From 6458b1dbf88dff30dbbb7cd9dbd2f3c3779b42e5 Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 23 Sep 2020 12:20:09 +0200
Subject: [PATCH] providers/proxy: make upstream SSL Validation configurable
---
 passbook/providers/proxy/api.py | 2 ++
 passbook/providers/proxy/forms.py | 1 +
 .../migrations/0007_auto_20200923_1017.py | 23 +++++++++++++++++++
 passbook/providers/proxy/models.py | 8 ++++---
 swagger.yaml | 12 ++++++++--
 5 files changed, 41 insertions(+), 5 deletions(-)
 create mode 100644 passbook/providers/proxy/migrations/0007_auto_20200923_1017.py
diff --git a/passbook/providers/proxy/api.py b/passbook/providers/proxy/api.py
index d75733539..63af2967a 100644
--- a/passbook/providers/proxy/api.py
+++ b/passbook/providers/proxy/api.py
@@ -54,6 +54,7 @@ class ProxyProviderSerializer(ModelSerializer):
 "name",
 "internal_host",
 "external_host",
+ "internal_host_ssl_validation",
 "certificate",
 "skip_path_regex",
 ]
@@ -89,6 +90,7 @@ class ProxyOutpostConfigSerializer(ModelSerializer):
 "name",
 "internal_host",
 "external_host",
+ "internal_host_ssl_validation",
 "client_id",
 "client_secret",
 "oidc_configuration",
diff --git a/passbook/providers/proxy/forms.py b/passbook/providers/proxy/forms.py
index 1d1b4dd7d..de45349c8 100644
--- a/passbook/providers/proxy/forms.py
+++ b/passbook/providers/proxy/forms.py
@@ -33,6 +33,7 @@ class ProxyProviderForm(forms.ModelForm):
 "name",
 "authorization_flow",
 "internal_host",
+ "internal_host_ssl_validation",
 "external_host",
 "certificate",
 "skip_path_regex",
diff --git a/passbook/providers/proxy/migrations/0007_auto_20200923_1017.py b/passbook/providers/proxy/migrations/0007_auto_20200923_1017.py
new file mode 100644
index 000000000..7de35d2af
--- /dev/null
+++ b/passbook/providers/proxy/migrations/0007_auto_20200923_1017.py
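Review bot: `internal_host_ssl_validation` is appended to the `fields` list of `ProxyOutpostConfigSerializer` in the second hunk (and of `ProxyProviderSerializer` in the first), but nothing in this patch shows the consumer of that outpost config acting on the new key, so the proxy's upstream certificate verification presumably stays at whatever the outpost implementation does today until it reads `internal_host_ssl_validation` from the config; worth confirming against the accompanying outpost change. Since a `False` value here relaxes TLS verification toward the internal host, a one-line comment above the entry in both serializers, e.g. `# security-relevant: False disables certificate verification of the upstream host`, would tell API consumers what the boolean controls. Both serializer classes and their `Meta` bodies begin before the hunks, so whether the field is writable or read-only is not visible here.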
@@ -0,0 +1,23 @@
+# Generated by Django 3.1.1 on 2020-09-23 10:17
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('passbook_providers_proxy', '0006_proxyprovider_skip_path_regex'),
+ ]
+
+ operations = [
+ migrations.AddField(
+ model_name='proxyprovider',
+ name='internal_host_ssl_validation',
+ field=models.BooleanField(default=True, help_text='Validate SSL Certificates of upstream servers'),
+ ),
+ migrations.AlterField(
+ model_name='proxyprovider',
+ name='skip_path_regex',
+ field=models.TextField(blank=True, default='', help_text='Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression.'),
+ ),
+ ]
diff --git a/passbook/providers/proxy/models.py b/passbook/providers/proxy/models.py
index b1831ac8a..c54450cc1 100644
--- a/passbook/providers/proxy/models.py
+++ b/passbook/providers/proxy/models.py
@@ -46,15 +46,15 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
 external_host = models.TextField(
 validators=[DomainlessURLValidator(schemes=("http", "https"))]
 )
-
- cookie_secret = models.TextField(default=get_cookie_secret)
+ internal_host_ssl_validation = models.BooleanField(
+ default=True, help_text=_("Validate SSL Certificates of upstream servers"))
 
 skip_path_regex = models.TextField(
 default="",
 blank=True,
 help_text=_(
 (
- "Regular expression for which authentication is not required. "
+ "Regular expressions for which authentication is not required. "
 "Each new line is interpreted as a new Regular Expression."
 )
 ),
@@ -64,6 +64,8 @@ class ProxyProvider(OutpostModel, OAuth2Provider):
 CertificateKeyPair, on_delete=models.SET_NULL, null=True, blank=True,
 )
 
+ cookie_secret = models.TextField(default=get_cookie_secret)
+
 def form(self) -> Type[ModelForm]:
 from passbook.providers.proxy.forms import ProxyProviderForm
 
diff --git a/swagger.yaml b/swagger.yaml
index d5a317a40..a39a79ed6 100755
--- a/swagger.yaml
+++ b/swagger.yaml
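Review bot: The new `internal_host_ssl_validation` field in the first models.py hunk closes `BooleanField(` on the same line as its `help_text` argument (`...servers"))`), unlike the neighbouring `external_host` and `skip_path_regex` definitions, which explode one argument per line; `default=True,` / `help_text=_("Validate SSL Certificates of upstream servers"),` / `)` keeps it consistent and black-compatible. Because switching the flag off removes certificate verification between the outpost and the internal host, a short comment above the field saying that `False` is intended only for internal hosts whose certificate the outpost cannot be made to trust, and that the default is deliberately `True`, would make the trade-off visible to the next reader without relying on the help text alone. The second hunk only relocates `cookie_secret` below `certificate` and needs no change. The `ProxyProvider` class begins before the first hunk and its body continues past the second.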
@@ -6215,6 +6215,10 @@ definitions:
 title: External host
 type: string
 minLength: 1
+ internal_host_ssl_validation:
+ title: Internal host ssl validation
+ description: Validate SSL Certificates of upstream servers
+ type: boolean
 client_id:
 title: Client ID
 type: string
@@ -6237,7 +6241,7 @@ definitions:
 x-nullable: true
 skip_path_regex:
 title: Skip path regex
- description: Regular expression for which authentication is not required.
+ description: Regular expressions for which authentication is not required.
 Each new line is interpreted as a new Regular Expression.
 type: string
 Policy:
@@ -6700,6 +6704,10 @@ definitions:
 title: External host
 type: string
 minLength: 1
+ internal_host_ssl_validation:
+ title: Internal host ssl validation
+ description: Validate SSL Certificates of upstream servers
+ type: boolean
 certificate:
 title: Certificate
 type: string
@@ -6707,7 +6715,7 @@ definitions:
 x-nullable: true
 skip_path_regex:
 title: Skip path regex
- description: Regular expression for which authentication is not required.
+ description: Regular expressions for which authentication is not required.
 Each new line is interpreted as a new Regular Expression.
 type: string
 SAMLProvider: