2012-12-10 20:59:23 -05:00
package main
import (
2019-01-17 12:49:14 -08:00
"context"
2019-08-07 18:48:53 +02:00
"crypto/tls"
2016-06-20 07:17:39 -04:00
b64 "encoding/base64"
2019-11-08 00:38:36 +02:00
"encoding/json"
2012-12-10 20:59:23 -05:00
"errors"
"fmt"
2015-03-17 18:06:06 -04:00
"html/template"
2015-03-19 15:59:48 -04:00
"net"
2012-12-10 20:59:23 -05:00
"net/http"
"net/http/httputil"
"net/url"
2015-01-19 16:10:37 +00:00
"regexp"
2019-09-18 22:40:33 +02:00
"strconv"
2012-12-10 20:59:23 -05:00
"strings"
"time"
2014-08-07 16:16:39 -04:00
2019-01-17 12:49:14 -08:00
"github.com/coreos/go-oidc"
2018-11-29 14:26:41 +00:00
"github.com/mbland/hmacauth"
2019-05-07 14:27:09 +01:00
sessionsapi "github.com/pusher/oauth2_proxy/pkg/apis/sessions"
2019-12-16 13:10:04 -05:00
"github.com/pusher/oauth2_proxy/pkg/cookies"
2019-05-24 17:06:48 +01:00
"github.com/pusher/oauth2_proxy/pkg/encryption"
2019-06-15 11:33:29 +02:00
"github.com/pusher/oauth2_proxy/pkg/logger"
2018-11-27 11:45:05 +00:00
"github.com/pusher/oauth2_proxy/providers"
2019-03-08 09:15:21 +01:00
"github.com/yhat/wsutil"
2012-12-10 20:59:23 -05:00
)
2018-11-29 14:26:41 +00:00
const (
2018-12-20 09:30:42 +00:00
// SignatureHeader is the name of the request header containing the GAP Signature
// Part of hmacauth
2018-11-29 14:26:41 +00:00
SignatureHeader = "GAP-Signature"
2015-11-15 22:08:30 -05:00
2018-11-29 14:26:41 +00:00
httpScheme = "http"
httpsScheme = "https"
2018-01-27 22:48:52 +00:00
2019-01-31 16:22:30 +01:00
applicationJSON = "application/json"
2018-11-29 14:26:41 +00:00
)
2018-12-20 09:30:42 +00:00
// SignatureHeaders contains the headers to be signed by the hmac algorithm
// Part of hmacauth
2018-11-29 14:26:41 +00:00
var SignatureHeaders = [ ] string {
2015-11-15 22:08:30 -05:00
"Content-Length" ,
"Content-Md5" ,
"Content-Type" ,
"Date" ,
"Authorization" ,
"X-Forwarded-User" ,
"X-Forwarded-Email" ,
"X-Forwarded-Access-Token" ,
"Cookie" ,
"Gap-Auth" ,
}
2019-06-07 13:50:44 +10:00
var (
// ErrNeedsLogin means the user should be redirected to the login page
ErrNeedsLogin = errors . New ( "redirect to login page" )
)
2018-12-20 09:30:42 +00:00
// OAuthProxy is the main authentication proxy
2015-11-09 00:57:01 +01:00
type OAuthProxy struct {
2015-03-17 23:13:45 -04:00
CookieSeed string
2015-06-07 23:52:28 -04:00
CookieName string
2017-03-27 21:14:38 -04:00
CSRFCookieName string
2015-03-17 23:13:45 -04:00
CookieDomain string
2019-04-10 00:36:35 +03:00
CookiePath string
2015-03-17 23:13:45 -04:00
CookieSecure bool
2018-11-29 14:26:41 +00:00
CookieHTTPOnly bool
2015-03-17 23:13:45 -04:00
CookieExpire time . Duration
2015-05-08 10:00:57 -04:00
CookieRefresh time . Duration
2019-12-16 13:10:04 -05:00
CookieSameSite string
2015-03-17 23:13:45 -04:00
Validator func ( string ) bool
2012-12-10 20:59:23 -05:00
2015-05-29 15:47:40 -07:00
RobotsPath string
PingPath string
SignInPath string
2017-03-21 17:39:26 +01:00
SignOutPath string
2015-11-09 00:57:01 +01:00
OAuthStartPath string
OAuthCallbackPath string
2015-10-08 09:27:00 -04:00
AuthOnlyPath string
2019-11-08 00:38:36 +02:00
UserInfoPath string
2015-05-29 15:47:40 -07:00
2019-11-25 18:20:37 +01:00
redirectURL * url . URL // the url to receive requests at
whitelistDomains [ ] string
provider providers . Provider
providerNameOverride string
sessionStore sessionsapi . SessionStore
ProxyPrefix string
SignInMessage string
HtpasswdFile * HtpasswdFile
DisplayHtpasswdForm bool
serveMux http . Handler
SetXAuthRequest bool
PassBasicAuth bool
SkipProviderButton bool
PassUserHeaders bool
BasicAuthPassword string
PassAccessToken bool
SetAuthorization bool
PassAuthorization bool
skipAuthRegex [ ] string
skipAuthPreflight bool
skipJwtBearerTokens bool
jwtBearerVerifiers [ ] * oidc . IDTokenVerifier
compiledRegex [ ] * regexp . Regexp
templates * template . Template
Banner string
Footer string
2012-12-10 20:59:23 -05:00
}
2018-12-20 09:30:42 +00:00
// UpstreamProxy represents an upstream server to proxy to
2015-03-19 16:37:16 -04:00
type UpstreamProxy struct {
2019-03-08 09:15:21 +01:00
upstream string
handler http . Handler
wsHandler http . Handler
auth hmacauth . HmacAuth
2015-03-19 16:37:16 -04:00
}
2018-12-20 09:30:42 +00:00
// ServeHTTP proxies requests to the upstream provider while signing the
// request headers
2015-03-19 16:37:16 -04:00
func ( u * UpstreamProxy ) ServeHTTP ( w http . ResponseWriter , r * http . Request ) {
w . Header ( ) . Set ( "GAP-Upstream-Address" , u . upstream )
2015-11-15 22:08:30 -05:00
if u . auth != nil {
r . Header . Set ( "GAP-Auth" , w . Header ( ) . Get ( "GAP-Auth" ) )
u . auth . SignRequest ( r )
}
2019-10-09 11:33:45 +03:00
if u . wsHandler != nil && strings . EqualFold ( r . Header . Get ( "Connection" ) , "upgrade" ) && r . Header . Get ( "Upgrade" ) == "websocket" {
2019-03-08 09:15:21 +01:00
u . wsHandler . ServeHTTP ( w , r )
} else {
u . handler . ServeHTTP ( w , r )
}
2015-03-19 16:37:16 -04:00
}
2018-12-20 09:30:42 +00:00
// NewReverseProxy creates a new reverse proxy for proxying requests to upstream
// servers
2019-08-07 18:48:53 +02:00
func NewReverseProxy ( target * url . URL , opts * Options ) ( proxy * httputil . ReverseProxy ) {
2019-01-31 14:02:15 +00:00
proxy = httputil . NewSingleHostReverseProxy ( target )
2019-08-07 18:48:53 +02:00
proxy . FlushInterval = opts . FlushInterval
if opts . SSLUpstreamInsecureSkipVerify {
proxy . Transport = & http . Transport {
TLSClientConfig : & tls . Config { InsecureSkipVerify : true } ,
}
}
2019-01-31 14:02:15 +00:00
return proxy
2015-03-17 15:15:15 -04:00
}
2018-12-20 09:30:42 +00:00
2015-03-17 15:15:15 -04:00
func setProxyUpstreamHostHeader ( proxy * httputil . ReverseProxy , target * url . URL ) {
director := proxy . Director
proxy . Director = func ( req * http . Request ) {
director ( req )
2015-03-17 17:17:40 -04:00
// use RequestURI so that we aren't unescaping encoded slashes in the request path
2015-03-21 15:29:07 -04:00
req . Host = target . Host
req . URL . Opaque = req . RequestURI
2015-03-17 17:17:40 -04:00
req . URL . RawQuery = ""
}
}
2018-12-20 09:30:42 +00:00
2015-03-17 17:17:40 -04:00
func setProxyDirector ( proxy * httputil . ReverseProxy ) {
director := proxy . Director
proxy . Director = func ( req * http . Request ) {
director ( req )
// use RequestURI so that we aren't unescaping encoded slashes in the request path
2015-03-21 15:29:07 -04:00
req . URL . Opaque = req . RequestURI
2015-03-17 17:17:40 -04:00
req . URL . RawQuery = ""
2015-03-17 15:15:15 -04:00
}
2014-11-30 17:12:33 -08:00
}
2018-12-20 09:30:42 +00:00
// NewFileServer creates a http.Handler to serve files from the filesystem
2015-09-23 22:00:36 +02:00
func NewFileServer ( path string , filesystemPath string ) ( proxy http . Handler ) {
return http . StripPrefix ( path , http . FileServer ( http . Dir ( filesystemPath ) ) )
}
2014-11-30 17:12:33 -08:00
2019-03-08 09:15:21 +01:00
// NewWebSocketOrRestReverseProxy creates a reverse proxy for REST or websocket based on url
2019-06-23 20:41:23 +01:00
func NewWebSocketOrRestReverseProxy ( u * url . URL , opts * Options , auth hmacauth . HmacAuth ) http . Handler {
2019-03-08 09:15:21 +01:00
u . Path = ""
2019-08-07 18:48:53 +02:00
proxy := NewReverseProxy ( u , opts )
2019-03-08 09:15:21 +01:00
if ! opts . PassHostHeader {
setProxyUpstreamHostHeader ( proxy , u )
} else {
setProxyDirector ( proxy )
}
// this should give us a wss:// scheme if the url is https:// based.
