2020-04-13 14:50:34 +02:00
|
|
|
package validation
|
2014-11-09 21:51:10 +02:00
|
|
|
|
|
|
|
|
import (
|
2017-05-09 20:20:35 +02:00
|
|
|
"context"
|
2017-03-29 16:57:07 +02:00
|
|
|
"crypto/tls"
|
2014-11-09 21:51:10 +02:00
|
|
|
"fmt"
|
2016-07-19 21:51:25 +02:00
|
|
|
"net/http"
|
2014-11-09 21:51:10 +02:00
|
|
|
"net/url"
|
2015-03-15 18:23:13 +02:00
|
|
|
"strings"
|
2015-03-30 21:48:30 +02:00
|
|
|
|
2017-09-13 00:59:00 +02:00
|
|
|
"github.com/mbland/hmacauth"
|
2020-09-29 18:44:42 +02:00
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
|
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/ip"
|
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
|
2022-02-15 19:24:48 +02:00
|
|
|
internaloidc "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/providers/oidc"
|
2020-09-29 18:44:42 +02:00
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"
|
2014-11-09 21:51:10 +02:00
|
|
|
)
|
|
|
|
|
|
2018-12-20 11:30:42 +02:00
|
|
|
// Validate checks that required options are set and validates those that they
|
|
|
|
|
// are of the correct format
|
2020-04-13 14:50:34 +02:00
|
|
|
func Validate(o *options.Options) error {
|
2020-05-25 13:43:24 +02:00
|
|
|
msgs := validateCookie(o.Cookie)
|
2020-07-15 00:02:10 +02:00
|
|
|
msgs = append(msgs, validateSessionCookieMinimal(o)...)
|
2020-08-07 00:43:01 +02:00
|
|
|
msgs = append(msgs, validateRedisSessionStore(o)...)
|
2020-07-23 11:47:31 +02:00
|
|
|
msgs = append(msgs, prefixValues("injectRequestHeaders: ", validateHeaders(o.InjectRequestHeaders)...)...)
|
2020-12-12 20:05:01 +02:00
|
|
|
msgs = append(msgs, prefixValues("injectResponseHeaders: ", validateHeaders(o.InjectResponseHeaders)...)...)
|
2021-04-03 18:06:30 +02:00
|
|
|
msgs = append(msgs, validateProviders(o)...)
|
2021-02-14 13:38:20 +02:00
|
|
|
msgs = configureLogger(o.Logging, msgs)
|
2021-03-14 18:47:44 +02:00
|
|
|
msgs = parseSignatureKey(o, msgs)
|
2020-05-24 12:16:45 +02:00
|
|
|
|
2017-05-09 20:20:35 +02:00
|
|
|
if o.SSLInsecureSkipVerify {
|
2020-07-21 03:49:45 +02:00
|
|
|
// InsecureSkipVerify is a configurable option we allow
|
2020-07-20 07:24:18 +02:00
|
|
|
/* #nosec G402 */
|
2017-05-09 20:20:35 +02:00
|
|
|
insecureTransport := &http.Transport{
|
|
|
|
|
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
|
|
|
|
|
}
|
|
|
|
|
http.DefaultClient = &http.Client{Transport: insecureTransport}
|
2021-04-03 18:06:30 +02:00
|
|
|
} else if len(o.Providers[0].CAFiles) > 0 {
|
|
|
|
|
pool, err := util.GetCertPool(o.Providers[0].CAFiles)
|
2020-07-03 17:09:17 +02:00
|
|
|
if err == nil {
|
2021-02-17 22:15:45 +02:00
|
|
|
transport := http.DefaultTransport.(*http.Transport).Clone()
|
|
|
|
|
transport.TLSClientConfig = &tls.Config{
|
|
|
|
|
RootCAs: pool,
|
|
|
|
|
MinVersion: tls.VersionTLS12,
|
2020-07-03 17:09:17 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
http.DefaultClient = &http.Client{Transport: transport}
|
|
|
|
|
} else {
|
|
|
|
|
msgs = append(msgs, fmt.Sprintf("unable to load provider CA file(s): %v", err))
|
|
|
|
|
}
|
2017-05-09 20:20:35 +02:00
|
|
|
}
|
|
|
|
|
|
2015-07-24 22:09:33 +02:00
|
|
|
if o.AuthenticatedEmailsFile == "" && len(o.EmailDomains) == 0 && o.HtpasswdFile == "" {
|
2017-08-05 18:54:31 +02:00
|
|
|
msgs = append(msgs, "missing setting for email validation: email-domain or authenticated-emails-file required."+
|
|
|
|
|
"\n use email-domain=* to authorize all email addresses")
|
2015-07-24 22:09:33 +02:00
|
|
|
}
|
2014-11-09 21:51:10 +02:00
|
|
|
|
2019-01-17 22:49:14 +02:00
|
|
|
if o.SkipJwtBearerTokens {
|
|
|
|
|
// Configure extra issuers
|
|
|
|
|
if len(o.ExtraJwtIssuers) > 0 {
|
2019-06-06 01:09:29 +02:00
|
|
|
var jwtIssuers []jwtIssuer
|
2019-05-01 19:00:54 +02:00
|
|
|
