2020-04-13 13:50:34 +01:00
|
|
|
package validation
|
2014-11-09 14:51:10 -05:00
|
|
|
|
|
|
|
|
import (
|
2017-05-09 11:20:35 -07:00
|
|
|
"context"
|
2017-03-29 10:57:07 -04:00
|
|
|
"crypto/tls"
|
2014-11-09 14:51:10 -05:00
|
|
|
"fmt"
|
2019-03-20 15:15:47 -07:00
|
|
|
"io/ioutil"
|
2016-07-19 20:51:25 +01:00
|
|
|
"net/http"
|
2014-11-09 14:51:10 -05:00
|
|
|
"net/url"
|
2015-08-20 03:07:02 -07:00
|
|
|
"os"
|
2015-03-15 12:23:13 -04:00
|
|
|
"strings"
|
2015-03-30 15:48:30 -04:00
|
|
|
|
2021-07-17 09:55:05 -07:00
|
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
2021-07-29 18:45:41 +02:00
|
|
|
"github.com/golang-jwt/jwt"
|
2017-09-12 18:59:00 -04:00
|
|
|
"github.com/mbland/hmacauth"
|
2020-09-30 01:44:42 +09:00
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
|
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/ip"
|
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
|
2022-02-15 17:12:22 +01:00
|
|
|
internaloidc "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/oidc"
|
2020-09-30 01:44:42 +09:00
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
|
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"
|
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/providers"
|
2014-11-09 14:51:10 -05:00
|
|
|
)
|
|
|
|
|
|
2018-12-20 09:30:42 +00:00
|
|
|
// Validate checks that required options are set and validates those that they
|
|
|
|
|
// are of the correct format
|
2020-04-13 13:50:34 +01:00
|
|
|
func Validate(o *options.Options) error {
|
2020-05-25 12:43:24 +01:00
|
|
|
msgs := validateCookie(o.Cookie)
|
2020-07-14 15:02:10 -07:00
|
|
|
msgs = append(msgs, validateSessionCookieMinimal(o)...)
|
2020-08-06 15:43:01 -07:00
|
|
|
msgs = append(msgs, validateRedisSessionStore(o)...)
|
2020-07-23 10:47:31 +01:00
|
|
|
msgs = append(msgs, prefixValues("injectRequestHeaders: ", validateHeaders(o.InjectRequestHeaders)...)...)
|
2020-12-13 03:05:01 +09:00
|
|
|
msgs = append(msgs, prefixValues("injectResponseHeaders: ", validateHeaders(o.InjectResponseHeaders)...)...)
|
2021-04-03 19:06:30 +03:00
|
|
|
msgs = append(msgs, validateProviders(o)...)
|
2021-02-14 11:38:20 +00:00
|
|
|
msgs = configureLogger(o.Logging, msgs)
|
2021-03-14 09:47:44 -07:00
|
|
|
msgs = parseSignatureKey(o, msgs)
|
2020-05-24 11:16:45 +01:00
|
|
|
|
2017-05-09 11:20:35 -07:00
|
|
|
if o.SSLInsecureSkipVerify {
|
2020-07-20 18:49:45 -07:00
|
|
|
// InsecureSkipVerify is a configurable option we allow
|
2020-07-19 22:24:18 -07:00
|
|
|
/* #nosec G402 */
|
2017-05-09 11:20:35 -07:00
|
|
|
insecureTransport := &http.Transport{
|
|
|
|
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
|
|
|
|
}
|
|
|
|
|
http.DefaultClient = &http.Client{Transport: insecureTransport}
|
2021-04-03 19:06:30 +03:00
|
|
|
} else if len(o.Providers[0].CAFiles) > 0 {
|
|
|
|
|
pool, err := util.GetCertPool(o.Providers[0].CAFiles)
|
2020-07-03 16:09:17 +01:00
|
|
|
if err == nil {
|
2021-02-17 20:15:45 +00:00
|
|
|
transport := http.DefaultTransport.(*http.Transport).Clone()
|
|
|
|
|
transport.TLSClientConfig = &tls.Config{
|
|
|
|
|
RootCAs: pool,
|
|
|
|
|
MinVersion: tls.VersionTLS12,
|
2020-07-03 16:09:17 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
http.DefaultClient = &http.Client{Transport: transport}
|
|
|
|
|
} else {
|
|
|
|
|
msgs = append(msgs, fmt.Sprintf("unable to load provider CA file(s): %v", err))
|
|
|
|
|
}
|
2017-05-09 11:20:35 -07:00
|
|
|
}
|
|
|
|
|
|
2015-07-24 16:09:33 -04:00
|
|
|
if o.AuthenticatedEmailsFile == "" && len(o.EmailDomains) == 0 && o.HtpasswdFile == "" {
|
2017-08-05 12:54:31 -04:00
|
|
|
msgs = append(msgs, "missing setting for email validation: email-domain or authenticated-emails-file required."+
|
|
|
|
|
"\n use email-domain=* to authorize all email addresses")
|
2015-07-24 16:09:33 -04:00
|
|
|
}
|
2014-11-09 14:51:10 -05:00
|
|
|
|
2021-04-03 19:06:30 +03:00
|
|
|
if o.Providers[0].OIDCConfig.IssuerURL != "" {
|
2019-03-04 14:54:22 +01:00
|
|
|
|
|
|
|
|
ctx := context.Background()
|
|
|
|
|
|
2021-04-03 19:06:30 +03:00
|
|
|
if o.Providers[0].OIDCConfig.InsecureSkipIssuerVerification && !o.Providers[0].OIDCConfig.SkipDiscovery {
|
2020-04-19 04:19:21 -07:00
|
|
|
// go-oidc doesn't let us pass bypass the issuer check this in the oidc.NewProvider call
|
|
|
|
|
// (which uses discovery to get the URLs), so we'll do a quick check ourselves and if
|
|
|
|
|
// we get the URLs, we'll just use the non-discovery path.
