1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-12-04 10:34:59 +02:00
Commit Graph

43 Commits

Author SHA1 Message Date
Kobi Meirson
f753ec1ca5
feat: readiness check (#1839)
* feat: readiness check

* fix: no need for query param

* docs: add a note

* chore: move the readyness check to its own endpoint

* docs(cr): add godoc

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2022-12-23 09:08:12 +00:00
Joel Speed
0586a9e072
Update middleware tests 2022-10-29 12:49:52 +01:00
Joel Speed
54d42c5829
Implement refresh relying on obtaining lock 2022-02-16 10:16:13 +00:00
Kevin Kreitner
e2c7ff6ddd
Use session to lock to protect concurrent refreshes 2022-02-16 10:16:12 +00:00
Joel Speed
d8deaa124b
Improve error message when no cookie is found 2021-10-13 19:08:11 +01:00
Hedi Harzallah
ccbb98acd9
fix(1356): test if session variable is null (#1357)
* fix(1356): test if session variable is null

* fix(1356): adding changelog

Co-authored-by: Hedi Harzallah <hharzalla@talend.com>
2021-09-09 12:12:29 +01:00
JVecsei
8967873659
Updated dependency versions which include CVE fixes (#1276)
* switched to github.com/golang-jwt/jwt and updated golang.org/x/crypto to include CVE fixes

* added #1276 to changelog

Co-authored-by: Joshua Vécsei <git@vecsei.me>
2021-07-29 17:45:41 +01:00
Nick Meves
0b4bc36554
Upgrade go-oidc to v3 (#1264) 2021-07-17 09:55:05 -07:00
Nick Meves
ff914d7e17 Use ErrNotImplemented in default refresh implementation 2021-06-22 17:04:42 -07:00
Nick Meves
593125152d Standarize provider refresh implemention & logging 2021-06-22 17:04:30 -07:00
Nick Meves
7fa6d2d024 Manage session time fields centrally 2021-06-21 21:54:52 -07:00
Nick Meves
7e80e5596b RefreshSessions immediately when called 2021-06-21 21:54:52 -07:00
Rishi Kambil
41cd418a5d
Fix - Refresh Session not working for multiple cookies (#1209) (#1227)
* Fix - Refresh Session not working for multiple cookies (#1209)

* added comments for flattenheaders fix

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Updated Changelog.md

Co-authored-by: Rishi Kambil <rishi.kambil@lntinfotech.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-06-09 10:22:33 +01:00
Kevin Kreitner
f648c54d87
Add redis lock feature (#1063)
* Add sensible logging flag to default setup for logger

* Add Redis lock

* Fix default value flag for sensitive logging

* Split RefreshSessionIfNeeded in two methods and use Redis lock

* Small adjustments to doc and code

* Remove sensible logging

* Fix method names in ticket.go

* Revert "Fix method names in ticket.go"

This reverts commit 408ba1a1a5.

* Fix methods name in ticket.go

* Remove block in Redis client get

* Increase lock time to 1 second

* Perform retries, if session store is locked

* Reverse if condition, because it should return if session does not have to be refreshed

* Update go.sum

* Update MockStore

* Return error if loading session fails

* Fix and update tests

* Change validSession to session in docs and strings

* Change validSession to session in docs and strings

* Fix docs

* Fix wrong field name

* Fix linting

* Fix imports for linting

* Revert changes except from locking functionality

* Add lock feature on session state

* Update from master

* Remove errors package, because it is not used

* Only pass context instead of request to lock

* Use lock key

* By default use NoOpLock

* Remove debug output

* Update ticket_test.go

* Map internal error to sessions error

* Add ErrLockNotObtained

* Enable lock peek for all redis clients

* Use lock key prefix consistent

* Fix imports

* Use exists method for peek lock

* Fix imports

* Fix imports

* Fix imports

* Remove own Dockerfile

* Fix imports

* Fix tests for ticket and session store

* Fix session store test

* Update pkg/apis/sessions/interfaces.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Do not wrap lock method

