From 4c45d35507dea94a83b15ec0e2ed868d8cb2c05d Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sat, 14 Jan 2023 21:44:28 +0100
Subject: [PATCH] outposts/proxy: fix error handling, remove requirement for profile/etc scopes
Signed-off-by: Jens Langhammer
---
 .../outpost/proxyv2/application/application.go | 17 ++++++-----------
 .../outpost/proxyv2/application/auth_bearer.go | 4 ----
 .../outpost/proxyv2/application/mode_common.go | 3 +++
 .../outpost/proxyv2/application/mode_proxy.go | 18 +++++++++---------
 4 files changed, 18 insertions(+), 24 deletions(-)
diff --git a/internal/outpost/proxyv2/application/application.go b/internal/outpost/proxyv2/application/application.go
index 73e7d4f13..b9d15260b 100644
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@@ -104,23 +104,18 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
 }
 a.sessions = a.getStore(p, externalHost)
 mux.Use(web.NewLoggingHandler(muxLogger, func(l *log.Entry, r *http.Request) *log.Entry {
- s, err := a.sessions.Get(r, constants.SessionName)
- if err != nil {
+ c := a.getClaimsFromSession(r)
+ if c == nil {
 return l
 }
- claims, ok := s.Values[constants.SessionClaims]
- if claims == nil || !ok {
- return l
+ if c.PreferredUsername != "" {
+ return l.WithField("request_username", c.PreferredUsername)
 }
- c, ok := claims.(Claims)
- if !ok {
- return l
- }
- return l.WithField("request_username", c.PreferredUsername)
+ return l.WithField("request_username", c.Sub)
 }))
 mux.Use(func(inner http.Handler) http.Handler {
 return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
- c, _ := a.checkAuth(rw, r)
+ c := a.getClaimsFromSession(r)
 user := ""
 if c != nil {
 user = c.PreferredUsername
diff --git a/internal/outpost/proxyv2/application/auth_bearer.go b/internal/outpost/proxyv2/application/auth_bearer.go
index 7d188f990..70cd2c381 100644
--- a/internal/outpost/proxyv2/application/auth_bearer.go
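Review bot: The second middleware still derives `user` from `c.PreferredUsername` alone, while the logging handler just above it now falls back to `c.Sub` when that field is empty; since this commit stops requiring the profile scope, sessions whose claims carry no preferred username will be labelled with an empty user on that path. Mirroring the fallback keeps both closures consistent: after `user = c.PreferredUsername` add `if user == "" { user = c.Sub }`. Both closures also switch from `checkAuth` to `getClaimsFromSession`, which is not part of this patch, so whether it still validates the session rather than only reading the stored claims cannot be confirmed from here; a one-line doc comment on that helper stating its contract would make the substitution reviewable. NewApplication starts and ends outside the hunk.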
+++ b/internal/outpost/proxyv2/application/auth_bearer.go
@@ -52,10 +52,6 @@ func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenInt
 a.log.Warning("token is not active")
 return nil
 }
- if !strings.Contains(intro.Scope, "openid") || !strings.Contains(intro.Scope, "profile") {
- a.log.Error("token missing openid or profile scope")
- return nil
- }
 intro.RawToken = token
 a.log.Trace("successfully introspected bearer token")
 return &intro
diff --git a/internal/outpost/proxyv2/application/mode_common.go b/internal/outpost/proxyv2/application/mode_common.go
index 5e30f1501..883686032 100644
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@@ -29,6 +29,9 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
 headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug)
 headers.Set("X-authentik-meta-version", constants.OutpostUserAgent())
+ if c.Proxy == nil {
+ return
+ }
 userAttributes := c.Proxy.UserAttributes
 // Attempt to set basic auth based on user's attributes
 if *a.proxyConfig.BasicAuthEnabled {
diff --git a/internal/outpost/proxyv2/application/mode_proxy.go b/internal/outpost/proxyv2/application/mode_proxy.go
index db534d914..79ad0ad5a 100644
--- a/internal/outpost/proxyv2/application/mode_proxy.go
+++ b/internal/outpost/proxyv2/application/mode_proxy.go
@@ -33,6 +33,13 @@ func (a *Application) configureProxy() error {
 rp.ErrorHandler = a.newProxyErrorHandler()
 rp.ModifyResponse = a.proxyModifyResponse
 a.mux.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
+ defer func() {
+ err := recover()
+ if err == nil || err == http.ErrAbortHandler {
+ return
+ }
+ log.WithError(err.(error)).Error("recover in reverse proxy")
+ }()
 claims, err := a.checkAuth(rw, r)
 if claims == nil && a.IsAllowlisted(r.URL) {
 a.log.Trace("path can be accessed without authentication")
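Review bot: The scope check on the introspected token is removed outright rather than narrowed, so attemptBearerAuth now accepts any token that introspection reports as active, whatever scopes it was issued with. If the intent (per the subject line) was only to stop requiring `profile`, keeping the `openid` requirement preserves the previous guarantee that the token came from an OIDC flow: `if !strings.Contains(intro.Scope, "openid") { a.log.Error("token missing openid scope"); return nil }` — and comparing whitespace-separated scope tokens exactly, rather than a substring match, would tighten it further. If dropping the check entirely is deliberate, a comment at this point saying that scope is intentionally not validated here (and where it is enforced instead) would stop the next reader from re-adding it. attemptBearerAuth starts outside the hunk.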
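Review bot: The new `c.Proxy == nil` guard silently skips everything after it, including the basic-auth injection that follows, and nothing in the hunk records why a Claims value may lack its Proxy section; a comment above the guard such as `// Proxy-specific claims are optional; without them there is nothing further to forward.` would make the early return self-explanatory (if the usual cause is a token issued without the proxy-specific scope, say so). The guard also leaves `c` itself unchecked, so callers must still pass a non-nil Claims — worth stating in addHeaders' doc comment if it is not already. addHeaders continues past the hunk.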
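Review bot: In the deferred recovery, `err.(error)` is an unchecked type assertion, so a panic carrying a non-error value re-panics inside the deferred function and escapes the recover this commit just fixed; logging the recovered value as a field avoids that: `log.WithField("panic", err).Error("recover in reverse proxy")`. After recovering, the handler returns without writing anything, so when the panic occurs before any response bytes are sent the client gets an empty 200 — replying with a 500 in that case would be more accurate, though whether rw has already been written to is not tracked in this hunk. Registering the defer before `rp.ServeHTTP` is the right fix, since the previous placement only installed it after the proxied call had returned. The handler closure and configureProxy continue outside the hunk.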
@@ -45,13 +52,6 @@ func (a *Application) configureProxy() error {
 }
 before := time.Now()
 rp.ServeHTTP(rw, r)
- defer func() {
- err := recover()
- if err == nil || err == http.ErrAbortHandler {
- return
- }
- log.WithError(err.(error)).Error("recover in reverse proxy")
- }()
 after := time.Since(before)
 metrics.UpstreamTiming.With(prometheus.Labels{
@@ -68,9 +68,9 @@ func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 return func(r *http.Request) {
 r.Header.Set("X-Forwarded-Host", r.Host)
- claims, _ := a.checkAuth(nil, r)
 r.URL.Scheme = ou.Scheme
 r.URL.Host = ou.Host
+ claims := a.getClaimsFromSession(r)
 if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
 u, err := url.Parse(claims.Proxy.BackendOverride)
 if err != nil {
@@ -85,6 +85,6 @@ func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
 }
 func (a *Application) proxyModifyResponse(res *http.Response) error {
- res.Header.Set("X-Powered-By", "authentik_proxy2")
+ res.Header.Set("X-Powered-By", "goauthentik.io")
 return nil
 }
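Review bot: `url.Parse` returns no error for strings without a scheme or host (a bare name such as `backend` parses as a relative path, and `backend:8080` parses with `backend` as the scheme and an empty host), so the `err != nil` branch in the second hunk of this line does not reject a malformed BackendOverride. If the parsed `u` is used as the upstream address — what happens to it lies outside the hunk — the check should be `if err != nil || u.Scheme == "" || u.Host == "" {`, and limiting the scheme to http/https would be prudent given that the value comes from the claims rather than from operator configuration. Fetching the claims via `getClaimsFromSession` instead of `checkAuth(nil, r)` also removes a call that handed a nil ResponseWriter to the auth path, which is worth a short why-comment on the new line. proxyModifyRequest's body continues outside the hunk.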