|
|
|
|
|
|
|
|
|
|
logger.Printf("Performing OIDC Discovery...")
|
|
|
|
|
|
2021-04-03 19:06:30 +03:00
|
|
|
requestURL := strings.TrimSuffix(o.Providers[0].OIDCConfig.IssuerURL, "/") + "/.well-known/openid-configuration"
|
2020-07-03 19:27:25 +01:00
|
|
|
body, err := requests.New(requestURL).
|
|
|
|
|
WithContext(ctx).
|
2020-07-06 17:42:26 +01:00
|
|
|
Do().
|
2020-07-03 19:27:25 +01:00
|
|
|
UnmarshalJSON()
|
|
|
|
|
if err != nil {
|
2020-08-10 11:44:08 +01:00
|
|
|
logger.Errorf("error: failed to discover OIDC configuration: %v", err)
|
2020-04-19 04:19:21 -07:00
|
|
|
} else {
|
2020-07-03 19:27:25 +01:00
|
|
|
// Prefer manually configured URLs. It's a bit unclear
|
|
|
|
|
// why you'd be doing discovery and also providing the URLs
|
|
|
|
|
// explicitly though...
|
2021-04-03 19:06:30 +03:00
|
|
|
if o.Providers[0].LoginURL == "" {
|
|
|
|
|
o.Providers[0].LoginURL = body.Get("authorization_endpoint").MustString()
|
2020-07-03 19:27:25 +01:00
|
|
|
}
|
|
|
|
|
|
2021-04-03 19:06:30 +03:00
|
|
|
if o.Providers[0].RedeemURL == "" {
|
|
|
|
|
o.Providers[0].RedeemURL = body.Get("token_endpoint").MustString()
|
2020-07-03 19:27:25 +01:00
|
|
|
}
|
|
|
|
|
|
2021-04-03 19:06:30 +03:00
|
|
|
if o.Providers[0].OIDCConfig.JwksURL == "" {
|
|
|
|
|
o.Providers[0].OIDCConfig.JwksURL = body.Get("jwks_uri").MustString()
|
2020-07-03 19:27:25 +01:00
|
|
|
}
|
|
|
|
|
|
2021-04-03 19:06:30 +03:00
|
|
|
if o.Providers[0].ProfileURL == "" {
|
|
|
|
|
o.Providers[0].ProfileURL = body.Get("userinfo_endpoint").MustString()
|
2020-07-03 19:27:25 +01:00
|
|
|
}
|
|
|
|
|
|
2021-04-03 19:06:30 +03:00
|
|
|
o.Providers[0].OIDCConfig.SkipDiscovery = true
|
2020-04-19 04:19:21 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-15 17:12:22 +01:00
|
|
|
config := &oidc.Config{
|
|
|
|
|
ClientID: o.Providers[0].ClientID,
|
|
|
|
|
SkipIssuerCheck: o.Providers[0].OIDCConfig.InsecureSkipIssuerVerification,
|
|
|
|
|
SkipClientIDCheck: true, // client id check is done within oauth2-proxy: IDTokenVerifier.Verify
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
verificationOptions := &internaloidc.IDTokenVerificationOptions{
|
|
|
|
|
AudienceClaims: o.Providers[0].OIDCConfig.AudienceClaims,
|
|
|
|
|
ClientID: o.Providers[0].ClientID,
|
|
|
|
|
ExtraAudiences: o.Providers[0].OIDCConfig.ExtraAudiences,
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-04 14:54:22 +01:00
|
|
|
// Construct a manual IDTokenVerifier from issuer URL & JWKS URI
|
|
|
|
|
// instead of metadata discovery if we enable -skip-oidc-discovery.
