feat: pass only essential and configured headers to authenticator #952

Merged
merged 42 commits into from
Jun 23, 2022
f0cb78f
fix: added gzip support for cookie_session authenticator
gen1us2k Apr 11, 2022
6999a5f
fix: added proxy_headers config variable for authenticators
gen1us2k May 9, 2022
5b94457
fix: better design for forwardRequestToSessionStore
gen1us2k May 9, 2022
50f01b1
fix: better solution to convert array to map
gen1us2k May 10, 2022
85d391d
renamed field
gen1us2k May 13, 2022
0cceab9
added header package to improve readability
gen1us2k May 13, 2022
6cbc29a
fixed build
gen1us2k May 13, 2022
f4b9936
updated schema
gen1us2k May 13, 2022
4f5d8af
removed old test
gen1us2k May 13, 2022
5c35b6d
added tests
gen1us2k May 13, 2022
27e785a
better backwards compatibility
gen1us2k May 23, 2022
e456520
Merge branch 'master' into gzip_support
gen1us2k May 23, 2022
0a9c066
fix: added gzip support for cookie_session authenticator
gen1us2k Apr 11, 2022
9906ce4
fix: added proxy_headers config variable for authenticators
gen1us2k May 9, 2022
198902c
fix: better design for forwardRequestToSessionStore
gen1us2k May 9, 2022
134c9dc
fix: better solution to convert array to map
gen1us2k May 10, 2022
eea93ee
renamed field
gen1us2k May 13, 2022
3d4333d
added header package to improve readability
gen1us2k May 13, 2022
6f0982f
fixed build
gen1us2k May 13, 2022
8941f8b
updated schema
gen1us2k May 13, 2022
9417a30
removed old test
gen1us2k May 13, 2022
81c0fae
added tests
gen1us2k May 13, 2022
aeba3ce
better backwards compatibility
gen1us2k May 23, 2022
b671e8b
Update pipeline/authn/authenticator_cookie_session.go
gen1us2k May 30, 2022
f7f6da9
Merge
gen1us2k May 30, 2022
0ca5c51
Small refactoring
gen1us2k May 30, 2022
339e8e7
fix: Don't use maps anymore
gen1us2k Jun 9, 2022
affc702
Merge branch 'master' into gzip_support
gen1us2k Jun 9, 2022
0bbc5fd
Small fixes
gen1us2k Jun 10, 2022
da038f8
fixed test
gen1us2k Jun 10, 2022
690d766
Merge branch 'master' into gzip_support
gen1us2k Jun 21, 2022
ba19be3
chore: code review
aeneasr Jun 23, 2022
afaf5af
Remove header constants
gen1us2k Jun 23, 2022
fe4bd05
fixed tests. Check only canonical header names
gen1us2k Jun 23, 2022
5e16805
Merge branch 'master' into gzip_support
gen1us2k Jun 23, 2022
046422f
Drop header values
gen1us2k Jun 23, 2022
f2d31ea
Added tests for the cookie session authenticator
gen1us2k Jun 23, 2022
a19b283
Added test for token authenticator
gen1us2k Jun 23, 2022
c66ba2a
run prettifier
gen1us2k Jun 23, 2022
ab72681
Fixed linter
gen1us2k Jun 23, 2022
4b735e3
Drop dead headers
gen1us2k Jun 23, 2022
028c091
not canonical header
gen1us2k Jun 23, 2022
added tests
gen1us2k authored and aeneasr committed May 26, 2022
commit 81c0fae513ec57682d559368f1492772d8c587ed
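--- a/pipeline/authn/authenticator_cookie_session.go
+++ b/pipeline/authn/authenticator_cookie_session.go
@@ -152,17 +152,41 @@ func cookieSessionResponsible(r *http.Request, only []string) bool {
 }
 
 func forwardRequestToSessionStore(r *http.Request, cf *AuthenticatorForwardConfig) (json.RawMessage, error) {
-reqUrl, err := url.Parse(cf.CheckSessionURL)
+req, err := PrepareRequest(r, cf)
 if err != nil {
-return nil, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to parse session check URL: %s", err))
+return nil, err
 }
 
+res, err := http.DefaultClient.Do(req.WithContext(r.Context()))
+if err != nil {
+return nil, helper.ErrForbidden.WithReason(err.Error()).WithTrace(err)
+}
+
+defer res.Body.Close()
+
+if res.StatusCode == http.StatusOK {
+body, err := ioutil.ReadAll(res.Body)
+if err != nil {
+return json.RawMessage{}, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to fetch cookie session context from remote: %+v", err))
+}
+return body, nil
+} else {
+return json.RawMessage{}, errors.WithStack(helper.ErrUnauthorized)
+}
+}
+
+func PrepareRequest(r *http.Request, cf *AuthenticatorForwardConfig) (http.Request, error) {
+reqURL, err := url.Parse(cf.CheckSessionURL)
+if err != nil {
+return http.Request{}, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to parse session check URL: %s", err))
+}
+
 if !cf.PreservePath {
-reqUrl.Path = r.URL.Path
+reqURL.Path = r.URL.Path
 }
 
 if !cf.PreserveQuery {
-reqUrl.RawQuery = r.URL.RawQuery
+reqURL.RawQuery = r.URL.RawQuery
 }
 
 if cf.ForceMethod == "" {
@@ -171,7 +195,7 @@ func forwardRequestToSessionStore(r *http.Request, cf *AuthenticatorForwardConfi
 
 req := http.Request{
 Method: cf.ForceMethod,
-URL: reqUrl,
+URL: reqURL,
 Header: http.Header{},
 }
 
@@ -187,23 +211,7 @@ func forwardRequestToSessionStore(r *http.Request, cf *AuthenticatorForwardConfi
 }
 
 if cf.PreserveHost {
-req.Header.Set("X-Forwarded-Host", r.Host)
-}
-
-res, err := http.DefaultClient.Do(req.WithContext(r.Context()))
-if err != nil {
-return nil, helper.ErrForbidden.WithReason(err.Error()).WithTrace(err)
-}
-
-defer res.Body.Close()
-
-if res.StatusCode == 200 {
-body, err := ioutil.ReadAll(res.Body)
-if err != nil {
-return json.RawMessage{}, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to fetch cookie session context from remote: %+v", err))
-}
-return body, nil
-} else {
-return json.RawMessage{}, errors.WithStack(helper.ErrUnauthorized)
+req.Header.Set(header.XForwardedHost, r.Host)
 }
+return req, nil
 }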
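Review bot: The new `func PrepareRequest` is exported without a doc comment, and it hands back `http.Request` by value even though the caller's only use is the pointer-receiver call `req.WithContext(r.Context())`; returning `*http.Request` (with `nil` on error) is the conventional shape and avoids copying the struct through two returns. A doc comment limited to what these hunks show would be `// PrepareRequest builds the session-check request for cf.CheckSessionURL from the incoming request r: r's path and query are reused unless cf.PreservePath/cf.PreserveQuery are set, cf.ForceMethod is applied, and X-Forwarded-Host is set from r.Host when cf.PreserveHost is set; per this PR only configured headers are copied from r.` The header-selection code sits between the second and third hunks and is not shown here, so that last clause should be checked against it. In the relocated body of forwardRequestToSessionStore, `ioutil.ReadAll(res.Body)` still reads the session store's reply with no size bound and `http.DefaultClient` carries no timeout beyond r's context, so a slow or oversized upstream is bounded only by the client's patience; `io.ReadAll(io.LimitReader(res.Body, limit))` with a fixed cap and a client with `Timeout` set would bound both.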
41 changes: 41 additions & 0 deletions pipeline/authn/authenticator_cookie_session_test.go
@@ -18,6 +18,7 @@ import (

"github.com/ory/oathkeeper/internal"
. "github.com/ory/oathkeeper/pipeline/authn"
"github.com/ory/oathkeeper/x/header"
)

func TestAuthenticatorCookieSession(t *testing.T) {
@@ -249,6 +250,46 @@ func TestAuthenticatorCookieSession(t *testing.T) {
})
}

func TestPrepareRequest(t *testing.T) {
t.Run("prepare request should return only configured headers", func(t *testing.T) {
testCases := []struct {
requestHeaders []string
expectedHeaders []string
conf *AuthenticatorForwardConfig
}{
{
requestHeaders: []string{header.Authorization, header.AcceptEncoding},
expectedHeaders: []string{},
conf: &AuthenticatorForwardConfig{},
},
{
requestHeaders: []string{header.Authorization, header.AcceptEncoding},
expectedHeaders: []string{header.Authorization},
conf: &AuthenticatorForwardConfig{
ForwardHTTPHeaders: map[string]string{
header.Authorization: header.Authorization,
},
},
},
}

for _, testCase := range testCases {
r := makeRequest("GET", "/", "", map[string]string{"sessionID": "zyx"}, "")
for _, h := range testCase.requestHeaders {
r.Header.Add(h, h)
}
expected := http.Header{}
for _, h := range testCase.expectedHeaders {
expected.Add(h, h)
}
req, err := PrepareRequest(r, testCase.conf)
assert.NoError(t, err)
assert.Equal(t, expected, req.Header)
}
})

}

type RequestRecorder struct {
requests []*http.Request
bodies [][]byte
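Review bot: Both cases in TestPrepareRequest configure ForwardHTTPHeaders with canonical names only, so the test cannot catch a mismatch when an operator writes the key in lower case: `r.Header.Add` stores the canonical key, and whether PrepareRequest canonicalizes the configured key before comparing is not visible in this commit. A third case such as `{requestHeaders: []string{header.Authorization}, expectedHeaders: []string{header.Authorization}, conf: &AuthenticatorForwardConfig{ForwardHTTPHeaders: map[string]string{"authorization": "authorization"}}},` would pin that down. The first case also builds the request with a session cookie (`map[string]string{"sessionID": "zyx"}`) yet expects an empty header set; if that means the Cookie header is dropped without configuration, the cookie-session authenticator could not reach the session store by default, so either assert the Cookie header is present or say in the case why it is excluded (makeRequest's handling of that map is not shown here). Giving each case a name and running it under `t.Run` would also make a failing `assert.Equal` identify which case broke.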
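--- a/x/header/header.go
+++ b/x/header/header.go
@@ -63,6 +63,7 @@ const (
 Upgrade = "Upgrade"
 Vary = "Vary"
 WWWAuthenticate = "WWW-Authenticate"
+XForwardedHost = "X-Forwarded-Host"
 )
 
 // Canonical returns the canonical format of the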