Merge branch 'master' into ap-gh-pagination-with-lastpage

.gitignore

@@ -16,6 +16,7 @@ release
 # Folders
 _obj
 _test
+.idea/
 
 # Architecture specific extensions/prefixes
 *.[568vq]

.travis.yml

@@ -1,6 +1,5 @@
 language: go
 go:
-  - 1.12.x
   - 1.13.x
 install:
   # Fetch dependencies

CHANGELOG.md

@@ -3,11 +3,14 @@
 ## Changes since v4.0.0
 
 - [#227](https://github.com/pusher/oauth2_proxy/pull/227) Add Keycloak provider (@Ofinka)
+- [#259](https://github.com/pusher/oauth2_proxy/pull/259) Redirect to HTTPS (@jmickey)
 - [#273](https://github.com/pusher/oauth2_proxy/pull/273) Support Go 1.13 (@dio)
 - [#275](https://github.com/pusher/oauth2_proxy/pull/275) docker: build from debian buster (@syscll)
 - [#258](https://github.com/pusher/oauth2_proxy/pull/258) Add IDToken for Azure provider
   - This PR adds the IDToken into the session for the Azure provider allowing requests to a backend to be identified as a specific user. As a consequence, if you are using a cookie to store the session the cookie will now exceed the 4kb size limit and be split into multiple cookies. This can cause problems when using nginx as a proxy, resulting in no cookie being passed at all. Either increase the proxy_buffer_size in nginx or implement the redis session storage (see https://pusher.github.io/oauth2_proxy/configuration#redis-storage)
-- [#274](https://github.com/pusher/oauth2_proxy/pull/274) Supports many github teams with api pagination support (@toshi-miura, @apratina)
+- [#274](https://github.com/pusher/oauth2_proxy/pull/274) Supports many github teams with api pagination support (@toshi-miura,@apratina)
+- [#286](https://github.com/pusher/oauth2_proxy/pull/286) Requests.go updated with useful error messages (@biotom)
+
 
 # v4.0.0
 

docs/configuration/configuration.md

@@ -44,6 +44,7 @@ An example [oauth2_proxy.cfg]({{ site.gitweb }}/contrib/oauth2_proxy.cfg.example
 | `-extra-jwt-issuers` | string | if `-skip-jwt-bearer-tokens` is set, a list of extra JWT `issuer=audience` pairs (where the issuer URL has a `.well-known/openid-configuration` or a `.well-known/jwks.json`) | |
 | `-exclude-logging-paths` | string | comma separated list of paths to exclude from logging, eg: `"/ping,/path2"` |`""` (no paths excluded) |
 | `-flush-interval` | duration | period between flushing response buffers when streaming responses | `"1s"` |
+| `-force-https` | bool | enforce https redirect | `false` |
 | `-banner` | string | custom banner string. Use `"-"` to disable default banner. | |
 | `-footer` | string | custom footer string. Use `"-"` to disable default footer. | |
 | `-gcp-healthchecks` | bool | will enable `/liveness_check`, `/readiness_check`, and `/` (with the proper user-agent) endpoints that will make it work well with GCP App Engine and GKE Ingresses | false |

http.go

@@ -152,3 +152,14 @@ func (ln tcpKeepAliveListener) Accept() (c net.Conn, err error) {
 	tc.SetKeepAlivePeriod(3 * time.Minute)
 	return tc, nil
 }
+
+func redirectToHTTPS(opts *Options, h http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		proto := r.Header.Get("X-Forwarded-Proto")
+		if opts.ForceHTTPS && (r.TLS == nil || (proto != "" && strings.ToLower(proto) != "https")) {
+			http.Redirect(w, r, opts.HTTPSAddress, http.StatusPermanentRedirect)
+		}
+
+		h.ServeHTTP(w, r)
+	})
+}

