From b845867cd14948c0dc73a4b0e3740534c522c7dd Mon Sep 17 00:00:00 2001
From: Joel Speed
Date: Sun, 4 Oct 2020 17:08:47 +0100
Subject: [PATCH] Remove GAP-Auth header usage
---
 logging_handler.go | 9 ++++++---
 oauthproxy.go | 15 ++-------------
 pkg/upstream/http.go | 2 --
 pkg/upstream/http_test.go | 3 +--
 pkg/upstream/proxy_test.go | 3 +--
 pkg/upstream/upstream_suite_test.go | 1 -
 6 files changed, 10 insertions(+), 23 deletions(-)
diff --git a/logging_handler.go b/logging_handler.go
index d463c03b..9fd00cc6 100644
--- a/logging_handler.go
+++ b/logging_handler.go
@@ -40,9 +40,12 @@ func extractMetadata(rw http.ResponseWriter, req *http.Request) (string, string)
 scope := middleware.GetRequestScope(req)
 upstream := scope.Upstream
- authInfo := rw.Header().Get("GAP-Auth")
- if authInfo != "" {
- rw.Header().Del("GAP-Auth")
+ var authInfo string
+ if scope.Session != nil {
+ authInfo = scope.Session.Email
+ if authInfo == "" {
+ authInfo = scope.Session.User
+ }
 }
 return authInfo, upstream
diff --git a/oauthproxy.go b/oauthproxy.go
index a48f15df..0c6a812e 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -871,14 +871,13 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
 // AuthenticateOnly checks whether the user is currently logged in
 func (p *OAuthProxy) AuthenticateOnly(rw http.ResponseWriter, req *http.Request) {
- session, err := p.getAuthenticatedSession(rw, req)
+ _, err := p.getAuthenticatedSession(rw, req)
 if err != nil {
 http.Error(rw, "unauthorized request", http.StatusUnauthorized)
 return
 }
 // we are authenticated
- p.addHeadersForProxying(rw, req, session)
 p.headersChain.Then(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
 rw.WriteHeader(http.StatusAccepted)
 })).ServeHTTP(rw, req)
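Review bot: In extractMetadata the logged identity now comes from whatever session is attached to the request scope, whereas the removed header was only set in the authenticated branches of Proxy and AuthenticateOnly (see the oauthproxy.go hunks). Access-log lines may therefore attribute a user to requests that were subsequently rejected, assuming the session is stored in the scope before the authorization decision, which is not visible here. If that is intended, say so above the new block, e.g. `// authInfo reflects the session loaded into the request scope, not the outcome of authorization`. The `rw` parameter also appears unused in the visible part of the body after this change; the end of the function lies outside the hunk.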
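Review bot: The session returned by getAuthenticatedSession is now discarded at `_, err := p.getAuthenticatedSession(rw, req)` here and again in Proxy (next hunk), so everything downstream, including the logger, depends on that function or the chain it runs having stored the session in the request scope. That dependency is not visible in either hunk; a short comment at both call sites would make it explicit, e.g. `// session is read from the request scope by the header chain and the logger`. The auth-only response also stops carrying GAP-Auth, so any consumer that read it from this endpoint needs a release note pointing to the replacement header.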
@@ -892,11 +891,10 @@ func (p *OAuthProxy) SkipAuthProxy(rw http.ResponseWriter, req *http.Request) {
 // Proxy proxies the user request if the user is authenticated else it prompts
 // them to authenticate
 func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request) {
- session, err := p.getAuthenticatedSession(rw, req)
+ _, err := p.getAuthenticatedSession(rw, req)
 switch err {
 case nil:
 // we are authenticated
- p.addHeadersForProxying(rw, req, session)
 p.headersChain.Then(p.serveMux).ServeHTTP(rw, req)
 case ErrNeedsLogin:
 // we need to send the user to a login screen
@@ -952,15 +950,6 @@ func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.R
 return session, nil
 }
-// addHeadersForProxying adds the appropriate headers the request / response for proxying
-func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Request, session *sessionsapi.SessionState) {
- if session.Email == "" {
- rw.Header().Set("GAP-Auth", session.User)
- } else {
- rw.Header().Set("GAP-Auth", session.Email)
- }
-}
-
 // isAjax checks if a request is an ajax request
 func isAjax(req *http.Request) bool {
 acceptValues := req.Header.Values("Accept")
diff --git a/pkg/upstream/http.go b/pkg/upstream/http.go
index dd66e4ef..216ad709 100644
--- a/pkg/upstream/http.go
+++ b/pkg/upstream/http.go
@@ -36,7 +36,6 @@ var SignatureHeaders = []string{
 "X-Forwarded-Preferred-User",
 "X-Forwarded-Access-Token",
 "Cookie",
- "Gap-Auth",
 }
 // newHTTPUpstreamProxy creates a new httpUpstreamProxy that can serve requests
@@ -85,7 +84,6 @@ func (h *httpUpstreamProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request)
 scope.Upstream = h.upstream
 if h.auth != nil {
- req.Header.Set("GAP-Auth", rw.Header().Get("GAP-Auth"))
 h.auth.SignRequest(req)
 }
 if h.wsHandler != nil && strings.EqualFold(req.Header.Get("Connection"), "upgrade") && req.Header.Get("Upgrade") == "websocket" {
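Review bot: Dropping `"Gap-Auth"` from SignatureHeaders changes the input to the request signature, so an upstream verifier still configured with the old header list will reject every signed request; the changed digests in the test hunks confirm the value differs. The list's content and order are effectively a wire contract, and the declaration should say so, e.g. `// SignatureHeaders is part of the GAP-Signature contract: verifiers must use the same headers in the same order`. Please also call this out in the release notes so verifiers are updated in step with the proxy. The declaration starts above the hunk.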
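Review bot: A client-supplied `GAP-Auth` request header is no longer overwritten in ServeHTTP, because the removed line replaced it with the proxy's own value (possibly empty) whenever `h.auth != nil`. Unless it is stripped somewhere outside this hunk, the inbound value now reaches the upstream unchanged, and it is no longer covered by the signature either. An upstream that still reads the header would then be trusting caller input. Consider clearing it before signing and proxying, `req.Header.Del("GAP-Auth")`, ideally outside the `h.auth != nil` branch, and add a test case with the header present on the inbound request. The function continues outside the hunk.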
diff --git a/pkg/upstream/http_test.go b/pkg/upstream/http_test.go
index f2136fb6..1e832f8d 100644
--- a/pkg/upstream/http_test.go
+++ b/pkg/upstream/http_test.go
@@ -226,8 +226,7 @@ var _ = Describe("HTTP Upstream Suite", func() {
 Method: "GET",
 URL: "http://example.localhost/withSignature",
 Header: map[string][]string{
- gapAuth: {""},
- gapSignature: {"sha256 osMWI8Rr0Zr5HgNq6wakrgJITVJQMmFN1fXCesrqrmM="},
+ gapSignature: {"sha256 md39qRfodR3ya5kMZxDS5nMXtG3BZoh4DUTkrXqLtow="},
 },
 Body: []byte{},
 Host: "example.localhost",
diff --git a/pkg/upstream/proxy_test.go b/pkg/upstream/proxy_test.go
index 818e3f41..cb37e7d0 100644
--- a/pkg/upstream/proxy_test.go
+++ b/pkg/upstream/proxy_test.go
@@ -123,8 +123,7 @@ var _ = Describe("Proxy Suite", func() {
 Method: "GET",
 URL: "http://example.localhost/http/1234",
 Header: map[string][]string{
- "Gap-Auth": {""},
- "Gap-Signature": {"sha256 ofB1u6+FhEUbFLc3/uGbJVkl7GaN4egFqVvyO3+2I1w="},
+ "Gap-Signature": {"sha256 yu9y53XTRAnczM51Nv6LAbeU2mI577iUPeK8zHuY9MM="},
 },
 Body: []byte{},
 Host: "example.localhost",
diff --git a/pkg/upstream/upstream_suite_test.go b/pkg/upstream/upstream_suite_test.go
index 2d93a9c7..a9c14b51 100644
--- a/pkg/upstream/upstream_suite_test.go
+++ b/pkg/upstream/upstream_suite_test.go
@@ -58,7 +58,6 @@ const (
 acceptEncoding = "Accept-Encoding"
 applicationJSON = "application/json"
 textPlainUTF8 = "text/plain; charset=utf-8"
- gapAuth = "Gap-Auth"
 gapSignature = "Gap-Signature"
 )