From 01013683690ee37623f2dc2718990dad0fe45d77 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Tue, 15 Feb 2022 13:43:55 +0100 Subject: [PATCH] outposts/proxy: fix logic error in rd argument Signed-off-by: Jens Langhammer #1997 --- internal/outpost/proxyv2/application/oauth.go | 8 ++--- .../outpost/proxyv2/application/oauth_test.go | 32 +++++++++++++++++++ internal/outpost/proxyv2/application/test.go | 1 + 3 files changed, 37 insertions(+), 4 deletions(-) create mode 100644 internal/outpost/proxyv2/application/oauth_test.go diff --git a/internal/outpost/proxyv2/application/oauth.go b/internal/outpost/proxyv2/application/oauth.go index 14fb813b2..f699370eb 100644 --- a/internal/outpost/proxyv2/application/oauth.go +++ b/internal/outpost/proxyv2/application/oauth.go @@ -17,7 +17,7 @@ const ( ) func (a *Application) checkRedirectParam(r *http.Request) (string, bool) { - rd := r.Header.Get(redirectParam) + rd := r.URL.Query().Get(redirectParam) if rd == "" { return "", false } @@ -28,16 +28,16 @@ func (a *Application) checkRedirectParam(r *http.Request) (string, bool) { } // Check to make sure we only redirect to allowed places if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE { - if !strings.Contains(u.String(), a.ProxyConfig().ExternalHost) { + if !strings.Contains(u.String(), a.proxyConfig.ExternalHost) { a.log.Warning("redirect URI did not contain external host") return "", false } } else { - if !strings.HasSuffix(rd, *a.ProxyConfig().CookieDomain) { + if !strings.HasSuffix(rd, *a.proxyConfig.CookieDomain) { return "", false } } - return u.String(), false + return u.String(), true } func (a *Application) handleRedirect(rw http.ResponseWriter, r *http.Request) { diff --git a/internal/outpost/proxyv2/application/oauth_test.go b/internal/outpost/proxyv2/application/oauth_test.go new file mode 100644 index 000000000..ced8f2fdb --- /dev/null +++ b/internal/outpost/proxyv2/application/oauth_test.go @@ -0,0 +1,32 @@ +package application + +import ( + "net/http" + "testing" + + "github.com/stretchr/testify/assert" +) + +func TestCheckRedirectParam(t *testing.T) { + a := newTestApplication() + req, _ := http.NewRequest("GET", "/outpost.goauthentik.io/auth/start", nil) + + rd, ok := a.checkRedirectParam(req) + + assert.Equal(t, false, ok) + assert.Equal(t, "", rd) + + req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://google.com", nil) + + rd, ok = a.checkRedirectParam(req) + + assert.Equal(t, false, ok) + assert.Equal(t, "", rd) + + req, _ = http.NewRequest("GET", "/outpost.goauthentik.io/auth/start?rd=https://ext.t.goauthentik.io/test", nil) + + rd, ok = a.checkRedirectParam(req) + + assert.Equal(t, true, ok) + assert.Equal(t, "https://ext.t.goauthentik.io/test", rd) +} diff --git a/internal/outpost/proxyv2/application/test.go b/internal/outpost/proxyv2/application/test.go index 8e1fbc340..c87e7cbfc 100644 --- a/internal/outpost/proxyv2/application/test.go +++ b/internal/outpost/proxyv2/application/test.go @@ -15,6 +15,7 @@ func newTestApplication() *Application { ClientId: api.PtrString(ak.TestSecret()), ClientSecret: api.PtrString(ak.TestSecret()), CookieSecret: api.PtrString(ak.TestSecret()), + ExternalHost: "https://ext.t.goauthentik.io", CookieDomain: api.PtrString(""), Mode: api.PROXYMODE_FORWARD_SINGLE.Ptr(), SkipPathRegex: api.PtrString("/skip.*"),