1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-07-09 01:25:37 +02:00
Commit Graph

253 Commits

Author SHA1 Message Date
da02914a9c Log IsValidRedirect violations and do a final safety call 2021-01-16 13:56:38 -08:00
fa6a785eaf Improve handler vs helper organization in oauthproxy.go
Additionally, convert a lot of helper methods to be private
2021-01-16 13:55:49 -08:00
73fc7706bc Figure out final app redirect URL with proxy aware request utils 2021-01-16 13:55:49 -08:00
b625de9490 Track the ReverseProxy option in the request Scope
This allows for proper handling of reverse proxy based headers throughout
the lifecycle of a request.
2021-01-16 13:55:48 -08:00
81bf1ef8ce Adapt isAjax to support mimetype lists
Fixes #988
2021-01-12 19:37:30 +01:00
1d74a51cd7 Use X-Forwarded-{Proto,Host,Uri} on redirect as last resort (#957) 2021-01-01 15:23:11 -08:00
753f6c548a Add a detailed allowed_groups example to Important Notes 2020-12-24 12:05:12 -08:00
65e15f24c1 Support only allowed_groups querystring 2020-12-24 12:05:12 -08:00
025056cba0 Move AuthOnly authorize logic to a dedicated method 2020-12-24 12:05:11 -08:00
44d83e5f95 Use StatusForbidden to prevent infinite redirects 2020-12-24 12:04:01 -08:00
23b2355f85 Allow group authZ in AuthOnly endpoint via Querystring 2020-12-24 12:04:01 -08:00
22f60e9b63 Generalize and extend default CreateSessionFromToken 2020-11-28 10:25:12 -08:00
3e9717d489 Decouple TokenToSession from OIDC & add a generic VerifyFunc 2020-11-28 10:25:11 -08:00
e9f787957e Standardize provider interface method names 2020-11-28 10:25:11 -08:00
2549b722d3 Add User & Groups to Userinfo 2020-11-25 18:19:48 -08:00
b9661cb6fe Return 401 Unauthorized if Authorize fails 2020-11-12 11:18:59 -08:00
f21b3b8b20 Authorize in Redeem callback flow 2020-11-12 11:18:59 -08:00
1b3b00443a Streamline ErrMissingCode in provider Redeem methods 2020-11-12 11:18:59 -08:00
eb58ea2ed9 Move AllowedGroups to DefaultProvider for default Authorize usage 2020-11-12 11:18:15 -08:00
e7ac793044 Replace ValidateGroup with Authorize for Provider 2020-11-12 11:17:06 -08:00
cc6532a282 Use display-htpasswd-form flag (#778)
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-11-08 18:48:01 +00:00
8059a812cd Integrate new header injectors with OAuth2 Proxy 2020-11-07 17:16:58 +00:00
d9c141ae7c Remove GetUserName method from Provider 2020-10-19 14:09:46 -07:00
2b9e1bbba0 Add EnrichSessionState as main post-Redeem session updater 2020-10-19 14:09:45 -07:00
0bd8eb3191 Setup provider.ErrNotImplemented sentinel error 2020-10-19 14:09:02 -07:00
add45c360c Split session enrichment from code redemption 2020-10-19 14:09:02 -07:00
b7b7ade7c4 Improve AllowedRoute test table formatting 2020-10-07 10:13:41 -07:00
89a8ac8c1f Add startup logging for skipped auth routes 2020-10-07 10:13:41 -07:00
cfd3de807c Add tests for skip auth functionality 2020-10-07 10:13:41 -07:00
183cb124a4 Support HTTP method based allowlists 2020-10-07 10:13:40 -07:00
3fa42edb73 Fix import path for v7 (#800)
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
e0d915cc03 Stop shadowing GetEmailAddress errors in redeemCode 2020-09-24 10:50:18 -07:00
3371284a36 Remove GetPreferredUsername method from Provider interface
It isn't used in any providers and we have future plans
to remove the specialness of PreferredUsername and make it
an optional field in the session.

