-
-
Notifications
You must be signed in to change notification settings - Fork 361
/
mutator_cookie.go
115 lines (89 loc) · 2.64 KB
/
mutator_cookie.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
// Copyright © 2023 Ory Corp
// SPDX-License-Identifier: Apache-2.0
package mutate
import (
"bytes"
"encoding/json"
"fmt"
"net/http"
"text/template"
"github.com/ory/oathkeeper/driver/configuration"
"github.com/ory/oathkeeper/pipeline"
"github.com/ory/oathkeeper/pipeline/authn"
"github.com/ory/oathkeeper/x"
"github.com/pkg/errors"
)
const cookieHeader = "Cookie"
type CredentialsCookiesConfig struct {
Cookies map[string]string `json:"cookies"`
}
type MutatorCookie struct {
t *template.Template
c configuration.Provider
}
func NewMutatorCookie(c configuration.Provider) *MutatorCookie {
return &MutatorCookie{c: c, t: x.NewTemplate("cookie")}
}
func (a *MutatorCookie) GetID() string {
return "cookie"
}
func (a *MutatorCookie) WithCache(t *template.Template) {
a.t = t
}
func (a *MutatorCookie) Mutate(r *http.Request, session *authn.AuthenticationSession, config json.RawMessage, rl pipeline.Rule) error {
// Cache request cookies
requestCookies := r.Cookies()
req := http.Request{Header: map[string][]string{}}
// Keep track of rule cookies in a map
cookies := map[string]bool{}
cfg, err := a.config(config)
if err != nil {
return err
}
for cookie, templateString := range cfg.Cookies {
var tmpl *template.Template
var err error
templateId := fmt.Sprintf("%s:%s", rl.GetID(), cookie)
tmpl = a.t.Lookup(templateId)
if tmpl == nil {
tmpl, err = a.t.New(templateId).Parse(templateString)
if err != nil {
return errors.Wrapf(err, `error parsing cookie template "%s" in rule "%s"`, templateString, rl.GetID())
}
}
cookieValue := bytes.Buffer{}
err = tmpl.Execute(&cookieValue, session)
if err != nil {
return errors.Wrapf(err, `error executing cookie template "%s" in rule "%s"`, templateString, rl.GetID())
}
req.AddCookie(&http.Cookie{
Name: cookie,
Value: cookieValue.String(),
})
cookies[cookie] = true
}
// Re-add previously set cookies that do not coincide with rule cookies
for _, cookie := range requestCookies {
// Test if cookie is handled by rule
if _, ok := cookies[cookie.Name]; !ok {
// Re-add cookie if not handled by rule
req.AddCookie(cookie)
}
}
session.SetHeader(cookieHeader, req.Header.Get(cookieHeader))
return nil
}
func (a *MutatorCookie) Validate(config json.RawMessage) error {
if !a.c.MutatorIsEnabled(a.GetID()) {
return NewErrMutatorNotEnabled(a)
}
_, err := a.config(config)
return err
}
func (a *MutatorCookie) config(config json.RawMessage) (*CredentialsCookiesConfig, error) {
var c CredentialsCookiesConfig
if err := a.c.MutatorConfig(a.GetID(), config, &c); err != nil {
return nil, NewErrMutatorMisconfigured(a, err)
}
return &c, nil
}