Remove failed bearer tokens from logs

This commit is contained in:
Nick Meves 2020-11-26 11:47:44 -08:00
parent 22f60e9b63
commit 5f8f856260
GPG Key ID: 93BA8A3CEDCDD1CF
2 changed files with 10 additions and 8 deletions


@ -1,6 +1,7 @@
package middleware package middleware
import ( import (
"errors"
"fmt" "fmt"
"net/http" "net/http"
"regexp" "regexp"
@ -9,7 +10,7 @@ import (
middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware" middlewareapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/middleware"
sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions" sessionsapi "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
"k8s.io/apimachinery/pkg/util/errors" k8serrors "k8s.io/apimachinery/pkg/util/errors"
) )
const jwtRegexFormat = `^ey[IJ][a-zA-Z0-9_-]*\.ey[IJ][a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+$` const jwtRegexFormat = `^ey[IJ][a-zA-Z0-9_-]*\.ey[IJ][a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+$`
@ -70,17 +71,18 @@ func (j *jwtSessionLoader) getJwtSession(req *http.Request) (*sessionsapi.Sessio
return nil, err return nil, err
} }
errs := []error{fmt.Errorf("unable to verify jwt token: %q", req.Header.Get("Authorization"))} // This leading error message only occurs if all session loaders fail
errs := []error{errors.New("unable to verify bearer token")}
for _, loader := range j.sessionLoaders { for _, loader := range j.sessionLoaders {
session, err := loader(req.Context(), token) session, err := loader(req.Context(), token)
if err == nil { if err != nil {
return session, nil
} else {
errs = append(errs, err) errs = append(errs, err)
continue
} }
return session, nil
} }
return nil, errors.NewAggregate(errs) return nil, k8serrors.NewAggregate(errs)
} }
// findTokenFromHeader finds a valid JWT token from the Authorization header of a given request. // findTokenFromHeader finds a valid JWT token from the Authorization header of a given request.
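Review bot: The aggregate still carries every loader's error verbatim (`errs = append(errs, err)`), so the header value stays out of the logs only as long as no session loader echoes its input into its own error text, and that invariant is not stated anywhere in the hunk. Extending the new comment would pin it for the next loader author: `// Loader errors are aggregated verbatim, so a loader must never put the raw token into its error message.` The early `return nil, err` at the top of the hunk presumably comes from findTokenFromHeader; if that error ever quotes the header, the same concern applies, but that function is outside this hunk. getJwtSession's body begins before the hunk.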


@ -225,7 +225,7 @@ Nnc3a3lGVWFCNUMxQnNJcnJMTWxka1dFaHluYmI4Ongtb2F1dGgtYmFzaWM=`
Entry("Bearer <nonVerifiedToken>", getJWTSessionTableInput{ Entry("Bearer <nonVerifiedToken>", getJWTSessionTableInput{
authorizationHeader: fmt.Sprintf("Bearer %s", nonVerifiedToken), authorizationHeader: fmt.Sprintf("Bearer %s", nonVerifiedToken),
expectedErr: k8serrors.NewAggregate([]error{ expectedErr: k8serrors.NewAggregate([]error{
errors.New("unable to verify jwt token: \"Bearer eyJfoobar.eyJfoobar.12345asdf\""), errors.New("unable to verify bearer token"),
errors.New("oidc: malformed jwt: illegal base64 data at input byte 8"), errors.New("oidc: malformed jwt: illegal base64 data at input byte 8"),
}), }),
expectedSession: nil, expectedSession: nil,
@ -238,7 +238,7 @@ Nnc3a3lGVWFCNUMxQnNJcnJMTWxka1dFaHluYmI4Ongtb2F1dGgtYmFzaWM=`
Entry("Basic Base64(<nonVerifiedToken>:) (No password)", getJWTSessionTableInput{ Entry("Basic Base64(<nonVerifiedToken>:) (No password)", getJWTSessionTableInput{
authorizationHeader: "Basic ZXlKZm9vYmFyLmV5SmZvb2Jhci4xMjM0NWFzZGY6", authorizationHeader: "Basic ZXlKZm9vYmFyLmV5SmZvb2Jhci4xMjM0NWFzZGY6",
expectedErr: k8serrors.NewAggregate([]error{ expectedErr: k8serrors.NewAggregate([]error{
errors.New("unable to verify jwt token: \"Basic ZXlKZm9vYmFyLmV5SmZvb2Jhci4xMjM0NWFzZGY6\""), errors.New("unable to verify bearer token"),
errors.New("oidc: malformed jwt: illegal base64 data at input byte 8"), errors.New("oidc: malformed jwt: illegal base64 data at input byte 8"),
}), }),
expectedSession: nil, expectedSession: nil,
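Review bot: The updated expectations pin the new message text but nothing asserts the property the commit is actually after, namely that the returned error no longer contains the header value. A negative assertion next to the aggregate comparison in the table body that consumes these entries (outside this hunk), e.g. `Expect(err.Error()).ToNot(ContainSubstring(nonVerifiedToken))` if the suite uses Gomega as the `Entry` form suggests, would catch a loader that later starts quoting the token in its own error. The `Basic` case in the second hunk wants the same check against its base64 header string.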