oauth2-proxy/providers/internal_util.go

package providers

import (
	"io/ioutil"
	"net/http"
	"net/url"

	"github.com/pusher/oauth2_proxy/pkg/logger"
	"github.com/pusher/oauth2_proxy/pkg/requests"
)

// stripToken is a helper function to obfuscate "access_token"
// query parameters
func stripToken(endpoint string) string {
	return stripParam("access_token", endpoint)
}

// stripParam generalizes the obfuscation of a particular
// query parameter - typically 'access_token' or 'client_secret'
// The parameter's second half is replaced by '...' and returned
// as part of the encoded query parameters.
// If the target parameter isn't found, the endpoint is returned
// unmodified.
func stripParam(param, endpoint string) string {
	u, err := url.Parse(endpoint)
	if err != nil {
		logger.Printf("error attempting to strip %s: %s", param, err)
		return endpoint
	}

	if u.RawQuery != "" {
		values, err := url.ParseQuery(u.RawQuery)
		if err != nil {
			logger.Printf("error attempting to strip %s: %s", param, err)
			return u.String()
		}

		if val := values.Get(param); val != "" {
			values.Set(param, val[:(len(val)/2)]+"...")
			u.RawQuery = values.Encode()
			return u.String()
		}
	}

	return endpoint
}

// validateToken returns true if token is valid
func validateToken(p Provider, accessToken string, header http.Header) bool {
	if accessToken == "" || p.Data().ValidateURL == nil || p.Data().ValidateURL.String() == "" {
		return false
	}
	endpoint := p.Data().ValidateURL.String()
	if len(header) == 0 {
		params := url.Values{"access_token": {accessToken}}
		endpoint = endpoint + "?" + params.Encode()
	}
	resp, err := requests.RequestUnparsedResponse(endpoint, header)
	if err != nil {
		logger.Printf("GET %s", stripToken(endpoint))
		logger.Printf("token validation request failed: %s", err)
		return false
	}

	body, _ := ioutil.ReadAll(resp.Body)
	resp.Body.Close()
	logger.Printf("%d GET %s %s", resp.StatusCode, stripToken(endpoint), body)

	if resp.StatusCode == 200 {
		return true
	}
	logger.Printf("token validation request failed: status %d - %s", resp.StatusCode, body)
	return false
}
Move ValidateToken() to Provider 2015-05-12 21:48:13 -04:00			`package providers`

			`import (`
cookie refresh: validation fixes, interval changes * refresh now calculated as duration from cookie set 2015-06-22 15:10:08 -04:00			`"io/ioutil"`
Move ValidateToken() to Provider 2015-05-12 21:48:13 -04:00			`"net/http"`
cookie refresh: validation fixes, interval changes * refresh now calculated as duration from cookie set 2015-06-22 15:10:08 -04:00			`"net/url"`

Move logger to pkg/logger 2019-05-24 17:08:48 +01:00			`"github.com/pusher/oauth2_proxy/pkg/logger"`
Move api to pkg/requests 2019-05-24 16:55:12 +01:00			`"github.com/pusher/oauth2_proxy/pkg/requests"`
Move ValidateToken() to Provider 2015-05-12 21:48:13 -04:00			`)`

add stripParam and stripToken methods to obfuscate log output 2016-08-02 20:27:50 -06:00			`// stripToken is a helper function to obfuscate "access_token"`
			`// query parameters`
			`func stripToken(endpoint string) string {`
			`return stripParam("access_token", endpoint)`
			`}`

			`// stripParam generalizes the obfuscation of a particular`
			`// query parameter - typically 'access_token' or 'client_secret'`
			`// The parameter's second half is replaced by '...' and returned`
			`// as part of the encoded query parameters.`
			`// If the target parameter isn't found, the endpoint is returned`
			`// unmodified.`
			`func stripParam(param, endpoint string) string {`
			`u, err := url.Parse(endpoint)`
			`if err != nil {`
Auth and standard logging with file rolling 2019-02-10 08:37:45 -08:00			`logger.Printf("error attempting to strip %s: %s", param, err)`
add stripParam and stripToken methods to obfuscate log output 2016-08-02 20:27:50 -06:00			`return endpoint`
			`}`