var wsProxy * wsutil . ReverseProxy
if opts . ProxyWebSockets {
wsScheme := "ws" + strings . TrimPrefix ( u . Scheme , "http" )
wsURL := & url . URL { Scheme : wsScheme , Host : u . Host }
wsProxy = wsutil . NewSingleHostReverseProxy ( wsURL )
}
2019-06-23 20:41:23 +01:00
return & UpstreamProxy {
upstream : u . Host ,
handler : proxy ,
wsHandler : wsProxy ,
auth : auth ,
}
2019-03-08 09:15:21 +01:00
}
2019-12-20 09:44:59 -05:00
// NewOAuthProxy creates a new instance of OAuthProxy from the options provided
2015-11-09 00:57:01 +01:00
func NewOAuthProxy ( opts * Options , validator func ( string ) bool ) * OAuthProxy {
2012-12-10 20:59:23 -05:00
serveMux := http . NewServeMux ( )
2015-11-15 22:08:30 -05:00
var auth hmacauth . HmacAuth
if sigData := opts . signatureData ; sigData != nil {
auth = hmacauth . NewHmacAuth ( sigData . hash , [ ] byte ( sigData . key ) ,
SignatureHeader , SignatureHeaders )
}
2015-11-09 00:47:44 +01:00
for _ , u := range opts . proxyURLs {
2012-12-10 20:59:23 -05:00
path := u . Path
2019-09-19 11:03:38 +02:00
host := u . Host
2015-09-23 22:00:36 +02:00
switch u . Scheme {
2018-11-29 14:26:41 +00:00
case httpScheme , httpsScheme :
2019-04-12 09:26:44 -07:00
logger . Printf ( "mapping path %q => upstream %q" , path , u )
2019-03-08 09:15:21 +01:00
proxy := NewWebSocketOrRestReverseProxy ( u , opts , auth )
serveMux . Handle ( path , proxy )
2019-09-18 22:40:33 +02:00
case "static" :
2019-10-04 15:07:31 +02:00
responseCode , err := strconv . Atoi ( host )
if err != nil {
logger . Printf ( "unable to convert %q to int, use default \"200\"" , host )
responseCode = 200
}
2019-09-19 11:03:38 +02:00
serveMux . HandleFunc ( path , func ( rw http . ResponseWriter , req * http . Request ) {
2019-09-18 22:40:33 +02:00
rw . WriteHeader ( responseCode )
fmt . Fprintf ( rw , "Authenticated" )
} )
2015-09-23 22:00:36 +02:00
case "file" :
if u . Fragment != "" {
path = u . Fragment
}
2019-02-10 08:37:45 -08:00
logger . Printf ( "mapping path %q => file system %q" , path , u . Path )
2015-09-23 22:00:36 +02:00
proxy := NewFileServer ( path , u . Path )
2019-06-23 20:41:23 +01:00
uProxy := UpstreamProxy {
upstream : path ,
handler : proxy ,
wsHandler : nil ,
auth : nil ,
}
serveMux . Handle ( path , & uProxy )
2015-09-23 22:00:36 +02:00
default :
panic ( fmt . Sprintf ( "unknown upstream protocol %s" , u . Scheme ) )
2015-03-17 15:15:15 -04:00
}
2012-12-10 20:59:23 -05:00
}
2015-01-12 14:48:41 +05:30
for _ , u := range opts . CompiledRegex {
2019-02-10 08:37:45 -08:00
logger . Printf ( "compiled skip-auth-regex => %q" , u )
2015-01-12 14:48:41 +05:30
}
2019-01-17 12:49:14 -08:00
if opts . SkipJwtBearerTokens {
logger . Printf ( "Skipping JWT tokens from configured OIDC issuer: %q" , opts . OIDCIssuerURL )
for _ , issuer := range opts . ExtraJwtIssuers {
logger . Printf ( "Skipping JWT tokens from extra JWT issuer: %q" , issuer )
}
}
2015-11-09 00:47:44 +01:00
redirectURL := opts . redirectURL
2019-03-20 09:25:04 -07:00
if redirectURL . Path == "" {
2019-03-05 09:58:26 -05:00
redirectURL . Path = fmt . Sprintf ( "%s/callback" , opts . ProxyPrefix )
}
2012-12-10 20:59:23 -05:00
2019-02-10 08:37:45 -08:00
logger . Printf ( "OAuthProxy configured for %s Client ID: %s" , opts . provider . Data ( ) . ProviderName , opts . ClientID )
2015-06-22 15:10:08 -04:00
refresh := "disabled"
if opts . CookieRefresh != time . Duration ( 0 ) {
refresh = fmt . Sprintf ( "after %s" , opts . CookieRefresh )
}
2015-03-17 23:13:45 -04:00
2019-12-16 13:10:04 -05:00
logger . Printf ( "Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s path:%s samesite:%s refresh:%s" , opts . CookieName , opts . CookieSecure , opts . CookieHTTPOnly , opts . CookieExpire , opts . CookieDomain , opts . CookiePath , opts . CookieSameSite , refresh )
2015-03-17 23:13:45 -04:00
2015-11-09 00:57:01 +01:00
return & OAuthProxy {
2015-06-07 23:52:28 -04:00
CookieName : opts . CookieName ,
2017-03-27 21:14:38 -04:00
CSRFCookieName : fmt . Sprintf ( "%v_%v" , opts . CookieName , "csrf" ) ,
2015-03-17 23:13:45 -04:00
CookieSeed : opts . CookieSecret ,
CookieDomain : opts . CookieDomain ,
2019-04-10 00:36:35 +03:00
CookiePath : opts . CookiePath ,
2015-03-17 23:13:45 -04:00
CookieSecure : opts . CookieSecure ,
2018-11-29 14:26:41 +00:00
CookieHTTPOnly : opts . CookieHTTPOnly ,
2015-03-17 23:13:45 -04:00
CookieExpire : opts . CookieExpire ,
2015-05-08 10:00:57 -04:00
CookieRefresh : opts . CookieRefresh ,
2019-12-16 13:10:04 -05:00
CookieSameSite : opts . CookieSameSite ,
2015-03-17 23:13:45 -04:00
Validator : validator ,
2014-11-09 14:51:10 -05:00
2015-05-29 15:47:40 -07:00
RobotsPath : "/robots.txt" ,
2019-06-03 13:51:59 +12:00
PingPath : opts . PingPath ,
2015-05-29 15:47:40 -07:00
SignInPath : fmt . Sprintf ( "%s/sign_in" , opts . ProxyPrefix ) ,
2017-03-21 17:39:26 +01:00
SignOutPath : fmt . Sprintf ( "%s/sign_out" , opts . ProxyPrefix ) ,
2015-11-09 00:57:01 +01:00
OAuthStartPath : fmt . Sprintf ( "%s/start" , opts . ProxyPrefix ) ,
2019-03-12 16:46:37 +00:00
OAuthCallbackPath : fmt . Sprintf ( "%s/callback" , opts . ProxyPrefix ) ,
2015-10-08 09:27:00 -04:00
AuthOnlyPath : fmt . Sprintf ( "%s/auth" , opts . ProxyPrefix ) ,
2019-11-08 00:38:36 +02:00
UserInfoPath : fmt . Sprintf ( "%s/userinfo" , opts . ProxyPrefix ) ,
2015-05-29 15:47:40 -07:00
2019-11-25 18:20:37 +01:00
ProxyPrefix : opts . ProxyPrefix ,
provider : opts . provider ,
providerNameOverride : opts . ProviderName ,
sessionStore : opts . sessionStore ,