http_test.go

@@ -106,3 +106,53 @@ func TestGCPHealthcheckNotIngressPut(t *testing.T) {
 
 	assert.Equal(t, "test", rw.Body.String())
 }
+
+func TestRedirectToHTTPSTrue(t *testing.T) {
+	opts := NewOptions()
+	opts.ForceHTTPS = true
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		w.Write([]byte("test"))
+	}
+
+	h := redirectToHTTPS(opts, http.HandlerFunc(handler))
+	rw := httptest.NewRecorder()
+	r, _ := http.NewRequest("GET", "/", nil)
+	h.ServeHTTP(rw, r)
+
+	assert.Equal(t, http.StatusPermanentRedirect, rw.Code, "status code should be %d, got: %d", http.StatusPermanentRedirect, rw.Code)
+}
+
+func TestRedirectToHTTPSFalse(t *testing.T) {
+	opts := NewOptions()
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		w.Write([]byte("test"))
+	}
+
+	h := redirectToHTTPS(opts, http.HandlerFunc(handler))
+	rw := httptest.NewRecorder()
+	r, _ := http.NewRequest("GET", "/", nil)
+	h.ServeHTTP(rw, r)
+
+	assert.Equal(t, http.StatusOK, rw.Code, "status code should be %d, got: %d", http.StatusOK, rw.Code)
+}
+
+func TestRedirectNotWhenHTTPS(t *testing.T) {
+	opts := NewOptions()
+	opts.ForceHTTPS = true
+	handler := func(w http.ResponseWriter, req *http.Request) {
+		w.Write([]byte("test"))
+	}
+
+	h := redirectToHTTPS(opts, http.HandlerFunc(handler))
+	s := httptest.NewTLSServer(h)
+	defer s.Close()
+
+	opts.HTTPSAddress = s.URL
+	client := s.Client()
+	res, err := client.Get(s.URL)
+	if err != nil {
+		t.Fatalf("request to test server failed with error: %v", err)
+	}
+
+	assert.Equal(t, http.StatusOK, res.StatusCode, "status code should be %d, got: %d", http.StatusOK, res.StatusCode)
+}

main.go

@@ -32,6 +32,7 @@ func main() {
 
 	flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")
 	flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients")
+	flagSet.Bool("force-https", false, "force HTTPS redirect for HTTP requests")
 	flagSet.String("tls-cert-file", "", "path to certificate file")
 	flagSet.String("tls-key-file", "", "path to private key file")
 	flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
@@ -185,9 +186,9 @@ func main() {
 
 	var handler http.Handler
 	if opts.GCPHealthChecks {
-		handler = gcpHealthcheck(LoggingHandler(oauthproxy))
+		handler = redirectToHTTPS(opts, gcpHealthcheck(LoggingHandler(oauthproxy)))
 	} else {
-		handler = LoggingHandler(oauthproxy)
+		handler = redirectToHTTPS(opts, LoggingHandler(oauthproxy))
 	}
 	s := &Server{
 		Handler: handler,

options.go

@@ -34,6 +34,7 @@ type Options struct {
 	ProxyWebSockets bool   `flag:"proxy-websockets" cfg:"proxy_websockets" env:"OAUTH2_PROXY_PROXY_WEBSOCKETS"`
 	HTTPAddress     string `flag:"http-address" cfg:"http_address" env:"OAUTH2_PROXY_HTTP_ADDRESS"`
 	HTTPSAddress    string `flag:"https-address" cfg:"https_address" env:"OAUTH2_PROXY_HTTPS_ADDRESS"`
+	ForceHTTPS      bool   `flag:"force-https" cfg:"force_https" env:"OAUTH2_PROXY_FORCE_HTTPS"`
 	RedirectURL     string `flag:"redirect-url" cfg:"redirect_url" env:"OAUTH2_PROXY_REDIRECT_URL"`
 	ClientID        string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"`
 	ClientSecret    string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`
@@ -145,6 +146,7 @@ func NewOptions() *Options {
 		ProxyWebSockets:     true,
 		HTTPAddress:         "127.0.0.1:4180",
 		HTTPSAddress:        ":443",
+		ForceHTTPS:          false,
 		DisplayHtpasswdForm: true,
 		CookieOptions: options.CookieOptions{
 			CookieName:     "_oauth2_proxy",

pkg/requests/requests.go

@@ -18,17 +18,23 @@ func Request(req *http.Request) (*simplejson.Json, error) {
 		return nil, err
 	}
 	body, err := ioutil.ReadAll(resp.Body)
-	resp.Body.Close()
-	logger.Printf("%d %s %s %s", resp.StatusCode, req.Method, req.URL, body)
-	if err != nil {
-		return nil, err
+	if body != nil {
+		defer resp.Body.Close()
 	}
+
+	logger.Printf("%d %s %s %s", resp.StatusCode, req.Method, req.URL, body)
+
+	if err != nil {
+		return nil, fmt.Errorf("problem reading http request body: %w", err)
+	}
+
 	if resp.StatusCode != 200 {
 		return nil, fmt.Errorf("got %d %s", resp.StatusCode, body)
 	}
+
 	data, err := simplejson.NewJson(body)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error unmarshalling json: %w", err)
 	}
 	return data, nil
 }
@@ -41,10 +47,13 @@ func RequestJSON(req *http.Request, v interface{}) error {
 		return err
 	}
 	body, err := ioutil.ReadAll(resp.Body)
-	resp.Body.Close()
+	if body != nil {
+		defer resp.Body.Close()
+	}
+
 	logger.Printf("%d %s %s %s", resp.StatusCode, req.Method, req.URL, body)
 	if err != nil {
-		return err
+		return fmt.Errorf("error reading body from http response: %w", err)
 	}
 	if resp.StatusCode != 200 {
 		return fmt.Errorf("got %d %s", resp.StatusCode, body)
@@ -56,7 +65,7 @@ func RequestJSON(req *http.Request, v interface{}) error {
 func RequestUnparsedResponse(url string, header http.Header) (resp *http.Response, err error) {
 	req, err := http.NewRequest("GET", url, nil)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("error performing get request: %w", err)
 	}
 	req.Header = header
 

pkg/requests/requests_test.go

@@ -8,20 +8,21 @@ import (
 	"testing"
 
