go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-01-22 05:19:26 +02:00
Code Issues Releases Activity

Let authentication fail when session validation fails (fixes #1396) (#1433)

Browse Source 
* Error page for session validation failure

* Fix existing tests

* Add test-case for session validation failure

* Simplify test

* Add changelog entry for PR

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
This commit is contained in:
Stephan Aßmus 2021-11-12 19:36:29 +01:00 committed by GitHub
parent 9caf8c7040
commit 2c668a52d4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 33 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
CHANGELOG.md
View File

@ -8,6 +8,8 @@
## Changes since v7.2.0 ## Changes since v7.2.0
- [#1433](https://github.com/oauth2-proxy/oauth2-proxy/pull/1433) Let authentication fail when session validation fails ((@stippi2)
# V7.2.0 # V7.2.0
## Release Highlights ## Release Highlights

6
oauthproxy.go
View File

@ -755,7 +755,11 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
} }
csrf.SetSessionNonce(session) csrf.SetSessionNonce(session)
p.provider.ValidateSession(req.Context(), session) if !p.provider.ValidateSession(req.Context(), session) {
logger.PrintAuthf(session.Email, req, logger.AuthFailure, "Session validation failed: %s", session)
p.ErrorPage(rw, req, http.StatusForbidden, "Session validation failed")
return
}
if !p.redirectValidator.IsValidRedirect(appRedirect) { if !p.redirectValidator.IsValidRedirect(appRedirect) {
appRedirect = "/" appRedirect = "/"

28
oauthproxy_test.go
View File

@ -26,6 +26,7 @@ import (
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/validation" "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/validation"
"github.com/oauth2-proxy/oauth2-proxy/v7/providers" "github.com/oauth2-proxy/oauth2-proxy/v7/providers"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
) )
const ( const (
@ -322,6 +323,7 @@ type PassAccessTokenTest struct {
type PassAccessTokenTestOptions struct { type PassAccessTokenTestOptions struct {
PassAccessToken bool PassAccessToken bool
ValidToken bool
ProxyUpstream options.Upstream ProxyUpstream options.Upstream
} }
@ -385,7 +387,9 @@ func NewPassAccessTokenTest(opts PassAccessTokenTestOptions) (*PassAccessTokenTe
providerURL, _ := url.Parse(patt.providerServer.URL) providerURL, _ := url.Parse(patt.providerServer.URL)
const emailAddress = "michael.bland@gsa.gov" const emailAddress = "michael.bland@gsa.gov"
patt.opts.SetProvider(NewTestProvider(providerURL, emailAddress)) testProvider := NewTestProvider(providerURL, emailAddress)
testProvider.ValidToken = opts.ValidToken
patt.opts.SetProvider(testProvider)
patt.proxy, err = NewOAuthProxy(patt.opts, func(email string) bool { patt.proxy, err = NewOAuthProxy(patt.opts, func(email string) bool {
return email == emailAddress return email == emailAddress
}) })
@ -428,7 +432,11 @@ func (patTest *PassAccessTokenTest) getCallbackEndpoint() (httpCode int, cookie
patTest.proxy.ServeHTTP(rw, req) patTest.proxy.ServeHTTP(rw, req)
return rw.Code, rw.Header().Values("Set-Cookie")[1] if len(rw.Header().Values("Set-Cookie")) >= 2 {
cookie = rw.Header().Values("Set-Cookie")[1]
}
return rw.Code, cookie
} }
// getEndpointWithCookie makes a requests againt the oauthproxy with passed requestPath // getEndpointWithCookie makes a requests againt the oauthproxy with passed requestPath
@ -470,6 +478,7 @@ func (patTest *PassAccessTokenTest) getEndpointWithCookie(cookie string, endpoin
func TestForwardAccessTokenUpstream(t *testing.T) { func TestForwardAccessTokenUpstream(t *testing.T) {
patTest, err := NewPassAccessTokenTest(PassAccessTokenTestOptions{ patTest, err := NewPassAccessTokenTest(PassAccessTokenTestOptions{
PassAccessToken: true, PassAccessToken: true,
ValidToken: true,
}) })
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -496,6 +505,7 @@ func TestForwardAccessTokenUpstream(t *testing.T) {
func TestStaticProxyUpstream(t *testing.T) { func TestStaticProxyUpstream(t *testing.T) {
patTest, err := NewPassAccessTokenTest(PassAccessTokenTestOptions{ patTest, err := NewPassAccessTokenTest(PassAccessTokenTestOptions{
PassAccessToken: true, PassAccessToken: true,
ValidToken: true,
ProxyUpstream: options.Upstream{ ProxyUpstream: options.Upstream{
ID: "static-proxy", ID: "static-proxy",
Path: "/static-proxy", Path: "/static-proxy",
@ -526,6 +536,7 @@ func TestStaticProxyUpstream(t *testing.T) {
func TestDoNotForwardAccessTokenUpstream(t *testing.T) { func TestDoNotForwardAccessTokenUpstream(t *testing.T) {
patTest, err := NewPassAccessTokenTest(PassAccessTokenTestOptions{ patTest, err := NewPassAccessTokenTest(PassAccessTokenTestOptions{
PassAccessToken: false, PassAccessToken: false,
ValidToken: true,
}) })
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
@ -548,6 +559,19 @@ func TestDoNotForwardAccessTokenUpstream(t *testing.T) {
assert.Equal(t, "No access token found.", payload) assert.Equal(t, "No access token found.", payload)
} }
func TestSessionValidationFailure(t *testing.T) {
patTest, err := NewPassAccessTokenTest(PassAccessTokenTestOptions{
ValidToken: false,
})
require.NoError(t, err)
t.Cleanup(patTest.Close)
// An unsuccessful validation will return 403 and not set the auth cookie.
code, cookie := patTest.getCallbackEndpoint()
assert.Equal(t, http.StatusForbidden, code)
assert.Equal(t, "", cookie)
}
type SignInPageTest struct { type SignInPageTest struct {
opts *options.Options opts *options.Options
proxy *OAuthProxy proxy *OAuthProxy