serveMux : serveMux ,
redirectURL : redirectURL ,
whitelistDomains : opts . WhitelistDomains ,
skipAuthRegex : opts . SkipAuthRegex ,
skipAuthPreflight : opts . SkipAuthPreflight ,
skipJwtBearerTokens : opts . SkipJwtBearerTokens ,
jwtBearerVerifiers : opts . jwtBearerVerifiers ,
compiledRegex : opts . CompiledRegex ,
SetXAuthRequest : opts . SetXAuthRequest ,
PassBasicAuth : opts . PassBasicAuth ,
PassUserHeaders : opts . PassUserHeaders ,
BasicAuthPassword : opts . BasicAuthPassword ,
PassAccessToken : opts . PassAccessToken ,
SetAuthorization : opts . SetAuthorization ,
PassAuthorization : opts . PassAuthorization ,
SkipProviderButton : opts . SkipProviderButton ,
templates : loadTemplates ( opts . CustomTemplatesDir ) ,
Banner : opts . Banner ,
Footer : opts . Footer ,
2012-12-10 20:59:23 -05:00
}
}
2018-12-20 09:30:42 +00:00
// GetRedirectURI returns the redirectURL that the upstream OAuth Provider will
// redirect clients to once authenticated
2015-11-09 00:57:01 +01:00
func ( p * OAuthProxy ) GetRedirectURI ( host string ) string {
2015-03-17 16:25:19 -04:00
// default to the request Host if not set
2015-11-09 00:47:44 +01:00
if p . redirectURL . Host != "" {
return p . redirectURL . String ( )
2015-03-17 16:25:19 -04:00
}
var u url . URL
2015-11-09 00:47:44 +01:00
u = * p . redirectURL
2015-03-17 16:25:19 -04:00
if u . Scheme == "" {
2015-03-17 23:13:45 -04:00
if p . CookieSecure {
2018-11-29 14:26:41 +00:00
u . Scheme = httpsScheme
2015-03-17 16:25:19 -04:00
} else {
2018-11-29 14:26:41 +00:00
u . Scheme = httpScheme
2015-03-17 16:25:19 -04:00
}
}
u . Host = host
return u . String ( )
}
2015-11-09 00:57:01 +01:00
func ( p * OAuthProxy ) displayCustomLoginForm ( ) bool {
2014-12-09 14:38:57 -06:00
return p . HtpasswdFile != nil && p . DisplayHtpasswdForm
}
2019-05-07 14:27:09 +01:00
func ( p * OAuthProxy ) redeemCode ( host , code string ) ( s * sessionsapi . SessionState , err error ) {
2013-10-22 19:56:29 +00:00
if code == "" {
2015-06-23 07:23:39 -04:00
return nil , errors . New ( "missing code" )
2013-10-22 19:56:29 +00:00
}
2015-11-09 00:50:42 +01:00
redirectURI := p . GetRedirectURI ( host )
s , err = p . provider . Redeem ( redirectURI , code )
2012-12-10 20:59:23 -05:00
if err != nil {
2015-06-23 07:23:39 -04:00
return
2012-12-10 20:59:23 -05:00
}
2012-12-17 13:15:23 -05:00
2015-06-23 07:23:39 -04:00
if s . Email == "" {
s . Email , err = p . provider . GetEmailAddress ( s )
2014-08-07 16:16:39 -04:00
}
2017-09-26 23:31:27 +02:00
if s . User == "" {
s . User , err = p . provider . GetUserName ( s )
if err != nil && err . Error ( ) == "not implemented" {
err = nil
}
}
2015-06-23 07:23:39 -04:00
return
2014-08-07 16:16:39 -04:00
}
2018-12-20 09:30:42 +00:00
// MakeCSRFCookie creates a cookie for CSRF
2017-03-27 21:14:38 -04:00
func ( p * OAuthProxy ) MakeCSRFCookie ( req * http . Request , value string , expiration time . Duration , now time . Time ) * http . Cookie {
return p . makeCookie ( req , p . CSRFCookieName , value , expiration , now )
}
func ( p * OAuthProxy ) makeCookie ( req * http . Request , name string , value string , expiration time . Duration , now time . Time ) * http . Cookie {
2015-03-19 15:59:48 -04:00
if p . CookieDomain != "" {
2017-04-18 20:33:50 -07:00
domain := req . Host
if h , _ , err := net . SplitHostPort ( domain ) ; err == nil {
domain = h
}
2015-03-19 15:59:48 -04:00
if ! strings . HasSuffix ( domain , p . CookieDomain ) {
2019-02-10 08:37:45 -08:00
logger . Printf ( "Warning: request host is %q but using configured cookie domain of %q" , domain , p . CookieDomain )
2015-03-19 15:59:48 -04:00
}
2012-12-10 20:59:23 -05:00
}
2015-05-08 11:51:11 -04:00
return & http . Cookie {
2017-03-27 21:14:38 -04:00
Name : name ,
2015-05-08 11:51:11 -04:00
Value : value ,
2019-04-10 00:36:35 +03:00
Path : p . CookiePath ,
2017-04-18 20:33:50 -07:00
Domain : p . CookieDomain ,
2018-11-29 14:26:41 +00:00
HttpOnly : p . CookieHTTPOnly ,
2015-03-19 15:59:48 -04:00
Secure : p . CookieSecure ,
2015-06-22 15:10:08 -04:00
Expires : now . Add ( expiration ) ,
2019-12-16 13:10:04 -05:00
SameSite : cookies . ParseSameSite ( p . CookieSameSite ) ,
2012-12-10 20:59:23 -05:00
}
}
2018-12-20 09:30:42 +00:00
// ClearCSRFCookie creates a cookie to unset the CSRF cookie stored in the user's
// session
2017-03-27 21:14:38 -04:00
func ( p * OAuthProxy ) ClearCSRFCookie ( rw http . ResponseWriter , req * http . Request ) {
http . SetCookie ( rw , p . MakeCSRFCookie ( req , "" , time . Hour * - 1 , time . Now ( ) ) )
}
2018-12-20 09:30:42 +00:00
// SetCSRFCookie adds a CSRF cookie to the response
2017-03-27 21:14:38 -04:00
func ( p * OAuthProxy ) SetCSRFCookie ( rw http . ResponseWriter , req * http . Request , val string ) {
http . SetCookie ( rw , p . MakeCSRFCookie ( req , val , p . CookieExpire , time . Now ( ) ) )
2012-12-10 20:59:23 -05:00
}
2018-12-20 09:30:42 +00:00
// ClearSessionCookie creates a cookie to unset the user's authentication cookie
// stored in the user's session
2019-05-07 16:13:55 +01:00
func ( p * OAuthProxy ) ClearSessionCookie ( rw http . ResponseWriter , req * http . Request ) error {
return p . sessionStore . Clear ( rw , req )
2017-03-27 21:14:38 -04:00
}
2018-12-20 09:30:42 +00:00
// LoadCookiedSession reads the user's authentication details from the request
2019-05-07 16:13:55 +01:00
func ( p * OAuthProxy ) LoadCookiedSession ( req * http . Request ) ( * sessionsapi . SessionState , error ) {
return p . sessionStore . Load ( req )
