From 8fd7312a9007d67f2f15bd4177850787addb0f37 Mon Sep 17 00:00:00 2001
From: tuunit
Date: Sat, 5 Oct 2024 17:29:37 +0200
Subject: [PATCH 1/3] fix: self signed certificate handling

---
 pkg/requests/http.go      | 12 +++++++-----
 pkg/validation/options.go | 13 +++++++------
 2 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/pkg/requests/http.go b/pkg/requests/http.go
index ed335b86..222b92d3 100644
--- a/pkg/requests/http.go
+++ b/pkg/requests/http.go
@@ -7,20 +7,22 @@ import (
 )
 
 type userAgentTransport struct {
-	next http.RoundTripper
+	Next http.RoundTripper
 	userAgent string
 }
 
 func (t *userAgentTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	r := req.Clone(req.Context())
 	setDefaultUserAgent(r.Header, t.userAgent)
-	return t.next.RoundTrip(r)
+	return t.Next.RoundTrip(r)
 }
 
-var DefaultHTTPClient = &http.Client{Transport: &userAgentTransport{
-	next: http.DefaultTransport,
+var DefaultHTTPClient = &http.Client{Transport: &DefaultTransport}
+
+var DefaultTransport = userAgentTransport{
+	Next: http.DefaultTransport,
 	userAgent: "oauth2-proxy/" + version.VERSION,
-}}
+}
 
 func setDefaultUserAgent(header http.Header, userAgent string) {
 	if header != nil && len(header.Values("User-Agent")) == 0 {
diff --git a/pkg/validation/options.go b/pkg/validation/options.go
index b14439a7..caf896c5 100644
--- a/pkg/validation/options.go
+++ b/pkg/validation/options.go
@@ -13,6 +13,7 @@ import (
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/ip"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
 	internaloidc "github.com/oauth2-proxy/oauth2-proxy/v7/pkg/providers/oidc"
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/requests"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/util"
 )
 
@@ -30,20 +31,20 @@ func Validate(o *options.Options) error {
 	msgs = parseSignatureKey(o, msgs)
 
 	if o.SSLInsecureSkipVerify {
-		insecureTransport := &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // #nosec G402 -- InsecureSkipVerify is a configurable option we allow
-		}
-		http.DefaultClient = &http.Client{Transport: insecureTransport}
+		transport := requests.DefaultTransport.Next.(*http.Transport).Clone()
+		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // #nosec G402 -- InsecureSkipVerify is a configurable option we allow
+
+		requests.DefaultHTTPClient = &http.Client{Transport: transport}
 	} else if len(o.Providers[0].CAFiles) > 0 {
 		pool, err := util.GetCertPool(o.Providers[0].CAFiles, o.Providers[0].UseSystemTrustStore)
 		if err == nil {
-			transport := http.DefaultTransport.(*http.Transport).Clone()
+			transport := requests.DefaultTransport.Next.(*http.Transport).Clone()
 			transport.TLSClientConfig = &tls.Config{
 				RootCAs: pool,
 				MinVersion: tls.VersionTLS12,
 			}
 
-			http.DefaultClient = &http.Client{Transport: transport}
+			requests.DefaultHTTPClient = &http.Client{Transport: transport}
 		} else {
 			msgs = append(msgs, fmt.Sprintf("unable to load provider CA file(s): %v", err))
 		}

From bae168f06acdab5b29d7167d4bdf48f4de02aaae Mon Sep 17 00:00:00 2001
From: tuunit
Date: Sun, 6 Oct 2024 21:43:38 +0200
Subject: [PATCH 2/3] better handling of default transport modification

---
 pkg/requests/http.go      | 14 +++++++-------
 pkg/validation/options.go |  8 ++------
 2 files changed, 9 insertions(+), 13 deletions(-)

diff --git a/pkg/requests/http.go b/pkg/requests/http.go
index 222b92d3..c0035e0a 100644
--- a/pkg/requests/http.go
+++ b/pkg/requests/http.go
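Review bot: Assigning a bare `&http.Client{Transport: transport}` to requests.DefaultHTTPClient in both branches discards the userAgentTransport wrapper that DefaultHTTPClient carries in pkg/requests/http.go, so the default User-Agent header is no longer set whenever SSLInsecureSkipVerify or CAFiles is configured. On this commit alone the cloned transport should be wrapped again, e.g. by giving pkg/requests a constructor such as `func NewClient(next http.RoundTripper) *http.Client` that builds the userAgentTransport around it; the next commit in this series restructures this differently. The body of Validate continues outside both ends of the hunk.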
@@ -7,22 +7,22 @@ import (
 )
 
 type userAgentTransport struct {
-	Next http.RoundTripper
+	next http.RoundTripper
 	userAgent string
 }
 
 func (t *userAgentTransport) RoundTrip(req *http.Request) (*http.Response, error) {
 	r := req.Clone(req.Context())
 	setDefaultUserAgent(r.Header, t.userAgent)
-	return t.Next.RoundTrip(r)
+	return t.next.RoundTrip(r)
 }
 
-var DefaultHTTPClient = &http.Client{Transport: &DefaultTransport}
-
-var DefaultTransport = userAgentTransport{
-	Next: http.DefaultTransport,
+var DefaultHTTPClient = &http.Client{Transport: &userAgentTransport{
+	next: DefaultTransport,
 	userAgent: "oauth2-proxy/" + version.VERSION,
-}
+}}
+
+var DefaultTransport = http.DefaultTransport
 
 func setDefaultUserAgent(header http.Header, userAgent string) {
 	if header != nil && len(header.Values("User-Agent")) == 0 {
diff --git a/pkg/validation/options.go b/pkg/validation/options.go
index caf896c5..c720f47e 100644
--- a/pkg/validation/options.go
+++ b/pkg/validation/options.go
@@ -31,20 +31,16 @@ func Validate(o *options.Options) error {
 	msgs = parseSignatureKey(o, msgs)
 
 	if o.SSLInsecureSkipVerify {
-		transport := requests.DefaultTransport.Next.(*http.Transport).Clone()
+		transport := requests.DefaultTransport.(*http.Transport)
 		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} // #nosec G402 -- InsecureSkipVerify is a configurable option we allow
-
-		requests.DefaultHTTPClient = &http.Client{Transport: transport}
 	} else if len(o.Providers[0].CAFiles) > 0 {
 		pool, err := util.GetCertPool(o.Providers[0].CAFiles, o.Providers[0].UseSystemTrustStore)
 		if err == nil {
-			transport := requests.DefaultTransport.Next.(*http.Transport).Clone()
+			transport := requests.DefaultTransport.(*http.Transport)
 			transport.TLSClientConfig = &tls.Config{
 				RootCAs: pool,
 				MinVersion: tls.VersionTLS12,
 			}
-
-			requests.DefaultHTTPClient = &http.Client{Transport: transport}
 		} else {
 			msgs = append(msgs, fmt.Sprintf("unable to load provider CA file(s): %v", err))
 		}
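Review bot: The new exported `DefaultTransport` has no doc comment, and because it is initialised from `http.DefaultTransport` its static type is the http.RoundTripper interface, which forces every caller that needs TLS settings to type-assert it back to *http.Transport. A comment should make the aliasing explicit, since it is the non-obvious part: `// DefaultTransport is the RoundTripper wrapped by DefaultHTTPClient. It is http.DefaultTransport itself (not a clone), so any TLS configuration applied to it also applies to every user of http.DefaultClient in this process.` If the intent is that callers configure TLS on it, declaring it as `var DefaultTransport = http.DefaultTransport.(*http.Transport)` would move the one assertion to the point where the concrete type is guaranteed by the standard library and let pkg/validation use the field directly.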
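Review bot: The type assertion `requests.DefaultTransport.(*http.Transport)` in both branches is unchecked, so if DefaultTransport is ever replaced by a RoundTripper of another type (a test double or a future wrapper) Validate panics instead of reporting through msgs; a checked form keeps it on the existing error path: `transport, ok := requests.DefaultTransport.(*http.Transport)` followed by `if !ok { msgs = append(msgs, "default HTTP transport is not an *http.Transport"); return }`-style handling consistent with the CA branch. Because DefaultTransport is http.DefaultTransport itself and the `.Clone()` from the previous commit was dropped, the TLSClientConfig write now mutates the process-wide default transport in place, so InsecureSkipVerify or the custom RootCAs apply to every consumer of http.DefaultClient, not only DefaultHTTPClient; if that widening is intended it deserves a comment, and since http.Transport reads TLSClientConfig on first use the write must happen before any request is sent on it, which is presumably true during validation but is not enforced here. Separately, the insecure branch replaces the whole config with `&tls.Config{InsecureSkipVerify: true}` and so loses the `MinVersion: tls.VersionTLS12` floor that the CA branch sets. The body of Validate continues outside both ends of the hunk.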
From 4bd920b208c7389adce0a56c0d865ecc2a602a9a Mon Sep 17 00:00:00 2001
From: tuunit
Date: Sun, 6 Oct 2024 21:55:45 +0200
Subject: [PATCH 3/3] add changelog entry

---
 CHANGELOG.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index eba447f3..1a61dde4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,8 @@
 
 ## Changes since v7.7.0
 
+- [#2803](https://github.com/oauth2-proxy/oauth2-proxy/pull/2803) fix: self signed certificate handling in v7.7.0 (@tuunit)
+
 # V7.7.0
 
 ## Release Highlights