 	"github.com/bitly/go-simplejson"
-
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
-func testBackend(responseCode int, payload string) *httptest.Server {
+func testBackend(t *testing.T, responseCode int, payload string) *httptest.Server {
 	return httptest.NewServer(http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
 			w.WriteHeader(responseCode)
-			w.Write([]byte(payload))
+			_, err := w.Write([]byte(payload))
+			require.NoError(t, err)
 		}))
 }
 
 func TestRequest(t *testing.T) {
-	backend := testBackend(200, "{\"foo\": \"bar\"}")
+	backend := testBackend(t, 200, "{\"foo\": \"bar\"}")
 	defer backend.Close()
 
 	req, _ := http.NewRequest("GET", backend.URL, nil)
@@ -35,7 +36,7 @@ func TestRequest(t *testing.T) {
 func TestRequestFailure(t *testing.T) {
 	// Create a backend to generate a test URL, then close it to cause a
 	// connection error.
-	backend := testBackend(200, "{\"foo\": \"bar\"}")
+	backend := testBackend(t, 200, "{\"foo\": \"bar\"}")
 	backend.Close()
 
 	req, err := http.NewRequest("GET", backend.URL, nil)
@@ -49,7 +50,7 @@ func TestRequestFailure(t *testing.T) {
 }
 
 func TestHttpErrorCode(t *testing.T) {
-	backend := testBackend(404, "{\"foo\": \"bar\"}")
+	backend := testBackend(t, 404, "{\"foo\": \"bar\"}")
 	defer backend.Close()
 
 	req, err := http.NewRequest("GET", backend.URL, nil)
@@ -60,7 +61,7 @@ func TestHttpErrorCode(t *testing.T) {
 }
 
 func TestJsonParsingError(t *testing.T) {
-	backend := testBackend(200, "not well-formed JSON")
+	backend := testBackend(t, 200, "not well-formed JSON")
 	defer backend.Close()
 
 	req, err := http.NewRequest("GET", backend.URL, nil)
@@ -77,7 +78,8 @@ func TestRequestUnparsedResponseUsingAccessTokenParameter(t *testing.T) {
 			token := r.FormValue("access_token")
 			if r.URL.Path == "/" && token == "my_token" {
 				w.WriteHeader(200)
-				w.Write([]byte("some payload"))
+				_, err := w.Write([]byte("some payload"))
+				require.NoError(t, err)
 			} else {
 				w.WriteHeader(403)
 			}
@@ -86,16 +88,17 @@ func TestRequestUnparsedResponseUsingAccessTokenParameter(t *testing.T) {
 
 	response, err := RequestUnparsedResponse(
 		backend.URL+"?access_token=my_token", nil)
+	defer response.Body.Close()
+
 	assert.Equal(t, nil, err)
 	assert.Equal(t, 200, response.StatusCode)
 	body, err := ioutil.ReadAll(response.Body)
 	assert.Equal(t, nil, err)
-	response.Body.Close()
 	assert.Equal(t, "some payload", string(body))
 }
 
 func TestRequestUnparsedResponseUsingAccessTokenParameterFailedResponse(t *testing.T) {
-	backend := testBackend(200, "some payload")
+	backend := testBackend(t, 200, "some payload")
 	// Close the backend now to force a request failure.
 	backend.Close()
 
@@ -110,7 +113,8 @@ func TestRequestUnparsedResponseUsingHeaders(t *testing.T) {
 		func(w http.ResponseWriter, r *http.Request) {
 			if r.URL.Path == "/" && r.Header["Auth"][0] == "my_token" {
 				w.WriteHeader(200)
-				w.Write([]byte("some payload"))
+				_, err := w.Write([]byte("some payload"))
+				require.NoError(t, err)
 			} else {
 				w.WriteHeader(403)
 			}
@@ -120,10 +124,12 @@ func TestRequestUnparsedResponseUsingHeaders(t *testing.T) {
 	headers := make(http.Header)
 	headers.Set("Auth", "my_token")
 	response, err := RequestUnparsedResponse(backend.URL, headers)
+	defer response.Body.Close()
+
 	assert.Equal(t, nil, err)
 	assert.Equal(t, 200, response.StatusCode)
 	body, err := ioutil.ReadAll(response.Body)
 	assert.Equal(t, nil, err)
-	response.Body.Close()
+
 	assert.Equal(t, "some payload", string(body))
 }