2015-06-23 07:23:39 -04:00
}
2018-12-20 09:30:42 +00:00
// SaveSession creates a new session cookie value and sets this on the response
2019-05-07 14:27:09 +01:00
func ( p * OAuthProxy ) SaveSession ( rw http . ResponseWriter , req * http . Request , s * sessionsapi . SessionState ) error {
2019-05-07 16:13:55 +01:00
return p . sessionStore . Save ( rw , req , s )
2012-12-26 10:35:02 -05:00
}
2018-12-20 09:30:42 +00:00
// RobotsTxt disallows scraping pages from the OAuthProxy
2015-11-09 00:57:01 +01:00
func ( p * OAuthProxy ) RobotsTxt ( rw http . ResponseWriter ) {
2015-05-10 15:15:52 -04:00
rw . WriteHeader ( http . StatusOK )
fmt . Fprintf ( rw , "User-agent: *\nDisallow: /" )
}
2018-12-20 09:30:42 +00:00
// PingPage responds 200 OK to requests
2015-11-09 00:57:01 +01:00
func ( p * OAuthProxy ) PingPage ( rw http . ResponseWriter ) {
2014-10-14 16:22:38 -04:00
rw . WriteHeader ( http . StatusOK )
2014-10-14 17:05:59 -04:00
fmt . Fprintf ( rw , "OK" )
2014-10-14 16:22:38 -04:00
}
2018-12-20 09:30:42 +00:00
// ErrorPage writes an error response
2015-11-09 00:57:01 +01:00
func ( p * OAuthProxy ) ErrorPage ( rw http . ResponseWriter , code int , title string , message string ) {
2012-12-10 20:59:23 -05:00
rw . WriteHeader ( code )
2012-12-17 13:15:23 -05:00
t := struct {
2015-10-03 15:59:47 -07:00
Title string
Message string
ProxyPrefix string
2012-12-10 20:59:23 -05:00
} {
2015-10-03 15:59:47 -07:00
Title : fmt . Sprintf ( "%d %s" , code , title ) ,
Message : message ,
ProxyPrefix : p . ProxyPrefix ,
2012-12-10 20:59:23 -05:00
}
2015-03-17 18:06:06 -04:00
p . templates . ExecuteTemplate ( rw , "error.html" , t )
2012-12-17 13:15:23 -05:00
}
2018-12-20 09:30:42 +00:00
// SignInPage writes the sing in template to the response
2015-11-09 00:57:01 +01:00
func ( p * OAuthProxy ) SignInPage ( rw http . ResponseWriter , req * http . Request , code int ) {
2017-03-27 21:14:38 -04:00
p . ClearSessionCookie ( rw , req )
2012-12-17 13:15:23 -05:00
rw . WriteHeader ( code )
2012-12-26 10:35:02 -05:00
2020-02-28 10:59:27 +01:00
redirectURL , err := p . GetRedirect ( req )
if err != nil {
logger . Printf ( "Error obtaining redirect: %s" , err . Error ( ) )
p . ErrorPage ( rw , 500 , "Internal Error" , err . Error ( ) )
return
2016-11-16 12:06:18 +05:30
}
2020-02-28 10:59:27 +01:00
if redirectURL == p . SignInPath {
redirectURL = "/"
2015-04-06 22:10:03 -04:00
}
2012-12-26 10:35:02 -05:00
t := struct {
2015-03-31 12:59:07 -04:00
ProviderName string
2012-12-26 15:55:41 +00:00
SignInMessage string
2014-12-09 14:38:57 -06:00
CustomLogin bool
2013-10-22 19:56:29 +00:00
Redirect string
2014-11-09 22:01:50 -05:00
Version string
2015-05-29 15:47:40 -07:00
ProxyPrefix string
2016-06-18 23:53:42 -04:00
Footer template . HTML
2012-12-26 15:55:41 +00:00
} {
2015-03-31 12:59:07 -04:00
ProviderName : p . provider . Data ( ) . ProviderName ,
2012-12-26 10:35:02 -05:00
SignInMessage : p . SignInMessage ,
2014-12-09 14:38:57 -06:00
CustomLogin : p . displayCustomLoginForm ( ) ,
2020-02-28 10:59:27 +01:00
Redirect : redirectURL ,
2014-11-09 22:01:50 -05:00
Version : VERSION ,
2015-05-29 15:47:40 -07:00
ProxyPrefix : p . ProxyPrefix ,
2016-06-18 23:53:42 -04:00
Footer : template . HTML ( p . Footer ) ,
2012-12-26 15:55:41 +00:00
}
2019-11-25 18:20:37 +01:00
if p . providerNameOverride != "" {
t . ProviderName = p . providerNameOverride
}
2015-03-17 18:06:06 -04:00
p . templates . ExecuteTemplate ( rw , "sign_in.html" , t )
2012-12-10 20:59:23 -05:00
}
2018-12-20 09:30:42 +00:00
// ManualSignIn handles basic auth logins to the proxy
2015-11-09 00:57:01 +01:00
func ( p * OAuthProxy ) ManualSignIn ( rw http . ResponseWriter , req * http . Request ) ( string , bool ) {
2012-12-26 10:35:02 -05:00
if req . Method != "POST" || p . HtpasswdFile == nil {
2012-12-26 15:55:41 +00:00
return "" , false
}
user := req . FormValue ( "username" )
passwd := req . FormValue ( "password" )
if user == "" {
return "" , false
}
// check auth
if p . HtpasswdFile . Validate ( user , passwd ) {
2019-02-10 09:01:13 -08:00
logger . PrintAuthf ( user , req , logger . AuthSuccess , "Authenticated via HtpasswdFile" )
2012-12-26 15:55:41 +00:00
return user , true
}
2019-02-10 09:01:13 -08:00
logger . PrintAuthf ( user , req , logger . AuthFailure , "Invalid authentication via HtpasswdFile" )
2012-12-26 15:55:41 +00:00
return "" , false
}
2018-12-20 09:30:42 +00:00
// GetRedirect reads the query parameter to get the URL to redirect clients to
// once authenticated with the OAuthProxy
2017-03-27 21:14:38 -04:00
func ( p * OAuthProxy ) GetRedirect ( req * http . Request ) ( redirect string , err error ) {
err = req . ParseForm ( )
2013-10-24 15:31:08 +00:00
if err != nil {
2017-03-27 21:14:38 -04:00
return
2013-10-24 15:31:08 +00:00
}
2019-08-17 15:50:37 -05:00
redirect = req . Header . Get ( "X-Auth-Request-Redirect" )
if req . Form . Get ( "rd" ) != "" {
redirect = req . Form . Get ( "rd" )
}
2017-09-29 16:55:50 +01:00
if ! p . IsValidRedirect ( redirect ) {
2019-01-29 12:13:02 +00:00
redirect = req . URL . Path
if strings . HasPrefix ( redirect , p . ProxyPrefix ) {
redirect = "/"
}
2013-10-24 15:31:08 +00:00
}
2017-03-27 21:14:38 -04:00
return
2013-10-24 15:31:08 +00:00
}
2019-10-23 16:38:44 +03:00
// splitHostPort separates host and port. If the port is not valid, it returns
// the entire input as host, and it doesn't check the validity of the host.
// Unlike net.SplitHostPort, but per RFC 3986, it requires ports to be numeric.
