public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Remove GAP-Auth header usage

This commit is contained in:
Joel Speed 2020-10-04 17:08:47 +01:00
parent 2e72d151e2
commit b845867cd1
No known key found for this signature in database
GPG Key ID: 6E80578D6751DEFB
6 changed files with 10 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
logging_handler.go
View File

@ -40,9 +40,12 @@ func extractMetadata(rw http.ResponseWriter, req *http.Request) (string, string)
scope := middleware.GetRequestScope(req) scope := middleware.GetRequestScope(req)
upstream := scope.Upstream upstream := scope.Upstream
authInfo := rw.Header().Get("GAP-Auth") var authInfo string
if authInfo != "" { if scope.Session != nil {
rw.Header().Del("GAP-Auth") authInfo = scope.Session.Email
if authInfo == "" {
authInfo = scope.Session.User
}
} }
return authInfo, upstream return authInfo, upstream

15
oauthproxy.go
View File

@ -871,14 +871,13 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
// AuthenticateOnly checks whether the user is currently logged in // AuthenticateOnly checks whether the user is currently logged in
func (p *OAuthProxy) AuthenticateOnly(rw http.ResponseWriter, req *http.Request) { func (p *OAuthProxy) AuthenticateOnly(rw http.ResponseWriter, req *http.Request) {
session, err := p.getAuthenticatedSession(rw, req) _, err := p.getAuthenticatedSession(rw, req)
if err != nil { if err != nil {
http.Error(rw, "unauthorized request", http.StatusUnauthorized) http.Error(rw, "unauthorized request", http.StatusUnauthorized)
return return
} }
// we are authenticated // we are authenticated
p.addHeadersForProxying(rw, req, session)
p.headersChain.Then(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) { p.headersChain.Then(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
rw.WriteHeader(http.StatusAccepted) rw.WriteHeader(http.StatusAccepted)
})).ServeHTTP(rw, req) })).ServeHTTP(rw, req)
@ -892,11 +891,10 @@ func (p *OAuthProxy) SkipAuthProxy(rw http.ResponseWriter, req *http.Request) {
// Proxy proxies the user request if the user is authenticated else it prompts // Proxy proxies the user request if the user is authenticated else it prompts
// them to authenticate // them to authenticate
func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request) { func (p *OAuthProxy) Proxy(rw http.ResponseWriter, req *http.Request) {
session, err := p.getAuthenticatedSession(rw, req) _, err := p.getAuthenticatedSession(rw, req)
switch err { switch err {
case nil: case nil:
// we are authenticated // we are authenticated
p.addHeadersForProxying(rw, req, session)
p.headersChain.Then(p.serveMux).ServeHTTP(rw, req) p.headersChain.Then(p.serveMux).ServeHTTP(rw, req)
case ErrNeedsLogin: case ErrNeedsLogin:
// we need to send the user to a login screen // we need to send the user to a login screen
@ -952,15 +950,6 @@ func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.R
return session, nil return session, nil
} }
// addHeadersForProxying adds the appropriate headers the request / response for proxying
func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Request, session *sessionsapi.SessionState) {
if session.Email == "" {
rw.Header().Set("GAP-Auth", session.User)
} else {
rw.Header().Set("GAP-Auth", session.Email)
}
}
// isAjax checks if a request is an ajax request // isAjax checks if a request is an ajax request
func isAjax(req *http.Request) bool { func isAjax(req *http.Request) bool {
acceptValues := req.Header.Values("Accept") acceptValues := req.Header.Values("Accept")

2
pkg/upstream/http.go
View File

@ -36,7 +36,6 @@ var SignatureHeaders = []string{
"X-Forwarded-Preferred-User", "X-Forwarded-Preferred-User",
"X-Forwarded-Access-Token", "X-Forwarded-Access-Token",
"Cookie", "Cookie",
"Gap-Auth",
} }
// newHTTPUpstreamProxy creates a new httpUpstreamProxy that can serve requests // newHTTPUpstreamProxy creates a new httpUpstreamProxy that can serve requests
@ -85,7 +84,6 @@ func (h *httpUpstreamProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request)
scope.Upstream = h.upstream scope.Upstream = h.upstream
if h.auth != nil { if h.auth != nil {
req.Header.Set("GAP-Auth", rw.Header().Get("GAP-Auth"))
h.auth.SignRequest(req) h.auth.SignRequest(req)
} }
if h.wsHandler != nil && strings.EqualFold(req.Header.Get("Connection"), "upgrade") && req.Header.Get("Upgrade") == "websocket" { if h.wsHandler != nil && strings.EqualFold(req.Header.Get("Connection"), "upgrade") && req.Header.Get("Upgrade") == "websocket" {

3
pkg/upstream/http_test.go
View File

@ -226,8 +226,7 @@ var _ = Describe("HTTP Upstream Suite", func() {
Method: "GET", Method: "GET",
URL: "http://example.localhost/withSignature", URL: "http://example.localhost/withSignature",
Header: map[string][]string{ Header: map[string][]string{
gapAuth: {""}, gapSignature: {"sha256 md39qRfodR3ya5kMZxDS5nMXtG3BZoh4DUTkrXqLtow="},
gapSignature: {"sha256 osMWI8Rr0Zr5HgNq6wakrgJITVJQMmFN1fXCesrqrmM="},
}, },
Body: []byte{}, Body: []byte{},
Host: "example.localhost", Host: "example.localhost",

3
pkg/upstream/proxy_test.go
View File

@ -123,8 +123,7 @@ var _ = Describe("Proxy Suite", func() {
Method: "GET", Method: "GET",
URL: "http://example.localhost/http/1234", URL: "http://example.localhost/http/1234",
Header: map[string][]string{ Header: map[string][]string{
"Gap-Auth": {""}, "Gap-Signature": {"sha256 yu9y53XTRAnczM51Nv6LAbeU2mI577iUPeK8zHuY9MM="},
"Gap-Signature": {"sha256 ofB1u6+FhEUbFLc3/uGbJVkl7GaN4egFqVvyO3+2I1w="},
}, },
Body: []byte{}, Body: []byte{},
Host: "example.localhost", Host: "example.localhost",

1
pkg/upstream/upstream_suite_test.go
View File

@ -58,7 +58,6 @@ const (
acceptEncoding = "Accept-Encoding" acceptEncoding = "Accept-Encoding"
applicationJSON = "application/json" applicationJSON = "application/json"
textPlainUTF8 = "text/plain; charset=utf-8" textPlainUTF8 = "text/plain; charset=utf-8"
gapAuth = "Gap-Auth"
gapSignature = "Gap-Signature" gapSignature = "Gap-Signature"
) )