From d0d3072c50309516a3ceba3d4ddd71b634f1b23c Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Sun, 16 May 2021 00:01:16 +0200
Subject: [PATCH 1/2] outposts/ldap: fix AUTHENTIK_INSECURE not being respected for API client during bind
Signed-off-by: Jens Langhammer
---
 outpost/pkg/ak/api.go | 2 +-
 outpost/pkg/ak/global.go | 3 ++-
 outpost/pkg/ldap/api.go | 10 +++++++---
 outpost/pkg/ldap/instance_bind.go | 4 +++-
 4 files changed, 13 insertions(+), 6 deletions(-)
diff --git a/outpost/pkg/ak/api.go b/outpost/pkg/ak/api.go
index 413a8afaf..1e18eb3bc 100644
--- a/outpost/pkg/ak/api.go
+++ b/outpost/pkg/ak/api.go
@@ -42,7 +42,7 @@ type APIController struct {
 // NewAPIController initialise new API Controller instance from URL and API token
 func NewAPIController(akURL url.URL, token string) *APIController {
 transport := httptransport.New(akURL.Host, client.DefaultBasePath, []string{akURL.Scheme})
- transport.Transport = SetUserAgent(getTLSTransport(), pkg.UserAgent())
+ transport.Transport = SetUserAgent(GetTLSTransport(), pkg.UserAgent())
 // create the transport
 auth := httptransport.BearerToken(token)
diff --git a/outpost/pkg/ak/global.go b/outpost/pkg/ak/global.go
index b446075c5..51ee640cd 100644
--- a/outpost/pkg/ak/global.go
+++ b/outpost/pkg/ak/global.go
@@ -52,7 +52,8 @@ func doGlobalSetup(config map[string]interface{}) {
 defer sentry.Flush(2 * time.Second)
 }
-func getTLSTransport() http.RoundTripper {
+// GetTLSTransport Get a TLS transport instance, that skips verification if configured via environment variables.
+func GetTLSTransport() http.RoundTripper {
 value, set := os.LookupEnv("AUTHENTIK_INSECURE")
 if !set {
 value = "false"
diff --git a/outpost/pkg/ldap/api.go b/outpost/pkg/ldap/api.go
index d6b6f1657..69203cbda 100644
--- a/outpost/pkg/ldap/api.go
+++ b/outpost/pkg/ldap/api.go
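Review bot: The new doc comment on `GetTLSTransport` in global.go is a sentence fragment ("GetTLSTransport Get a TLS transport instance, that skips…") and does not name the setting that weakens verification, which is the one thing an operator auditing this exported function needs to see; the body directly below reads `AUTHENTIK_INSECURE`, so the comment should say so, e.g. `// GetTLSTransport returns an http.RoundTripper that skips TLS certificate verification when the AUTHENTIK_INSECURE environment variable is set (see the body for how the value is parsed).` Go convention also drops the `Get` prefix (`TLSTransport()`), though since this commit introduces the exported name and the ldap package now depends on it, renaming is a judgement call. The function body continues outside the hunk, so I cannot tell whether the insecure branch logs; if it does not, a warning when verification is disabled would make that state visible in startup logs. The ak/api.go hunk is only the renamed call site and needs nothing further.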
@@ -55,14 +55,18 @@ func (ls *LDAPServer) Start() error {
 type transport struct {
 headers map[string]string
+ inner http.RoundTripper
 }
 func (t *transport) RoundTrip(req *http.Request) (*http.Response, error) {
 for key, value := range t.headers {
 req.Header.Add(key, value)
 }
- return http.DefaultTransport.RoundTrip(req)
+ return t.inner.RoundTrip(req)
 }
-func newTransport(headers map[string]string) *transport {
- return &transport{headers}
+func newTransport(inner http.RoundTripper, headers map[string]string) *transport {
+ return &transport{
+ inner: inner,
+ headers: headers,
+ }
 }
diff --git a/outpost/pkg/ldap/instance_bind.go b/outpost/pkg/ldap/instance_bind.go
index b9a860854..915d2b34a 100644
--- a/outpost/pkg/ldap/instance_bind.go
+++ b/outpost/pkg/ldap/instance_bind.go
@@ -14,6 +14,8 @@ import (
 goldap "github.com/go-ldap/ldap/v3"
 httptransport "github.com/go-openapi/runtime/client"
 "github.com/nmcclain/ldap"
+ "goauthentik.io/outpost/pkg"
+ "goauthentik.io/outpost/pkg/ak"
 "goauthentik.io/outpost/pkg/client/core"
 "goauthentik.io/outpost/pkg/client/flows"
 "goauthentik.io/outpost/pkg/models"
@@ -61,7 +63,7 @@ func (pi *ProviderInstance) Bind(username string, bindDN, bindPW string, conn ne
 // Create new http client that also sets the correct ip
 client := &http.Client{
 Jar: jar,
- Transport: newTransport(map[string]string{
+ Transport: newTransport(ak.SetUserAgent(ak.GetTLSTransport(), pkg.UserAgent()), map[string]string{
 "X-authentik-remote-ip": host,
 }),
 }
From 8d2a3b67b91f0d1ad64e736e4f52c3917b14adc3 Mon Sep 17 00:00:00 2001
From: Tom Pansino <2768420+tpansino@users.noreply.github.com>
Date: Sun, 16 May 2021 12:10:31 -0700
Subject: [PATCH 2/2] lib: Fix config loading of secrets from files (#887)
---
 authentik/lib/config.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/authentik/lib/config.py b/authentik/lib/config.py
index 9980b5dc8..41f51595e 100644
--- a/authentik/lib/config.py
+++ b/authentik/lib/config.py
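Review bot: `newTransport` now stores whatever `inner` it is handed and `RoundTrip` dereferences it unconditionally, so a nil `inner` — which previously meant "use `http.DefaultTransport`" — now panics on the first request instead of degrading to the old default. A guard in the constructor keeps the previous behaviour while still honouring an injected transport: `if inner == nil { inner = http.DefaultTransport }` before the `return &transport{...}`. `RoundTrip` also still mutates the caller's request through `req.Header.Add`, which the `http.RoundTripper` contract asks implementations not to do; that predates this commit, but since the method is being touched, `req = req.Clone(req.Context())` before the header loop would bring it in line.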
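Review bot: The changed line in `Bind` (instance_bind.go) builds a fresh `ak.GetTLSTransport()`, wrapped by `ak.SetUserAgent`, on every bind, inside an `http.Client` that is itself created per call. If `GetTLSTransport` returns a new `*http.Transport` each time (its body lives in global.go and is outside this hunk), every bind gets its own connection pool, so the TLS handshake to the authentik API is repeated for each authentication and idle connections from earlier binds linger until their idle timeout, which under a burst of binds is a file-descriptor and latency cost. Creating the round-tripper once per `ProviderInstance` (or once at package level) and passing that field into `newTransport(...)` here — e.g. `Transport: newTransport(pi.apiTransport, map[string]string{` with `apiTransport` a constructed name — preserves the fix while keeping connection reuse. The import hunk above it is trivial. `Bind` starts and continues outside the hunk.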
@@ -88,10 +88,10 @@ class ConfigLoader:
 value = os.getenv(url.netloc, url.query)
 if url.scheme == "file":
 try:
- with open(url.netloc, "r") as _file:
+ with open(url.path, "r") as _file:
 value = _file.read()
 except OSError:
- self._log("error", f"Failed to read config value from {url.netloc}")
+ self._log("error", f"Failed to read config value from {url.path}")
 value = url.query
 return value
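Review bot: Switching `open(url.netloc, "r")` to `open(url.path, "r")` fixes `file:///abs/path` but silently breaks the form the old code accepted: for `file://name`, `urlparse` puts `name` in `netloc` and leaves `path` empty, so the new code calls `open("")`, hits `OSError`, logs an error with an empty path, and falls through to `value = url.query` — a secret whose file URI is in the legacy form therefore degrades to its default (often empty) rather than failing loudly. A check before the `open` makes that misconfiguration visible: `if url.netloc: self._log("warning", f"file URI has a host part {url.netloc!r}; use file:///absolute/path")`, and the error message on the second changed line should include `url.netloc` alongside `url.path` for the same reason. The fallback to `url.query` on any read failure predates this commit, but for secret values an unreadable file probably deserves a hard error rather than a default. The enclosing method starts outside the hunk.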