trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

providers/proxy: envoy v2 (#3029) 

* add path prefix

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* use prefix correctly

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>

* only set redirect if session doesn't have a redirect yet

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens L 2022-06-03 10:32:52 +02:00 committed by GitHub
parent 09f92e5bad
commit 8447e9b9c2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 17 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
internal/outpost/proxyv2/application/application.go
View File

@ -136,7 +136,6 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
"type": "app", "type": "app",
"method": r.Method, "method": r.Method,
"host": web.GetHost(r), "host": web.GetHost(r),
"scheme": r.URL.Scheme,
}).Observe(float64(after)) }).Observe(float64(after))
}) })
}) })

25
internal/outpost/proxyv2/application/mode_forward.go
View File

@ -11,6 +11,10 @@ import (
"goauthentik.io/internal/utils/web" "goauthentik.io/internal/utils/web"
) )
const (
envoyPrefix = "/outpost.goauthentik.io/auth/envoy"
)
func (a *Application) configureForward() error { func (a *Application) configureForward() error {
a.mux.HandleFunc("/outpost.goauthentik.io/auth", func(rw http.ResponseWriter, r *http.Request) { a.mux.HandleFunc("/outpost.goauthentik.io/auth", func(rw http.ResponseWriter, r *http.Request) {
if _, ok := r.URL.Query()["traefik"]; ok { if _, ok := r.URL.Query()["traefik"]; ok {
@ -21,7 +25,7 @@ func (a *Application) configureForward() error {
}) })
a.mux.HandleFunc("/outpost.goauthentik.io/auth/traefik", a.forwardHandleTraefik) a.mux.HandleFunc("/outpost.goauthentik.io/auth/traefik", a.forwardHandleTraefik)
a.mux.HandleFunc("/outpost.goauthentik.io/auth/nginx", a.forwardHandleNginx) a.mux.HandleFunc("/outpost.goauthentik.io/auth/nginx", a.forwardHandleNginx)
a.mux.PathPrefix("/").HandlerFunc(a.forwardHandleEnvoy) a.mux.PathPrefix(envoyPrefix).HandlerFunc(a.forwardHandleEnvoy)
return nil return nil
} }
@ -130,6 +134,7 @@ func (a *Application) forwardHandleNginx(rw http.ResponseWriter, r *http.Request
func (a *Application) forwardHandleEnvoy(rw http.ResponseWriter, r *http.Request) { func (a *Application) forwardHandleEnvoy(rw http.ResponseWriter, r *http.Request) {
a.log.WithField("header", r.Header).Trace("tracing headers for debug") a.log.WithField("header", r.Header).Trace("tracing headers for debug")
r.URL.Path = strings.TrimPrefix(r.URL.Path, envoyPrefix)
fwd := r.URL fwd := r.URL
claims, err := a.getClaims(r) claims, err := a.getClaims(r)
@ -163,18 +168,14 @@ func (a *Application) forwardHandleEnvoy(rw http.ResponseWriter, r *http.Request
// to a (possibly) different domain, but we want to be redirected back // to a (possibly) different domain, but we want to be redirected back
// to the application // to the application
// X-Forwarded-Uri is only the path, so we need to build the entire URL // X-Forwarded-Uri is only the path, so we need to build the entire URL
s.Values[constants.SessionRedirect] = fwd.String() if _, redirectSet := s.Values[constants.SessionRedirect]; !redirectSet {
err = s.Save(r, rw) s.Values[constants.SessionRedirect] = fwd.String()
if err != nil { err = s.Save(r, rw)
a.log.WithError(err).Warning("failed to save session before redirect") if err != nil {
a.log.WithError(err).Warning("failed to save session before redirect")
}
} }
// We mostly can't rely on X-Forwarded-Proto here since in most cases that will come from the rdFinal := fmt.Sprintf("//%s%s", host, "/outpost.goauthentik.io/start")
// local Envoy sidecar, so we re-used the same proto as the original URL had
scheme := r.Header.Get("X-Forwarded-Proto")
if scheme == "" {
scheme = "http:"
}
rdFinal := fmt.Sprintf("%s//%s%s", scheme, host, "/outpost.goauthentik.io/start")
a.log.WithField("url", rdFinal).Debug("Redirecting to login") a.log.WithField("url", rdFinal).Debug("Redirecting to login")
http.Redirect(rw, r, rdFinal, http.StatusTemporaryRedirect) http.Redirect(rw, r, rdFinal, http.StatusTemporaryRedirect)
} }

4
internal/outpost/proxyv2/application/mode_forward_envoy_test.go
View File

@ -29,7 +29,7 @@ func TestForwardHandleEnvoy_Single_Headers(t *testing.T) {
assert.Equal(t, rr.Code, http.StatusTemporaryRedirect) assert.Equal(t, rr.Code, http.StatusTemporaryRedirect)
loc, _ := rr.Result().Location() loc, _ := rr.Result().Location()
assert.Equal(t, loc.String(), "http://test.goauthentik.io/outpost.goauthentik.io/start") assert.Equal(t, loc.String(), "//test.goauthentik.io/outpost.goauthentik.io/start")
s, _ := a.sessions.Get(req, constants.SessionName) s, _ := a.sessions.Get(req, constants.SessionName)
assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect]) assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])
@ -91,7 +91,7 @@ func TestForwardHandleEnvoy_Domain_Header(t *testing.T) {
assert.Equal(t, http.StatusTemporaryRedirect, rr.Code) assert.Equal(t, http.StatusTemporaryRedirect, rr.Code)
loc, _ := rr.Result().Location() loc, _ := rr.Result().Location()
assert.Equal(t, "http://auth.test.goauthentik.io/outpost.goauthentik.io/start", loc.String()) assert.Equal(t, "//auth.test.goauthentik.io/outpost.goauthentik.io/start", loc.String())
s, _ := a.sessions.Get(req, constants.SessionName) s, _ := a.sessions.Get(req, constants.SessionName)
assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect]) assert.Equal(t, "http://test.goauthentik.io/app", s.Values[constants.SessionRedirect])

2
internal/outpost/proxyv2/metrics/metrics.go
View File

@ -15,7 +15,7 @@ var (
Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{ Requests = promauto.NewHistogramVec(prometheus.HistogramOpts{
Name: "authentik_outpost_proxy_requests", Name: "authentik_outpost_proxy_requests",
Help: "The total number of configured providers", Help: "The total number of configured providers",
}, []string{"outpost_name", "method", "scheme", "host", "type"}) }, []string{"outpost_name", "method", "host", "type"})
UpstreamTiming = promauto.NewHistogramVec(prometheus.HistogramOpts{ UpstreamTiming = promauto.NewHistogramVec(prometheus.HistogramOpts{
Name: "authentik_outpost_proxy_upstream_time", Name: "authentik_outpost_proxy_upstream_time",
Help: "A summary of the duration we wait for the upstream reply", Help: "A summary of the duration we wait for the upstream reply",

1
website/docs/providers/proxy/_envoy_istio.md
View File

@ -14,6 +14,7 @@ spec:
# Replace with <service-name>.<namespace>.svc.cluster.local # Replace with <service-name>.<namespace>.svc.cluster.local
service: "ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local" service: "ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local"
port: "9000" port: "9000"
pathPrefix: "/outpost.goauthentik.io/auth/envoy"
headersToDownstreamOnAllow: headersToDownstreamOnAllow:
- cookie - cookie
headersToUpstreamOnAllow: headersToUpstreamOnAllow: