go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-01-24 05:26:55 +02:00
Code Issues Releases Activity
oauth2-proxy/pkg/util/util.go
emsixteeen a5006fd606
Issue: 2236 - adds an option to append CA certificates (#2237) 
* adding append option for custom CA certs

* updated test for changed GetCertPool signature, added testing to check functionality of empty and non-empty store

* adding legacy options as well

* update associated documentation

* fixing code climate complaints - reduce number of return statements

* Apply suggestions from code review

Changes caFilesAppend (and variants) to useSystemTrustStore

Co-authored-by: Jan Larwig <jan@larwig.com>

* Apply suggestions from code review

Fixes extra whitespaces and grammar.

Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com>

* fix indentation

* update changelog

---------

Co-authored-by: Jan Larwig <jan@larwig.com>
Co-authored-by: Koen van Zuijlen <8818390+kvanzuijlen@users.noreply.github.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2023-10-25 11:36:17 +01:00

194 lines
5.0 KiB
Go
Raw Blame History

package util
import (
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"crypto/x509/pkix"
"fmt"
"math/big"
"net"
"net/url"
"os"
"strings"
"time"
)
func GetCertPool(paths []string, useSystemPool bool) (*x509.CertPool, error) {
if len(paths) == 0 {
return nil, fmt.Errorf("invalid empty list of Root CAs file paths")
}
var pool *x509.CertPool
if useSystemPool {
rootPool, err := getSystemCertPool()
if err != nil {
return nil, fmt.Errorf("unable to get SystemCertPool when append is true - #{err}")
}
pool = rootPool
} else {
pool = x509.NewCertPool()
}
return loadCertsFromPaths(paths, pool)
}
func getSystemCertPool() (*x509.CertPool, error) {
rootPool, err := x509.SystemCertPool()
if err != nil {
return nil, err
}
if rootPool == nil {
return nil, fmt.Errorf("SystemCertPool is empty")
}
return rootPool, nil
}
func loadCertsFromPaths(paths []string, pool *x509.CertPool) (*x509.CertPool, error) {
for _, path := range paths {
// Cert paths are a configurable option
data, err := os.ReadFile(path) // #nosec G304
if err != nil {
return nil, fmt.Errorf("certificate authority file (%s) could not be read - %s", path, err)
}
if !pool.AppendCertsFromPEM(data) {
return nil, fmt.Errorf("loading certificate authority (%s) failed", path)
}
}
return pool, nil
}
// https://golang.org/src/crypto/tls/generate_cert.go as a function
func GenerateCert(ipaddr string) ([]byte, []byte, error) {
var err error
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
return nil, nil, err
}
keyBytes, err := x509.MarshalPKCS8PrivateKey(priv)
if err != nil {
return nil, keyBytes, err
}
serialNumber, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
if err != nil {
return nil, keyBytes, err
}
notBefore := time.Now()
template := x509.Certificate{
SerialNumber: serialNumber,
Subject: pkix.Name{
Organization: []string{"OAuth2 Proxy Test Suite"},
},
NotBefore: notBefore,
NotAfter: notBefore.Add(time.Hour),
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
IPAddresses: []net.IP{net.ParseIP(ipaddr)},
}
certBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
return certBytes, keyBytes, err
}
// SplitHostPort separates host and port. If the port is not valid, it returns
// the entire input as host, and it doesn't check the validity of the host.
// Unlike net.SplitHostPort, but per RFC 3986, it requires ports to be numeric.
// *** taken from net/url, modified validOptionalPort() to accept ":*"
func SplitHostPort(hostport string) (host, port string) {
host = hostport
colon := strings.LastIndexByte(host, ':')
if colon != -1 && validOptionalPort(host[colon:]) {
host, port = host[:colon], host[colon+1:]
}
if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") {
host = host[1 : len(host)-1]
}
return
}
// validOptionalPort reports whether port is either an empty string
// or matches /^:\d*$/
// *** taken from net/url, modified to accept ":*"
func validOptionalPort(port string) bool {
if port == "" || port == ":*" {
return true
}
if port[0] != ':' {
return false
}
for _, b := range port[1:] {
if b < '0' || b > '9' {
return false
}
}
return true
}
// IsEndpointAllowed checks whether the endpoint URL is allowed based
// on an allowed domains list.
func IsEndpointAllowed(endpoint *url.URL, allowedDomains []string) bool {
hostname := endpoint.Hostname()
for _, allowedDomain := range allowedDomains {
allowedHost, allowedPort := SplitHostPort(allowedDomain)
if allowedHost == "" {
continue
}
if isHostnameAllowed(hostname, allowedHost) {
// the domain names match, now validate the ports
// if the allowed domain's port is '*', allow all ports
// if the allowed domain contains a specific port, only allow that port
// if the allowed domain doesn't contain a port at all, only allow empty redirect ports ie http and https
redirectPort := endpoint.Port()
if allowedPort == "*" ||
allowedPort == redirectPort ||
(allowedPort == "" && redirectPort == "") {
return true
}
}
}
return false
}
func isHostnameAllowed(hostname, allowedHost string) bool {
// check if we have a perfect match between hostname and allowedHost
if hostname == strings.TrimPrefix(allowedHost, ".") ||
hostname == strings.TrimPrefix(allowedHost, "*.") {
return true
}
// check if hostname is a sub domain of the allowedHost
if (strings.HasPrefix(allowedHost, ".") && strings.HasSuffix(hostname, allowedHost)) ||
(strings.HasPrefix(allowedHost, "*.") && strings.HasSuffix(hostname, allowedHost[1:])) {
return true
}
return false
}
// RemoveDuplicateStr removes duplicates from a slice of strings.
func RemoveDuplicateStr(strSlice []string) []string {
allKeys := make(map[string]struct{})
var list []string
for _, item := range strSlice {
if _, ok := allKeys[item]; !ok {
allKeys[item] = struct{}{}
list = append(list, item)
}
}
return list
}
Reference in New Issue View Git Blame Copy Permalink