public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Streamline error page usage

This commit is contained in:
Nick Meves 2020-07-20 18:34:37 -07:00
parent 1c8c5b08d7
commit 2bb0160bf3
No known key found for this signature in database
GPG Key ID: 93BA8A3CEDCDD1CF
1 changed files with 38 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

75
oauthproxy.go
View File

@ -363,12 +363,13 @@ func (p *OAuthProxy) SaveSession(rw http.ResponseWriter, req *http.Request, s *s
// RobotsTxt disallows scraping pages from the OAuthProxy // RobotsTxt disallows scraping pages from the OAuthProxy
func (p *OAuthProxy) RobotsTxt(rw http.ResponseWriter) { func (p *OAuthProxy) RobotsTxt(rw http.ResponseWriter) {
rw.WriteHeader(http.StatusOK)
_, err := fmt.Fprintf(rw, "User-agent: *\nDisallow: /") _, err := fmt.Fprintf(rw, "User-agent: *\nDisallow: /")
if err != nil { if err != nil {
logger.Printf("Error writing robots.txt: %s", err.Error()) logger.Printf("Error writing robots.txt: %v", err)
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
return
} }
rw.WriteHeader(http.StatusOK)
} }
// ErrorPage writes an error response // ErrorPage writes an error response
@ -385,7 +386,7 @@ func (p *OAuthProxy) ErrorPage(rw http.ResponseWriter, code int, title string, m
} }
err := p.templates.ExecuteTemplate(rw, "error.html", t) err := p.templates.ExecuteTemplate(rw, "error.html", t)
if err != nil { if err != nil {
logger.Printf("Error rendering error.html template: %s", err.Error()) logger.Printf("Error rendering error.html template: %v", err)
http.Error(rw, "Internal Server Error", http.StatusInternalServerError) http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
} }
} }
@ -395,16 +396,16 @@ func (p *OAuthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code
prepareNoCache(rw) prepareNoCache(rw)
err := p.ClearSessionCookie(rw, req) err := p.ClearSessionCookie(rw, req)
if err != nil { if err != nil {
logger.Printf("Error clearing session cookie: %s", err.Error()) logger.Printf("Error clearing session cookie: %v", err)
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
return return
} }
rw.WriteHeader(code) rw.WriteHeader(code)
redirectURL, err := p.GetRedirect(req) redirectURL, err := p.GetRedirect(req)
if err != nil { if err != nil {
logger.Printf("Error obtaining redirect: %s", err.Error()) logger.Printf("Error obtaining redirect: %v", err)
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
return return
} }
@ -434,8 +435,8 @@ func (p *OAuthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code
} }
err = p.templates.ExecuteTemplate(rw, "sign_in.html", t) err = p.templates.ExecuteTemplate(rw, "sign_in.html", t)
if err != nil { if err != nil {
logger.Printf("Error rendering sign_in.html template: %s", err.Error()) logger.Printf("Error rendering sign_in.html template: %v", err)
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
} }
} }
@ -645,7 +646,7 @@ func (p *OAuthProxy) SignIn(rw http.ResponseWriter, req *http.Request) {
redirect, err := p.GetRedirect(req) redirect, err := p.GetRedirect(req)
if err != nil { if err != nil {
logger.Printf("Error obtaining redirect: %s", err.Error()) logger.Printf("Error obtaining redirect: %s", err.Error())
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
return return
} }
@ -655,7 +656,7 @@ func (p *OAuthProxy) SignIn(rw http.ResponseWriter, req *http.Request) {
err = p.SaveSession(rw, req, session) err = p.SaveSession(rw, req, session)
if err != nil { if err != nil {
logger.Printf("Error saving session: %s", err.Error()) logger.Printf("Error saving session: %s", err.Error())
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
return return
} }
http.Redirect(rw, req, redirect, http.StatusFound) http.Redirect(rw, req, redirect, http.StatusFound)
@ -687,8 +688,8 @@ func (p *OAuthProxy) UserInfo(rw http.ResponseWriter, req *http.Request) {
rw.WriteHeader(http.StatusOK) rw.WriteHeader(http.StatusOK)
err = json.NewEncoder(rw).Encode(userInfo) err = json.NewEncoder(rw).Encode(userInfo)
if err != nil { if err != nil {
logger.Printf("Error encoding user info: %s", err.Error()) logger.Printf("Error encoding user info: %v", err)
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
} }
} }
@ -696,14 +697,14 @@ func (p *OAuthProxy) UserInfo(rw http.ResponseWriter, req *http.Request) {
func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) { func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) {
redirect, err := p.GetRedirect(req) redirect, err := p.GetRedirect(req)
if err != nil { if err != nil {
logger.Printf("Error obtaining redirect: %s", err.Error()) logger.Printf("Error obtaining redirect: %v", err)
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
return return
} }
err = p.ClearSessionCookie(rw, req) err = p.ClearSessionCookie(rw, req)
if err != nil { if err != nil {
logger.Printf("Error clearing session cookie: %s", err.Error()) logger.Printf("Error clearing session cookie: %v", err)
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
return return
} }
http.Redirect(rw, req, redirect, http.StatusFound) http.Redirect(rw, req, redirect, http.StatusFound)