jwtIssuers, msgs = parseJwtIssuers(o.ExtraJwtIssuers, msgs)
|
|
|
|
|
for _, jwtIssuer := range jwtIssuers {
|
2022-02-15 18:12:22 +02:00
|
|
|
verifier, err := newVerifierFromJwtIssuer(
|
|
|
|
|
o.Providers[0].OIDCConfig.AudienceClaims,
|
|
|
|
|
o.Providers[0].OIDCConfig.ExtraAudiences,
|
|
|
|
|
jwtIssuer,
|
|
|
|
|
)
|
2019-01-17 22:49:14 +02:00
|
|
|
if err != nil {
|
2019-05-01 19:00:54 +02:00
|
|
|
msgs = append(msgs, fmt.Sprintf("error building verifiers: %s", err))
|
2019-01-17 22:49:14 +02:00
|
|
|
}
|
2020-04-13 14:50:34 +02:00
|
|
|
o.SetJWTBearerVerifiers(append(o.GetJWTBearerVerifiers(), verifier))
|
2019-01-17 22:49:14 +02:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-04-13 14:50:34 +02:00
|
|
|
var redirectURL *url.URL
|
|
|
|
|
redirectURL, msgs = parseURL(o.RawRedirectURL, "redirect", msgs)
|
|
|
|
|
o.SetRedirectURL(redirectURL)
|
2021-02-14 13:38:20 +02:00
|
|
|
if o.RawRedirectURL == "" && !o.Cookie.Secure && !o.ReverseProxy {
|
|
|
|
|
logger.Print("WARNING: no explicit redirect URL: redirects will default to insecure HTTP")
|
|
|
|
|
}
|
2014-11-09 21:51:10 +02:00
|
|
|
|
2020-05-26 20:56:10 +02:00
|
|
|
msgs = append(msgs, validateUpstreams(o.UpstreamServers)...)
|
2015-01-12 11:18:41 +02:00
|
|
|
|
2020-05-12 19:41:25 +02:00
|
|
|
if o.ReverseProxy {
|
2020-05-23 16:17:41 +02:00
|
|
|
parser, err := ip.GetRealClientIPParser(o.RealClientIPHeader)
|
2020-05-12 19:41:25 +02:00
|
|
|
if err != nil {
|
|
|
|
|
msgs = append(msgs, fmt.Sprintf("real_client_ip_header (%s) not accepted parameter value: %v", o.RealClientIPHeader, err))
|
|
|
|
|
}
|
2020-04-13 14:50:34 +02:00
|
|
|
o.SetRealClientIPParser(parser)
|
2020-05-12 01:32:30 +02:00
|
|
|
|
|
|
|
|
// Allow the logger to get client IPs
|
|
|
|
|
logger.SetGetClientFunc(func(r *http.Request) string {
|
|
|
|
|
return ip.GetClientString(o.GetRealClientIPParser(), r, false)
|
|
|
|
|
})
|
2020-05-12 19:41:25 +02:00
|
|
|
}
|
|
|
|
|
|
2020-09-23 03:54:32 +02:00
|
|
|
// Do this after ReverseProxy validation for TrustedIP coordinated checks
|
|
|
|
|
msgs = append(msgs, validateAllowlists(o)...)
|
2020-07-11 12:10:58 +02:00
|
|
|
|
2015-03-15 18:23:13 +02:00
|
|
|
if len(msgs) != 0 {
|
2020-04-14 10:36:44 +02:00
|
|
|
return fmt.Errorf("invalid configuration:\n %s",
|
2015-03-15 18:23:13 +02:00
|
|
|
strings.Join(msgs, "\n "))
|
|
|
|
|
}
|
2014-11-09 21:51:10 +02:00
|
|
|
return nil
|
|
|
|
|
}
|
2015-03-30 21:48:30 +02:00
|
|
|
|
2020-04-13 14:50:34 +02:00
|
|
|
func parseSignatureKey(o *options.Options, msgs []string) []string {
|
2015-11-16 05:08:30 +02:00
|
|
|
if o.SignatureKey == "" {
|
|
|
|
|
return msgs
|
|
|
|
|
}
|
|
|
|
|
|
2021-03-14 18:47:44 +02:00
|
|
|
logger.Print("WARNING: `--signature-key` is deprecated. It will be removed in a future release")
|
|
|
|
|
|
2015-11-16 05:08:30 +02:00
|
|
|
components := strings.Split(o.SignatureKey, ":")
|
|
|
|
|
if len(components) != 2 {
|
|
|
|
|
return append(msgs, "invalid signature hash:key spec: "+
|
|
|
|
|
o.SignatureKey)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
algorithm, secretKey := components[0], components[1]
|
2021-03-14 18:47:44 +02:00
|
|
|
hash, err := hmacauth.DigestNameToCryptoHash(algorithm)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return append(msgs, "unsupported signature hash algorithm: "+o.SignatureKey)
|
2015-11-16 05:08:30 +02:00
|
|
|
}
|
2020-04-13 14:50:34 +02:00
|
|
|
o.SetSignatureData(&options.SignatureData{Hash: hash, Key: secretKey})
|
2015-11-16 05:08:30 +02:00
|
|
|
return msgs
|
|
|
|
|
}
|
2016-06-20 13:17:39 +02:00
|
|
|
|
2019-05-01 19:00:54 +02:00
|
|
|
// parseJwtIssuers takes in an array of strings in the form of issuer=audience
|
2019-06-06 01:09:29 +02:00
|
|
|
// and parses to an array of jwtIssuer structs.
