1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-03-19 21:27:58 +02:00

Reinstate preferEmailToUser behaviour for basic auth sessions

This commit is contained in:
Joel Speed 2021-03-21 18:49:30 +00:00
parent b82182763e
commit 64f0a9f580
No known key found for this signature in database
GPG Key ID: 6E80578D6751DEFB
6 changed files with 32 additions and 6 deletions

View File

@ -16,6 +16,7 @@
## Changes since v7.0.1
- [#1116](https://github.com/oauth2-proxy/oauth2-proxy/pull/1116) Reinstate preferEmailToUser behaviour for basic auth sessions (@JoelSpeed)
- [#1115](https://github.com/oauth2-proxy/oauth2-proxy/pull/1115) Fix upstream proxy appending ? to requests (@JoelSpeed)
- [#1117](https://github.com/oauth2-proxy/oauth2-proxy/pull/1117) Deprecate GCP HealthCheck option (@JoelSpeed)
- [#1104](https://github.com/oauth2-proxy/oauth2-proxy/pull/1104) Allow custom robots text pages (@JoelSpeed)

View File

@ -343,7 +343,7 @@ func buildSessionChain(opts *options.Options, sessionStore sessionsapi.SessionSt
}
if validator != nil {
chain = chain.Append(middleware.NewBasicAuthSessionLoader(validator, opts.HtpasswdUserGroups))
chain = chain.Append(middleware.NewBasicAuthSessionLoader(validator, opts.HtpasswdUserGroups, opts.LegacyPreferEmailToUser))
}
chain = chain.Append(middleware.NewStoredSessionLoader(&middleware.StoredSessionLoaderOptions{

View File

@ -67,6 +67,8 @@ func (l *LegacyOptions) ToOptions() (*Options, error) {
l.Options.InjectRequestHeaders, l.Options.InjectResponseHeaders = l.LegacyHeaders.convert()
l.Options.Server, l.Options.MetricsServer = l.LegacyServer.convert()
l.Options.LegacyPreferEmailToUser = l.LegacyHeaders.PreferEmailToUser
return &l.Options, nil
}

View File

@ -104,6 +104,9 @@ type Options struct {
PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url"`
GCPHealthChecks bool `flag:"gcp-healthchecks" cfg:"gcp_healthchecks"`
// This is used for backwards compatibility for basic auth users
LegacyPreferEmailToUser bool `cfg:",internal"`
// internal values that are set after config validation
redirectURL *url.URL
provider providers.Provider

View File

@ -11,9 +11,9 @@ import (
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
)
func NewBasicAuthSessionLoader(validator basic.Validator, sessionGroups []string) alice.Constructor {
func NewBasicAuthSessionLoader(validator basic.Validator, sessionGroups []string, preferEmail bool) alice.Constructor {
return func(next http.Handler) http.Handler {
return loadBasicAuthSession(validator, sessionGroups, next)
return loadBasicAuthSession(validator, sessionGroups, preferEmail, next)
}
}
@ -22,7 +22,20 @@ func NewBasicAuthSessionLoader(validator basic.Validator, sessionGroups []string
// If no authorization header is found, or the header is invalid, no session
// will be loaded and the request will be passed to the next handler.
// If a session was loaded by a previous handler, it will not be replaced.
func loadBasicAuthSession(validator basic.Validator, sessionGroups []string, next http.Handler) http.Handler {
func loadBasicAuthSession(validator basic.Validator, sessionGroups []string, preferEmail bool, next http.Handler) http.Handler {
// This is a hack to be backwards compatible with the old PreferEmailToUser option.
// Long term we will have a rich static user configuration option and this will
// be removed.
// TODO(JoelSpeed): Remove this hack once rich static user config is implemented.
getSession := getBasicSession
if preferEmail {
getSession = func(validator basic.Validator, sessionGroups []string, req *http.Request) (*sessionsapi.SessionState, error) {
session, err := getBasicSession(validator, sessionGroups, req)
session.Email = session.User
return session, err
}
}
return http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
scope := middlewareapi.GetRequestScope(req)
// If scope is nil, this will panic.
@ -33,7 +46,7 @@ func loadBasicAuthSession(validator basic.Validator, sessionGroups []string, nex
return
}
session, err := getBasicSession(validator, sessionGroups, req)
session, err := getSession(validator, sessionGroups, req)
if err != nil {
logger.Errorf("Error retrieving session from token in Authorization header: %v", err)
}

View File

@ -26,6 +26,7 @@ var _ = Describe("Basic Auth Session Suite", func() {
type basicAuthSessionLoaderTableInput struct {
authorizationHeader string
preferEmail bool
sessionGroups []string
existingSession *sessionsapi.SessionState
expectedSession *sessionsapi.SessionState
@ -55,7 +56,7 @@ var _ = Describe("Basic Auth Session Suite", func() {
// Create the handler with a next handler that will capture the session
// from the scope
var gotSession *sessionsapi.SessionState
handler := NewBasicAuthSessionLoader(validator, in.sessionGroups)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
handler := NewBasicAuthSessionLoader(validator, in.sessionGroups, in.preferEmail)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
gotSession = middlewareapi.GetRequestScope(r).Session
}))
handler.ServeHTTP(rw, req)
@ -118,6 +119,12 @@ var _ = Describe("Basic Auth Session Suite", func() {
existingSession: nil,
expectedSession: &sessionsapi.SessionState{User: "admin", Groups: []string{"a", "b"}},
}),
Entry("Basic Base64(user1:<user1Password>) (with PreferEmailToUser)", basicAuthSessionLoaderTableInput{
authorizationHeader: "Basic dXNlcjE6VXNFck9uM1A0NTU=",
preferEmail: true,
existingSession: nil,
expectedSession: &sessionsapi.SessionState{User: "user1", Email: "user1"},
}),
)
})
})