|
|
|
|
|
// In this case we need to make sure the required endpoints for
|
|
|
|
|
// the provider are configured.
|
2021-04-03 19:06:30 +03:00
|
|
|
if o.Providers[0].OIDCConfig.SkipDiscovery {
|
|
|
|
|
if o.Providers[0].LoginURL == "" {
|
2019-03-04 14:54:22 +01:00
|
|
|
msgs = append(msgs, "missing setting: login-url")
|
|
|
|
|
}
|
2021-04-03 19:06:30 +03:00
|
|
|
if o.Providers[0].RedeemURL == "" {
|
2019-03-04 14:54:22 +01:00
|
|
|
msgs = append(msgs, "missing setting: redeem-url")
|
|
|
|
|
}
|
2021-04-03 19:06:30 +03:00
|
|
|
if o.Providers[0].OIDCConfig.JwksURL == "" {
|
2019-03-04 14:54:22 +01:00
|
|
|
msgs = append(msgs, "missing setting: oidc-jwks-url")
|
|
|
|
|
}
|
2021-04-03 19:06:30 +03:00
|
|
|
keySet := oidc.NewRemoteKeySet(ctx, o.Providers[0].OIDCConfig.JwksURL)
|
2022-02-15 17:12:22 +01:00
|
|
|
o.SetOIDCVerifier(internaloidc.NewVerifier(
|
|
|
|
|
oidc.NewVerifier(o.Providers[0].OIDCConfig.IssuerURL, keySet, config), verificationOptions))
|
2019-03-04 14:54:22 +01:00
|
|
|
} else {
|
|
|
|
|
// Configure discoverable provider data.
|
2021-04-03 19:06:30 +03:00
|
|
|
provider, err := oidc.NewProvider(ctx, o.Providers[0].OIDCConfig.IssuerURL)
|
2019-03-04 14:54:22 +01:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
2022-02-15 17:12:22 +01:00
|
|
|
o.SetOIDCVerifier(internaloidc.NewVerifier(provider.Verifier(config), verificationOptions))
|
2021-04-03 19:06:30 +03:00
|
|
|
o.Providers[0].LoginURL = provider.Endpoint().AuthURL
|
|
|
|
|
o.Providers[0].RedeemURL = provider.Endpoint().TokenURL
|
2017-05-09 11:20:35 -07:00
|
|
|
}
|
2021-04-03 19:06:30 +03:00
|
|
|
if o.Providers[0].Scope == "" {
|
|
|
|
|
o.Providers[0].Scope = "openid email profile"
|
2020-07-28 11:42:09 -07:00
|
|
|
|
2021-04-03 19:06:30 +03:00
|
|
|
if len(o.Providers[0].AllowedGroups) > 0 {
|
|
|
|
|
o.Providers[0].Scope += " groups"
|
2020-07-28 11:42:09 -07:00
|
|
|
}
|
2017-05-09 11:20:35 -07:00
|
|
|
}
|
2021-04-03 19:06:30 +03:00
|
|
|
if o.Providers[0].OIDCConfig.UserIDClaim == "" {
|
|
|
|
|
o.Providers[0].OIDCConfig.UserIDClaim = "email"
|
|
|
|
|
}
|
2017-05-09 11:20:35 -07:00
|
|
|
}
|
|
|
|
|
|
2019-01-17 12:49:14 -08:00
|
|
|
if o.SkipJwtBearerTokens {
|
|
|
|
|
// Configure extra issuers
|
|
|
|
|
if len(o.ExtraJwtIssuers) > 0 {
|
2019-06-05 16:09:29 -07:00
|
|
|
var jwtIssuers []jwtIssuer
|
2019-05-01 10:00:54 -07:00
|
|
|
jwtIssuers, msgs = parseJwtIssuers(o.ExtraJwtIssuers, msgs)
|
|
|
|
|
for _, jwtIssuer := range jwtIssuers {
|
2022-02-15 17:12:22 +01:00
|
|
|
verifier, err := newVerifierFromJwtIssuer(
|
|
|
|
|
o.Providers[0].OIDCConfig.AudienceClaims,
|
|
|
|
|
o.Providers[0].OIDCConfig.ExtraAudiences,
|
|
|
|
|
jwtIssuer,
|
|
|
|
|
)
|
2019-01-17 12:49:14 -08:00
|
|
|
if err != nil {
|
2019-05-01 10:00:54 -07:00
|
|
|
msgs = append(msgs, fmt.Sprintf("error building verifiers: %s", err))
|
2019-01-17 12:49:14 -08:00
|
|
|
}
|
2020-04-13 13:50:34 +01:00
|
|
|
o.SetJWTBearerVerifiers(append(o.GetJWTBearerVerifiers(), verifier))
|
2019-01-17 12:49:14 -08:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-13 13:50:34 +01:00
|
|
|
var redirectURL *url.URL
|
|
|
|
|
redirectURL, msgs = parseURL(o.RawRedirectURL, "redirect", msgs)
|
|
|
|
|
o.SetRedirectURL(redirectURL)
|
2021-02-14 11:38:20 +00:00
|
|
|
if o.RawRedirectURL == "" && !o.Cookie.Secure && !o.ReverseProxy {
|
|
|
|
|
logger.Print("WARNING: no explicit redirect URL: redirects will default to insecure HTTP")
|
|
|
|
|
}
|
2014-11-09 14:51:10 -05:00
|
|
|
|
2020-05-26 19:56:10 +01:00
|
|
|
msgs = append(msgs, validateUpstreams(o.UpstreamServers)...)
