outposts/proxy: fix allowlist for forward_auth

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> #1970
2021-12-21 15:49:25 +01:00 · 2021-12-21 15:49:25 +01:00 · f742c73e24
parent ca314c262c
commit f742c73e24
1 changed files with 27 additions and 2 deletions
--- a/internal/outpost/proxyv2/application/mode_common.go
+++ b/internal/outpost/proxyv2/application/mode_common.go
@ -4,6 +4,7 @@ import (
 	"encoding/base64"
 	"fmt"
 	"net/http"
 	"net/url"
 	"strings"
 	"goauthentik.io/api"
@ -64,13 +65,37 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
 	}
 }
 func (a *Application) getTraefikForwardUrl(r *http.Request) *url.URL {
 	u, err := url.Parse(fmt.Sprintf(
 		"%s://%s%s",
 		r.Header.Get("X-Forwarded-Proto"),
 		r.Header.Get("X-Forwarded-Host"),
 		r.Header.Get("X-Forwarded-Uri"),
 	))
 	if err != nil {
 		a.log.WithError(err).Warning("Failed to parse URL from traefik")
 		return r.URL
 	}
 	return u
 }
 func (a *Application) IsAllowlisted(r *http.Request) bool {
 	url := r.URL
 	// In Forward auth mode, we can't directly match against the requested URL
 	// Since that would be /akprox/auth/...
 	if a.Mode() == api.PROXYMODE_FORWARD_SINGLE || a.Mode() == api.PROXYMODE_FORWARD_DOMAIN {
 		// For traefik, we can get the Upstream URL from headers
 		// For nginx we can attempt to as well, but it's not guranteed to work.
 		if strings.HasPrefix(r.URL.Path, "/akprox/auth") {
 			url = a.getTraefikForwardUrl(r)
 		}
 	}
 	for _, u := range a.UnauthenticatedRegex {
 		var testString string
 		if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
-			testString = r.URL.Path
+			testString = url.Path
 		} else {
-			testString = r.URL.String()
+			testString = url.String()
 		}
 		a.log.WithField("regex", u.String()).WithField("url", testString).Trace("Matching URL against allow list")
 		if u.MatchString(testString) {