outposts: fix oauth state when using signature routing (#3616)

* fix oauth state when using signature routing

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* more retries

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens L 2022-09-19 21:38:34 +02:00 committed by GitHub
parent 9fb5092fdc
commit 47daaf969a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 14 additions and 14 deletions


@ -37,9 +37,11 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
http.Error(rw, "configuration error", http.StatusInternalServerError) http.Error(rw, "configuration error", http.StatusInternalServerError)
return return
} }
tr := r.Clone(r.Context())
tr.URL = fwd
if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") { if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") {
a.log.Debug("handling OAuth Callback from querystring signature") a.log.Debug("handling OAuth Callback from querystring signature")
a.handleAuthCallback(rw, r) a.handleAuthCallback(rw, tr)
return return
} else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") { } else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") {
a.log.Debug("handling OAuth Logout from querystring signature") a.log.Debug("handling OAuth Logout from querystring signature")
@ -57,8 +59,6 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
a.log.Trace("path can be accessed without authentication") a.log.Trace("path can be accessed without authentication")
return return
} }
tr := r.Clone(r.Context())
tr.URL = fwd
a.handleAuthStart(rw, r) a.handleAuthStart(rw, r)
// set the redirect flag to the current URL we have, since we redirect // set the redirect flag to the current URL we have, since we redirect
// to a (possibly) different domain, but we want to be redirected back // to a (possibly) different domain, but we want to be redirected back
@ -88,9 +88,11 @@ func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request
http.Error(rw, "configuration error", http.StatusInternalServerError) http.Error(rw, "configuration error", http.StatusInternalServerError)
return return
} }
tr := r.Clone(r.Context())
tr.URL = fwd
if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") { if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") {
a.log.Debug("handling OAuth Callback from querystring signature") a.log.Debug("handling OAuth Callback from querystring signature")
a.handleAuthCallback(rw, r) a.handleAuthCallback(rw, tr)
return return
} else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") { } else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") {
a.log.Debug("handling OAuth Logout from querystring signature") a.log.Debug("handling OAuth Logout from querystring signature")
@ -108,8 +110,6 @@ func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request
a.log.Trace("path can be accessed without authentication") a.log.Trace("path can be accessed without authentication")
return return
} }
tr := r.Clone(r.Context())
tr.URL = fwd
a.handleAuthStart(rw, r) a.handleAuthStart(rw, r)
// set the redirect flag to the current URL we have, since we redirect // set the redirect flag to the current URL we have, since we redirect
// to a (possibly) different domain, but we want to be redirected back // to a (possibly) different domain, but we want to be redirected back
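Review bot: The signature-routing block in the first hunk (the `r.Clone` lines through the `LogoutSignature` branch) is now repeated verbatim in the forwardHandleCaddy hunk, so this fix had to be applied in two places and the two copies can drift; a small shared helper that takes rw, r and fwd and reports whether it handled the request would leave one place to fix next time. A second point: the callback branch now receives the clone `tr` whose URL is `fwd`, while `a.handleAuthStart(rw, r)` in the following hunk still receives the original `r`, so the two paths see different URLs; if that is deliberate, a comment next to the clone such as `// tr carries the forwarded URL so the callback sees the state/code query parameters` would record why. Both forwardHandle functions begin and end outside the hunks.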


@ -78,7 +78,7 @@ func (a *Application) handleAuthCallback(rw http.ResponseWriter, r *http.Request
http.Redirect(rw, r, a.proxyConfig.ExternalHost, http.StatusFound) http.Redirect(rw, r, a.proxyConfig.ExternalHost, http.StatusFound)
return return
} }
claims, err := a.redeemCallback(r, state.([]string)) claims, err := a.redeemCallback(state.([]string), r.URL, r.Context())
if err != nil { if err != nil {
a.log.WithError(err).Warning("failed to redeem code") a.log.WithError(err).Warning("failed to redeem code")
rw.WriteHeader(400) rw.WriteHeader(400)
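Review bot: `state.([]string)` on the changed line is an unchecked type assertion; if the stored value ever has a different type the handler panics, which net/http turns into an aborted response and a stack trace in the log instead of a clean 4xx. The two-value form keeps it a normal error path: `states, ok := state.([]string)`, `if !ok { rw.WriteHeader(http.StatusBadRequest); return }`, then `claims, err := a.redeemCallback(states, r.URL, r.Context())`. The guard just above the hunk is cut off and may already rule this out, so treat this as a question rather than a certainty; while here, `rw.WriteHeader(400)` reads better as `http.StatusBadRequest`. handleAuthCallback continues outside the hunk.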


@ -3,14 +3,14 @@ package application
import ( import (
"context" "context"
"fmt" "fmt"
"net/http" "net/url"
log "github.com/sirupsen/logrus" log "github.com/sirupsen/logrus"
"golang.org/x/oauth2" "golang.org/x/oauth2"
) )
func (a *Application) redeemCallback(r *http.Request, states []string) (*Claims, error) { func (a *Application) redeemCallback(states []string, u *url.URL, c context.Context) (*Claims, error) {
state := r.URL.Query().Get("state") state := u.Query().Get("state")
if len(states) < 1 { if len(states) < 1 {
return nil, fmt.Errorf("no states") return nil, fmt.Errorf("no states")
} }
@ -29,12 +29,12 @@ func (a *Application) redeemCallback(r *http.Request, states []string) (*Claims,
return nil, fmt.Errorf("invalid state") return nil, fmt.Errorf("invalid state")
} }
code := r.URL.Query().Get("code") code := u.Query().Get("code")
if code == "" { if code == "" {
return nil, fmt.Errorf("blank code") return nil, fmt.Errorf("blank code")
} }
ctx := context.WithValue(r.Context(), oauth2.HTTPClient, a.httpClient) ctx := context.WithValue(c, oauth2.HTTPClient, a.httpClient)
// Verify state and errors. // Verify state and errors.
oauth2Token, err := a.oauthConfig.Exchange(ctx, code) oauth2Token, err := a.oauthConfig.Exchange(ctx, code)
if err != nil { if err != nil {
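Review bot: The new signature `redeemCallback(states []string, u *url.URL, c context.Context)` puts the context last and names it `c`; Go convention is a first parameter named `ctx`, which also makes the later `context.WithValue(c, …)` read naturally: `func (a *Application) redeemCallback(ctx context.Context, u *url.URL, states []string) (*Claims, error)`, with the single caller in handleAuthCallback updated to match. The `fmt.Errorf` calls that carry no format verbs (`"no states"`, `"invalid state"`, `"blank code"`) are `errors.New` candidates, though they predate this commit. The function body continues between and after the two hunks.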


@ -19,7 +19,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH
COPY --from=builder /go/ldap / COPY --from=builder /go/ldap /
HEALTHCHECK --interval=5s --retries=10 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ] HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
EXPOSE 3389 6636 9300 EXPOSE 3389 6636 9300
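Review bot: Raising `--retries` to 20 at `--interval=5s` means an outpost that is genuinely down is only reported unhealthy after roughly 100 s of consecutive failures; the same change is made in the second Dockerfile section. If the motivation is slow startup, failures during `--start-period` do not count toward the retry budget, so lengthening `--start-period` addresses that case without delaying detection of a real outage. A short comment above the HEALTHCHECK line recording which case the new value is tuned for would help the next reader.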


@ -32,7 +32,7 @@ COPY --from=web-builder /static/security.txt /web/security.txt
COPY --from=web-builder /static/dist/ /web/dist/ COPY --from=web-builder /static/dist/ /web/dist/
COPY --from=web-builder /static/authentik/ /web/authentik/ COPY --from=web-builder /static/authentik/ /web/authentik/
HEALTHCHECK --interval=5s --retries=10 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ] HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
EXPOSE 9000 9300 9443 EXPOSE 9000 9300 9443