outposts: fix oauth state when using signature routing (#3616)

* fix oauth state when using signature routing Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> * more retires Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2022-09-19 21:38:34 +02:00 · 2022-09-19 21:38:34 +02:00 · 47daaf969a
parent 9fb5092fdc
commit 47daaf969a
5 changed files with 14 additions and 14 deletions
--- a/internal/outpost/proxyv2/application/mode_forward.go
+++ b/internal/outpost/proxyv2/application/mode_forward.go
@ -37,9 +37,11 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
 		http.Error(rw, "configuration error", http.StatusInternalServerError)
 		return
 	}
+	tr := r.Clone(r.Context())
+	tr.URL = fwd
 	if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") {
 		a.log.Debug("handling OAuth Callback from querystring signature")
-		a.handleAuthCallback(rw, r)
+		a.handleAuthCallback(rw, tr)
 		return
 	} else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") {
 		a.log.Debug("handling OAuth Logout from querystring signature")
@ -57,8 +59,6 @@ func (a *Application) forwardHandleTraefik(rw http.ResponseWriter, r *http.Reque
 		a.log.Trace("path can be accessed without authentication")
 		return
 	}
-	tr := r.Clone(r.Context())
-	tr.URL = fwd
 	a.handleAuthStart(rw, r)
 	// set the redirect flag to the current URL we have, since we redirect
 	// to a (possibly) different domain, but we want to be redirected back
@ -88,9 +88,11 @@ func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request
 		http.Error(rw, "configuration error", http.StatusInternalServerError)
 		return
 	}
+	tr := r.Clone(r.Context())
+	tr.URL = fwd
 	if strings.EqualFold(fwd.Query().Get(CallbackSignature), "true") {
 		a.log.Debug("handling OAuth Callback from querystring signature")
-		a.handleAuthCallback(rw, r)
+		a.handleAuthCallback(rw, tr)
 		return
 	} else if strings.EqualFold(fwd.Query().Get(LogoutSignature), "true") {
 		a.log.Debug("handling OAuth Logout from querystring signature")
@ -108,8 +110,6 @@ func (a *Application) forwardHandleCaddy(rw http.ResponseWriter, r *http.Request
 		a.log.Trace("path can be accessed without authentication")
 		return
 	}
-	tr := r.Clone(r.Context())
-	tr.URL = fwd
 	a.handleAuthStart(rw, r)
 	// set the redirect flag to the current URL we have, since we redirect
 	// to a (possibly) different domain, but we want to be redirected back
--- a/internal/outpost/proxyv2/application/oauth.go
+++ b/internal/outpost/proxyv2/application/oauth.go
@ -78,7 +78,7 @@ func (a *Application) handleAuthCallback(rw http.ResponseWriter, r *http.Request
 		http.Redirect(rw, r, a.proxyConfig.ExternalHost, http.StatusFound)
 		return
 	}
-	claims, err := a.redeemCallback(r, state.([]string))
+	claims, err := a.redeemCallback(state.([]string), r.URL, r.Context())
 	if err != nil {
 		a.log.WithError(err).Warning("failed to redeem code")
 		rw.WriteHeader(400)
--- a/internal/outpost/proxyv2/application/oauth_callback.go
+++ b/internal/outpost/proxyv2/application/oauth_callback.go
@ -3,14 +3,14 @@ package application
 import (
 	"context"
 	"fmt"
-	"net/http"
+	"net/url"

 	log "github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
 )

-func (a *Application) redeemCallback(r *http.Request, states []string) (*Claims, error) {
-	state := r.URL.Query().Get("state")
+func (a *Application) redeemCallback(states []string, u *url.URL, c context.Context) (*Claims, error) {
+	state := u.Query().Get("state")
 	if len(states) < 1 {
 		return nil, fmt.Errorf("no states")
 	}
@ -29,12 +29,12 @@ func (a *Application) redeemCallback(r *http.Request, states []string) (*Claims,
 		return nil, fmt.Errorf("invalid state")
 	}

-	code := r.URL.Query().Get("code")
+	code := u.Query().Get("code")
 	if code == "" {
 		return nil, fmt.Errorf("blank code")
 	}

-	ctx := context.WithValue(r.Context(), oauth2.HTTPClient, a.httpClient)
+	ctx := context.WithValue(c, oauth2.HTTPClient, a.httpClient)
 	// Verify state and errors.
 	oauth2Token, err := a.oauthConfig.Exchange(ctx, code)
 	if err != nil {
--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
@ -19,7 +19,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH

 COPY --from=builder /go/ldap /

-HEALTHCHECK --interval=5s --retries=10 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
+HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]

 EXPOSE 3389 6636 9300

--- a/proxy.Dockerfile
+++ b/proxy.Dockerfile
@ -32,7 +32,7 @@ COPY --from=web-builder /static/security.txt /web/security.txt
 COPY --from=web-builder /static/dist/ /web/dist/
 COPY --from=web-builder /static/authentik/ /web/authentik/

-HEALTHCHECK --interval=5s --retries=10 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
+HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]

 EXPOSE 9000 9300 9443