fix(proxy): do not pass unused credentials upstream #839
Fixes: #838
Description of the change:
Explicitly sets some flags on the OpenShift OAuth Proxy to prevent it from passing headers to upstream servers (Cryostat, Grafana dashboard, storage) containing Basic credentials or auth tokens which the upstreams do not use and should not have access to if they don't have a particular need.
According to https://oauth2-proxy.github.io/oauth2-proxy/configuration/alpha-config#removed-options, oauth2-proxy's equivalent flags are not accessible when using the alpha configuration. We use alpha configuration because it is the only way to turn on the proxyRawPath setting (https://oauth2-proxy.github.io/oauth2-proxy/configuration/alpha-config#upstreamconfig), which is the switch for this proxy to avoid the path encoding redirect bug. When using alpha configuration it seems that none of these flags are enabled by default; they must each be configured explicitly using the new https://oauth2-proxy.github.io/oauth2-proxy/configuration/alpha-config#header options.
Motivation for the change:
This enhances security, but also fixes a bug where Grafana 9 seems to attempt to validate credentials provided to it even if it is configured for anonymous access. Since we only configure it for anonymous access, passing along unexpected headers to it causes it to fail to evaluate these credentials and block the request, despite the anonymous access configuration.
How to manually test:
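For illustration of the alpha-config behaviour described above, here is an added oauth2-proxy alpha-config fragment; it is not the Cryostat project's own configuration, and the upstream ids, paths and URIs are assumed placeholders. It shows proxyRawPath enabled alongside an empty header-injection list, with the credential-forwarding entries that would recreate the removed legacy flags left commented out.

```yaml
# Added example, not the Cryostat project's configuration.
# Assumed placeholders: upstream ids, paths and URIs.

upstreamConfig:
  # Only reachable through alpha config: forward the request path as received
  # instead of re-encoding it (the path encoding redirect workaround).
  proxyRawPath: true
  upstreams:
    - id: cryostat          # assumed
      path: /
      uri: http://127.0.0.1:8181
    - id: grafana           # assumed
      path: /grafana/
      uri: http://127.0.0.1:3000

# Under alpha config no header reaches an upstream unless it is listed here.
# An empty list is the equivalent of the removed legacy flags
#   --pass-basic-auth=false --pass-access-token=false --pass-authorization-header=false
# and is what upstreams that do not validate credentials themselves should get.
injectRequestHeaders: []

# The entries below are what would forward credentials upstream. They stay
# commented out so Basic credentials and tokens never reach the upstreams.
#
# injectRequestHeaders:
#   - name: Authorization               # equivalent of --pass-authorization-header
#     values:
#       - claim: id_token
#         prefix: "Bearer "
#   - name: X-Forwarded-Access-Token    # equivalent of --pass-access-token
#     values:
#       - claim: access_token

# Headers returned to the browser are configured separately; none are needed.
injectResponseHeaders: []
```

If an upstream genuinely needs the caller's identity, inject only that (for example an X-Forwarded-User header from the user claim) rather than the token or Basic credentials.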