From 07aba7db094d829460cc7d67108c8221ab597fe4 Mon Sep 17 00:00:00 2001
From: Joel Speed
Date: Fri, 18 Feb 2022 13:31:16 +0000
Subject: [PATCH 1/2] Tidy go mod file
---
 go.mod | 1 -
 1 file changed, 1 deletion(-)
diff --git a/go.mod b/go.mod
index 08a2e390..1df17f69 100644
--- a/go.mod
+++ b/go.mod
@@ -61,7 +61,6 @@ require (
 github.com/prometheus/common v0.15.0 // indirect
 github.com/prometheus/procfs v0.2.0 // indirect
 github.com/spf13/afero v1.1.2 // indirect
- github.com/spf13/cast v1.3.0 // indirect
 github.com/spf13/jwalterweatherman v1.0.0 // indirect
 github.com/subosito/gotenv v1.2.0 // indirect
 github.com/vmihailenco/tagparser v0.1.1 // indirect
From 25ef843115cb42da196db1e5a676cee02ad6e42e Mon Sep 17 00:00:00 2001
From: Joel Speed
Date: Fri, 18 Feb 2022 14:09:07 +0000
Subject: [PATCH 2/2] Ensure claim extractor does not attempt profile call when URL is empty
---
 CHANGELOG.md | 1 +
 pkg/providers/util/claim_extractor.go | 2 +-
 pkg/providers/util/claim_extractor_test.go | 18 ++++++++++++++++++
 3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index e1e112c1..4de29d7b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ ## Changes since v7.2.1
 - [#1561](https://github.com/oauth2-proxy/oauth2-proxy/pull/1561) Add ppc64le support (@mgiessing)
+- [#1563](https://github.com/oauth2-proxy/oauth2-proxy/pull/1563) Ensure claim extractor does not attempt profile call when URL is empty (@JoelSpeed)
 - [#1560](https://github.com/oauth2-proxy/oauth2-proxy/pull/1560) Fix provider data initialisation (@JoelSpeed)
 - [#1555](https://github.com/oauth2-proxy/oauth2-proxy/pull/1555) Refactor provider configuration into providers package (@JoelSpeed)
 - [#1394](https://github.com/oauth2-proxy/oauth2-proxy/pull/1394) Add generic claim extractor to get claims from ID Tokens (@JoelSpeed)
diff --git a/pkg/providers/util/claim_extractor.go b/pkg/providers/util/claim_extractor.go
index f0fe320e..883cc64f 100644
--- a/pkg/providers/util/claim_extractor.go
+++ b/pkg/providers/util/claim_extractor.go
@@ -86,7 +86,7 @@ func (c *claimExtractor) GetClaim(claim string) (interface{}, bool, error) {
 // loadProfileClaims will fetch the profileURL using the provided headers as
 // authentication.
 func (c *claimExtractor) loadProfileClaims() (*simplejson.Json, error) {
- if c.profileURL == nil || c.requestHeaders == nil {
+ if c.profileURL == nil || c.profileURL.String() == "" || c.requestHeaders == nil {
 // When no profileURL is set, we return a non-empty map so that
 // we don't attempt to populate the profile claims again.
 // If there are no headers, the request would be unauthorized so we also skip
diff --git a/pkg/providers/util/claim_extractor_test.go b/pkg/providers/util/claim_extractor_test.go
index fb6220fe..50275438 100644
--- a/pkg/providers/util/claim_extractor_test.go
+++ b/pkg/providers/util/claim_extractor_test.go
@@ -259,6 +259,24 @@ var _ = Describe("Claim Extractor Suite", func() {
 Expect(counter).To(BeEquivalentTo(1))
 })
+ It("GetClaim should not return an error with a non-nil empty ProfileURL", func() {
+ claims, serverClose, err := newTestClaimExtractor(testClaimExtractorOpts{
+ idTokenPayload: "{}",
+ profileRequestHeaders: newAuthorizedHeader(),
+ })
+ Expect(err).ToNot(HaveOccurred())
+ if serverClose != nil {
+ defer serverClose()
+ }
+ // Set the ProfileURL to be empty, but not nil
+ claims.(*claimExtractor).profileURL = &url.URL{}
+
+ value, exists, err := claims.GetClaim("user")
+ Expect(err).ToNot(HaveOccurred())
+ Expect(exists).To(BeFalse())
+ Expect(value).To(BeNil())
+ })
+
 type getClaimIntoTableInput struct {
 testClaimExtractorOpts
 into interface{}
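Review bot: The guard in `loadProfileClaims` (pkg/providers/util/claim_extractor.go) treats only a completely empty URL as unset, so a partially populated `profileURL` (for example a path with no scheme or host) appears to still fall through to the profile request with `requestHeaders` attached. If the intent is to skip whenever there is no usable profile endpoint, checking the field the request needs is tighter than comparing the rendered string, e.g. `if c.profileURL == nil || c.profileURL.Host == "" || c.requestHeaders == nil {`. Whether a host-less URL can be valid here depends on code outside the hunk, so confirm before tightening. The comment under the condition should also say that the skip now covers an empty URL, e.g. `// When no profileURL is set (nil or empty), we return a non-empty map so that`. The function body continues past the hunk.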