|
2015-03-30 15:48:30 -04:00
|
|
|
msgs = parseProviderInfo(o, msgs)
|
2015-01-12 14:48:41 +05:30
|
|
|
|
2020-05-12 19:41:25 +02:00
|
|
|
if o.ReverseProxy {
|
2020-05-23 15:17:41 +01:00
|
|
|
parser, err := ip.GetRealClientIPParser(o.RealClientIPHeader)
|
2020-05-12 19:41:25 +02:00
|
|
|
if err != nil {
|
|
|
|
|
msgs = append(msgs, fmt.Sprintf("real_client_ip_header (%s) not accepted parameter value: %v", o.RealClientIPHeader, err))
|
|
|
|
|
}
|
2020-04-13 13:50:34 +01:00
|
|
|
o.SetRealClientIPParser(parser)
|
2020-05-12 00:32:30 +01:00
|
|
|
|
|
|
|
|
// Allow the logger to get client IPs
|
|
|
|
|
logger.SetGetClientFunc(func(r *http.Request) string {
|
|
|
|
|
return ip.GetClientString(o.GetRealClientIPParser(), r, false)
|
|
|
|
|
})
|
2020-05-12 19:41:25 +02:00
|
|
|
}
|
|
|
|
|
|
2020-09-22 18:54:32 -07:00
|
|
|
// Do this after ReverseProxy validation for TrustedIP coordinated checks
|
|
|
|
|
msgs = append(msgs, validateAllowlists(o)...)
|
2020-07-11 12:10:58 +02:00
|
|
|
|
2015-03-15 12:23:13 -04:00
|
|
|
if len(msgs) != 0 {
|
2020-04-14 17:36:44 +09:00
|
|
|
return fmt.Errorf("invalid configuration:\n %s",
|
2015-03-15 12:23:13 -04:00
|
|
|
strings.Join(msgs, "\n "))
|
|
|
|
|
}
|
2014-11-09 14:51:10 -05:00
|
|
|
return nil
|
|
|
|
|
}
|
2015-03-30 15:48:30 -04:00
|
|
|
|
2020-04-13 13:50:34 +01:00
|
|
|
func parseProviderInfo(o *options.Options, msgs []string) []string {
|
2015-07-25 16:27:49 -07:00
|
|
|
p := &providers.ProviderData{
|
2021-04-03 19:06:30 +03:00
|
|
|
Scope: o.Providers[0].Scope,
|
|
|
|
|
ClientID: o.Providers[0].ClientID,
|
|
|
|
|
ClientSecret: o.Providers[0].ClientSecret,
|
|
|
|
|
ClientSecretFile: o.Providers[0].ClientSecretFile,
|
|
|
|
|
Prompt: o.Providers[0].Prompt,
|
|
|
|
|
ApprovalPrompt: o.Providers[0].ApprovalPrompt,
|
|
|
|
|
AcrValues: o.Providers[0].AcrValues,
|
2015-07-25 16:27:49 -07:00
|
|
|
}
|
2021-04-03 19:06:30 +03:00
|
|
|
p.LoginURL, msgs = parseURL(o.Providers[0].LoginURL, "login", msgs)
|
|
|
|
|
p.RedeemURL, msgs = parseURL(o.Providers[0].RedeemURL, "redeem", msgs)
|
|
|
|
|
p.ProfileURL, msgs = parseURL(o.Providers[0].ProfileURL, "profile", msgs)
|
|
|
|
|
p.ValidateURL, msgs = parseURL(o.Providers[0].ValidateURL, "validate", msgs)
|
|
|
|
|
p.ProtectedResource, msgs = parseURL(o.Providers[0].ProtectedResource, "resource", msgs)
|
2015-05-20 23:23:48 -04:00
|
|
|
|
2020-11-27 16:17:59 -08:00
|
|
|
// Make the OIDC options available to all providers that support it
|
2021-04-03 19:06:30 +03:00
|
|
|
p.AllowUnverifiedEmail = o.Providers[0].OIDCConfig.InsecureAllowUnverifiedEmail
|
|
|
|
|
p.EmailClaim = o.Providers[0].OIDCConfig.EmailClaim
|
|
|
|
|
p.GroupsClaim = o.Providers[0].OIDCConfig.GroupsClaim
|
2020-11-15 18:57:48 -08:00
|
|
|
p.Verifier = o.GetOIDCVerifier()
|
|
|
|
|
|
2020-11-28 12:33:05 -08:00
