Commit Graph

274 Commits

Author SHA1 Message Date
Joel Speed
1337f56188
Prepare CHANGELOG for v6.1.1 release 2020-08-31 17:01:52 +01:00
Joel Speed
b40517bbe3
Fix conversion of static responses in upstreams 2020-08-31 16:54:01 +01:00
Nick Meves
29b24793e3
Use X-Forwarded-Host consistently 2020-08-31 08:31:45 -07:00
Joel Speed
43bf36425d
Prepare changelog for v6.1.0 release 2020-08-27 15:08:46 +01:00
Joel Speed
105d5acb7b
Only log no cookie match if cookie domains specified 2020-08-27 14:48:00 +01:00
Dan Bond
d7abd56981
dist.sh: remove go version from asset links (#733)
* dist.sh: remove go version from asset links

* update changelog
2020-08-25 08:41:14 -07:00
Joel Speed
d05e08cba3
Create generic Authorization Header constructor 2020-08-16 20:04:34 +01:00
Joel Speed
16a30002df
Ensure session times are not nil before printing them 2020-08-16 19:53:52 +01:00
Nick Meves
514db45d1a
Allow OIDC Bearer Tokens without emails
This reverts to functionality before #499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before #499.
2020-08-14 13:31:38 -07:00
Nick Meves
51a9062044
Support Password & SentinelPassword in Redis session store 2020-08-11 12:22:05 -07:00
Nick Meves
b6e78efc1e
Add x-oauth-basic nosec annotation & address gosec unhandled errors 2020-08-10 15:15:16 -07:00
Phil Taprogge
d69fd6af22
Allow Logging to stdout with separate Error Log Channel (#718)
* Add dedicated error logging writer

* Document new errors to stdout flag

* Update changelog

* Thread-safe the log buffer

* Address feedback

* Remove duplication by adding log level

* Clean up error formatting

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-08-10 11:44:08 +01:00
Nick Meves
65c228394f
Address gosec findings
Mostly handling unhandled errors appropriately.
If logging to STDERR fails, we panic. Added #nosec
comments to findings we are OK with.
2020-08-09 07:55:39 -07:00
Nick Meves
81ec9edf53
Fix time issue causing finicky failures in logging tests 2020-08-06 15:44:05 -07:00
Nick Meves
19836f85ac
Align persistence ginkgo tests to conventions 2020-07-21 22:13:17 -07:00
Andy Voltz
88ef888752
Preserve query when building redirect (fix for #695) (#696)
* Add test for GetRedirect to check query and fragments.

* Preserve query and fragment when building redirect.

* Add changelog entry for redirect fix
2020-07-21 16:38:13 +01:00
Joel Speed
d4dd34a65a
Move provider URLs to package level vars 2020-07-19 18:34:55 +01:00
Nick Meves
9643a0b10c
Centralize Ticket management of persistent stores (#682)
* Centralize Ticket management of persistent stores

persistence package with Manager & Ticket will handle
all the details about keys, secrets, ticket into cookies,
etc. Persistent stores just need to pass Save, Load &
Clear function handles to the persistent manager now.

* Shift to persistence.Manager wrapping a persistence.Store

* Break up the Redis client builder logic

* Move error messages to Store from Manager

* Convert ticket to private for Manager use only

* Add persistence Manager & ticket tests

* Make a custom MockStore that handles time FastForwards
2020-07-19 21:25:13 +01:00
Joel Speed
3f00143175
Add changelog entry for session middleware refactor 2020-07-19 17:24:58 +01:00
Joel Speed
6b27069812
Add changelog entry for integrating new upstream proxy 2020-07-19 14:01:36 +01:00
Joel Speed
e73db7df7b
Add HTPasswd validator refactor to changelog 2020-07-18 11:01:49 +01:00
Nick Meves
abeb0236d8
Strip X-Forwarded auth headers from whitelisted paths (#624)
* Strip X-Forwarded auth headers from whitelisted paths

For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).

Only x-Forwarded headers stripped, left the Authorization header
untouched.

* Strip authorization header if it would be set

* Improve TestStripAuthHeaders test table

* Improve --skip-auth-strip-headers flag documentation
2020-07-14 23:46:44 +01:00
Nick Meves
bb5977095f
Add option to remove tokens from cookie sessions (#673)
* Add option to remove tokens from cookie sessions

* Move Minimal to be an option on CookieSession

* Add sessionOptionsDefaults helper
2020-07-14 23:02:10 +01:00
Nick Meves
a09eecc6a2
Reduce SessionState size better with MessagePack + LZ4 (#632)
* Encode sessions with MsgPack + LZ4

Assumes ciphers are now mandatory per #414. Cookie & Redis sessions
can fallback to V5 style JSON in error cases. TODO: session_state.go
unit tests & new unit tests for Legacy fallback scenarios.

