oauth2-proxy/pkg/util/util.go

package util

import (
	"crypto/x509"
	"fmt"
	"io/ioutil"
	"net/http"
)

func GetCertPool(paths []string) (*x509.CertPool, error) {
	if len(paths) == 0 {
		return nil, fmt.Errorf("invalid empty list of Root CAs file paths")
	}
	pool := x509.NewCertPool()
	for _, path := range paths {
		// Cert paths are a configurable option
		data, err := ioutil.ReadFile(path) // #nosec G304
		if err != nil {
			return nil, fmt.Errorf("certificate authority file (%s) could not be read - %s", path, err)
		}
		if !pool.AppendCertsFromPEM(data) {
			return nil, fmt.Errorf("loading certificate authority (%s) failed", path)
		}
	}
	return pool, nil
}

// GetRequestHost return the request host header or X-Forwarded-Host if present
func GetRequestHost(req *http.Request) string {
	host := req.Header.Get("X-Forwarded-Host")
	if host == "" {
		host = req.Host
	}
	return host
}
Fix #635: Support specifying alternative provider TLS trust source(s) (#645) * Fix #635: Support specifying alternative provider TLS trust source(s) * Update pkg/apis/options/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/validation/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Address review comments * upd CHANGELOG.md * refactor test to assert textual subjects + add openssl gen cmd Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-07-03 17:09:17 +02:00			`package util`

			`import (`
			`"crypto/x509"`
			`"fmt"`
			`"io/ioutil"`
Use X-Forwarded-Host consistently 2020-08-22 04:50:32 +02:00			`"net/http"`
Fix #635: Support specifying alternative provider TLS trust source(s) (#645) * Fix #635: Support specifying alternative provider TLS trust source(s) * Update pkg/apis/options/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/validation/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Address review comments * upd CHANGELOG.md * refactor test to assert textual subjects + add openssl gen cmd Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-07-03 17:09:17 +02:00			`)`

			`func GetCertPool(paths []string) (*x509.CertPool, error) {`
			`if len(paths) == 0 {`
			`return nil, fmt.Errorf("invalid empty list of Root CAs file paths")`
			`}`
			`pool := x509.NewCertPool()`
			`for _, path := range paths {`
Document GoSec nosec skip comments 2020-07-21 03:49:45 +02:00			`// Cert paths are a configurable option`
Address gosec findings Mostly handling unhandled errors appropriately. If logging to STDERR fails, we panic. Added #nosec comments to findings we are OK with. 2020-07-20 07:24:18 +02:00			`data, err := ioutil.ReadFile(path) // #nosec G304`
Fix #635: Support specifying alternative provider TLS trust source(s) (#645) * Fix #635: Support specifying alternative provider TLS trust source(s) * Update pkg/apis/options/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/validation/options.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Address review comments * upd CHANGELOG.md * refactor test to assert textual subjects + add openssl gen cmd Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-07-03 17:09:17 +02:00			`if err != nil {`
			`return nil, fmt.Errorf("certificate authority file (%s) could not be read - %s", path, err)`
			`}`
			`if !pool.AppendCertsFromPEM(data) {`
			`return nil, fmt.Errorf("loading certificate authority (%s) failed", path)`
			`}`
			`}`
			`return pool, nil`
			`}`
Use X-Forwarded-Host consistently 2020-08-22 04:50:32 +02:00
			`// GetRequestHost return the request host header or X-Forwarded-Host if present`
			`func GetRequestHost(req *http.Request) string {`
			`host := req.Header.Get("X-Forwarded-Host")`
			`if host == "" {`
			`host = req.Host`
			`}`
			`return host`
			`}`