// *** taken from net/url, modified validOptionalPort() to accept ":*"
func splitHostPort ( hostport string ) ( host , port string ) {
host = hostport
colon := strings . LastIndexByte ( host , ':' )
if colon != - 1 && validOptionalPort ( host [ colon : ] ) {
host , port = host [ : colon ] , host [ colon + 1 : ]
}
if strings . HasPrefix ( host , "[" ) && strings . HasSuffix ( host , "]" ) {
host = host [ 1 : len ( host ) - 1 ]
}
return
}
// validOptionalPort reports whether port is either an empty string
// or matches /^:\d*$/
// *** taken from net/url, modified to accept ":*"
func validOptionalPort ( port string ) bool {
if port == "" || port == ":*" {
return true
}
if port [ 0 ] != ':' {
return false
}
for _ , b := range port [ 1 : ] {
if b < '0' || b > '9' {
return false
}
}
return true
}
2017-09-29 16:55:50 +01:00
// IsValidRedirect checks whether the redirect URL is whitelisted
func ( p * OAuthProxy ) IsValidRedirect ( redirect string ) bool {
switch {
2020-01-26 15:00:03 +00:00
case strings . HasPrefix ( redirect , "/" ) && ! strings . HasPrefix ( redirect , "//" ) && ! strings . HasPrefix ( redirect , "/\\" ) :
2017-09-29 16:55:50 +01:00
return true
2017-12-11 09:24:52 +00:00
case strings . HasPrefix ( redirect , "http://" ) || strings . HasPrefix ( redirect , "https://" ) :
redirectURL , err := url . Parse ( redirect )
if err != nil {
return false
2017-09-29 16:55:50 +01:00
}
2019-10-12 23:47:23 +03:00
redirectHostname := redirectURL . Hostname ( )
2017-09-29 16:55:50 +01:00
for _ , domain := range p . whitelistDomains {
2019-10-23 16:38:44 +03:00
domainHostname , domainPort := splitHostPort ( strings . TrimLeft ( domain , "." ) )
2019-11-14 17:17:12 +02:00
if domainHostname == "" {
2019-10-12 23:47:23 +03:00
continue
}
if ( redirectHostname == domainHostname ) || ( strings . HasPrefix ( domain , "." ) && strings . HasSuffix ( redirectHostname , domainHostname ) ) {
2019-10-23 16:38:44 +03:00
// the domain names match, now validate the ports
// if the whitelisted domain's port is '*', allow all ports
// if the whitelisted domain contains a specific port, only allow that port
// if the whitelisted domain doesn't contain a port at all, only allow empty redirect ports ie http and https
redirectPort := redirectURL . Port ( )
if ( domainPort == "*" ) ||
( domainPort == redirectPort ) ||
( domainPort == "" && redirectPort == "" ) {
2019-10-12 23:47:23 +03:00
return true
}
2017-09-29 16:55:50 +01:00
}
}
2019-10-12 23:47:23 +03:00
2017-09-29 16:55:50 +01:00
return false
default :
return false
}
}
2018-12-20 09:30:42 +00:00
// IsWhitelistedRequest is used to check if auth should be skipped for this request
2019-06-07 13:50:44 +10:00
func ( p * OAuthProxy ) IsWhitelistedRequest ( req * http . Request ) bool {
2017-04-07 14:55:48 +03:00
isPreflightRequestAllowed := p . skipAuthPreflight && req . Method == "OPTIONS"
return isPreflightRequestAllowed || p . IsWhitelistedPath ( req . URL . Path )
}
2018-12-20 09:30:42 +00:00
// IsWhitelistedPath is used to check if the request path is allowed without auth
2019-06-07 13:50:44 +10:00
func ( p * OAuthProxy ) IsWhitelistedPath ( path string ) bool {
2015-06-23 07:23:39 -04:00
for _ , u := range p . compiledRegex {
2019-06-07 13:50:44 +10:00
if u . MatchString ( path ) {
return true
2015-06-23 07:23:39 -04:00
}
2012-12-26 15:55:41 +00:00
}
2019-06-07 13:50:44 +10:00
return false
2015-06-23 07:23:39 -04:00
}
2012-12-26 10:35:02 -05:00
2015-06-23 07:23:39 -04:00
func getRemoteAddr ( req * http . Request ) ( s string ) {
s = req . RemoteAddr
if req . Header . Get ( "X-Real-IP" ) != "" {
s += fmt . Sprintf ( " (%q)" , req . Header . Get ( "X-Real-IP" ) )
}
return
}
2013-10-22 19:56:29 +00:00
2015-11-09 00:57:01 +01:00
func ( p * OAuthProxy ) ServeHTTP ( rw http . ResponseWriter , req * http . Request ) {
2015-06-23 07:23:39 -04:00
switch path := req . URL . Path ; {
case path == p . RobotsPath :
2015-05-10 15:15:52 -04:00
p . RobotsTxt ( rw )
2015-06-23 07:23:39 -04:00
case path == p . PingPath :
p . PingPage ( rw )
2017-04-07 14:55:48 +03:00
case p . IsWhitelistedRequest ( req ) :
2015-06-23 07:23:39 -04:00
p . serveMux . ServeHTTP ( rw , req )
case path == p . SignInPath :
p . SignIn ( rw , req )
2017-03-21 17:39:26 +01:00
case path == p . SignOutPath :
p . SignOut ( rw , req )
2015-11-09 00:57:01 +01:00
case path == p . OAuthStartPath :
p . OAuthStart ( rw , req )
case path == p . OAuthCallbackPath :
p . OAuthCallback ( rw , req )
2015-10-08 09:27:00 -04:00
case path == p . AuthOnlyPath :
p . AuthenticateOnly ( rw , req )
2019-11-08 00:38:36 +02:00
case path == p . UserInfoPath :
p . UserInfo ( rw , req )
2015-06-23 07:23:39 -04:00
default :
p . Proxy ( rw , req )
2015-05-10 15:15:52 -04:00
}
2015-06-23 07:23:39 -04:00
}
2015-05-10 15:15:52 -04:00
2018-12-20 09:30:42 +00:00
// SignIn serves a page prompting users to sign in
2015-11-09 00:57:01 +01:00
func ( p * OAuthProxy ) SignIn ( rw http . ResponseWriter , req * http . Request ) {
2015-06-23 07:23:39 -04:00
redirect , err := p . GetRedirect ( req )
if err != nil {
2019-02-10 08:37:45 -08:00
logger . Printf ( "Error obtaining redirect: %s" , err . Error ( ) )
2015-06-23 07:23:39 -04:00
p . ErrorPage ( rw , 500 , "Internal Error" , err . Error ( ) )
2014-10-14 16:22:38 -04:00
return
}
2015-06-23 07:23:39 -04:00
user , ok := p . ManualSignIn ( rw , req )
if ok {
2019-05-07 14:27:09 +01:00
session := & sessionsapi . SessionState { User : user }
2015-06-23 07:23:39 -04:00
p . SaveSession ( rw , req , session )
http . Redirect ( rw , req , redirect , 302 )
} else {
2017-06-21 15:02:34 -07:00
if p . SkipProviderButton {
p . OAuthStart ( rw , req )
} else {
p . SignInPage ( rw , req , http . StatusOK )
}
2015-06-23 07:23:39 -04:00
}
}
2015-01-12 14:48:41 +05:30
2019-11-08 00:38:36 +02:00
//UserInfo endpoint outputs session email in JSON format
func ( p * OAuthProxy ) UserInfo ( rw http . ResponseWriter , req * http . Request ) {
session , err := p . getAuthenticatedSession ( rw , req )
if err != nil {
http . Error ( rw , http . StatusText ( http . StatusUnauthorized ) , http . StatusUnauthorized )
return
}
userInfo := struct {
Email string ` json:"email" `
} { session . Email }
rw . Header ( ) . Set ( "Content-Type" , "application/json" )
rw . WriteHeader ( http . StatusOK )
json . NewEncoder ( rw ) . Encode ( userInfo )
}
2018-12-20 09:30:42 +00:00
// SignOut sends a response to clear the authentication cookie
2017-03-21 17:39:26 +01:00
func ( p * OAuthProxy ) SignOut ( rw http . ResponseWriter , req * http . Request ) {
2019-11-19 18:17:26 +01:00
redirect , err := p . GetRedirect ( req )
if err != nil {
logger . Printf ( "Error obtaining redirect: %s" , err . Error ( ) )