* Only compress encoded sessions with Cookie Store

* Cleanup msgpack + lz4 error handling

* Change NewBase64Cipher to take in an existing Cipher

* Add msgpack & lz4 session state tests

* Add required options for oauthproxy tests

More aggressively assert.NoError on all
validation.Validate(opts) calls to enforce legal
options in all our tests.
Add additional NoError checks wherever error return
values were ignored.

* Remove support for uncompressed session state fields

* Improve error verbosity & add session state tests

* Ensure all marshalled sessions are valid

Invalid CFB decryptions can result in garbage data
that 1/100 times might cause message pack unmarshal
to not fail and instead return an empty session.
This adds more rigor to make sure legacy sessions
cause appropriate errors.

* Add tests for legacy V5 session decoding

Refactor common legacy JSON test cases to a
legacy helpers area under session store tests.

* Make ValidateSession a struct method & add CHANGELOG entry

* Improve SessionState error & comments verbosity

* Move legacy session test helpers to sessions pkg

Placing these helpers under the sessions pkg removed
all the circular import uses in housing it under the
session store area.

* Improve SignatureAuthenticator test helper formatting

* Make redis.legacyV5DecodeSession internal

* Make LegacyV5TestCase test table public for linter
2020-07-13 20:56:05 +01:00
mkontani
dd36138965
docs: Fix required ruby-version (#675)
* fix required ruby-version

Signed-off-by: mkontani <itoama@live.jp>

* add a changelog entry

Signed-off-by: mkontani <itoama@live.jp>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-12 16:09:34 +01:00
Joel Speed
d1c7be565b
Move changelog entry to correct release
This changelog entry was merged into the wrong release, this puts it back to the correct release
2020-07-11 11:14:12 +01:00
Isabelle COWAN-BERGMAN
64ae31b5a0
Implements --trusted-ip option (#552)
* Implements --ip-whitelist option

* Included IPWhitelist option to allow one-or-more selected CIDR ranges
  to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.

* Renamed IPWhitelist ipCIDRSet

* Fixed unessesary pointer usage in ipCIDRSet

* Update CHANGELOG.md

* Update CHANGELOG.md

* Updated to not use err.Error() in printf statements

* Imrpoved language for --ip-whitelist descriptions.

* Improve IP whitelist options error messages

* Clarify options single-host normalization

* Wrote a book about ipCIDRSet

* Added comment to IsWhitelistedIP in oauthproxy.go

* Rewrite oauthproxy test case as table driven

* oops

* Support whitelisting by low-level remote address

* Added more test-cases, improved descriptions

* Move ip_cidr_set.go to pkg/ip/net_set.go

* Add more whitelist test use cases.

* Oops

* Use subtests for TestIPWhitelist

* Add minimal tests for ip.NetSet

* Use switch statment

* Renamed ip-whitelist to whitelist-ip

* Update documentation with a warning.

* Update pkg/apis/options/options.go

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix fmt

* Move ParseIPNet into abstraction

* Add warning in case of --reverse-proxy

* Update pkg/validation/options_test.go

* Rename --whitelist-ip to --trusted-ip

* Update oauthproxy.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-11 11:10:58 +01:00
Joel Speed
7ffe9b7620
Reduce docker context to improve build times 2020-07-07 20:51:43 +01:00
Mariano Vallés
a999270cf3
Add req.host to targetURL when redirecting to https (#668)
* Add req.host to targetURL when redirecting to https

The req.URL.Host might not be present when redirecting to https if the
given req.URL is something like "/". In such scenario, the req.Host is
still present and valid.

This commit adds the original req.Host to the targetURL before returning
the 308 status, to avoid having a `Location: https:///` in the response.

* Bring back empty line

* Wrap the setting of targetURL.Host in a condition

* Add a comment to the test explaining why the redirectURL includes example.com

* Add changelog entry
2020-07-07 09:55:38 +01:00
Joel Speed
02410d3919
Update changelog to add request builder entry 2020-07-06 18:31:28 +01:00
Mitsuo Heijo
97ab3fa005 update CHANGELOG 2020-07-06 19:09:02 +09:00
Jordan Crawford
6346dafc1e (#649) Remove blank helthcheck user agents and paths when setting up the healthcheck middleware
A blank user agent is considered == to an empty string. When no -ping-user-agent option is specified, this is considered to be an empty string.