|
|
|
// TODO (@NickMeves) - Remove This
|
|
|
|
|
// Backwards Compatibility for Deprecated UserIDClaim option
|
2021-04-03 19:06:30 +03:00
|
|
|
if o.Providers[0].OIDCConfig.EmailClaim == providers.OIDCEmailClaim &&
|
|
|
|
|
o.Providers[0].OIDCConfig.UserIDClaim != providers.OIDCEmailClaim {
|
|
|
|
|
p.EmailClaim = o.Providers[0].OIDCConfig.UserIDClaim
|
2020-11-28 12:33:05 -08:00
|
|
|
}
|
|
|
|
|
|
2021-04-03 19:06:30 +03:00
|
|
|
p.SetAllowedGroups(o.Providers[0].AllowedGroups)
|
2020-09-26 19:00:44 -07:00
|
|
|
|
2021-04-03 19:06:30 +03:00
|
|
|
provider := providers.New(o.Providers[0].Type, p)
|
2020-11-11 00:53:56 -05:00
|
|
|
if provider == nil {
|
2021-04-03 19:06:30 +03:00
|
|
|
msgs = append(msgs, fmt.Sprintf("invalid setting: provider '%s' is not available", o.Providers[0].Type))
|
2020-11-11 00:53:56 -05:00
|
|
|
return msgs
|
|
|
|
|
}
|
|
|
|
|
o.SetProvider(provider)
|
|
|
|
|
|
2020-04-13 13:50:34 +01:00
|
|
|
switch p := o.GetProvider().(type) {
|
2015-11-09 09:28:34 +01:00
|
|
|
case *providers.AzureProvider:
|
2021-04-03 19:06:30 +03:00
|
|
|
p.Configure(o.Providers[0].AzureConfig.Tenant)
|
2021-06-13 10:00:12 +02:00
|
|
|
case *providers.ADFSProvider:
|
|
|
|
|
p.Configure(o.Providers[0].ADFSConfig.SkipScope)
|
2015-05-20 23:23:48 -04:00
|
|
|
case *providers.GitHubProvider:
|
2021-04-03 19:06:30 +03:00
|
|
|
p.SetOrgTeam(o.Providers[0].GitHubConfig.Org, o.Providers[0].GitHubConfig.Team)
|
|
|
|
|
p.SetRepo(o.Providers[0].GitHubConfig.Repo, o.Providers[0].GitHubConfig.Token)
|
|
|
|
|
p.SetUsers(o.Providers[0].GitHubConfig.Users)
|
2019-07-28 15:54:39 +02:00
|
|
|
case *providers.KeycloakProvider:
|
2020-12-12 12:57:32 -08:00
|
|
|
// Backwards compatibility with `--keycloak-group` option
|
2021-04-03 19:06:30 +03:00
|
|
|
if len(o.Providers[0].KeycloakConfig.Groups) > 0 {
|
|
|
|
|
p.SetAllowedGroups(o.Providers[0].KeycloakConfig.Groups)
|
2020-12-12 12:57:32 -08:00
|
|
|
}
|
2021-03-14 10:20:59 -07:00
|
|
|
case *providers.KeycloakOIDCProvider:
|
|
|
|
|
if p.Verifier == nil {
|
|
|
|
|
msgs = append(msgs, "keycloak-oidc provider requires an oidc issuer URL")
|
|
|
|
|
}
|
2021-03-14 18:32:24 -07:00
|
|
|
p.AddAllowedRoles(o.Providers[0].KeycloakConfig.Roles)
|
2015-08-20 03:07:02 -07:00
|
|
|
case *providers.GoogleProvider:
|
2021-04-03 19:06:30 +03:00
|
|
|
if o.Providers[0].GoogleConfig.ServiceAccountJSON != "" {
|
|
|
|
|
file, err := os.Open(o.Providers[0].GoogleConfig.ServiceAccountJSON)
|
2015-08-20 03:07:02 -07:00
|
|
|
if err != nil {
|
2021-04-03 19:06:30 +03:00
|
|
|
msgs = append(msgs, "invalid Google credentials file: "+o.Providers[0].GoogleConfig.ServiceAccountJSON)
|
2015-08-20 03:07:02 -07:00
|
|
|
} else {
|
2021-04-03 19:06:30 +03:00
|
|
|
groups := o.Providers[0].AllowedGroups
|
2020-09-26 19:24:06 -07:00
|
|
|
