From 47daaf969abbfe4a261c3172306a5984eaca8a1d Mon Sep 17 00:00:00 2001 From: Jens L Date: Mon, 19 Sep 2022 21:38:34 +0200 Subject: [PATCH] outposts: fix oauth state when using signature routing (#3616) * fix oauth state when using signature routing Signed-off-by: Jens Langhammer * more retires Signed-off-by: Jens Langhammer Signed-off-by: Jens Langhammer --- internal/outpost/proxyv2/application/mode_forward.go | 12 ++++++------ internal/outpost/proxyv2/application/oauth.go | 2 +- .../outpost/proxyv2/application/oauth_callback.go | 10 +++++----- ldap.Dockerfile | 2 +- proxy.Dockerfile | 2 +- 5 files changed, 14 insertions(+), 14 deletions(-) diff --git a/internal/outpost/proxyv2/application/mode_forward.go b/internal/outpost/proxyv2/application/mode_forward.go index 930999e05..37ba929fb 100644 --- a/internal/outpost/proxyv2/application/mode_forward.go +++ b/internal/outpost/proxyv2/application/mode_forward.go @@ -37,9 +37,11 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque http.Error(rw, "configuration error", http.StatusInternalServerError) return } + tr := r.Clone(r.Context()) + tr.URL = fwd if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") { a.log.Debug("handling OAuth Callback from querystring signature") - a.handleAuthCallback(rw, r) + a.handleAuthCallback(rw, tr) return } else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") { a.log.Debug("handling OAuth Logout from querystring signature") @@ -57,8 +59,6 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque a.log.Trace("path can be accessed without authentication") return } - tr := r.Clone(r.Context()) - tr.URL = fwd a.handleAuthStart(rw, r) // set the redirect flag to the current URL we have, since we redirect // to a (possibly) different domain, but we want to be redirected back @@ -88,9 +88,11 @@ func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request http.Error(rw, "configuration error", http.StatusInternalServerError) return } + tr := r.Clone(r.Context()) + tr.URL = fwd if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") { a.log.Debug("handling OAuth Callback from querystring signature") - a.handleAuthCallback(rw, r) + a.handleAuthCallback(rw, tr) return } else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") { a.log.Debug("handling OAuth Logout from querystring signature") @@ -108,8 +110,6 @@ func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request a.log.Trace("path can be accessed without authentication") return } - tr := r.Clone(r.Context()) - tr.URL = fwd a.handleAuthStart(rw, r) // set the redirect flag to the current URL we have, since we redirect // to a (possibly) different domain, but we want to be redirected back diff --git a/internal/outpost/proxyv2/application/oauth.go b/internal/outpost/proxyv2/application/oauth.go index b9e246976..5f3b5212e 100644 --- a/internal/outpost/proxyv2/application/oauth.go +++ b/internal/outpost/proxyv2/application/oauth.go @@ -78,7 +78,7 @@ func (a *Application) handleAuthCallback(rw http.ResponseWriter, r *http.Request http.Redirect(rw, r, a.proxyConfig.ExternalHost, http.StatusFound) return } - claims, err := a.redeemCallback(r, state.([]string)) + claims, err := a.redeemCallback(state.([]string), r.URL, r.Context()) if err != nil { a.log.WithError(err).Warning("failed to redeem code") rw.WriteHeader(400) diff --git a/internal/outpost/proxyv2/application/oauth_callback.go b/internal/outpost/proxyv2/application/oauth_callback.go index eff50120b..f32a1cc42 100644 --- a/internal/outpost/proxyv2/application/oauth_callback.go +++ b/internal/outpost/proxyv2/application/oauth_callback.go @@ -3,14 +3,14 @@ package application import ( "context" "fmt" - "net/http" + "net/url" log "github.com/sirupsen/logrus" "golang.org/x/oauth2" ) -func (a *Application) redeemCallback(r *http.Request, states []string) (*Claims, error) { - state := r.URL.Query().Get("state") +func (a *Application) redeemCallback(states []string, u *url.URL, c context.Context) (*Claims, error) { + state := u.Query().Get("state") if len(states) < 1 { return nil, fmt.Errorf("no states") } @@ -29,12 +29,12 @@ func (a *Application) redeemCallback(r *http.Request, states []string) (*Claims, return nil, fmt.Errorf("invalid state") } - code := r.URL.Query().Get("code") + code := u.Query().Get("code") if code == "" { return nil, fmt.Errorf("blank code") } - ctx := context.WithValue(r.Context(), oauth2.HTTPClient, a.httpClient) + ctx := context.WithValue(c, oauth2.HTTPClient, a.httpClient) // Verify state and errors. oauth2Token, err := a.oauthConfig.Exchange(ctx, code) if err != nil { diff --git a/ldap.Dockerfile b/ldap.Dockerfile index bfcc3dae6..170aad7cd 100644 --- a/ldap.Dockerfile +++ b/ldap.Dockerfile @@ -19,7 +19,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH COPY --from=builder /go/ldap / -HEALTHCHECK --interval=5s --retries=10 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ] +HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ] EXPOSE 3389 6636 9300 diff --git a/proxy.Dockerfile b/proxy.Dockerfile index 6a5da8b3d..0cb525552 100644 --- a/proxy.Dockerfile +++ b/proxy.Dockerfile @@ -32,7 +32,7 @@ COPY --from=web-builder /static/security.txt /web/security.txt COPY --from=web-builder /static/dist/ /web/dist/ COPY --from=web-builder /static/authentik/ /web/authentik/ -HEALTHCHECK --interval=5s --retries=10 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ] +HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ] EXPOSE 9000 9300 9443