outposts/proxy: match skipPathRegex against full URL on domain auth

closes #1955

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens Langhammer 2021-12-18 15:50:42 +01:00
parent d66f13c249
commit 7a73ddfb60
6 changed files with 95 additions and 17 deletions


@ -180,8 +180,14 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
func (a *Application) IsAllowlisted(r *http.Request) bool { func (a *Application) IsAllowlisted(r *http.Request) bool {
for _, u := range a.UnauthenticatedRegex { for _, u := range a.UnauthenticatedRegex {
a.log.WithField("regex", u.String()).WithField("url", r.URL.Path).Trace("Matching URL against allow list") var testString string
if u.MatchString(r.URL.Path) { if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
testString = r.URL.Path
} else {
testString = r.URL.String()
}
a.log.WithField("regex", u.String()).WithField("url", testString).Trace("Matching URL against allow list")
if u.MatchString(testString) {
return true return true
} }
} }
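Review bot: In domain mode the string handed to the allow list is `r.URL.String()`, which carries the query string and fragment, and `u.MatchString` is an unanchored search, so an entry such as `/healthz` also matches `https://app.example.com/admin?next=/healthz` and skips authentication for a request the operator never meant to expose. Because the query is chosen by the caller, I would match on a copy with those parts cleared in the `else` branch — `u := *r.URL`, `u.RawQuery, u.Fragment = "", ""`, `testString = u.String()` — or, if matching the query is intentional, state in the field's help text that every expression must be anchored with `^` and `$`. The trace log on the same path now records the full URL, including any query parameters, which is worth a second look if sensitive values ever travel there. `a.Mode()` is also re-evaluated on every loop iteration and could be hoisted above the `for`. The function's remaining lines, including its final return, lie outside the hunk.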


@ -3772,8 +3772,12 @@ msgid "Register device"
msgstr "Register device" msgstr "Register device"
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression." #~ msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression." #~ msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
#: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression."
msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression."
#: src/pages/users/UserListPage.ts #: src/pages/users/UserListPage.ts
msgid "Regular user" msgid "Regular user"
@ -4255,8 +4259,8 @@ msgid "Single use"
msgstr "Single use" msgstr "Single use"
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Skip path regex" #~ msgid "Skip path regex"
msgstr "Skip path regex" #~ msgstr "Skip path regex"
#: src/pages/applications/ApplicationForm.ts #: src/pages/applications/ApplicationForm.ts
#: src/pages/applications/ApplicationListPage.ts #: src/pages/applications/ApplicationListPage.ts
@ -5246,6 +5250,14 @@ msgstr "URL used by authentik to retrieve tokens."
msgid "URL used to request the initial token. This URL is only required for OAuth 1." msgid "URL used to request the initial token. This URL is only required for OAuth 1."
msgstr "URL used to request the initial token. This URL is only required for OAuth 1." msgstr "URL used to request the initial token. This URL is only required for OAuth 1."
#: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Unauthenticated Paths"
msgstr "Unauthenticated Paths"
#: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Unauthenticated URLs"
msgstr "Unauthenticated URLs"
#: src/pages/admin-overview/charts/PolicyStatusChart.ts #: src/pages/admin-overview/charts/PolicyStatusChart.ts
msgid "Unbound policies" msgid "Unbound policies"
msgstr "Unbound policies" msgstr "Unbound policies"
@ -5861,6 +5873,10 @@ msgstr "When used in conjunction with a User Write stage, use attributes.foo to
msgid "When using an external logging solution for archiving, this can be set to \"minutes=5\"." msgid "When using an external logging solution for archiving, this can be set to \"minutes=5\"."
msgstr "When using an external logging solution for archiving, this can be set to \"minutes=5\"." msgstr "When using an external logging solution for archiving, this can be set to \"minutes=5\"."
#: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions."
msgstr "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions."
#: src/flows/FlowExecutor.ts #: src/flows/FlowExecutor.ts
msgid "Whoops!" msgid "Whoops!"
msgstr "Whoops!" msgstr "Whoops!"


@ -3743,8 +3743,12 @@ msgid "Register device"
msgstr "Enregistrer un appareil" msgstr "Enregistrer un appareil"
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression." #~ msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
msgstr "Expression régulière pour laquelle l'authentification n'est pas nécessaire. Chaque nouvelle ligne est interprétée comme une nouvelle expression régulière." #~ msgstr "Expression régulière pour laquelle l'authentification n'est pas nécessaire. Chaque nouvelle ligne est interprétée comme une nouvelle expression régulière."
#: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression."
msgstr ""
#: src/pages/users/UserListPage.ts #: src/pages/users/UserListPage.ts
msgid "Regular user" msgid "Regular user"
@ -4218,8 +4222,8 @@ msgid "Single use"
msgstr "Usage unique" msgstr "Usage unique"
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Skip path regex" #~ msgid "Skip path regex"
msgstr "Regex chemins exclus" #~ msgstr "Regex chemins exclus"
#: src/pages/applications/ApplicationForm.ts #: src/pages/applications/ApplicationForm.ts
#: src/pages/applications/ApplicationListPage.ts #: src/pages/applications/ApplicationListPage.ts
@ -5187,6 +5191,14 @@ msgstr "URL utilisée par authentik pour récupérer les jetons."
msgid "URL used to request the initial token. This URL is only required for OAuth 1." msgid "URL used to request the initial token. This URL is only required for OAuth 1."
msgstr "URL utilisée pour demander le jeton initial. Cette URL est uniquement requise pour OAuth 1." msgstr "URL utilisée pour demander le jeton initial. Cette URL est uniquement requise pour OAuth 1."
#: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Unauthenticated Paths"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Unauthenticated URLs"
msgstr ""
#: src/pages/admin-overview/charts/PolicyStatusChart.ts #: src/pages/admin-overview/charts/PolicyStatusChart.ts
msgid "Unbound policies" msgid "Unbound policies"
msgstr "Politiques non liées" msgstr "Politiques non liées"
@ -5799,6 +5811,10 @@ msgstr ""
msgid "When using an external logging solution for archiving, this can be set to \"minutes=5\"." msgid "When using an external logging solution for archiving, this can be set to \"minutes=5\"."
msgstr "En cas d'utilisation d'une solution de journalisation externe pour l'archivage, cette valeur peut être fixée à \"minutes=5\"." msgstr "En cas d'utilisation d'une solution de journalisation externe pour l'archivage, cette valeur peut être fixée à \"minutes=5\"."
#: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions."
msgstr ""
#: src/flows/FlowExecutor.ts #: src/flows/FlowExecutor.ts
msgid "Whoops!" msgid "Whoops!"
msgstr "Oups !" msgstr "Oups !"


@ -3762,7 +3762,11 @@ msgid "Register device"
msgstr "" msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression." #~ msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
#~ msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression."
msgstr "" msgstr ""
#: src/pages/users/UserListPage.ts #: src/pages/users/UserListPage.ts
@ -4245,8 +4249,8 @@ msgid "Single use"
msgstr "" msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts #: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Skip path regex" #~ msgid "Skip path regex"
msgstr "" #~ msgstr ""
#: src/pages/applications/ApplicationForm.ts #: src/pages/applications/ApplicationForm.ts
#: src/pages/applications/ApplicationListPage.ts #: src/pages/applications/ApplicationListPage.ts
@ -5226,6 +5230,14 @@ msgstr ""
msgid "URL used to request the initial token. This URL is only required for OAuth 1." msgid "URL used to request the initial token. This URL is only required for OAuth 1."
msgstr "" msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Unauthenticated Paths"
msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "Unauthenticated URLs"
msgstr ""
#: src/pages/admin-overview/charts/PolicyStatusChart.ts #: src/pages/admin-overview/charts/PolicyStatusChart.ts
msgid "Unbound policies" msgid "Unbound policies"
msgstr "" msgstr ""
@ -5841,6 +5853,10 @@ msgstr ""
msgid "When using an external logging solution for archiving, this can be set to \"minutes=5\"." msgid "When using an external logging solution for archiving, this can be set to \"minutes=5\"."
msgstr "" msgstr ""
#: src/pages/providers/proxy/ProxyProviderForm.ts
msgid "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions."
msgstr ""
#: src/flows/FlowExecutor.ts #: src/flows/FlowExecutor.ts
msgid "Whoops!" msgid "Whoops!"
msgstr "" msgstr ""


@ -401,12 +401,20 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
</p> </p>
</ak-form-element-horizontal> </ak-form-element-horizontal>
<ak-form-element-horizontal label=${t`Skip path regex`} name="skipPathRegex"> <ak-form-element-horizontal
label="${this.mode === ProxyMode.ForwardDomain
? t`Unauthenticated URLs`
: t`Unauthenticated Paths`}${t``}"
name="skipPathRegex"
>
<textarea class="pf-c-form-control"> <textarea class="pf-c-form-control">
${this.instance?.skipPathRegex}</textarea ${this.instance?.skipPathRegex}</textarea
> >
<p class="pf-c-form__helper-text"> <p class="pf-c-form__helper-text">
${t`Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression.`} ${t`Regular expressions for which authentication is not required. Each new line is interpreted as a new expression.`}
</p>
<p class="pf-c-form__helper-text">
${t`When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions.`}
</p> </p>
</ak-form-element-horizontal> </ak-form-element-horizontal>
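Review bot: The label attribute ends in a stray `${t``}` after the mode-dependent ternary; it adds nothing to the rendered label and extracts an empty msgid into every catalog. Dropping it leaves `label="${this.mode === ProxyMode.ForwardDomain ? t`Unauthenticated URLs` : t`Unauthenticated Paths`}"`. The new helper paragraph is a good addition, but since the outpost matches these expressions unanchored, one more sentence telling operators to begin each expression with `^` (and end with `$` where a prefix match is not wanted) would head off the most likely misconfiguration, especially now that the full URL is matched in domain mode. The enclosing render method starts and ends outside the hunk.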


@ -46,7 +46,7 @@ Besides these user-specific headers, some application specific headers are also
The authentik outpost's version. The authentik outpost's version.
# HTTPS ## HTTPS
The outpost listens on both 9000 for HTTP and 9443 for HTTPS. The outpost listens on both 9000 for HTTP and 9443 for HTTPS.
@ -54,7 +54,7 @@ The outpost listens on both 9000 for HTTP and 9443 for HTTPS.
If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too. If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too.
::: :::
# Logging out ## Logging out
Login is done automatically when you visit the domain without a valid cookie. Login is done automatically when you visit the domain without a valid cookie.
@ -63,3 +63,19 @@ When using single-application mode, navigate to `app.domain.tld/akprox/sign_out`
When using domain-level mode, navigate to `auth.domain.tld/akprox/sign_out`, where auth.domain.tld is the external host configured for the provider. When using domain-level mode, navigate to `auth.domain.tld/akprox/sign_out`, where auth.domain.tld is the external host configured for the provider.
To log out, navigate to `/akprox/sign_out`. To log out, navigate to `/akprox/sign_out`.
## Allowing unauthenticated requests
To allow un-authenticated requests to certain paths/URLs, you can use the *Unauthenticated URLs* / *Unauthenticated Paths* field.
Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser.
The behaviour of this field changes depending on which mode you're in.
### Proxy and Forward auth (single application)
In this mode, the regular expressions are matched against the Request's Path.
### Forward auth (domain level)
In this mode, the regular expressions are matched against the Request's full URL.