@ -714,15 +715,15 @@ func (p *OAuthProxy) OAuthStart(rw http.ResponseWriter, req *http.Request) {
prepareNoCache(rw) prepareNoCache(rw)
nonce, err := encryption.Nonce() nonce, err := encryption.Nonce()
if err != nil { if err != nil {
logger.Printf("Error obtaining nonce: %s", err.Error()) logger.Printf("Error obtaining nonce: %v", err)
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
return return
} }
p.SetCSRFCookie(rw, req, nonce) p.SetCSRFCookie(rw, req, nonce)
redirect, err := p.GetRedirect(req) redirect, err := p.GetRedirect(req)
if err != nil { if err != nil {
logger.Printf("Error obtaining redirect: %s", err.Error()) logger.Printf("Error obtaining redirect: %v", err)
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
return return
} }
redirectURI := p.GetRedirectURI(req.Host) redirectURI := p.GetRedirectURI(req.Host)
@ -737,42 +738,42 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
// finish the oauth cycle // finish the oauth cycle
err := req.ParseForm() err := req.ParseForm()
if err != nil { if err != nil {
logger.Printf("Error while parsing OAuth2 callback: %s" + err.Error()) logger.Printf("Error while parsing OAuth2 callback: %v", err)
p.ErrorPage(rw, 500, "Internal Error", err.Error()) p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
return return
} }
errorString := req.Form.Get("error") errorString := req.Form.Get("error")
if errorString != "" { if errorString != "" {
logger.Printf("Error while parsing OAuth2 callback: %s ", errorString) logger.Printf("Error while parsing OAuth2 callback: %s", errorString)
p.ErrorPage(rw, 403, "Permission Denied", errorString) p.ErrorPage(rw, http.StatusForbidden, "Permission Denied", errorString)
return return
} }
session, err := p.redeemCode(req.Context(), req.Host, req.Form.Get("code")) session, err := p.redeemCode(req.Context(), req.Host, req.Form.Get("code"))
if err != nil { if err != nil {
logger.Printf("Error redeeming code during OAuth2 callback: %s ", err.Error()) logger.Printf("Error redeeming code during OAuth2 callback: %v", err)
p.ErrorPage(rw, 500, "Internal Error", "Internal Error") p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", "Internal Error")
return return
} }
s := strings.SplitN(req.Form.Get("state"), ":", 2) s := strings.SplitN(req.Form.Get("state"), ":", 2)
if len(s) != 2 { if len(s) != 2 {
logger.Printf("Error while parsing OAuth2 state: invalid length") logger.Printf("Error while parsing OAuth2 state: invalid length")
p.ErrorPage(rw, 500, "Internal Error", "Invalid State") p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", "Invalid State")
return return
} }
nonce := s[0] nonce := s[0]
redirect := s[1] redirect := s[1]
c, err := req.Cookie(p.CSRFCookieName) c, err := req.Cookie(p.CSRFCookieName)
if err != nil { if err != nil {
logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authentication via OAuth2: unable too obtain CSRF cookie") logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authentication via OAuth2: unable to obtain CSRF cookie")
p.ErrorPage(rw, 403, "Permission Denied", err.Error()) p.ErrorPage(rw, http.StatusForbidden, "Permission Denied", err.Error())
return return
} }
p.ClearCSRFCookie(rw, req) p.ClearCSRFCookie(rw, req)
if c.Value != nonce { if c.Value != nonce {
logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authentication via OAuth2: csrf token mismatch, potential attack") logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authentication via OAuth2: CSRF token mismatch, potential attack")
p.ErrorPage(rw, 403, "Permission Denied", "csrf failed") p.ErrorPage(rw, http.StatusForbidden, "Permission Denied", "CSRF Failed")
return return
} }
@ -785,14 +786,14 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
logger.PrintAuthf(session.Email, req, logger.AuthSuccess, "Authenticated via OAuth2: %s", session) logger.PrintAuthf(session.Email, req, logger.AuthSuccess, "Authenticated via OAuth2: %s", session)
err := p.SaveSession(rw, req, session) err := p.SaveSession(rw, req, session)
if err != nil { if err != nil {
logger.Printf("%s %s", remoteAddr, err) logger.Printf("Error saving session state for %s: %v", remoteAddr, err)
p.ErrorPage(rw, 500, "Internal Error", "Internal Error") p.ErrorPage(rw, http.StatusInternalServerError, "Internal Server Error", err.Error())
return return
} }
http.Redirect(rw, req, redirect, http.StatusFound) http.Redirect(rw, req, redirect, http.StatusFound)
} else { } else {
logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authentication via OAuth2: unauthorized") logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Invalid authentication via OAuth2: unauthorized")
p.ErrorPage(rw, 403, "Permission Denied", "Invalid Account") p.ErrorPage(rw, http.StatusForbidden, "Permission Denied", "Invalid Account")
} }
} }
@ -870,7 +871,7 @@ func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.R
// Invalid session, clear it // Invalid session, clear it
err := p.ClearSessionCookie(rw, req) err := p.ClearSessionCookie(rw, req)
if err != nil { if err != nil {
logger.Printf("Error clearing session cookie: %s", err.Error()) logger.Printf("Error clearing session cookie: %v", err)
} }
return nil, ErrNeedsLogin return nil, ErrNeedsLogin
} }