1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-24 08:52:25 +02:00
Commit Graph

1168 Commits

Author SHA1 Message Date
Joel Speed
d43b372ca9
Use bool pointers for upstream options that default to true 2020-07-19 14:01:36 +01:00
Joel Speed
6b27069812
Add changelog entry for integrating new upstream proxy 2020-07-19 14:01:36 +01:00
Joel Speed
71dc70222b
Break legacy upstream options into LegacyUpstreams struct 2020-07-19 14:01:36 +01:00
Joel Speed
5dbcd73722
Configure OAuth2 Proxy to use new upstreams package and LegacyConfig 2020-07-19 08:17:53 +01:00
Joel Speed
e932381ba7
Add LegacyOptions and conversion to new Options
This will be temporary until we switch to structured config, then we can remove the LegacyOptions and conversions
2020-07-19 08:17:53 +01:00
Joel Speed
e02f99eb58
Merge pull request #687 from oauth2-proxy/htpasswd-validator
Refactor HTPasswd Validator
2020-07-18 17:29:50 +01:00
Joel Speed
e73db7df7b
Add HTPasswd validator refactor to changelog 2020-07-18 11:01:49 +01:00
Joel Speed
2981a5ed1a
Integrate HTPasswdValidator into OAuth2 Proxy 2020-07-18 11:01:49 +01:00
Joel Speed
7d8ee61254
Add HTPasswdValidator to basic authentication package 2020-07-18 11:01:49 +01:00
devopsix
895403cb9b
Document what provider have support for --cookie-refresh. (#543)
Co-authored-by: Dirk Weinhardt <dirk.weinhardt@etl.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-15 00:05:13 +01:00
Nick Meves
abeb0236d8
Strip X-Forwarded auth headers from whitelisted paths (#624)
* Strip X-Forwarded auth headers from whitelisted paths

For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).

Only x-Forwarded headers stripped, left the Authorization header
untouched.

* Strip authorization header if it would be set

* Improve TestStripAuthHeaders test table

* Improve --skip-auth-strip-headers flag documentation
2020-07-14 23:46:44 +01:00
Nick Meves
bb5977095f
Add option to remove tokens from cookie sessions (#673)
* Add option to remove tokens from cookie sessions

* Move Minimal to be an option on CookieSession

* Add sessionOptionsDefaults helper
2020-07-14 23:02:10 +01:00
Nick Meves
a09eecc6a2
Reduce SessionState size better with MessagePack + LZ4 (#632)
* Encode sessions with MsgPack + LZ4

Assumes ciphers are now mandatory per #414. Cookie & Redis sessions
can fallback to V5 style JSON in error cases. TODO: session_state.go
unit tests & new unit tests for Legacy fallback scenarios.

* Only compress encoded sessions with Cookie Store

* Cleanup msgpack + lz4 error handling

* Change NewBase64Cipher to take in an existing Cipher

* Add msgpack & lz4 session state tests

* Add required options for oauthproxy tests

More aggressively assert.NoError on all
validation.Validate(opts) calls to enforce legal
options in all our tests.
Add additional NoError checks wherever error return
values were ignored.

* Remove support for uncompressed session state fields

* Improve error verbosity & add session state tests

* Ensure all marshalled sessions are valid

Invalid CFB decryptions can result in garbage data
that 1/100 times might cause message pack unmarshal
to not fail and instead return an empty session.
This adds more rigor to make sure legacy sessions
cause appropriate errors.

* Add tests for legacy V5 session decoding

Refactor common legacy JSON test cases to a
legacy helpers area under session store tests.

* Make ValidateSession a struct method & add CHANGELOG entry

* Improve SessionState error & comments verbosity

* Move legacy session test helpers to sessions pkg

Placing these helpers under the sessions pkg removed
all the circular import uses in housing it under the
session store area.

