From 3b068610b96dd2fffcc54995a4bd8bc21ad47372 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 1 Dec 2021 20:05:56 +0100
Subject: [PATCH] outposts/proxy: clean up header setting (don't copy all headers)
Signed-off-by: Jens Langhammer
---
 .../proxyv2/application/mode_common.go | 34 +++++++------------
 .../proxyv2/application/mode_forward.go | 8 ++---
 .../outpost/proxyv2/application/mode_proxy.go | 2 +-
 3 files changed, 18 insertions(+), 26 deletions(-)
diff --git a/internal/outpost/proxyv2/application/mode_common.go b/internal/outpost/proxyv2/application/mode_common.go
index b49438e20..795ba5e41 100644
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@@ -7,22 +7,22 @@ import (
 "strings"
 )
-func (a *Application) addHeaders(r *http.Request, c *Claims) {
+func (a *Application) addHeaders(headers http.Header, c *Claims) {
 // https://goauthentik.io/docs/providers/proxy/proxy
 // Legacy headers, remove after 2022.1
- r.Header.Set("X-Auth-Username", c.PreferredUsername)
- r.Header.Set("X-Auth-Groups", strings.Join(c.Groups, "|"))
- r.Header.Set("X-Forwarded-Email", c.Email)
- r.Header.Set("X-Forwarded-Preferred-Username", c.PreferredUsername)
- r.Header.Set("X-Forwarded-User", c.Sub)
+ headers.Set("X-Auth-Username", c.PreferredUsername)
+ headers.Set("X-Auth-Groups", strings.Join(c.Groups, "|"))
+ headers.Set("X-Forwarded-Email", c.Email)
+ headers.Set("X-Forwarded-Preferred-Username", c.PreferredUsername)
+ headers.Set("X-Forwarded-User", c.Sub)
 // New headers, unique prefix
- r.Header.Set("X-authentik-username", c.PreferredUsername)
- r.Header.Set("X-authentik-groups", strings.Join(c.Groups, "|"))
- r.Header.Set("X-authentik-email", c.Email)
- r.Header.Set("X-authentik-name", c.Name)
- r.Header.Set("X-authentik-uid", c.Sub)
+ headers.Set("X-authentik-username", c.PreferredUsername)
+ headers.Set("X-authentik-groups", strings.Join(c.Groups, "|"))
+ headers.Set("X-authentik-email", c.Email)
+ headers.Set("X-authentik-name", c.Name)
+ headers.Set("X-authentik-uid", c.Sub)
 userAttributes := c.Proxy.UserAttributes
 // Attempt to set basic auth based on user's attributes
@@ -39,7 +39,7 @@ func (a *Application) addHeaders(r *http.Request, c *Claims) {
 }
 authVal := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
 a.log.WithField("username", username).Trace("setting http basic auth")
- r.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)}
+ headers.Set("Authorization", fmt.Sprintf("Basic %s", authVal))
 }
 // Check if user has additional headers set that we should sent
 if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]interface{}); ok {
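Review bot: addHeaders has no doc comment, and after this signature change the meaning of `headers` depends on the caller — it is the upstream request's `r.Header` in mode_proxy.go and the forward-auth response's `rw.Header()` in mode_forward.go — which a reader of mode_common.go alone cannot see. Suggest adding `// addHeaders writes the identity headers, the optional basic-auth Authorization header and any per-user additionalHeaders derived from c into headers; in proxy mode this is the upstream request's header map, in forward-auth mode the auth response's header map. Set overwrites any existing value under the same canonical key.` The last sentence is worth stating explicitly: because Set canonicalises the key, the lowercase `X-authentik-*` names land as `X-Authentik-*` and replace any identically named header the client sent, which is what keeps these values from being spoofed on the authenticated path.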
@@ -48,15 +48,7 @@ func (a *Application) addHeaders(r *http.Request, c *Claims) {
 return
 }
 for key, value := range additionalHeaders {
- r.Header.Set(key, toString(value))
- }
- }
-}
-
-func copyHeadersToResponse(rw http.ResponseWriter, r *http.Request) {
- for headerKey, headers := range r.Header {
- for _, value := range headers {
- rw.Header().Set(headerKey, value)
+ headers.Set(key, toString(value))
 }
 }
 }
diff --git a/internal/outpost/proxyv2/application/mode_forward.go b/internal/outpost/proxyv2/application/mode_forward.go
index c5e25cb55..6a4a83193 100644
--- a/internal/outpost/proxyv2/application/mode_forward.go
+++ b/internal/outpost/proxyv2/application/mode_forward.go
@@ -26,8 +26,8 @@ func (a *Application) configureForward() error {
 func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Request) {
 claims, err := a.getClaims(r)
 if claims != nil && err == nil {
- a.addHeaders(r, claims)
- copyHeadersToResponse(rw, r)
+ a.addHeaders(rw.Header(), claims)
+ a.log.WithField("headers", rw.Header()).Trace("headers written to forward_auth")
 return
 } else if claims == nil && a.IsAllowlisted(r) {
 a.log.Trace("path can be accessed without authentication")
@@ -69,9 +69,9 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
 func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request) {
 claims, err := a.getClaims(r)
 if claims != nil && err == nil {
- a.addHeaders(r, claims)
- copyHeadersToResponse(rw, r)
+ a.addHeaders(rw.Header(), claims)
 rw.WriteHeader(200)
+ a.log.WithField("headers", rw.Header()).Trace("headers written to forward_auth")
 return
 } else if claims == nil && a.IsAllowlisted(r) {
 a.log.Trace("path can be accessed without authentication")
diff --git a/internal/outpost/proxyv2/application/mode_proxy.go b/internal/outpost/proxyv2/application/mode_proxy.go
index 7c25f0932..72d831157 100644
--- a/internal/outpost/proxyv2/application/mode_proxy.go
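Review bot: The new trace line in forwardHandleTraefik, `a.log.WithField("headers", rw.Header()).Trace("headers written to forward_auth")`, logs the entire response header map, which after addHeaders contains the `Authorization: Basic …` value built from the user's stored basic-auth password (see the -39 hunk of mode_common.go) plus any per-user additionalHeaders; the same line is added in forwardHandleNginx in the next hunk. Even at trace level that writes reusable credentials into log output and whatever aggregates it. Suggest logging a redacted copy: `logged := rw.Header().Clone()`, `logged.Del("Authorization")`, `a.log.WithField("headers", logged).Trace("headers written to forward_auth")`, or logging only the key names. Both handlers continue past the end of their hunks.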
+++ b/internal/outpost/proxyv2/application/mode_proxy.go
@@ -39,7 +39,7 @@ func (a *Application) configureProxy() error {
 a.redirectToStart(rw, r)
 return
 } else {
- a.addHeaders(r, claims)
+ a.addHeaders(r.Header, claims)
 }
 before := time.Now()
 rp.ServeHTTP(rw, r)
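Review bot: `a.addHeaders(r.Header, claims)` now writes straight into the header map that `rp.ServeHTTP(rw, r)` forwards upstream, so on this branch Set replaces any identity header the client supplied under the same canonical name — but the replacement only happens when claims are present. If any path reaches `rp.ServeHTTP` without going through addHeaders (mode_forward.go has an IsAllowlisted branch; whether configureProxy has a sibling is outside this hunk, so this is unverified), client-supplied `X-Authentik-*`/`X-Forwarded-User` headers would pass upstream unchanged. A defensive option is to delete those keys from `r.Header` before the auth outcome is decided, so the only values the upstream ever sees are the ones addHeaders sets. The enclosing handler in configureProxy starts and ends outside the hunk.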