This reveals two problems:
- When no ping-user-agent is specified, main.go sets up a health check user agent of ""
- When no user agent is specified, the empty string is still checked against the health check user agents.

Now the health check middleware ignores blank user agents and paths in order to sanitise it's input to avoid this issue.

Additional tests have been added to verify these situations.
2020-07-06 14:07:38 +12:00
Joel Speed
37c76b6376
Update changelog to add upstream proxy entry 2020-07-05 10:22:24 +01:00
Joel Speed
eb933cc3f4
Add changelog entry for cookie validation separation 2020-07-05 09:18:45 +01:00
Nick Meves
c6f1daba2f
Split cookies more precisely at 4096 bytes 2020-07-03 20:38:04 -07:00
Joel Speed
1c1106721e
Move RedirectToHTTPS to middleware package
Moves the logic for redirecting to HTTPs to a middleware package and adds tests for this logic.
Also makes the functionality more useful, previously it always redirected to the HTTPS address of the proxy, which may not have been intended, now it will redirect based on if a port is provided in the URL (assume public facing 80 to 443 or 4180 to 8443 for example)
2020-07-03 17:19:09 +01:00
Joel Speed
5c8a66bcc9
Close client connections after each redis test 2020-07-03 16:24:47 +01:00
k-wall
b0375e85fa
Fix #635: Support specifying alternative provider TLS trust source(s) (#645)
* Fix #635: Support specifying alternative provider TLS trust source(s)

* Update pkg/apis/options/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/validation/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address review comments

* upd CHANGELOG.md

* refactor test to assert textual subjects + add openssl gen cmd

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-03 16:09:17 +01:00
Joel Speed
34137f7305
Move SessionStore tests to independent package 2020-07-01 06:41:35 +01:00
Joel Speed
778463906a
Update changelog for session storage initialisation move 2020-06-28 12:32:06 +01:00
Joel Speed
25154ede41
Update changelog ready for release v6.0.0 2020-06-27 12:10:27 +01:00
İlteriş Eroğlu
1b6c54cae1
Change how gitlab-group is parsed on options (#639)
* Changed how gitlab-group is parsed, from string to []string

See #637

* Point out that gitlab-group can be a list

See #637

* Reflect to the []string change on pkg/apis/options/options.go

See #637

* Move cfg option gitlab_group to gitlab_groups

See #637

* Renamed Group to Groups

See #637

* Reflect the change on gitlab.go as well

See #637

* Added #639

* Added the author of #639 to the CHANGELOG

* Add the gitlab_groups env change to CHANGELOG.md

See #639

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-26 23:26:07 +01:00
Evgeni Gordeev
054979978f Merge remote-tracking branch 'upstream/master' into helm-example
# Conflicts:
#	CHANGELOG.md
2020-06-25 15:24:00 -05:00
Evgeni Gordeev
e8fce0b14d Merge remote-tracking branch 'upstream/master' into helm-example
# Conflicts:
#	CHANGELOG.md
2020-06-19 22:25:14 -05:00
Nick Meves
c2c1caa404
Set User = Subject in ExtraJWTBearer sessions 2020-06-19 11:48:23 -07:00
Joel Speed
dc756b9de3
Don't log invalid redirect if redirect is empty 2020-06-19 18:17:05 +01:00
Evgeni Gordeev
11c033e2c8 * move httpbin and hello-world charts outside.
* expose kind to 443 port
* make helm optional
* rename folder to kubernetes
2020-06-16 16:39:11 -05:00
Evgeni Gordeev
9a495e996b Merge remote-tracking branch 'upstream/master' into helm-example
# Conflicts:
#	CHANGELOG.md
2020-06-16 16:38:01 -05:00
Joel Speed
ba3e40ab1c
Add changelog entry for healthcheck middleware 2020-06-14 21:06:14 +01:00
Evgeni Gordeev
43f214ce8b
Add Keycloak local testing environment (#604)
* Adding one more example - keycloak - alongside with dex IDP.

* don't expose keycloak and proxy ports to the host

* specify email-domain list option in documentation

* get rid of nginx and socat to simplify the example as per https://github.com/oauth2-proxy/oauth2-proxy/pull/604#issuecomment-640054390

* get rid of the scripts - use static file for keycloak startup

* changelog entry

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-14 14:06:12 +01:00