1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-15 00:15:00 +02:00
Commit Graph

134 Commits

Author SHA1 Message Date
780ae4f3c9 Merge pull request from GHSA-4mf2-f3wh-gvf2 2021-02-01 18:04:33 +00:00
b541805dc1 Use comma separated multiple values for header (#799)
* Use comma separated value for multiple claims

* Fix lint error

* Fix more tests

* Fix one more test

* Always flatten the headers

* Ensure we test the real multi-groups

* Only update map when necessary

* Update CHANGELOG

* Move to the right location of change log

* Fix blank line
2021-01-22 08:48:34 +00:00
fa6a785eaf Improve handler vs helper organization in oauthproxy.go
Additionally, convert a lot of helper methods to be private
2021-01-16 13:55:49 -08:00
73fc7706bc Figure out final app redirect URL with proxy aware request utils 2021-01-16 13:55:49 -08:00
81bf1ef8ce Adapt isAjax to support mimetype lists
Fixes #988
2021-01-12 19:37:30 +01:00
1d74a51cd7 Use X-Forwarded-{Proto,Host,Uri} on redirect as last resort (#957) 2021-01-01 15:23:11 -08:00
65e15f24c1 Support only allowed_groups querystring 2020-12-24 12:05:12 -08:00
44d83e5f95 Use StatusForbidden to prevent infinite redirects 2020-12-24 12:04:01 -08:00
23b2355f85 Allow group authZ in AuthOnly endpoint via Querystring 2020-12-24 12:04:01 -08:00
5b003a5657 SecretSource.Value should be plain text in memory 2020-12-01 08:56:46 +00:00
e9f787957e Standardize provider interface method names 2020-11-28 10:25:11 -08:00
7407fbd3a7 Add more UserInfo test cases 2020-11-25 19:00:58 -08:00
2549b722d3 Add User & Groups to Userinfo 2020-11-25 18:19:48 -08:00
1b3b00443a Streamline ErrMissingCode in provider Redeem methods 2020-11-12 11:18:59 -08:00
b92fd4b0bb Streamline Google to use default Authorize 2020-11-12 11:18:58 -08:00
eb58ea2ed9 Move AllowedGroups to DefaultProvider for default Authorize usage 2020-11-12 11:18:15 -08:00
8059a812cd Integrate new header injectors with OAuth2 Proxy 2020-11-07 17:16:58 +00:00
2b9e1bbba0 Add EnrichSessionState as main post-Redeem session updater 2020-10-19 14:09:45 -07:00
b6061f0803 Adds tests for redeemCode and enrichSession 2020-10-19 14:09:02 -07:00
b7b7ade7c4 Improve AllowedRoute test table formatting 2020-10-07 10:13:41 -07:00
89a8ac8c1f Add startup logging for skipped auth routes 2020-10-07 10:13:41 -07:00
cfd3de807c Add tests for skip auth functionality 2020-10-07 10:13:41 -07:00
5c62690653 Rename test directory to testdata
See https://golang.org/cmd/go/#hdr-Test_packages
2020-10-06 21:37:25 +09:00
3fa42edb73 Fix import path for v7 (#800)
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
9d59519a96 Add support to ensure user belongs in required groups when using the OIDC provider 2020-09-21 10:43:54 -07:00
88ef888752 Preserve query when building redirect (fix for #695) (#696)
* Add test for GetRedirect to check query and fragments.

* Preserve query and fragment when building redirect.

* Add changelog entry for redirect fix
2020-07-21 16:38:13 +01:00
eb234011eb Integrate sessions middlewares 2020-07-19 17:24:12 +01:00
5dbcd73722 Configure OAuth2 Proxy to use new upstreams package and LegacyConfig 2020-07-19 08:17:53 +01:00
abeb0236d8 Strip X-Forwarded auth headers from whitelisted paths (#624)
* Strip X-Forwarded auth headers from whitelisted paths

For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).

Only x-Forwarded headers stripped, left the Authorization header
untouched.

* Strip authorization header if it would be set

* Improve TestStripAuthHeaders test table

* Improve --skip-auth-strip-headers flag documentation
2020-07-14 23:46:44 +01:00
a09eecc6a2 Reduce SessionState size better with MessagePack + LZ4 (#632)
* Encode sessions with MsgPack + LZ4

Assumes ciphers are now mandatory per #414. Cookie & Redis sessions
can fallback to V5 style JSON in error cases. TODO: session_state.go
unit tests & new unit tests for Legacy fallback scenarios.

* Only compress encoded sessions with Cookie Store

* Cleanup msgpack + lz4 error handling

* Change NewBase64Cipher to take in an existing Cipher

* Add msgpack & lz4 session state tests

* Add required options for oauthproxy tests

More aggressively assert.NoError on all
validation.Validate(opts) calls to enforce legal
options in all our tests.
Add additional NoError checks wherever error return
values were ignored.

* Remove support for uncompressed session state fields

* Improve error verbosity & add session state tests

* Ensure all marshalled sessions are valid

Invalid CFB decryptions can result in garbage data
that 1/100 times might cause message pack unmarshal
to not fail and instead return an empty session.
This adds more rigor to make sure legacy sessions
cause appropriate errors.

* Add tests for legacy V5 session decoding

Refactor common legacy JSON test cases to a
legacy helpers area under session store tests.