* Improve SignatureAuthenticator test helper formatting

* Make redis.legacyV5DecodeSession internal

* Make LegacyV5TestCase test table public for linter
2020-07-13 20:56:05 +01:00
mkontani
dd36138965
docs: Fix required ruby-version (#675)
* fix required ruby-version

Signed-off-by: mkontani <itoama@live.jp>

* add a changelog entry

Signed-off-by: mkontani <itoama@live.jp>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-12 16:09:34 +01:00
dreadnought
18716142b4
Use double dashes in service example (#678) 2020-07-12 15:50:19 +01:00
Joel Speed
19b5606126
Merge pull request #674 from oauth2-proxy/fix-changelog
Move changelog entry to correct release
2020-07-11 18:36:46 +01:00
Joel Speed
d1c7be565b
Move changelog entry to correct release
This changelog entry was merged into the wrong release, this puts it back to the correct release
2020-07-11 11:14:12 +01:00
Isabelle COWAN-BERGMAN
64ae31b5a0
Implements --trusted-ip option (#552)
* Implements --ip-whitelist option

* Included IPWhitelist option to allow one-or-more selected CIDR ranges
  to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.

* Renamed IPWhitelist ipCIDRSet

* Fixed unessesary pointer usage in ipCIDRSet

* Update CHANGELOG.md

* Update CHANGELOG.md

* Updated to not use err.Error() in printf statements

* Imrpoved language for --ip-whitelist descriptions.

* Improve IP whitelist options error messages

* Clarify options single-host normalization

* Wrote a book about ipCIDRSet

* Added comment to IsWhitelistedIP in oauthproxy.go

* Rewrite oauthproxy test case as table driven

* oops

* Support whitelisting by low-level remote address

* Added more test-cases, improved descriptions

* Move ip_cidr_set.go to pkg/ip/net_set.go

* Add more whitelist test use cases.

* Oops

* Use subtests for TestIPWhitelist

* Add minimal tests for ip.NetSet

* Use switch statment

* Renamed ip-whitelist to whitelist-ip

* Update documentation with a warning.

* Update pkg/apis/options/options.go

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix fmt

* Move ParseIPNet into abstraction

* Add warning in case of --reverse-proxy

* Update pkg/validation/options_test.go

* Rename --whitelist-ip to --trusted-ip

* Update oauthproxy.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-11 11:10:58 +01:00
Nick Meves
e6903d8c1f
Merge pull request #669 from oauth2-proxy/docker-ignore
Reduce docker context to improve build times
2020-07-07 13:43:38 -07:00
Joel Speed
7ffe9b7620
Reduce docker context to improve build times 2020-07-07 20:51:43 +01:00
Mariano Vallés
a999270cf3
Add req.host to targetURL when redirecting to https (#668)
* Add req.host to targetURL when redirecting to https

The req.URL.Host might not be present when redirecting to https if the
given req.URL is something like "/". In such scenario, the req.Host is
still present and valid.

This commit adds the original req.Host to the targetURL before returning
the 308 status, to avoid having a `Location: https:///` in the response.