// Backwards compatibility with `--google-group` option
|
2021-04-03 19:06:30 +03:00
|
|
|
if len(o.Providers[0].GoogleConfig.Groups) > 0 {
|
|
|
|
|
groups = o.Providers[0].GoogleConfig.Groups
|
2020-09-26 19:24:06 -07:00
|
|
|
p.SetAllowedGroups(groups)
|
|
|
|
|
}
|
2021-04-03 19:06:30 +03:00
|
|
|
p.SetGroupRestriction(groups, o.Providers[0].GoogleConfig.AdminEmail, file)
|
2015-08-20 03:07:02 -07:00
|
|
|
}
|
|
|
|
|
}
|
2019-08-16 15:53:22 +02:00
|
|
|
case *providers.BitbucketProvider:
|
2021-04-03 19:06:30 +03:00
|
|
|
p.SetTeam(o.Providers[0].BitbucketConfig.Team)
|
|
|
|
|
p.SetRepository(o.Providers[0].BitbucketConfig.Repository)
|
2017-05-09 11:20:35 -07:00
|
|
|
case *providers.OIDCProvider:
|
2021-04-21 02:33:27 -07:00
|
|
|
p.SkipNonce = o.Providers[0].OIDCConfig.InsecureSkipNonce
|
2020-11-15 18:57:48 -08:00
|
|
|
if p.Verifier == nil {
|
2017-05-09 11:20:35 -07:00
|
|
|
msgs = append(msgs, "oidc provider requires an oidc issuer URL")
|
|
|
|
|
}
|
2019-08-06 13:20:54 +02:00
|
|
|
case *providers.GitLabProvider:
|
2021-06-13 14:29:56 -07:00
|
|
|
p.SetAllowedGroups(o.Providers[0].GitLabConfig.Group)
|
|
|
|
|
err := p.SetAllowedProjects(o.Providers[0].GitLabConfig.Projects)
|
2020-12-05 19:57:33 +01:00
|
|
|
if err != nil {
|
|
|
|
|
msgs = append(msgs, "failed to setup gitlab project access level")
|
|
|
|
|
}
|
2019-08-06 13:20:54 +02:00
|
|
|
|
2020-11-15 18:57:48 -08:00
|
|
|
if p.Verifier == nil {
|
2019-08-06 13:20:54 +02:00
|
|
|
// Initialize with default verifier for gitlab.com
|
|
|
|
|
ctx := context.Background()
|
|
|
|
|
|
|
|
|
|
provider, err := oidc.NewProvider(ctx, "https://gitlab.com")
|
|
|
|
|
if err != nil {
|
|
|
|
|
msgs = append(msgs, "failed to initialize oidc provider for gitlab.com")
|
|
|
|
|
} else {
|
2022-02-15 17:12:22 +01:00
|
|
|
verificationOptions := &internaloidc.IDTokenVerificationOptions{
|
|
|
|
|
AudienceClaims: o.Providers[0].OIDCConfig.AudienceClaims,
|
|
|
|
|
ClientID: o.Providers[0].ClientID,
|
|
|
|
|
ExtraAudiences: o.Providers[0].OIDCConfig.ExtraAudiences,
|
|
|
|
|
}
|
|
|
|
|
p.Verifier = internaloidc.NewVerifier(provider.Verifier(&oidc.Config{
|
2021-04-03 19:06:30 +03:00
|
|
|
ClientID: o.Providers[0].ClientID,
|
2022-02-15 17:12:22 +01:00
|
|
|
}), verificationOptions)
|
2019-08-06 13:20:54 +02:00
|
|
|
|
|
|
|
|
p.LoginURL, msgs = parseURL(provider.Endpoint().AuthURL, "login", msgs)
|
|
|
|
|
p.RedeemURL, msgs = parseURL(provider.Endpoint().TokenURL, "redeem", msgs)
|
|
|
|
|
}
|
|
|
|
|
}
|
2019-03-20 06:44:51 -07:00
|
|
|
case *providers.LoginGovProvider:
|
2021-04-03 19:06:30 +03:00
|
|
|
p.PubJWKURL, msgs = parseURL(o.Providers[0].LoginGovConfig.PubJWKURL, "pubjwk", msgs)
|
2019-03-20 15:15:47 -07:00
|
|
|
|
|
|
|
|
// JWT key can be supplied via env variable or file in the filesystem, but not both.
