2021-09-08 18:04:56 +00:00
|
|
|
package application
|
|
|
|
|
|
|
|
import (
|
|
|
|
"encoding/base64"
|
|
|
|
"fmt"
|
|
|
|
"net/http"
|
2021-12-21 14:49:25 +00:00
|
|
|
"net/url"
|
2021-09-08 18:04:56 +00:00
|
|
|
"strings"
|
2021-12-01 19:41:55 +00:00
|
|
|
|
2021-12-20 20:04:45 +00:00
|
|
|
"goauthentik.io/api"
|
2021-12-01 19:41:55 +00:00
|
|
|
"goauthentik.io/internal/constants"
|
2021-09-08 18:04:56 +00:00
|
|
|
)
|
|
|
|
|
2021-12-01 19:05:56 +00:00
|
|
|
func (a *Application) addHeaders(headers http.Header, c *Claims) {
|
2021-09-08 18:04:56 +00:00
|
|
|
// https://goauthentik.io/docs/providers/proxy/proxy
|
2021-10-02 20:00:23 +00:00
|
|
|
|
2021-12-01 19:05:56 +00:00
|
|
|
headers.Set("X-authentik-username", c.PreferredUsername)
|
|
|
|
headers.Set("X-authentik-groups", strings.Join(c.Groups, "|"))
|
|
|
|
headers.Set("X-authentik-email", c.Email)
|
|
|
|
headers.Set("X-authentik-name", c.Name)
|
|
|
|
headers.Set("X-authentik-uid", c.Sub)
|
2021-12-12 16:58:19 +00:00
|
|
|
headers.Set("X-authentik-jwt", c.RawToken)
|
2021-10-02 20:00:23 +00:00
|
|
|
|
2021-12-01 19:19:09 +00:00
|
|
|
// System headers
|
2021-12-02 13:19:57 +00:00
|
|
|
headers.Set("X-authentik-meta-jwks", a.proxyConfig.OidcConfiguration.JwksUri)
|
2021-12-01 19:19:09 +00:00
|
|
|
headers.Set("X-authentik-meta-outpost", a.outpostName)
|
|
|
|
headers.Set("X-authentik-meta-provider", a.proxyConfig.Name)
|
|
|
|
headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug)
|
2021-12-01 19:41:55 +00:00
|
|
|
headers.Set("X-authentik-meta-version", constants.OutpostUserAgent())
|
2021-12-01 19:19:09 +00:00
|
|
|
|
2021-09-08 18:04:56 +00:00
|
|
|
userAttributes := c.Proxy.UserAttributes
|
|
|
|
// Attempt to set basic auth based on user's attributes
|
|
|
|
if *a.proxyConfig.BasicAuthEnabled {
|
|
|
|
var ok bool
|
|
|
|
var password string
|
|
|
|
if password, ok = userAttributes[*a.proxyConfig.BasicAuthPasswordAttribute].(string); !ok {
|
|
|
|
password = ""
|
|
|
|
}
|
|
|
|
// Check if we should use email or a custom attribute as username
|
|
|
|
var username string
|
|
|
|
if username, ok = userAttributes[*a.proxyConfig.BasicAuthUserAttribute].(string); !ok {
|
|
|
|
username = c.Email
|
|
|
|
}
|
|
|
|
authVal := base64.StdEncoding.EncodeToString([]byte(username + ":" + password))
|
|
|
|
a.log.WithField("username", username).Trace("setting http basic auth")
|
2021-12-01 19:05:56 +00:00
|
|
|
headers.Set("Authorization", fmt.Sprintf("Basic %s", authVal))
|
2021-09-08 18:04:56 +00:00
|
|
|
}
|
|
|
|
// Check if user has additional headers set that we should sent
|
|
|
|
if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]interface{}); ok {
|
|
|
|
a.log.WithField("headers", additionalHeaders).Trace("setting additional headers")
|
|
|
|
if additionalHeaders == nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
for key, value := range additionalHeaders {
|
2021-12-01 19:05:56 +00:00
|
|
|
headers.Set(key, toString(value))
|
2021-09-08 18:04:56 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2021-12-20 20:04:45 +00:00
|
|
|
|
2021-12-21 14:49:25 +00:00
|
|
|
func (a *Application) getTraefikForwardUrl(r *http.Request) *url.URL {
|
|
|
|
u, err := url.Parse(fmt.Sprintf(
|
|
|
|
"%s://%s%s",
|
|
|
|
r.Header.Get("X-Forwarded-Proto"),
|
|
|
|
r.Header.Get("X-Forwarded-Host"),
|
|
|
|
r.Header.Get("X-Forwarded-Uri"),
|
|
|
|
))
|
|
|
|
if err != nil {
|
|
|
|
a.log.WithError(err).Warning("Failed to parse URL from traefik")
|
|
|
|
return r.URL
|
|
|
|
}
|
2021-12-26 13:11:11 +00:00
|
|
|
a.log.WithField("url", u.String()).Trace("traefik forwarded url")
|
2021-12-21 14:49:25 +00:00
|
|
|
return u
|
|
|
|
}
|
|
|
|
|
2021-12-20 20:04:45 +00:00
|
|
|
func (a *Application) IsAllowlisted(r *http.Request) bool {
|
2021-12-21 14:49:25 +00:00
|
|
|
url := r.URL
|
|
|
|
// In Forward auth mode, we can't directly match against the requested URL
|
|
|
|
// Since that would be /akprox/auth/...
|
|
|
|
if a.Mode() == api.PROXYMODE_FORWARD_SINGLE || a.Mode() == api.PROXYMODE_FORWARD_DOMAIN {
|
|
|
|
// For traefik, we can get the Upstream URL from headers
|
2021-12-21 18:16:01 +00:00
|
|
|
// For nginx we can attempt to as well, but it's not guaranteed to work.
|
2021-12-21 14:49:25 +00:00
|
|
|
if strings.HasPrefix(r.URL.Path, "/akprox/auth") {
|
|
|
|
url = a.getTraefikForwardUrl(r)
|
|
|
|
}
|
|
|
|
}
|
2021-12-20 20:04:45 +00:00
|
|
|
for _, u := range a.UnauthenticatedRegex {
|
|
|
|
var testString string
|
|
|
|
if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
|
2021-12-21 14:49:25 +00:00
|
|
|
testString = url.Path
|
2021-12-20 20:04:45 +00:00
|
|
|
} else {
|
2021-12-21 14:49:25 +00:00
|
|
|
testString = url.String()
|
2021-12-20 20:04:45 +00:00
|
|
|
}
|
|
|
|
a.log.WithField("regex", u.String()).WithField("url", testString).Trace("Matching URL against allow list")
|
|
|
|
if u.MatchString(testString) {
|
|
|
|
return true
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false
|
|
|
|
}
|