			`if u.RawQuery != "" {`
			`values, err := url.ParseQuery(u.RawQuery)`
			`if err != nil {`
Auth and standard logging with file rolling 2019-02-10 08:37:45 -08:00			`logger.Printf("error attempting to strip %s: %s", param, err)`
add stripParam and stripToken methods to obfuscate log output 2016-08-02 20:27:50 -06:00			`return u.String()`
			`}`

			`if val := values.Get(param); val != "" {`
			`values.Set(param, val[:(len(val)/2)]+"...")`
			`u.RawQuery = values.Encode()`
			`return u.String()`
			`}`
			`}`

			`return endpoint`
			`}`

SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`// validateToken returns true if token is valid`
Lint for non-comment linter errors 2018-11-29 14:26:41 +00:00			`func validateToken(p Provider, accessToken string, header http.Header) bool {`
Only validate tokens if ValidateURL resolves to a non-empty string Fix an unsupported protocol scheme error when validating tokens by ensuring that the ValidateURL generates a non-empty string. The Azure provider doesn't define any ValidateURL and therefore uses the default value of `url.Parse("")` which is not `nil`. The following log summary shows the issue: 2019/06/14 12:26:04 oauthproxy.go:799: 10.244.1.3:34112 ("10.244.1.1") refreshing 16h26m29s old session cookie for Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true} (refresh after 1h0m0s) 2019/06/14 12:26:04 internal_util.go:60: GET ?access_token=eyJ0... 2019/06/14 12:26:04 internal_util.go:61: token validation request failed: Get ?access_token=eyJ0...: unsupported protocol scheme "" 2019/06/14 12:26:04 oauthproxy.go:822: 10.244.1.3:34112 ("10.244.1.1") removing session. error validating Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true} 2019-06-14 11:33:05 -04:00			`if accessToken == "" \|\| p.Data().ValidateURL == nil \|\| p.Data().ValidateURL.String() == "" {`
Move ValidateToken() to Provider 2015-05-12 21:48:13 -04:00			`return false`
			`}`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-09 00:47:44 +01:00			`endpoint := p.Data().ValidateURL.String()`
Move ValidateToken() to Provider 2015-05-12 21:48:13 -04:00			`if len(header) == 0 {`
Lint for non-comment linter errors 2018-11-29 14:26:41 +00:00			`params := url.Values{"access_token": {accessToken}}`
cookie refresh: validation fixes, interval changes * refresh now calculated as duration from cookie set 2015-06-22 15:10:08 -04:00			`endpoint = endpoint + "?" + params.Encode()`
Move ValidateToken() to Provider 2015-05-12 21:48:13 -04:00			`}`
Move api to pkg/requests 2019-05-24 16:55:12 +01:00			`resp, err := requests.RequestUnparsedResponse(endpoint, header)`
cookie refresh: validation fixes, interval changes * refresh now calculated as duration from cookie set 2015-06-22 15:10:08 -04:00			`if err != nil {`
Auth and standard logging with file rolling 2019-02-10 08:37:45 -08:00			`logger.Printf("GET %s", stripToken(endpoint))`
			`logger.Printf("token validation request failed: %s", err)`
Move ValidateToken() to Provider 2015-05-12 21:48:13 -04:00			`return false`
			`}`
cookie refresh: validation fixes, interval changes * refresh now calculated as duration from cookie set 2015-06-22 15:10:08 -04:00
			`body, _ := ioutil.ReadAll(resp.Body)`
			`resp.Body.Close()`
Auth and standard logging with file rolling 2019-02-10 08:37:45 -08:00			`logger.Printf("%d GET %s %s", resp.StatusCode, stripToken(endpoint), body)`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00
cookie refresh: validation fixes, interval changes * refresh now calculated as duration from cookie set 2015-06-22 15:10:08 -04:00			`if resp.StatusCode == 200 {`
			`return true`
			`}`
Auth and standard logging with file rolling 2019-02-10 08:37:45 -08:00			`logger.Printf("token validation request failed: status %d - %s", resp.StatusCode, body)`
cookie refresh: validation fixes, interval changes * refresh now calculated as duration from cookie set 2015-06-22 15:10:08 -04:00			`return false`
Move ValidateToken() to Provider 2015-05-12 21:48:13 -04:00			`}`