being, when caught this check will re-trigger the start of the oauth flow, primarily to help introduce this additional check in a graceful manner.

Example log line when triggered:

{"authorized_upstream":"upstream-1.foo.io","level":"warning","msg":"session authorized against different upstream; restarting authentication","proxy_host":"upstream-2.foo.io","remote_address":"x.x.x.x","service":"sso-proxy","time":"2020-01-02 13:26:31.502","user":"foo.bar@email.com"}

upstream-1.foo.io being the original upstream the session was used against, and upstream-2.foo.io being the newly
requested upstream.

Notes

• This change was originally made and approved as part of sso_proxy: reduce direct calls to ValidateGroup() and clean up logic #275, however that pull request was found to also introduce some bugs, so this smaller change has been pulled out to reduce the complexity there and allow for easier troubleshooting. (the bugs are not present in this pull request!)

[codecov]

Codecov Report

Merging #299 into master will increase coverage by 0.03%.
The diff coverage is 85.71%.

@@            Coverage Diff             @@
##           master     #299      +/-   ##
==========================================
+ Coverage   61.94%   61.98%   +0.03%     
==========================================
  Files          57       57              
  Lines        4638     4645       +7     
==========================================
+ Hits         2873     2879       +6     
- Misses       1553     1554       +1     
  Partials      212      212              

Impacted Files	Coverage Δ
internal/pkg/sessions/session_state.go	85.00% <ø> (ø)
internal/proxy/oauthproxy.go	55.05% <85.71%> (+0.51%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 0060ecd...a94ea18. Read the comment docs.

[Integralist]

Question: will this invalidate the current validated session for 'foo' upstream?

[Jusshersmith]

It doesn't invalidate the session on the original upstream - and because it restarts the oauth flow for the new request/upstream the UX should be pretty seamless when this is triggered.