* Bring back empty line

* Wrap the setting of targetURL.Host in a condition

* Add a comment to the test explaining why the redirectURL includes example.com

* Add changelog entry
2020-07-07 09:55:38 +01:00
Joel Speed
d29766609b
Merge pull request #660 from oauth2-proxy/request-builder
Use builder pattern to simplify requests to external endpoints
2020-07-06 21:01:55 +01:00
Joel Speed
de9e65a63a
Migrate all requests to result pattern 2020-07-06 20:38:00 +01:00
Joel Speed
d0b6c04960
Add tests for request result 2020-07-06 20:37:36 +01:00
Joel Speed
fbf4063245
Switch Builder.Do() to return a Result 2020-07-06 18:31:31 +01:00
Joel Speed
02410d3919
Update changelog to add request builder entry 2020-07-06 18:31:28 +01:00
Joel Speed
028a0ed62e
Remove old requests code 2020-07-06 18:31:11 +01:00
Joel Speed
53142455b6
Migrate all requests to new builder pattern 2020-07-06 18:31:09 +01:00
Joel Speed
21ef86b594
Add tests for the request builder 2020-07-06 18:29:58 +01:00
Joel Speed
0bc0feb4bb
Add request builder to simplify request handling 2020-07-06 18:29:57 +01:00
Joel Speed
9d39816709
Merge pull request #662 from johejo/issue-661
Do not add Cache-Control header to response from auth only endpoint
2020-07-06 14:33:36 +01:00
Joel Speed
830065a128
Merge branch 'master' into issue-661 2020-07-06 13:39:19 +01:00
Joel Speed
efa1e9b448
Merge pull request #663 from Jonher937/patch-1
Make example args a codeblock for OIDC Provider
2020-07-06 12:18:06 +01:00
Mitsuo Heijo
97ab3fa005 update CHANGELOG 2020-07-06 19:09:02 +09:00
Mitsuo Heijo
4c1047866b fix: do not add Cache-Control header to response from auth only endpoint
fix #661
related #453
2020-07-06 19:04:31 +09:00
Jonathan Herlin
416c8b0a5c
Make example args a codeblock
Making this a code block aligns with the rest of the examples and makes it easier to read
2020-07-06 12:04:16 +02:00
Joel Speed
215aeec8b9
Merge pull request #650 from jordancrawfordnz/issue-649
Only set healthcheck user agents when the ping-user-agent is set, and don't check blank user agents against healthcheck user agents
2020-07-06 09:00:13 +01:00
Jordan Crawford
6346dafc1e (#649) Remove blank helthcheck user agents and paths when setting up the healthcheck middleware
A blank user agent is considered == to an empty string. When no -ping-user-agent option is specified, this is considered to be an empty string.

This reveals two problems:
- When no ping-user-agent is specified, main.go sets up a health check user agent of ""
- When no user agent is specified, the empty string is still checked against the health check user agents.

Now the health check middleware ignores blank user agents and paths in order to sanitise it's input to avoid this issue.

Additional tests have been added to verify these situations.
2020-07-06 14:07:38 +12:00
Joel Speed
99481b3a39
Merge pull request #591 from oauth2-proxy/upstream-proxy
Introduce upstream package with new reverse proxy implementation
2020-07-05 20:36:47 +01:00
Joel Speed
37c76b6376
Update changelog to add upstream proxy entry 2020-07-05 10:22:24 +01:00
Joel Speed
5b95ed3033
Add tests for upstream package 2020-07-05 10:21:05 +01:00
Joel Speed
fa8e1ee033
Allow file server to handle windows filesystems 2020-07-05 10:21:05 +01:00
Joel Speed
e1c3e938cc
Add upstream package with Proxy server implementation 2020-07-05 10:21:05 +01:00
Joel Speed
b6b5194190
Add Upstreams options struct with validation 2020-07-05 10:21:05 +01:00
Joel Speed
fb1bef2757
Merge pull request #576 from oauth2-proxy/cookie-validation
Separate Cookie validation
2020-07-05 09:35:19 +01:00
Joel Speed
3e13f3197f
Ensure that cookie names over 256 characters are rejected by validation 2020-07-05 09:18:48 +01:00
Joel Speed
eb933cc3f4
Add changelog entry for cookie validation separation 2020-07-05 09:18:45 +01:00
Joel Speed
211fd3a010
Rename CookieOptions to Cookie 2020-07-05 09:18:21 +01:00
Joel Speed
285c65a2d4
Add tests for cookie validation
This also removes the check for the decoded from the valid secret size
check. The code was unreachable because encryption.SecretBytes will only
return the decoded secret if it was the right length after decoding.
2020-07-05 09:17:28 +01:00
Joel Speed
900061b88a
Move CookieOptions validation to it's own file 2020-07-05 09:17:28 +01:00