p . ErrorPage ( rw , 500 , "Internal Error" , err . Error ( ) )
return
}
2017-03-27 21:14:38 -04:00
p . ClearSessionCookie ( rw , req )
2019-11-19 18:17:26 +01:00
http . Redirect ( rw , req , redirect , 302 )
2017-03-21 17:39:26 +01:00
}
2018-12-20 09:30:42 +00:00
// OAuthStart starts the OAuth2 authentication flow
2015-11-09 00:57:01 +01:00
func ( p * OAuthProxy ) OAuthStart ( rw http . ResponseWriter , req * http . Request ) {
2019-05-24 17:06:48 +01:00
nonce , err := encryption . Nonce ( )
2017-03-27 21:14:38 -04:00
if err != nil {
2019-02-10 08:37:45 -08:00
logger . Printf ( "Error obtaining nonce: %s" , err . Error ( ) )
2017-03-27 21:14:38 -04:00
p . ErrorPage ( rw , 500 , "Internal Error" , err . Error ( ) )
return
}
p . SetCSRFCookie ( rw , req , nonce )
2015-06-23 07:23:39 -04:00
redirect , err := p . GetRedirect ( req )
if err != nil {
2019-02-10 08:37:45 -08:00
logger . Printf ( "Error obtaining redirect: %s" , err . Error ( ) )
2015-06-23 07:23:39 -04:00
p . ErrorPage ( rw , 500 , "Internal Error" , err . Error ( ) )
return
2015-01-12 14:48:41 +05:30
}
2015-06-23 07:23:39 -04:00
redirectURI := p . GetRedirectURI ( req . Host )
2017-03-27 21:14:38 -04:00
http . Redirect ( rw , req , p . provider . GetLoginURL ( redirectURI , fmt . Sprintf ( "%v:%v" , nonce , redirect ) ) , 302 )
2015-06-23 07:23:39 -04:00
}
2015-01-12 14:48:41 +05:30
2018-12-20 09:30:42 +00:00
// OAuthCallback is the OAuth2 authentication flow callback that finishes the
// OAuth2 authentication flow
2015-11-09 00:57:01 +01:00
func ( p * OAuthProxy ) OAuthCallback ( rw http . ResponseWriter , req * http . Request ) {
2015-06-23 07:23:39 -04:00
remoteAddr := getRemoteAddr ( req )
2013-10-24 15:31:08 +00:00
2015-06-23 07:23:39 -04:00
// finish the oauth cycle
err := req . ParseForm ( )
if err != nil {
2019-02-10 09:01:13 -08:00
logger . Printf ( "Error while parsing OAuth2 callback: %s" + err . Error ( ) )
2015-06-23 07:23:39 -04:00
p . ErrorPage ( rw , 500 , "Internal Error" , err . Error ( ) )
2012-12-10 20:59:23 -05:00
return
}
2015-06-23 07:23:39 -04:00
errorString := req . Form . Get ( "error" )
if errorString != "" {
2019-02-10 09:01:13 -08:00
logger . Printf ( "Error while parsing OAuth2 callback: %s " , errorString )
2015-06-23 07:23:39 -04:00
p . ErrorPage ( rw , 403 , "Permission Denied" , errorString )
2012-12-10 20:59:23 -05:00
return
}
2015-06-23 07:23:39 -04:00
session , err := p . redeemCode ( req . Host , req . Form . Get ( "code" ) )
if err != nil {
2019-05-07 10:47:15 -07:00
logger . Printf ( "Error redeeming code during OAuth2 callback: %s " , err . Error ( ) )
2015-06-23 07:23:39 -04:00
p . ErrorPage ( rw , 500 , "Internal Error" , "Internal Error" )
return
}
2017-03-27 21:14:38 -04:00
s := strings . SplitN ( req . Form . Get ( "state" ) , ":" , 2 )
if len ( s ) != 2 {
2019-04-23 09:36:18 -07:00
logger . Printf ( "Error while parsing OAuth2 state: invalid length" )
2017-03-27 21:14:38 -04:00
p . ErrorPage ( rw , 500 , "Internal Error" , "Invalid State" )
return
}
nonce := s [ 0 ]
redirect := s [ 1 ]
c , err := req . Cookie ( p . CSRFCookieName )
if err != nil {
2019-04-23 09:36:18 -07:00
logger . PrintAuthf ( session . Email , req , logger . AuthFailure , "Invalid authentication via OAuth2: unable too obtain CSRF cookie" )
2017-03-27 21:14:38 -04:00
p . ErrorPage ( rw , 403 , "Permission Denied" , err . Error ( ) )
return
}
p . ClearCSRFCookie ( rw , req )
if c . Value != nonce {
2019-04-23 09:36:18 -07:00
logger . PrintAuthf ( session . Email , req , logger . AuthFailure , "Invalid authentication via OAuth2: csrf token mismatch, potential attack" )
2017-03-27 21:14:38 -04:00
p . ErrorPage ( rw , 403 , "Permission Denied" , "csrf failed" )
return
}
2017-09-29 16:55:50 +01:00
if ! p . IsValidRedirect ( redirect ) {
2015-06-23 07:23:39 -04:00
redirect = "/"
}
// set cookie, or deny
2015-08-20 03:07:02 -07:00
if p . Validator ( session . Email ) && p . provider . ValidateGroup ( session . Email ) {
2019-04-23 09:36:18 -07:00
logger . PrintAuthf ( session . Email , req , logger . AuthSuccess , "Authenticated via OAuth2: %s" , session )
2015-06-23 07:23:39 -04:00
err := p . SaveSession ( rw , req , session )
2012-12-10 20:59:23 -05:00
if err != nil {
2019-02-10 08:37:45 -08:00
logger . Printf ( "%s %s" , remoteAddr , err )
2015-06-23 07:23:39 -04:00
p . ErrorPage ( rw , 500 , "Internal Error" , "Internal Error" )
2012-12-10 20:59:23 -05:00
return
}
2015-06-23 07:23:39 -04:00
http . Redirect ( rw , req , redirect , 302 )
} else {
2019-06-20 13:40:04 -07:00
logger . PrintAuthf ( session . Email , req , logger . AuthFailure , "Invalid authentication via OAuth2: unauthorized" )
2015-06-23 07:23:39 -04:00
p . ErrorPage ( rw , 403 , "Permission Denied" , "Invalid Account" )
}
}
2012-12-10 20:59:23 -05:00
2018-12-20 09:30:42 +00:00
// AuthenticateOnly checks whether the user is currently logged in
2015-10-08 09:27:00 -04:00
func ( p * OAuthProxy ) AuthenticateOnly ( rw http . ResponseWriter , req * http . Request ) {
2019-06-07 14:25:12 +10:00
session , err := p . getAuthenticatedSession ( rw , req )
2019-06-15 18:48:27 +10:00
if err != nil {
2015-10-08 14:10:28 -04:00
http . Error ( rw , "unauthorized request" , http . StatusUnauthorized )
2019-06-15 18:48:27 +10:00
return
2015-10-08 09:27:00 -04:00
}
2019-06-15 18:48:27 +10:00
// we are authenticated
p . addHeadersForProxying ( rw , req , session )
rw . WriteHeader ( http . StatusAccepted )
2015-10-08 09:27:00 -04:00
}
2018-12-20 09:30:42 +00:00
// Proxy proxies the user request if the user is authenticated else it prompts
// them to authenticate
2015-11-09 00:57:01 +01:00
func ( p * OAuthProxy ) Proxy ( rw http . ResponseWriter , req * http . Request ) {
2019-06-07 13:50:44 +10:00
session , err := p . getAuthenticatedSession ( rw , req )
switch err {
case nil :
// we are authenticated
p . addHeadersForProxying ( rw , req , session )
p . serveMux . ServeHTTP ( rw , req )
case ErrNeedsLogin :
// we need to send the user to a login screen
if isAjax ( req ) {
// no point redirecting an AJAX request
p . ErrorJSON ( rw , http . StatusUnauthorized )
return
}
2015-11-11 11:42:35 +11:00
if p . SkipProviderButton {
p . OAuthStart ( rw , req )
} else {
p . SignInPage ( rw , req , http . StatusForbidden )
}
2019-06-07 13:50:44 +10:00
default :
// unknown error
logger . Printf ( "Unexpected internal error: %s" , err )
p . ErrorPage ( rw , http . StatusInternalServerError ,
"Internal Error" , "Internal Error" )
2015-10-08 14:10:28 -04:00
}
2019-06-07 13:50:44 +10:00
2015-10-08 14:10:28 -04:00
}
2019-06-07 13:50:44 +10:00
// getAuthenticatedSession checks whether a user is authenticated and returns a session object and nil error if so
// Returns nil, ErrNeedsLogin if user needs to login.
