Add header Injector

2025-07-15 01:44:22 +02:00 · 2020-07-26 04:50:18 +01:00
parent d9ed1e7d45
commit ca5fd3c39f
7 changed files with 725 additions and 0 deletions
--- a/pkg/apis/options/util/util.go
+++ b/pkg/apis/options/util/util.go
@ -0,0 +1,26 @@
+package util
+
+import (
+	"encoding/base64"
+	"errors"
+	"io/ioutil"
+	"os"
+
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
+)
+
+// GetSecretValue returns the value of the Secret from its source
+func GetSecretValue(source *options.SecretSource) ([]byte, error) {
+	switch {
+	case len(source.Value) > 0 && source.FromEnv == "" && source.FromFile == "":
+		value := make([]byte, base64.StdEncoding.DecodedLen(len(source.Value)))
+		decoded, err := base64.StdEncoding.Decode(value, source.Value)
+		return value[:decoded], err
+	case len(source.Value) == 0 && source.FromEnv != "" && source.FromFile == "":
+		return []byte(os.Getenv(source.FromEnv)), nil
+	case len(source.Value) == 0 && source.FromEnv == "" && source.FromFile != "":
+		return ioutil.ReadFile(source.FromFile)
+	default:
+		return nil, errors.New("secret source is invalid: exactly one entry required, specify either value, fromEnv or fromFile")
+	}
+}
--- a/pkg/apis/options/util/util_suite_test.go
+++ b/pkg/apis/options/util/util_suite_test.go
@ -0,0 +1,16 @@
+package util
+
+import (
+	"testing"
+
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestUtilSuite(t *testing.T) {
+	logger.SetOutput(GinkgoWriter)
+
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Options Util Suite")
+}
--- a/pkg/apis/options/util/util_test.go
+++ b/pkg/apis/options/util/util_test.go
@ -0,0 +1,88 @@
+package util
+
+import (
+	"encoding/base64"
+	"io/ioutil"
+	"os"
+	"path"
+
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("GetSecretValue", func() {
+	var fileDir string
+	const secretEnvKey = "SECRET_ENV_KEY"
+	const secretEnvValue = "secret-env-value"
+	var secretFileValue = []byte("secret-file-value")
+
+	BeforeEach(func() {
+		os.Setenv(secretEnvKey, secretEnvValue)
+
+		var err error
+		fileDir, err = ioutil.TempDir("", "oauth2-proxy-util-get-secret-value")
+		Expect(err).ToNot(HaveOccurred())
+		Expect(ioutil.WriteFile(path.Join(fileDir, "secret-file"), secretFileValue, 0600)).To(Succeed())
+	})
+
+	AfterEach(func() {
+		os.Unsetenv(secretEnvKey)
+		os.RemoveAll(fileDir)
+	})
+
+	It("returns the correct value from base64", func() {
+		originalValue := []byte("secret-value-1")
+		b64Value := base64.StdEncoding.EncodeToString((originalValue))
+
+		// Once encoded, the originalValue could have a decoded length longer than
+		// its actual length, ensure we trim this.
+		// This assertion ensures we are testing the triming
+		Expect(len(originalValue)).To(BeNumerically("<", base64.StdEncoding.DecodedLen(len(b64Value))))
+
+		value, err := GetSecretValue(&options.SecretSource{
+			Value: []byte(b64Value),
+		})
+		Expect(err).ToNot(HaveOccurred())
+		Expect(value).To(Equal(originalValue))
+	})
+
+	It("returns the correct value from the environment", func() {
+		value, err := GetSecretValue(&options.SecretSource{
+			FromEnv: secretEnvKey,
+		})
+		Expect(err).ToNot(HaveOccurred())
+		Expect(value).To(BeEquivalentTo(secretEnvValue))
+	})
+
+	It("returns the correct value from a file", func() {
+		value, err := GetSecretValue(&options.SecretSource{
+			FromFile: path.Join(fileDir, "secret-file"),
+		})
+		Expect(err).ToNot(HaveOccurred())
+		Expect(value).To(Equal(secretFileValue))
+	})
+
+	It("when the file does not exist", func() {
+		value, err := GetSecretValue(&options.SecretSource{
+			FromFile: path.Join(fileDir, "not-exist"),
+		})
+		Expect(err).To(HaveOccurred())
+		Expect(value).To(BeEmpty())
+	})
+
+	It("with no source set", func() {
+		value, err := GetSecretValue(&options.SecretSource{})
+		Expect(err).To(MatchError("secret source is invalid: exactly one entry required, specify either value, fromEnv or fromFile"))
+		Expect(value).To(BeEmpty())
+	})
+
+	It("with multiple sources set", func() {
+		value, err := GetSecretValue(&options.SecretSource{
+			FromEnv:  secretEnvKey,
+			FromFile: path.Join(fileDir, "secret-file"),
+		})
+		Expect(err).To(MatchError("secret source is invalid: exactly one entry required, specify either value, fromEnv or fromFile"))
+		Expect(value).To(BeEmpty())
+	})
+})
--- a/pkg/apis/sessions/session_state.go
+++ b/pkg/apis/sessions/session_state.go
@ -8,6 +8,7 @@ import (
 	"io"
 	"io/ioutil"
 	"reflect"
+	"strings"
 	"time"
 	"unicode/utf8"

@ -69,6 +70,34 @@ func (s *SessionState) String() string {
 	return o + "}"
 }

+func (s *SessionState) GetClaim(claim string) string {
+	if s == nil {
+		return ""
+	}
+	switch claim {
+	case "access_token":
+		return s.AccessToken
+	case "id_token":
+		return s.IDToken
+	case "created_at":
+		return s.CreatedAt.String()
+	case "expires_on":
+		return s.ExpiresOn.String()
+	case "refresh_token":
+		return s.RefreshToken
+	case "email":
+		return s.Email
+	case "user":
+		return s.User
+	case "groups":
+		return strings.Join(s.Groups, ",")
+	case "preferred_username":
+		return s.PreferredUsername
+	default:
+		return ""
+	}
+}
+
 // EncodeSessionState returns an encrypted, lz4 compressed, MessagePack encoded session
 func (s *SessionState) EncodeSessionState(c encryption.Cipher, compress bool) ([]byte, error) {
 	packed, err := msgpack.Marshal(s)