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Use errors package for lock constants

* Use better naming for initLock function

* Add comments

* Add session store lock test

* Fix tests

* Fix tests

* Fix tests

* Fix tests

* Add cookies after saving session

* Add mock lock

* Fix imports for mock_lock.go

* Store mock lock for key

* Apply elapsed time on mock lock

* Check if lock is initially applied

* Reuse existing lock

* Test all lock methods

* Update CHANGELOG.md

* Use redis client methods in redis.lock for release an refresh

* Use lock key suffix instead of prefix for lock key

* Add comments for Lock interface

* Update comment for Lock interface

* Update CHANGELOG.md

* Change LockSuffix to const

* Check lock on already loaded session

* Use global var for loadedSession in lock tests

* Use lock instance for refreshing and releasing of lock

* Update possible error type for Refresh

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2021-06-02 19:08:19 +01:00
Joel Speed
64f0a9f580
Reinstate preferEmailToUser behaviour for basic auth sessions 2021-03-22 13:13:26 +00:00
Nick Meves
c1267bb92d
Request ID Logging (#1087)
* Add RequestID to the RequestScope

* Expose RequestID to auth & request loggers

* Use the RequestID in templated HTML pages

* Allow customizing the RequestID header

* Document new Request ID support

* Add more cases to scope/requestID tests

* Split Get vs Generate RequestID funtionality

* Add {{.RequestID}} to the request logger tests

* Move RequestID management to RequestScope

* Use HTML escape instead of sanitization for Request ID rendering
2021-03-21 18:20:57 +00:00
Nick Meves
602dac7852
Move Logging to Middleware Package (#1070)
* Use a specialized ResponseWriter in middleware

* Track User & Upstream in RequestScope

* Wrap responses in our custom ResponseWriter

* Add tests for logging middleware

* Inject upstream metadata into request scope

* Use custom ResponseWriter only in logging middleware

* Assume RequestScope is never nil
2021-03-06 17:27:16 +00:00
Stefan Sedich
220b3708fc
Add support for setting groups on session when using basic auth (#1064)
* Add support for setting groups on session when using basic auth

* Refactoring based on feedback

* Attribution
2021-02-25 13:02:23 -08:00
Sean Jones
a7c8a233ba
Add Prometheus metrics endpoint
Add the Prometheus http.Handler to serve metrics at MetricsPath ("/metrics"
by default). This allows Prometheus to scrape metrics from OAuth2 Proxy.

Add a new middleware NewRequestMetrics and attach it to the preAuth
chain. This will collect metrics on all requests made to OAuth2 Proxy

Collapse some calls to Prinf() and os.Exit(1) to Fatalf as they are
equivalent. main() has a strict 50 lines limit so brevity in these
calls appreciated
2021-02-15 13:45:26 +00:00
Joel Speed
b6cca79cb9
Ensure errors in tests are logged to the GinkgoWriter 2021-02-10 19:50:04 +00:00
Nick Meves
c3f31b4dd5
Flatten array-based response headers 2021-02-03 16:48:26 -08:00
Lida Li
b541805dc1
Use comma separated multiple values for header (#799)
* Use comma separated value for multiple claims