* Make ValidateSession a struct method & add CHANGELOG entry

* Improve SessionState error & comments verbosity

* Move legacy session test helpers to sessions pkg

Placing these helpers under the sessions pkg removed
all the circular import uses in housing it under the
session store area.

* Improve SignatureAuthenticator test helper formatting

* Make redis.legacyV5DecodeSession internal

* Make LegacyV5TestCase test table public for linter
2020-07-13 20:56:05 +01:00
64ae31b5a0 Implements --trusted-ip option (#552)
* Implements --ip-whitelist option

* Included IPWhitelist option to allow one-or-more selected CIDR ranges
  to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.

* Renamed IPWhitelist ipCIDRSet

* Fixed unessesary pointer usage in ipCIDRSet

* Update CHANGELOG.md

* Update CHANGELOG.md

* Updated to not use err.Error() in printf statements

* Imrpoved language for --ip-whitelist descriptions.

* Improve IP whitelist options error messages

* Clarify options single-host normalization

* Wrote a book about ipCIDRSet

* Added comment to IsWhitelistedIP in oauthproxy.go

* Rewrite oauthproxy test case as table driven

* oops

* Support whitelisting by low-level remote address

* Added more test-cases, improved descriptions

* Move ip_cidr_set.go to pkg/ip/net_set.go

* Add more whitelist test use cases.

* Oops

* Use subtests for TestIPWhitelist

* Add minimal tests for ip.NetSet

* Use switch statment

* Renamed ip-whitelist to whitelist-ip

* Update documentation with a warning.

* Update pkg/apis/options/options.go

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix fmt

* Move ParseIPNet into abstraction

* Add warning in case of --reverse-proxy

* Update pkg/validation/options_test.go

* Rename --whitelist-ip to --trusted-ip

* Update oauthproxy.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-11 11:10:58 +01:00
4c1047866b fix: do not add Cache-Control header to response from auth only endpoint
fix #661
related #453
2020-07-06 19:04:31 +09:00
6e1b3b9660 Switch to in session store initialisation 2020-06-28 12:50:55 +01:00
5ce9e75c21 Initialise Session Storage in NewOAuthProxy instead of validation 2020-06-28 12:32:06 +01:00
6b43b41638 Fix tests broken by security advisory 2020-06-27 12:41:46 +01:00
ee5662e0f5 Merge pull request from GHSA-5m6c-jp6f-2vcv
* Add more Open Redirect test cases

* Add whitelisted domain to test

* Add more test cases

* Improve invalid redirect regex
2020-06-27 12:07:24 +01:00
c2c1caa404 Set User = Subject in ExtraJWTBearer sessions 2020-06-19 11:48:23 -07:00
f7b28cb1d3 Improvements to Session State code (#536)
* Drop SessionStateJSON wrapper
* Use EncrpytInto/DecryptInto to reduce sessionstate

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-30 08:53:38 +01:00
276d1c6f19 Always encrypt sessions regardless of configuration 2020-05-24 21:23:04 +01:00
44b27e0208 Move Options and Validation to package 2020-05-21 22:43:42 +01:00
7e5c8bb579 Fix secretBytes adding unintended padding (#556)
* Fix secretBytes adding unintended padding

* Add more SecretBytes test scenarios

* Add CHANGELOG entry about breaking secret padding change

* Add SecretBytes tests explanation comments
2020-05-21 19:29:45 +01:00
4e3dd09cf2 Drop fallback to email when user is empty (#537) 2020-05-12 16:04:51 +01:00
e642daef4e Support context in providers (#519)
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-10 13:34:59 +01:00
0d5fa211df Merge pull request from GHSA-j7px-6hwj-hpjg 2020-05-06 12:42:02 +01:00
e49f8542bc Rename Session Options to improve structure 2020-04-29 19:51:24 +01:00
458710149c Rename Cookie Options to remove extra 'Cookie' 2020-04-29 19:51:24 +01:00
dd05e7ff0b Add new linters (#486)
* add new linters and fix issues

* fix deprecated warnings

* simplify return

* update CHANGELOG

* fix staticcheck issues

* remove a deprecated linter, minor fixes of variable initialization
2020-04-14 09:36:44 +01:00
a659b9558e Allow multiple cookie domains to be specified (#412)
* Allow multiple cookie domains to be specified

* Use X-Forwarded-Host, if it exists, when selecting cookie domain

* Perform cookie domain sorting in config validation phase

* Extract get domain cookies to a single function

* Update pkg/cookies/cookies.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 12:00:44 +01:00
b0b87563dc Add set basic auth param (#413)
* addint redirect capability to sign_out

* updating changelog

* Add a new param to set the Authorization header to up-stream systems as Basic user:password

* Resolving code review

* mutual exclusiv changes for Basic and Bearer Authorization header

* Fixed the merge mixup and comment error

* Updated changelog and fixed typo

* Adding the new entry in changelog

Co-authored-by: Costel Moraru <costel.moraru-germany@ibm.com>
2020-04-10 14:41:28 +01:00
7efc162aaa Prevent browser caching during auth flow (#453)
* Prevent browser caching during auth flow

* simplify no-cache logic, add tests and update changelog

* checking noCacheHeaders does not exists in response headers from upstream

* remove unnecessary codes

* add no-cache headers in SignInPage and OAuthStart for proxy mode

https://github.com/oauth2-proxy/oauth2-proxy/pull/453#discussion_r405072222
2020-04-09 15:39:07 +01:00