|
|
|
|
|
switch {
|
2021-04-03 19:06:30 +03:00
|
|
|
case o.Providers[0].LoginGovConfig.JWTKey != "" && o.Providers[0].LoginGovConfig.JWTKeyFile != "":
|
2019-03-20 15:15:47 -07:00
|
|
|
msgs = append(msgs, "cannot set both jwt-key and jwt-key-file options")
|
2021-04-03 19:06:30 +03:00
|
|
|
case o.Providers[0].LoginGovConfig.JWTKey == "" && o.Providers[0].LoginGovConfig.JWTKeyFile == "":
|
2019-03-20 06:44:51 -07:00
|
|
|
msgs = append(msgs, "login.gov provider requires a private key for signing JWTs")
|
2021-04-03 19:06:30 +03:00
|
|
|
case o.Providers[0].LoginGovConfig.JWTKey != "":
|
2019-03-20 15:15:47 -07:00
|
|
|
// The JWT Key is in the commandline argument
|
2021-04-03 19:06:30 +03:00
|
|
|
signKey, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(o.Providers[0].LoginGovConfig.JWTKey))
|
2019-03-20 06:44:51 -07:00
|
|
|
if err != nil {
|
|
|
|
|
msgs = append(msgs, "could not parse RSA Private Key PEM")
|
|
|
|
|
} else {
|
|
|
|
|
p.JWTKey = signKey
|
|
|
|
|
}
|
2021-04-03 19:06:30 +03:00
|
|
|
case o.Providers[0].LoginGovConfig.JWTKeyFile != "":
|
2019-03-20 15:15:47 -07:00
|
|
|
// The JWT key is in the filesystem
|
2021-04-03 19:06:30 +03:00
|
|
|
keyData, err := ioutil.ReadFile(o.Providers[0].LoginGovConfig.JWTKeyFile)
|
2019-03-20 15:15:47 -07:00
|
|
|
if err != nil {
|
2021-04-03 19:06:30 +03:00
|
|
|
msgs = append(msgs, "could not read key file: "+o.Providers[0].LoginGovConfig.JWTKeyFile)
|
2019-03-20 15:15:47 -07:00
|
|
|
}
|
|
|
|
|
signKey, err := jwt.ParseRSAPrivateKeyFromPEM(keyData)
|
|
|
|
|
if err != nil {
|
2021-04-03 19:06:30 +03:00
|
|
|
msgs = append(msgs, "could not parse private key from PEM file:"+o.Providers[0].LoginGovConfig.JWTKeyFile)
|
2019-03-20 15:15:47 -07:00
|
|
|
} else {
|
|
|
|
|
p.JWTKey = signKey
|
|
|
|
|
}
|
2019-03-20 06:44:51 -07:00
|
|
|
}
|
2015-05-20 23:23:48 -04:00
|
|
|
}
|
2015-03-30 15:48:30 -04:00
|
|
|
return msgs
|
|
|
|
|
}
|
2015-11-15 22:08:30 -05:00
|
|
|
|
2020-04-13 13:50:34 +01:00
|
|
|
func parseSignatureKey(o *options.Options, msgs []string) []string {
|
2015-11-15 22:08:30 -05:00
|
|
|
if o.SignatureKey == "" {
|
|
|
|
|
return msgs
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-14 09:47:44 -07:00
|
|
|
logger.Print("WARNING: `--signature-key` is deprecated. It will be removed in a future release")
|
|
|
|
|
|
2015-11-15 22:08:30 -05:00
|
|
|
components := strings.Split(o.SignatureKey, ":")
|
|
|
|
|
if len(components) != 2 {
|
|
|
|
|
return append(msgs, "invalid signature hash:key spec: "+
|
|
|
|
|
o.SignatureKey)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
algorithm, secretKey := components[0], components[1]
|
2021-03-14 09:47:44 -07:00
|
|
|
hash, err := hmacauth.DigestNameToCryptoHash(algorithm)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return append(msgs, "unsupported signature hash algorithm: "+o.SignatureKey)
|
2015-11-15 22:08:30 -05:00
|
|
|
}
|
2020-04-13 13:50:34 +01:00
|
|
|
o.SetSignatureData(&options.SignatureData{Hash: hash, Key: secretKey})
|
2015-11-15 22:08:30 -05:00
|
|
|
return msgs
|
|
|
|
|
}
|
2016-06-20 07:17:39 -04:00
|
|
|
|
2019-05-01 10:00:54 -07:00
|
|
|
// parseJwtIssuers takes in an array of strings in the form of issuer=audience
|
2019-06-05 16:09:29 -07:00
|
|
|
// and parses to an array of jwtIssuer structs.