* Fix lint error

* Fix more tests

* Fix one more test

* Always flatten the headers

* Ensure we test the real multi-groups

* Only update map when necessary

* Update CHANGELOG

* Move to the right location of change log

* Fix blank line
2021-01-22 08:48:34 +00:00
Nick Meves
f054682fb7
Make HTTPS Redirect middleware Reverse Proxy aware 2021-01-16 13:55:48 -08:00
Nick Meves
6fb3274ca3
Refactor organization of scope aware request utils
Reorganized the structure of the Request Utils due to their widespread use
resulting in circular imports issues (mostly because of middleware & logger).
2021-01-16 13:55:48 -08:00
Nick Meves
b625de9490
Track the ReverseProxy option in the request Scope
This allows for proper handling of reverse proxy based headers throughout
the lifecycle of a request.
2021-01-16 13:55:48 -08:00
Nick Meves
5f8f856260
Remove failed bearer tokens from logs 2020-11-28 10:25:12 -08:00
Nick Meves
22f60e9b63
Generalize and extend default CreateSessionFromToken 2020-11-28 10:25:12 -08:00
Nick Meves
44fa8316a1
Aggregate error logging on JWT chain failures 2020-11-28 10:25:12 -08:00
Nick Meves
3e9717d489
Decouple TokenToSession from OIDC & add a generic VerifyFunc 2020-11-28 10:25:11 -08:00
Joel Speed
6743e3991d
Add header injector middlewares 2020-10-07 18:24:58 +01:00
Mitsuo Heijo
3fa42edb73
Fix import path for v7 (#800)
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
Nick Meves
29b24793e3
Use X-Forwarded-Host consistently 2020-08-31 08:31:45 -07:00
Nick Meves
b6e78efc1e
Add x-oauth-basic nosec annotation & address gosec unhandled errors 2020-08-10 15:15:16 -07:00
Phil Taprogge
d69fd6af22
Allow Logging to stdout with separate Error Log Channel (#718)
* Add dedicated error logging writer

* Document new errors to stdout flag

* Update changelog

* Thread-safe the log buffer

* Address feedback

* Remove duplication by adding log level

* Clean up error formatting

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-08-10 11:44:08 +01:00
Nick Meves
65c228394f
Address gosec findings
Mostly handling unhandled errors appropriately.
If logging to STDERR fails, we panic. Added #nosec
comments to findings we are OK with.
2020-08-09 07:55:39 -07:00
Joel Speed
034f057b60
Add session loader from session storage 2020-07-19 17:21:42 +01:00
Joel Speed
7d6f2a3f45
Add Basic Auth session loader middleware 2020-07-19 17:21:42 +01:00
Joel Speed
c81a7ed197
Add JWT session loader middleware 2020-07-19 17:21:42 +01:00
Joel Speed
2768321929
Add request scope middleware 2020-07-19 17:21:42 +01:00
Mariano Vallés
a999270cf3
Add req.host to targetURL when redirecting to https (#668)
* Add req.host to targetURL when redirecting to https

The req.URL.Host might not be present when redirecting to https if the
given req.URL is something like "/". In such scenario, the req.Host is
still present and valid.

This commit adds the original req.Host to the targetURL before returning
the 308 status, to avoid having a `Location: https:///` in the response.

* Bring back empty line

* Wrap the setting of targetURL.Host in a condition

* Add a comment to the test explaining why the redirectURL includes example.com

* Add changelog entry
2020-07-07 09:55:38 +01:00
Jordan Crawford
6346dafc1e (#649) Remove blank helthcheck user agents and paths when setting up the healthcheck middleware
A blank user agent is considered == to an empty string. When no -ping-user-agent option is specified, this is considered to be an empty string.

This reveals two problems:
- When no ping-user-agent is specified, main.go sets up a health check user agent of ""
- When no user agent is specified, the empty string is still checked against the health check user agents.

Now the health check middleware ignores blank user agents and paths in order to sanitise it's input to avoid this issue.

Additional tests have been added to verify these situations.
2020-07-06 14:07:38 +12:00
Joel Speed
1c1106721e
Move RedirectToHTTPS to middleware package
Moves the logic for redirecting to HTTPs to a middleware package and adds tests for this logic.
Also makes the functionality more useful, previously it always redirected to the HTTPS address of the proxy, which may not have been intended, now it will redirect based on if a port is provided in the URL (assume public facing 80 to 443 or 4180 to 8443 for example)
2020-07-03 17:19:09 +01:00
Joel Speed
ca416a2ebb
Add HealthCheck middleware 2020-06-14 21:05:17 +01:00