User, Email & Groups will eventually be the only first class
fields on the session that are always set.
2020-09-24 10:49:50 -07:00
9d59519a96 Add support to ensure user belongs in required groups when using the OIDC provider 2020-09-21 10:43:54 -07:00
29b24793e3 Use X-Forwarded-Host consistently 2020-08-31 08:31:45 -07:00
d69fd6af22 Allow Logging to stdout with separate Error Log Channel (#718)
* Add dedicated error logging writer

* Document new errors to stdout flag

* Update changelog

* Thread-safe the log buffer

* Address feedback

* Remove duplication by adding log level

* Clean up error formatting

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-08-10 11:44:08 +01:00
e88d29f16a Refactor SignInMessage out of main 2020-08-09 07:55:41 -07:00
45222395e0 Attempt to log still on template errors 2020-08-09 07:55:40 -07:00
ad52587ae6 Document GoSec nosec skip comments 2020-08-09 07:55:40 -07:00
2bb0160bf3 Streamline error page usage 2020-08-09 07:55:40 -07:00
65c228394f Address gosec findings
Mostly handling unhandled errors appropriately.
If logging to STDERR fails, we panic. Added #nosec
comments to findings we are OK with.
2020-08-09 07:55:39 -07:00
88ef888752 Preserve query when building redirect (fix for #695) (#696)
* Add test for GetRedirect to check query and fragments.

* Preserve query and fragment when building redirect.

* Add changelog entry for redirect fix
2020-07-21 16:38:13 +01:00
eb234011eb Integrate sessions middlewares 2020-07-19 17:24:12 +01:00
5dbcd73722 Configure OAuth2 Proxy to use new upstreams package and LegacyConfig 2020-07-19 08:17:53 +01:00
2981a5ed1a Integrate HTPasswdValidator into OAuth2 Proxy 2020-07-18 11:01:49 +01:00
abeb0236d8 Strip X-Forwarded auth headers from whitelisted paths (#624)
* Strip X-Forwarded auth headers from whitelisted paths

For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).

Only x-Forwarded headers stripped, left the Authorization header
untouched.

* Strip authorization header if it would be set

* Improve TestStripAuthHeaders test table

* Improve --skip-auth-strip-headers flag documentation
2020-07-14 23:46:44 +01:00
64ae31b5a0 Implements --trusted-ip option (#552)
* Implements --ip-whitelist option

* Included IPWhitelist option to allow one-or-more selected CIDR ranges
  to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.

* Renamed IPWhitelist ipCIDRSet

* Fixed unessesary pointer usage in ipCIDRSet

* Update CHANGELOG.md

* Update CHANGELOG.md

* Updated to not use err.Error() in printf statements

* Imrpoved language for --ip-whitelist descriptions.

* Improve IP whitelist options error messages

* Clarify options single-host normalization

* Wrote a book about ipCIDRSet

* Added comment to IsWhitelistedIP in oauthproxy.go

* Rewrite oauthproxy test case as table driven

* oops

* Support whitelisting by low-level remote address

* Added more test-cases, improved descriptions

* Move ip_cidr_set.go to pkg/ip/net_set.go

* Add more whitelist test use cases.

* Oops

* Use subtests for TestIPWhitelist

* Add minimal tests for ip.NetSet

* Use switch statment

* Renamed ip-whitelist to whitelist-ip

* Update documentation with a warning.

* Update pkg/apis/options/options.go

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix fmt

* Move ParseIPNet into abstraction

* Add warning in case of --reverse-proxy

* Update pkg/validation/options_test.go

* Rename --whitelist-ip to --trusted-ip

* Update oauthproxy.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-11 11:10:58 +01:00
4c1047866b fix: do not add Cache-Control header to response from auth only endpoint
fix #661
related #453
2020-07-06 19:04:31 +09:00
5ce9e75c21 Initialise Session Storage in NewOAuthProxy instead of validation 2020-06-28 12:32:06 +01:00
ee5662e0f5 Merge pull request from GHSA-5m6c-jp6f-2vcv
* Add more Open Redirect test cases

* Add whitelisted domain to test

* Add more test cases

* Improve invalid redirect regex
2020-06-27 12:07:24 +01:00