mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2024-11-24 08:52:25 +02:00
965fab422d
* Add API route config In addition to requests with Accept header `application/json` return 401 instead of 302 to login page on requests matching API paths regex. * Update changelog * Refactor * Remove unnecessary comment * Reorder checks * Lint Api -> API Co-authored-by: Sebastian Halder <sebastian.halder@boehringer-ingelheim.com>
81 lines
2.2 KiB
Go
81 lines
2.2 KiB
Go
package validation
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"regexp"
|
|
"strings"
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/ip"
|
|
)
|
|
|
|
func validateAllowlists(o *options.Options) []string {
|
|
msgs := []string{}
|
|
|
|
msgs = append(msgs, validateAuthRoutes(o)...)
|
|
msgs = append(msgs, validateAuthRegexes(o)...)
|
|
msgs = append(msgs, validateTrustedIPs(o)...)
|
|
|
|
if len(o.TrustedIPs) > 0 && o.ReverseProxy {
|
|
_, err := fmt.Fprintln(os.Stderr, "WARNING: mixing --trusted-ip with --reverse-proxy is a potential security vulnerability. An attacker can inject a trusted IP into an X-Real-IP or X-Forwarded-For header if they aren't properly protected outside of oauth2-proxy")
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
}
|
|
|
|
return msgs
|
|
}
|
|
|
|
// validateAuthRoutes validates method=path routes passed with options.SkipAuthRoutes
|
|
func validateAuthRoutes(o *options.Options) []string {
|
|
msgs := []string{}
|
|
for _, route := range o.SkipAuthRoutes {
|
|
var regex string
|
|
parts := strings.SplitN(route, "=", 2)
|
|
if len(parts) == 1 {
|
|
regex = parts[0]
|
|
} else {
|
|
regex = parts[1]
|
|
}
|
|
_, err := regexp.Compile(regex)
|
|
if err != nil {
|
|
msgs = append(msgs, fmt.Sprintf("error compiling regex /%s/: %v", regex, err))
|
|
}
|
|
}
|
|
return msgs
|
|
}
|
|
|
|
// validateRegex validates regex paths passed with options.SkipAuthRegex
|
|
func validateAuthRegexes(o *options.Options) []string {
|
|
return validateRegexes(o.SkipAuthRegex)
|
|
}
|
|
|
|
// validateTrustedIPs validates IP/CIDRs for IP based allowlists
|
|
func validateTrustedIPs(o *options.Options) []string {
|
|
msgs := []string{}
|
|
for i, ipStr := range o.TrustedIPs {
|
|
if nil == ip.ParseIPNet(ipStr) {
|
|
msgs = append(msgs, fmt.Sprintf("trusted_ips[%d] (%s) could not be recognized", i, ipStr))
|
|
}
|
|
}
|
|
return msgs
|
|
}
|
|
|
|
// validateAPIRoutes validates regex paths passed with options.ApiRoutes
|
|
func validateAPIRoutes(o *options.Options) []string {
|
|
return validateRegexes(o.APIRoutes)
|
|
}
|
|
|
|
// validateRegexes validates all regexes and returns a list of messages in case of error
|
|
func validateRegexes(regexes []string) []string {
|
|
msgs := []string{}
|
|
for _, regex := range regexes {
|
|
_, err := regexp.Compile(regex)
|
|
if err != nil {
|
|
msgs = append(msgs, fmt.Sprintf("error compiling regex /%s/: %v", regex, err))
|
|
}
|
|
}
|
|
return msgs
|
|
}
|