
adapting unit tests and fixing minor issues introduced with the derefing

Signed-off-by: Jan Larwig <jan@larwig.com>
This commit is contained in:
Jan Larwig
2025-11-07 23:26:00 +01:00
parent 638fba417f
commit 137decb1ec
7 changed files with 103 additions and 50 deletions


@@ -41,7 +41,10 @@ func CreateTokenToSessionFunc(verify VerifyFunc) TokenToSessionFunc {
claims.Email = claims.Subject
}
if !ptr.Deref(claims.Verified, false) {
// Ensure email is verified
// If the email is not verified, return an error
// If the email_verified claim is missing, assume it is verified
if !ptr.Deref(claims.Verified, true) {
return nil, fmt.Errorf("email in id_token (%s) isn't verified", claims.Email)
}
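Review bot: The new default on `if !ptr.Deref(claims.Verified, true) {` makes a missing email_verified claim fail open, and the three comment lines above it describe that outcome without saying it is a deliberate trust assumption about the identity provider rather than a fallback; the old side of this hunk defaulted to false, so the deref default is now the only thing separating "claim absent" from "claim false". I would tighten the comment to `// A missing email_verified claim is treated as verified on purpose: providers that never emit the claim would otherwise be rejected outright.` so the next reader does not "fix" it back. Since the commit message says tests were adapted, a case with a nil Verified and one with an explicit false would pin both branches; I cannot see from this page whether such a case exists. CreateTokenToSessionFunc starts before the hunk and continues past it.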


@@ -96,6 +96,7 @@ func (l *LegacyOptions) ToOptions() (*Options, error) {
return nil, fmt.Errorf("error converting provider: %v", err)
}
l.Options.Providers = providers
l.Options.EnsureDefaults()
return &l.Options, nil
}
@@ -178,6 +179,10 @@ func (l *LegacyUpstreams) convert() (UpstreamConfig, error) {
upstream.URI = ""
upstream.InsecureSkipTLSVerify = ptr.Ptr(false)
upstream.DisableKeepAlives = ptr.Ptr(false)
upstream.PassHostHeader = nil
upstream.ProxyWebSockets = nil
upstream.FlushInterval = nil
upstream.Timeout = nil
case "unix":
upstream.Path = "/"
}
@@ -284,7 +289,8 @@ func getBasicAuthHeader(preferEmailToUser bool, basicAuthPassword string) Header
}
return Header{
Name: "Authorization",
Name: "Authorization",
PreserveRequestValue: ptr.Ptr(false),
Values: []HeaderValue{
{
ClaimSource: &ClaimSource{
@@ -302,7 +308,8 @@ func getBasicAuthHeader(preferEmailToUser bool, basicAuthPassword string) Header
func getPassUserHeaders(preferEmailToUser bool) []Header {
headers := []Header{
{
Name: "X-Forwarded-Groups",
Name: "X-Forwarded-Groups",
PreserveRequestValue: ptr.Ptr(false),
Values: []HeaderValue{
{
ClaimSource: &ClaimSource{
@@ -316,7 +323,8 @@ func getPassUserHeaders(preferEmailToUser bool) []Header {
if preferEmailToUser {
return append(headers,
Header{
Name: "X-Forwarded-User",
Name: "X-Forwarded-User",
PreserveRequestValue: ptr.Ptr(false),
Values: []HeaderValue{
{
ClaimSource: &ClaimSource{
@@ -330,7 +338,8 @@ func getPassUserHeaders(preferEmailToUser bool) []Header {
return append(headers,
Header{
Name: "X-Forwarded-User",
Name: "X-Forwarded-User",
PreserveRequestValue: ptr.Ptr(false),
Values: []HeaderValue{
{
ClaimSource: &ClaimSource{
@@ -340,7 +349,8 @@ func getPassUserHeaders(preferEmailToUser bool) []Header {
},
},
Header{
Name: "X-Forwarded-Email",
Name: "X-Forwarded-Email",
PreserveRequestValue: ptr.Ptr(false),
Values: []HeaderValue{
{
ClaimSource: &ClaimSource{
@@ -354,7 +364,8 @@ func getPassUserHeaders(preferEmailToUser bool) []Header {
func getPassAccessTokenHeader() Header {
return Header{
Name: "X-Forwarded-Access-Token",
Name: "X-Forwarded-Access-Token",
PreserveRequestValue: ptr.Ptr(false),
Values: []HeaderValue{
{
ClaimSource: &ClaimSource{
@@ -367,7 +378,8 @@ func getPassAccessTokenHeader() Header {
func getAuthorizationHeader() Header {
return Header{
Name: "Authorization",
Name: "Authorization",
PreserveRequestValue: ptr.Ptr(false),
Values: []HeaderValue{
{
ClaimSource: &ClaimSource{
@@ -381,7 +393,8 @@ func getAuthorizationHeader() Header {
func getPreferredUsernameHeader() Header {
return Header{
Name: "X-Forwarded-Preferred-Username",
Name: "X-Forwarded-Preferred-Username",
PreserveRequestValue: ptr.Ptr(false),
Values: []HeaderValue{
{
ClaimSource: &ClaimSource{
@@ -395,7 +408,8 @@ func getPreferredUsernameHeader() Header {
func getXAuthRequestHeaders() []Header {
headers := []Header{
{
Name: "X-Auth-Request-User",
Name: "X-Auth-Request-User",
PreserveRequestValue: ptr.Ptr(false),
Values: []HeaderValue{
{
ClaimSource: &ClaimSource{
@@ -405,7 +419,8 @@ func getXAuthRequestHeaders() []Header {
},
},
{
Name: "X-Auth-Request-Email",
Name: "X-Auth-Request-Email",
PreserveRequestValue: ptr.Ptr(false),
Values: []HeaderValue{
{
ClaimSource: &ClaimSource{
@@ -415,7 +430,8 @@ func getXAuthRequestHeaders() []Header {
},
},
{
Name: "X-Auth-Request-Preferred-Username",
Name: "X-Auth-Request-Preferred-Username",
PreserveRequestValue: ptr.Ptr(false),
Values: []HeaderValue{
{
ClaimSource: &ClaimSource{
@@ -425,7 +441,8 @@ func getXAuthRequestHeaders() []Header {
},
},
{
Name: "X-Auth-Request-Groups",
Name: "X-Auth-Request-Groups",
PreserveRequestValue: ptr.Ptr(false),
Values: []HeaderValue{
{
ClaimSource: &ClaimSource{
@@ -441,7 +458,8 @@ func getXAuthRequestHeaders() []Header {
func getXAuthRequestAccessTokenHeader() Header {
return Header{
Name: "X-Auth-Request-Access-Token",
Name: "X-Auth-Request-Access-Token",
PreserveRequestValue: ptr.Ptr(false),
Values: []HeaderValue{
{
ClaimSource: &ClaimSource{
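Review bot: In the convert() hunk, the case that ends just before `case "unix":` resets `PassHostHeader`, `ProxyWebSockets`, `FlushInterval` and `Timeout` to nil while the two lines above them set `InsecureSkipTLSVerify` and `DisableKeepAlives` to an explicit `ptr.Ptr(false)`; now that ToOptions calls `l.Options.EnsureDefaults()` after conversion (first hunk), the code does not say whether nil here means "intentionally unset for a non-HTTP upstream" or "let EnsureDefaults fill it", and I would expect those to yield different Options. A one-line comment above the block, for example `// non-HTTP upstream: these stay nil on purpose and are not defaulted` (or its opposite, whichever EnsureDefaults actually does), plus an assertion on the converted upstream in the conversion test, would make the intent checkable. The case label and the rest of convert() are outside the hunk. Separately, `PreserveRequestValue: ptr.Ptr(false)` is now spelled out twelve times across the header constructors; if EnsureDefaults already applies that value the explicit literals are redundant, and if it does not, a small helper returning the literal would keep the default in one place.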


@@ -122,16 +122,19 @@ var _ = Describe("Legacy Options", func() {
BindAddress: "127.0.0.1:4180",
}
opts.Providers[0].ClientID = "oauth-proxy"
opts.Providers[0].ID = "google=oauth-proxy"
opts.Providers[0].OIDCConfig.InsecureSkipNonce = ptr.Ptr(true)
opts.Providers[0].ClientID = "oauth-proxy"
opts.Providers[0].OIDCConfig.AudienceClaims = []string{"aud"}
opts.Providers[0].OIDCConfig.ExtraAudiences = []string{}
opts.Providers[0].OIDCConfig.InsecureSkipNonce = ptr.Ptr(true)
opts.Providers[0].OIDCConfig.InsecureSkipIssuerVerification = ptr.Ptr(false)
opts.Providers[0].LoginURLParameters = []LoginURLParameter{
{Name: "approval_prompt", Default: []string{"force"}},
}
converted, err := legacyOpts.ToOptions()
opts.EnsureDefaults()
Expect(err).ToNot(HaveOccurred())
Expect(converted).To(EqualOpts(opts))
})
@@ -944,37 +947,50 @@ var _ = Describe("Legacy Options", func() {
{Name: "approval_prompt", Default: []string{"force"}},
}
defaultProvider := Provider{
ID: "google=" + clientID,
ClientID: clientID,
Type: "google",
LoginURLParameters: defaultURLParams,
defaultOIDCOptions := OIDCOptions{
SkipDiscovery: ptr.Ptr(false),
InsecureSkipNonce: ptr.Ptr(false),
InsecureAllowUnverifiedEmail: ptr.Ptr(false),
InsecureSkipIssuerVerification: ptr.Ptr(false),
}
defaultGoogleOptions := GoogleOptions{
UseApplicationDefaultCredentials: ptr.Ptr(false),
}
defaultLegacyProvider := LegacyProvider{
ClientID: clientID,
ProviderType: "google",
}
defaultProviderWithPrompt := Provider{
ID: "google=" + clientID,
ClientID: clientID,
Type: "google",
LoginURLParameters: []LoginURLParameter{
{Name: "prompt", Default: []string{"switch_user"}},
},
defaultProvider := Provider{
ID: "google=" + clientID,
ClientID: clientID,
Type: "google",
OIDCConfig: defaultOIDCOptions,
GoogleConfig: defaultGoogleOptions,
LoginURLParameters: defaultURLParams,
UseSystemTrustStore: ptr.Ptr(false),
SkipClaimsFromProfileURL: ptr.Ptr(false),
}
defaultLegacyProviderWithPrompt := LegacyProvider{
ClientID: clientID,
ProviderType: "google",
Prompt: "switch_user",
}
displayNameProvider := Provider{
ID: "displayName",
Name: "displayName",
ClientID: clientID,
Type: "google",
LoginURLParameters: defaultURLParams,
defaultProviderWithPrompt := Provider{
ID: "google=" + clientID,
ClientID: clientID,
Type: "google",
OIDCConfig: defaultOIDCOptions,
GoogleConfig: defaultGoogleOptions,
LoginURLParameters: []LoginURLParameter{
{Name: "prompt", Default: []string{"switch_user"}},
},
UseSystemTrustStore: ptr.Ptr(false),
SkipClaimsFromProfileURL: ptr.Ptr(false),
}
displayNameLegacyProvider := LegacyProvider{
@@ -983,16 +999,32 @@ var _ = Describe("Legacy Options", func() {
ProviderType: "google",
}
displayNameProvider := Provider{
ID: "displayName",
Name: "displayName",
ClientID: clientID,
Type: "google",
OIDCConfig: defaultOIDCOptions,
GoogleConfig: defaultGoogleOptions,
LoginURLParameters: defaultURLParams,
UseSystemTrustStore: ptr.Ptr(false),
SkipClaimsFromProfileURL: ptr.Ptr(false),
}
internalConfigProvider := Provider{
ID: "google=" + clientID,
ClientID: clientID,
Type: "google",
ID: "google=" + clientID,
ClientID: clientID,
Type: "google",
OIDCConfig: defaultOIDCOptions,
GoogleConfig: GoogleOptions{
AdminEmail: "email@email.com",
ServiceAccountJSON: "test.json",
Groups: []string{"1", "2"},
AdminEmail: "email@email.com",
ServiceAccountJSON: "test.json",
Groups: []string{"1", "2"},
UseApplicationDefaultCredentials: ptr.Ptr(false),
},
LoginURLParameters: defaultURLParams,
LoginURLParameters: defaultURLParams,
UseSystemTrustStore: ptr.Ptr(false),
SkipClaimsFromProfileURL: ptr.Ptr(false),
}
internalConfigLegacyProvider := LegacyProvider{
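Review bot: In the first hunk, `opts.EnsureDefaults()` is applied to the expected value immediately after `converted, err := legacyOpts.ToOptions()`, so both sides of `EqualOpts` run through the same defaulting code and the comparison no longer pins what those defaults are; a wrong default inside EnsureDefaults, such as a regression of the `DefaultUseSystemTrustStore` value changed elsewhere in this commit, would pass this test unchanged. Keep the structural comparison but add one explicit check on a security-relevant default, e.g. `Expect(ptr.Deref(converted.Providers[0].UseSystemTrustStore, true)).To(BeFalse())`, so the test fails if the default drifts. The provider fixtures in the later hunks spell `UseSystemTrustStore: ptr.Ptr(false)` out and are the better pattern. The enclosing Describe closure extends beyond every hunk shown.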


@@ -43,7 +43,7 @@ const (
// DefaultUseSystemTrustStore is the default value
// for Provider.UseSystemTrustStore
DefaultUseSystemTrustStore bool = true
DefaultUseSystemTrustStore bool = false
)
// OIDCAudienceClaims is the generic audience claim list used by the OIDC provider.
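Review bot: The doc comment on the flipped constant, `// DefaultUseSystemTrustStore is the default value // for Provider.UseSystemTrustStore`, says nothing about why the value is now false, and a reversed boolean default on a trust-store setting is exactly the kind of change a later reader will question or "correct". The commit message points to restoring behaviour from before the deref change, so record that here, e.g. `// DefaultUseSystemTrustStore is the default value for Provider.UseSystemTrustStore. // It is false so that only the CA files an operator configured are trusted unless they opt in (pre-deref behaviour).` I am inferring the option's meaning from its name; adjust the wording to match the documented semantics of UseSystemTrustStore.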