// Set-Cookie headers may be set on the response as a side-effect of calling this method.
func ( p * OAuthProxy ) getAuthenticatedSession ( rw http . ResponseWriter , req * http . Request ) ( * sessionsapi . SessionState , error ) {
2019-01-17 12:49:14 -08:00
var session * sessionsapi . SessionState
var err error
2015-06-23 07:23:39 -04:00
var saveSession , clearSession , revalidated bool
2019-01-17 12:49:14 -08:00
if p . skipJwtBearerTokens && req . Header . Get ( "Authorization" ) != "" {
session , err = p . GetJwtSession ( req )
if err != nil {
2019-04-24 08:25:29 -07:00
logger . Printf ( "Error retrieving session from token in Authorization header: %s" , err )
2019-01-17 12:49:14 -08:00
}
if session != nil {
saveSession = false
}
2015-06-23 07:23:39 -04:00
}
2019-01-17 12:49:14 -08:00
remoteAddr := getRemoteAddr ( req )
if session == nil {
session , err = p . LoadCookiedSession ( req )
if err != nil {
logger . Printf ( "Error loading cookied session: %s" , err )
}
2015-06-23 07:23:39 -04:00
2019-06-05 16:08:34 -07:00
if session != nil {
if session . Age ( ) > p . CookieRefresh && p . CookieRefresh != time . Duration ( 0 ) {
logger . Printf ( "Refreshing %s old session cookie for %s (refresh after %s)" , session . Age ( ) , session , p . CookieRefresh )
saveSession = true
}
if ok , err := p . provider . RefreshSessionIfNeeded ( session ) ; err != nil {
logger . Printf ( "%s removing session. error refreshing access token %s %s" , remoteAddr , err , session )
clearSession = true
session = nil
} else if ok {
saveSession = true
revalidated = true
}
2019-01-17 12:49:14 -08:00
}
2015-06-23 07:23:39 -04:00
}
if session != nil && session . IsExpired ( ) {
2019-04-23 09:36:18 -07:00
logger . Printf ( "Removing session: token expired %s" , session )
2015-06-23 07:23:39 -04:00
session = nil
saveSession = false
clearSession = true
}
2015-08-20 03:07:02 -07:00
if saveSession && ! revalidated && session != nil && session . AccessToken != "" {
2015-06-23 07:23:39 -04:00
if ! p . provider . ValidateSessionState ( session ) {
2019-04-23 09:36:18 -07:00
logger . Printf ( "Removing session: error validating %s" , session )
2015-06-23 07:23:39 -04:00
saveSession = false
session = nil
clearSession = true
2013-10-22 19:56:29 +00:00
}
2015-06-23 07:23:39 -04:00
}
2013-10-22 19:56:29 +00:00
2019-06-20 13:40:04 -07:00
if session != nil && session . Email != "" {
if ! p . Validator ( session . Email ) || ! p . provider . ValidateGroup ( session . Email ) {
logger . Printf ( session . Email , req , logger . AuthFailure , "Invalid authentication via session: removing session %s" , session )
session = nil
saveSession = false
clearSession = true
}
2015-06-23 07:23:39 -04:00
}
2015-08-20 03:07:02 -07:00
if saveSession && session != nil {
2018-11-29 14:26:41 +00:00
err = p . SaveSession ( rw , req , session )
2015-06-23 07:23:39 -04:00
if err != nil {
2019-02-10 08:37:45 -08:00
logger . PrintAuthf ( session . Email , req , logger . AuthError , "Save session error %s" , err )
2019-06-07 13:50:44 +10:00
return nil , err
2012-12-10 20:59:23 -05:00
}
}
2012-12-17 13:38:33 -05:00
2015-06-23 07:23:39 -04:00
if clearSession {
2017-03-27 21:14:38 -04:00
p . ClearSessionCookie ( rw , req )
2012-12-10 20:59:23 -05:00
}
2015-06-23 07:23:39 -04:00
if session == nil {
session , err = p . CheckBasicAuth ( req )
2019-02-15 10:07:25 -08:00
if err != nil {
logger . Printf ( "Error during basic auth validation: %s" , err )
}
2012-12-10 20:59:23 -05:00
}
2015-06-23 07:23:39 -04:00
if session == nil {
2019-06-07 13:50:44 +10:00
return nil , ErrNeedsLogin
2012-12-10 20:59:23 -05:00
}
2019-06-07 13:50:44 +10:00
return session , nil
}
// addHeadersForProxying adds the appropriate headers the request / response for proxying
func ( p * OAuthProxy ) addHeadersForProxying ( rw http . ResponseWriter , req * http . Request , session * sessionsapi . SessionState ) {
2014-11-09 14:51:10 -05:00
if p . PassBasicAuth {
2015-07-24 09:17:43 +00:00
req . SetBasicAuth ( session . User , p . BasicAuthPassword )
2015-06-23 07:23:39 -04:00
req . Header [ "X-Forwarded-User" ] = [ ] string { session . User }
if session . Email != "" {
req . Header [ "X-Forwarded-Email" ] = [ ] string { session . Email }
2019-06-20 14:17:15 +10:00
} else {
req . Header . Del ( "X-Forwarded-Email" )
2015-06-23 07:23:39 -04:00
}
2012-12-10 20:59:23 -05:00
}
2019-06-20 14:17:15 +10:00
2016-02-08 15:57:47 +00:00
if p . PassUserHeaders {
req . Header [ "X-Forwarded-User" ] = [ ] string { session . User }
if session . Email != "" {
req . Header [ "X-Forwarded-Email" ] = [ ] string { session . Email }
2019-06-20 14:17:15 +10:00
} else {
req . Header . Del ( "X-Forwarded-Email" )
2016-02-08 15:57:47 +00:00
}
}
2019-06-20 14:17:15 +10:00
2016-10-20 17:49:59 +05:30
if p . SetXAuthRequest {
rw . Header ( ) . Set ( "X-Auth-Request-User" , session . User )
if session . Email != "" {
rw . Header ( ) . Set ( "X-Auth-Request-Email" , session . Email )
2019-06-20 14:17:15 +10:00
} else {
rw . Header ( ) . Del ( "X-Auth-Request-Email" )
2016-10-20 17:49:59 +05:30
}
2019-06-20 14:17:15 +10:00
if p . PassAccessToken {
if session . AccessToken != "" {
rw . Header ( ) . Set ( "X-Auth-Request-Access-Token" , session . AccessToken )
} else {
rw . Header ( ) . Del ( "X-Auth-Request-Access-Token" )
}
2019-02-22 17:49:57 +10:00
}
2016-10-20 17:49:59 +05:30
}
2019-06-20 14:17:15 +10:00
if p . PassAccessToken {
if session . AccessToken != "" {
req . Header [ "X-Forwarded-Access-Token" ] = [ ] string { session . AccessToken }
} else {
req . Header . Del ( "X-Forwarded-Access-Token" )
}
2015-04-02 20:57:17 -04:00
}
2019-06-20 14:17:15 +10:00
if p . PassAuthorization {
if session . IDToken != "" {
req . Header [ "Authorization" ] = [ ] string { fmt . Sprintf ( "Bearer %s" , session . IDToken ) }
} else {
req . Header . Del ( "Authorization" )
}
2018-01-27 10:14:19 +00:00
}
2019-06-20 14:17:15 +10:00
if p . SetAuthorization {
if session . IDToken != "" {
rw . Header ( ) . Set ( "Authorization" , fmt . Sprintf ( "Bearer %s" , session . IDToken ) )
} else {