|
|
|
|
|
func parseJwtIssuers(issuers []string, msgs []string) ([]jwtIssuer, []string) {
|
2020-04-14 10:36:44 +02:00
|
|
|
parsedIssuers := make([]jwtIssuer, 0, len(issuers))
|
2019-05-01 19:00:54 +02:00
|
|
|
for _, jwtVerifier := range issuers {
|
2019-01-17 22:49:14 +02:00
|
|
|
components := strings.Split(jwtVerifier, "=")
|
|
|
|
|
if len(components) < 2 {
|
2019-05-01 19:00:54 +02:00
|
|
|
msgs = append(msgs, fmt.Sprintf("invalid jwt verifier uri=audience spec: %s", jwtVerifier))
|
|
|
|
|
continue
|
2019-01-17 22:49:14 +02:00
|
|
|
}
|
|
|
|
|
uri, audience := components[0], strings.Join(components[1:], "=")
|
2019-06-06 01:09:29 +02:00
|
|
|
parsedIssuers = append(parsedIssuers, jwtIssuer{issuerURI: uri, audience: audience})
|
2019-01-17 22:49:14 +02:00
|
|
|
}
|
2019-05-01 19:00:54 +02:00
|
|
|
return parsedIssuers, msgs
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-06 01:09:29 +02:00
|
|
|
// newVerifierFromJwtIssuer takes in issuer information in jwtIssuer info and returns
|
2019-05-01 19:00:54 +02:00
|
|
|
// a verifier for that issuer.
|
2022-02-16 17:55:44 +02:00
|
|
|
func newVerifierFromJwtIssuer(audienceClaims []string, extraAudiences []string, jwtIssuer jwtIssuer) (internaloidc.IDTokenVerifier, error) {
|
|
|
|
|
pvOpts := internaloidc.ProviderVerifierOptions{
|
2022-02-15 18:12:22 +02:00
|
|
|
AudienceClaims: audienceClaims,
|
|
|
|
|
ClientID: jwtIssuer.audience,
|
|
|
|
|
ExtraAudiences: extraAudiences,
|
2022-02-16 17:55:44 +02:00
|
|
|
IssuerURL: jwtIssuer.issuerURI,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pv, err := internaloidc.NewProviderVerifier(context.TODO(), pvOpts)
|
|
|
|
|
if err != nil {
|
|
|
|
|
// If the discovery didn't work, try again without discovery
|
|
|
|
|
pvOpts.JWKsURL = strings.TrimSuffix(jwtIssuer.issuerURI, "/") + "/.well-known/jwks.json"
|
|
|
|
|
pvOpts.SkipDiscovery = true
|
|
|
|
|
|
|
|
|
|
pv, err = internaloidc.NewProviderVerifier(context.TODO(), pvOpts)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("could not construct provider verifier for JWT Issuer: %v", err)
|
|
|
|
|
}
|
2022-02-15 18:12:22 +02:00
|
|
|
}
|
2022-02-16 17:55:44 +02:00
|
|
|
|
|
|
|
|
return pv.Verifier(), nil
|
2019-01-17 22:49:14 +02:00
|
|
|
}
|
|
|
|
|
|
2020-04-13 14:50:34 +02:00
|
|
|
// jwtIssuer hold parsed JWT issuer info that's used to construct a verifier.
|
|
|
|
|
type jwtIssuer struct {
|
|
|
|
|
issuerURI string
|
|
|
|
|
audience string
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func parseURL(toParse string, urltype string, msgs []string) (*url.URL, []string) {
|
|
|
|
|
parsed, err := url.Parse(toParse)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, append(msgs, fmt.Sprintf(
|
|
|
|
|
"error parsing %s-url=%q %s", urltype, toParse, err))
|
|
|
|
|
}
|
|
|
|
|
return parsed, msgs
|
|
|
|
|
}
|
