outposts/proxy: fix error handling, remove requirement for profile/etc scopes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens Langhammer 2023-01-14 21:44:28 +01:00
parent 829e49275d
commit 4c45d35507
No known key found for this signature in database
4 changed files with 18 additions and 24 deletions

View File

@ -104,23 +104,18 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
}
a.sessions = a.getStore(p, externalHost)
mux.Use(web.NewLoggingHandler(muxLogger, func(l *log.Entry, r *http.Request) *log.Entry {
s, err := a.sessions.Get(r, constants.SessionName)
if err != nil {
c := a.getClaimsFromSession(r)
if c == nil {
return l
}
claims, ok := s.Values[constants.SessionClaims]
if claims == nil || !ok {
return l
if c.PreferredUsername != "" {
return l.WithField("request_username", c.PreferredUsername)
}
c, ok := claims.(Claims)
if !ok {
return l
}
return l.WithField("request_username", c.PreferredUsername)
return l.WithField("request_username", c.Sub)
}))
mux.Use(func(inner http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
c, _ := a.checkAuth(rw, r)
c := a.getClaimsFromSession(r)
user := ""
if c != nil {
user = c.PreferredUsername

View File

@ -52,10 +52,6 @@ func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenInt
a.log.Warning("token is not active")
return nil
}
if !strings.Contains(intro.Scope, "openid") || !strings.Contains(intro.Scope, "profile") {
a.log.Error("token missing openid or profile scope")
return nil
}
intro.RawToken = token
a.log.Trace("successfully introspected bearer token")
return &intro

View File

@ -29,6 +29,9 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug)
headers.Set("X-authentik-meta-version", constants.OutpostUserAgent())
if c.Proxy == nil {
return
}
userAttributes := c.Proxy.UserAttributes
// Attempt to set basic auth based on user's attributes
if *a.proxyConfig.BasicAuthEnabled {

View File

@ -33,6 +33,13 @@ func (a *Application) configureProxy() error {
rp.ErrorHandler = a.newProxyErrorHandler()
rp.ModifyResponse = a.proxyModifyResponse
a.mux.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
defer func() {
err := recover()
if err == nil || err == http.ErrAbortHandler {
return
}
log.WithError(err.(error)).Error("recover in reverse proxy")
}()
claims, err := a.checkAuth(rw, r)
if claims == nil && a.IsAllowlisted(r.URL) {
a.log.Trace("path can be accessed without authentication")
@ -45,13 +52,6 @@ func (a *Application) configureProxy() error {
}
before := time.Now()
rp.ServeHTTP(rw, r)
defer func() {
err := recover()
if err == nil || err == http.ErrAbortHandler {
return
}
log.WithError(err.(error)).Error("recover in reverse proxy")
}()
after := time.Since(before)
metrics.UpstreamTiming.With(prometheus.Labels{
@ -68,9 +68,9 @@ func (a *Application) configureProxy() error {
func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
return func(r *http.Request) {
r.Header.Set("X-Forwarded-Host", r.Host)
claims, _ := a.checkAuth(nil, r)
r.URL.Scheme = ou.Scheme
r.URL.Host = ou.Host
claims := a.getClaimsFromSession(r)
if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
u, err := url.Parse(claims.Proxy.BackendOverride)
if err != nil {
@ -85,6 +85,6 @@ func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
}
func (a *Application) proxyModifyResponse(res *http.Response) error {
res.Header.Set("X-Powered-By", "authentik_proxy2")
res.Header.Set("X-Powered-By", "goauthentik.io")
return nil
}