rw . Header ( ) . Del ( "Authorization" )
}
2018-01-27 10:14:19 +00:00
}
2019-06-20 14:17:15 +10:00
2015-06-23 07:23:39 -04:00
if session . Email == "" {
rw . Header ( ) . Set ( "GAP-Auth" , session . User )
2015-03-19 16:37:16 -04:00
} else {
2015-06-23 07:23:39 -04:00
rw . Header ( ) . Set ( "GAP-Auth" , session . Email )
2015-03-19 16:37:16 -04:00
}
2012-12-10 20:59:23 -05:00
}
2018-12-20 09:30:42 +00:00
// CheckBasicAuth checks the requests Authorization header for basic auth
// credentials and authenticates these against the proxies HtpasswdFile
2019-05-07 14:27:09 +01:00
func ( p * OAuthProxy ) CheckBasicAuth ( req * http . Request ) ( * sessionsapi . SessionState , error ) {
2012-12-10 20:59:23 -05:00
if p . HtpasswdFile == nil {
2015-06-23 07:23:39 -04:00
return nil , nil
}
auth := req . Header . Get ( "Authorization" )
if auth == "" {
return nil , nil
2012-12-10 20:59:23 -05:00
}
2015-06-23 07:23:39 -04:00
s := strings . SplitN ( auth , " " , 2 )
2012-12-10 20:59:23 -05:00
if len ( s ) != 2 || s [ 0 ] != "Basic" {
2015-06-23 07:23:39 -04:00
return nil , fmt . Errorf ( "invalid Authorization header %s" , req . Header . Get ( "Authorization" ) )
2012-12-10 20:59:23 -05:00
}
2016-06-20 07:17:39 -04:00
b , err := b64 . StdEncoding . DecodeString ( s [ 1 ] )
2012-12-10 20:59:23 -05:00
if err != nil {
2015-06-23 07:23:39 -04:00
return nil , err
2012-12-10 20:59:23 -05:00
}
pair := strings . SplitN ( string ( b ) , ":" , 2 )
if len ( pair ) != 2 {
2015-06-23 07:23:39 -04:00
return nil , fmt . Errorf ( "invalid format %s" , b )
2012-12-10 20:59:23 -05:00
}
if p . HtpasswdFile . Validate ( pair [ 0 ] , pair [ 1 ] ) {
2019-02-10 09:01:13 -08:00
logger . PrintAuthf ( pair [ 0 ] , req , logger . AuthSuccess , "Authenticated via basic auth and HTpasswd File" )
2019-05-07 14:27:09 +01:00
return & sessionsapi . SessionState { User : pair [ 0 ] } , nil
2012-12-10 20:59:23 -05:00
}
2019-04-23 09:36:18 -07:00
logger . PrintAuthf ( pair [ 0 ] , req , logger . AuthFailure , "Invalid authentication via basic auth: not in Htpasswd File" )
2019-02-15 10:07:25 -08:00
return nil , nil
2012-12-10 20:59:23 -05:00
}
2019-01-30 11:13:12 +01:00
// isAjax checks if a request is an ajax request
2019-06-07 13:50:44 +10:00
func isAjax ( req * http . Request ) bool {
2019-01-30 11:13:12 +01:00
acceptValues , ok := req . Header [ "accept" ]
if ! ok {
acceptValues = req . Header [ "Accept" ]
}
2019-01-31 16:22:30 +01:00
const ajaxReq = applicationJSON
2019-01-30 11:13:12 +01:00
for _ , v := range acceptValues {
if v == ajaxReq {
return true
}
}
return false
}
2019-08-13 12:42:23 +02:00
// ErrorJSON returns the error code with an application/json mime type
2019-01-30 11:13:12 +01:00
func ( p * OAuthProxy ) ErrorJSON ( rw http . ResponseWriter , code int ) {
2019-01-31 16:22:30 +01:00
rw . Header ( ) . Set ( "Content-Type" , applicationJSON )
2019-01-30 11:13:12 +01:00
rw . WriteHeader ( code )
}
2019-01-17 12:49:14 -08:00
// GetJwtSession loads a session based on a JWT token in the authorization header.
func ( p * OAuthProxy ) GetJwtSession ( req * http . Request ) ( * sessionsapi . SessionState , error ) {
rawBearerToken , err := p . findBearerToken ( req )
if err != nil {
return nil , err
}
ctx := context . Background ( )
var session * sessionsapi . SessionState
for _ , verifier := range p . jwtBearerVerifiers {
bearerToken , err := verifier . Verify ( ctx , rawBearerToken )
if err != nil {
logger . Printf ( "failed to verify bearer token: %v" , err )
continue
}
var claims struct {
2019-05-01 09:22:25 -07:00
Subject string ` json:"sub" `
2019-01-17 12:49:14 -08:00
Email string ` json:"email" `
Verified * bool ` json:"email_verified" `
}
if err := bearerToken . Claims ( & claims ) ; err != nil {
return nil , fmt . Errorf ( "failed to parse bearer token claims: %v" , err )
}
if claims . Email == "" {
2019-05-01 09:22:25 -07:00
claims . Email = claims . Subject
2019-01-17 12:49:14 -08:00
}
if claims . Verified != nil && ! * claims . Verified {
return nil , fmt . Errorf ( "email in id_token (%s) isn't verified" , claims . Email )
}
session = & sessionsapi . SessionState {
AccessToken : rawBearerToken ,
IDToken : rawBearerToken ,
RefreshToken : "" ,
ExpiresOn : bearerToken . Expiry ,
Email : claims . Email ,
2019-06-17 12:58:40 -07:00
User : claims . Email ,
2019-01-17 12:49:14 -08:00
}
return session , nil
}
return nil , fmt . Errorf ( "unable to verify jwt token %s" , req . Header . Get ( "Authorization" ) )
}
// findBearerToken finds a valid JWT token from the Authorization header of a given request.
func ( p * OAuthProxy ) findBearerToken ( req * http . Request ) ( string , error ) {
auth := req . Header . Get ( "Authorization" )
s := strings . SplitN ( auth , " " , 2 )
if len ( s ) != 2 {
return "" , fmt . Errorf ( "invalid authorization header %s" , auth )
}
2019-04-24 08:25:29 -07:00
jwtRegex := regexp . MustCompile ( ` ^eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+$ ` )
2019-01-17 12:49:14 -08:00
var rawBearerToken string
2019-04-24 08:25:29 -07:00
if s [ 0 ] == "Bearer" && jwtRegex . MatchString ( s [ 1 ] ) {
2019-01-17 12:49:14 -08:00
rawBearerToken = s [ 1 ]
} else if s [ 0 ] == "Basic" {
// Check if we have a Bearer token masquerading in Basic
b , err := b64 . StdEncoding . DecodeString ( s [ 1 ] )
if err != nil {
return "" , err
}
pair := strings . SplitN ( string ( b ) , ":" , 2 )
if len ( pair ) != 2 {
return "" , fmt . Errorf ( "invalid format %s" , b )
}
user , password := pair [ 0 ] , pair [ 1 ]
// check user, user+password, or just password for a token
if jwtRegex . MatchString ( user ) {
// Support blank passwords or magic `x-oauth-basic` passwords - nothing else
if password == "" || password == "x-oauth-basic" {
rawBearerToken = user
}
} else if jwtRegex . MatchString ( password ) {
// support passwords and ignore user
rawBearerToken = password
}
2019-04-24 08:25:29 -07:00
}
if rawBearerToken == "" {
return "" , fmt . Errorf ( "no valid bearer token found in authorization header" )
2019-01-17 12:49:14 -08:00
}
return rawBearerToken , nil
}