|
|
|
|
|
func parseJwtIssuers(issuers []string, msgs []string) ([]jwtIssuer, []string) {
|
2020-04-14 17:36:44 +09:00
|
|
|
parsedIssuers := make([]jwtIssuer, 0, len(issuers))
|
2019-05-01 10:00:54 -07:00
|
|
|
for _, jwtVerifier := range issuers {
|
2019-01-17 12:49:14 -08:00
|
|
|
components := strings.Split(jwtVerifier, "=")
|
|
|
|
|
if len(components) < 2 {
|
2019-05-01 10:00:54 -07:00
|
|
|
msgs = append(msgs, fmt.Sprintf("invalid jwt verifier uri=audience spec: %s", jwtVerifier))
|
|
|
|
|
continue
|
2019-01-17 12:49:14 -08:00
|
|
|
}
|
|
|
|
|
uri, audience := components[0], strings.Join(components[1:], "=")
|
2019-06-05 16:09:29 -07:00
|
|
|
parsedIssuers = append(parsedIssuers, jwtIssuer{issuerURI: uri, audience: audience})
|
2019-01-17 12:49:14 -08:00
|
|
|
}
|
2019-05-01 10:00:54 -07:00
|
|
|
return parsedIssuers, msgs
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-05 16:09:29 -07:00
|
|
|
// newVerifierFromJwtIssuer takes in issuer information in jwtIssuer info and returns
|
2019-05-01 10:00:54 -07:00
|
|
|
// a verifier for that issuer.
|
2022-02-15 17:12:22 +01:00
|
|
|
func newVerifierFromJwtIssuer(audienceClaims []string, extraAudiences []string, jwtIssuer jwtIssuer) (*internaloidc.IDTokenVerifier, error) {
|
2019-05-01 10:00:54 -07:00
|
|
|
config := &oidc.Config{
|
2022-02-15 17:12:22 +01:00
|
|
|
ClientID: jwtIssuer.audience,
|
|
|
|
|
SkipClientIDCheck: true, // client id check is done within oauth2-proxy: IDTokenVerifier.Verify
|
2019-05-01 10:00:54 -07:00
|
|
|
}
|
|
|
|
|
// Try as an OpenID Connect Provider first
|
|
|
|
|
var verifier *oidc.IDTokenVerifier
|
|
|
|
|
provider, err := oidc.NewProvider(context.Background(), jwtIssuer.issuerURI)
|
|
|
|
|
if err != nil {
|
|
|
|
|
// Try as JWKS URI
|
|
|
|
|
jwksURI := strings.TrimSuffix(jwtIssuer.issuerURI, "/") + "/.well-known/jwks.json"
|
2020-07-06 17:42:26 +01:00
|
|
|
if err := requests.New(jwksURI).Do().Error(); err != nil {
|
2019-05-01 10:00:54 -07:00
|
|
|
return nil, err
|
|
|
|
|
}
|
2020-07-03 19:27:25 +01:00
|
|
|
|
2019-05-01 10:00:54 -07:00
|
|
|
verifier = oidc.NewVerifier(jwtIssuer.issuerURI, oidc.NewRemoteKeySet(context.Background(), jwksURI), config)
|
|
|
|
|
} else {
|
|
|
|
|
verifier = provider.Verifier(config)
|
|
|
|
|
}
|
2022-02-15 17:12:22 +01:00
|
|
|
verificationOptions := &internaloidc.IDTokenVerificationOptions{
|
|
|
|
|
AudienceClaims: audienceClaims,
|
|
|
|
|
ClientID: jwtIssuer.audience,
|
|
|
|
|
ExtraAudiences: extraAudiences,
|
|
|
|
|
// ExtraAudiences: o.Providers[0].OIDCConfig.ExtraAudiences,
|
|
|
|
|
}
|
|
|
|
|
return internaloidc.NewVerifier(verifier, verificationOptions), nil
|
2019-01-17 12:49:14 -08:00
|
|
|
}
|
|
|
|
|
|
2020-04-13 13:50:34 +01:00
|
|
|
// jwtIssuer hold parsed JWT issuer info that's used to construct a verifier.
|
|
|
|
|
type jwtIssuer struct {
|
|
|
|
|
issuerURI string
|
|
|
|
|
audience string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func parseURL(toParse string, urltype string, msgs []string) (*url.URL, []string) {
|
|
|
|
|
parsed, err := url.Parse(toParse)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, append(msgs, fmt.Sprintf(
|
|
|
|
|
"error parsing %s-url=%q %s", urltype, toParse, err))
|
|
|
|
|
}
|
|
|
|
|
return parsed, msgs
|
|
|
|
|
}
|
