outposts/proxy: fix redirect path when external host is a subdirectory (#3628)
fix redirect path when external host is a subdirectory Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org> Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
f9d9b2716d
commit
49b6aabb02
|
@ -25,6 +25,41 @@ func TestProxy_ModifyRequest(t *testing.T) {
|
|||
assert.Equal(t, "frontend", req.Host)
|
||||
}
|
||||
|
||||
func TestProxy_Redirect(t *testing.T) {
|
||||
a := newTestApplication()
|
||||
_ = a.configureProxy()
|
||||
req, _ := http.NewRequest("GET", "https://ext.t.goauthentik.io/foo", nil)
|
||||
rr := httptest.NewRecorder()
|
||||
|
||||
a.mux.ServeHTTP(rr, req)
|
||||
|
||||
assert.Equal(t, http.StatusFound, rr.Code)
|
||||
loc, _ := rr.Result().Location()
|
||||
assert.Equal(
|
||||
t,
|
||||
"https://ext.t.goauthentik.io/outpost.goauthentik.io/start?rd=https%3A%2F%2Fext.t.goauthentik.io%2Ffoo",
|
||||
loc.String(),
|
||||
)
|
||||
}
|
||||
|
||||
func TestProxy_Redirect_Subdirectory(t *testing.T) {
|
||||
a := newTestApplication()
|
||||
a.proxyConfig.ExternalHost = a.proxyConfig.ExternalHost + "/subdir"
|
||||
_ = a.configureProxy()
|
||||
req, _ := http.NewRequest("GET", "https://ext.t.goauthentik.io/foo", nil)
|
||||
rr := httptest.NewRecorder()
|
||||
|
||||
a.mux.ServeHTTP(rr, req)
|
||||
|
||||
assert.Equal(t, http.StatusFound, rr.Code)
|
||||
loc, _ := rr.Result().Location()
|
||||
assert.Equal(
|
||||
t,
|
||||
"https://ext.t.goauthentik.io/subdir/outpost.goauthentik.io/start?rd=https%3A%2F%2Fext.t.goauthentik.io%2Ffoo",
|
||||
loc.String(),
|
||||
)
|
||||
}
|
||||
|
||||
func TestProxy_ModifyRequest_Claims(t *testing.T) {
|
||||
a := newTestApplication()
|
||||
req, _ := http.NewRequest("GET", "http://frontend/foo", nil)
|
||||
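Review bot: Both new tests discard every error (`_ = a.configureProxy()`, `req, _ :=`, `loc, _ := rr.Result().Location()`), so a response without a `Location` header leaves `loc` nil and `loc.String()` panics instead of failing with a readable message. I would check the error before use, `loc, err := rr.Result().Location()` followed by `if !assert.NoError(t, err) { return }`, and also assert on the value returned by `configureProxy()`. `TestProxy_Redirect_Subdirectory` also only requests `/foo`, which lies outside `/subdir`. A second case with a request path under the subdirectory would pin what the `rd` parameter looks like for the requests this fix targets.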
|
|
|
@ -16,6 +16,8 @@ func newTestApplication() *Application {
|
|||
ClientSecret: api.PtrString(ak.TestSecret()),
|
||||
CookieSecret: api.PtrString(ak.TestSecret()),
|
||||
ExternalHost: "https://ext.t.goauthentik.io",
|
||||
InternalHost: api.PtrString("http://backend"),
|
||||
InternalHostSslValidation: api.PtrBool(true),
|
||||
CookieDomain: api.PtrString(""),
|
||||
Mode: *api.NewNullableProxyMode(api.PROXYMODE_FORWARD_SINGLE.Ptr()),
|
||||
SkipPathRegex: api.PtrString("/skip.*"),
|
||||
|
|
|
@ -12,6 +12,15 @@ import (
|
|||
"goauthentik.io/internal/outpost/proxyv2/constants"
|
||||
)
|
||||
|
||||
func urlPathSet(originalUrl string, newPath string) string {
|
||||
u, err := url.Parse(originalUrl)
|
||||
if err != nil {
|
||||
return originalUrl
|
||||
}
|
||||
u.Path = newPath
|
||||
return u.String()
|
||||
}
|
||||
|
||||
func urlJoin(originalUrl string, newPath string) string {
|
||||
u, err := url.Parse(originalUrl)
|
||||
if err != nil {
|
||||
|
@ -26,7 +35,9 @@ func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
|
|||
if err != nil {
|
||||
a.log.WithError(err).Warning("failed to decode session")
|
||||
}
|
||||
redirectUrl := urlJoin(a.proxyConfig.ExternalHost, r.URL.Path)
|
||||
|
||||
redirectUrl := urlPathSet(a.proxyConfig.ExternalHost, r.URL.Path)
|
||||
|
||||
if a.Mode() == api.PROXYMODE_FORWARD_DOMAIN {
|
||||
dom := strings.TrimPrefix(*a.proxyConfig.CookieDomain, ".")
|
||||
// In forward_domain we only check that the current URL's host
|
||||
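Review bot: `urlPathSet` has no doc comment, and its contract differs from the neighbouring `urlJoin` in a way the call site in `redirectToStart` depends on: `u.Path = newPath` replaces the whole path, so any subdirectory in `ExternalHost` is dropped and only the rest of that URL is kept. Since `r.URL.Path` comes from the request, I would state the invariant on the helper, e.g. `// urlPathSet returns originalUrl with its path replaced by newPath; scheme and host always come from originalUrl, which is returned unchanged if it does not parse.` The parse-error branch also swallows `err`, so a malformed `ExternalHost` yields a redirect target without the requested path and nothing in the log; logging it at the call site would make that visible. The +/- markers are lost in this rendering, so I am assuming the `urlPathSet` call is the new side. Both `urlJoin` and `redirectToStart` continue outside the hunks shown.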
|
|