outposts/proxy: fix error handling, remove requirement for profile/etc scopes

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens Langhammer 2023-01-14 21:44:28 +01:00
parent 829e49275d
commit 4c45d35507
No known key found for this signature in database
4 changed files with 18 additions and 24 deletions

View File

@ -104,23 +104,18 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore
} }
a.sessions = a.getStore(p, externalHost) a.sessions = a.getStore(p, externalHost)
mux.Use(web.NewLoggingHandler(muxLogger, func(l *log.Entry, r *http.Request) *log.Entry { mux.Use(web.NewLoggingHandler(muxLogger, func(l *log.Entry, r *http.Request) *log.Entry {
s, err := a.sessions.Get(r, constants.SessionName) c := a.getClaimsFromSession(r)
if err != nil { if c == nil {
return l
}
claims, ok := s.Values[constants.SessionClaims]
if claims == nil || !ok {
return l
}
c, ok := claims.(Claims)
if !ok {
return l return l
} }
if c.PreferredUsername != "" {
return l.WithField("request_username", c.PreferredUsername) return l.WithField("request_username", c.PreferredUsername)
}
return l.WithField("request_username", c.Sub)
})) }))
mux.Use(func(inner http.Handler) http.Handler { mux.Use(func(inner http.Handler) http.Handler {
return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
c, _ := a.checkAuth(rw, r) c := a.getClaimsFromSession(r)
user := "" user := ""
if c != nil { if c != nil {
user = c.PreferredUsername user = c.PreferredUsername

View File

@ -52,10 +52,6 @@ func (a *Application) attemptBearerAuth(r *http.Request, token string) *TokenInt
a.log.Warning("token is not active") a.log.Warning("token is not active")
return nil return nil
} }
if !strings.Contains(intro.Scope, "openid") || !strings.Contains(intro.Scope, "profile") {
a.log.Error("token missing openid or profile scope")
return nil
}
intro.RawToken = token intro.RawToken = token
a.log.Trace("successfully introspected bearer token") a.log.Trace("successfully introspected bearer token")
return &intro return &intro

View File

@ -29,6 +29,9 @@ func (a *Application) addHeaders(headers http.Header, c *Claims) {
headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug) headers.Set("X-authentik-meta-app", a.proxyConfig.AssignedApplicationSlug)
headers.Set("X-authentik-meta-version", constants.OutpostUserAgent()) headers.Set("X-authentik-meta-version", constants.OutpostUserAgent())
if c.Proxy == nil {
return
}
userAttributes := c.Proxy.UserAttributes userAttributes := c.Proxy.UserAttributes
// Attempt to set basic auth based on user's attributes // Attempt to set basic auth based on user's attributes
if *a.proxyConfig.BasicAuthEnabled { if *a.proxyConfig.BasicAuthEnabled {

View File

@ -33,6 +33,13 @@ func (a *Application) configureProxy() error {
rp.ErrorHandler = a.newProxyErrorHandler() rp.ErrorHandler = a.newProxyErrorHandler()
rp.ModifyResponse = a.proxyModifyResponse rp.ModifyResponse = a.proxyModifyResponse
a.mux.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) { a.mux.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
defer func() {
err := recover()
if err == nil || err == http.ErrAbortHandler {
return
}
log.WithError(err.(error)).Error("recover in reverse proxy")
}()
claims, err := a.checkAuth(rw, r) claims, err := a.checkAuth(rw, r)
if claims == nil && a.IsAllowlisted(r.URL) { if claims == nil && a.IsAllowlisted(r.URL) {
a.log.Trace("path can be accessed without authentication") a.log.Trace("path can be accessed without authentication")
@ -45,13 +52,6 @@ func (a *Application) configureProxy() error {
} }
before := time.Now() before := time.Now()
rp.ServeHTTP(rw, r) rp.ServeHTTP(rw, r)
defer func() {
err := recover()
if err == nil || err == http.ErrAbortHandler {
return
}
log.WithError(err.(error)).Error("recover in reverse proxy")
}()
after := time.Since(before) after := time.Since(before)
metrics.UpstreamTiming.With(prometheus.Labels{ metrics.UpstreamTiming.With(prometheus.Labels{
@ -68,9 +68,9 @@ func (a *Application) configureProxy() error {
func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) { func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
return func(r *http.Request) { return func(r *http.Request) {
r.Header.Set("X-Forwarded-Host", r.Host) r.Header.Set("X-Forwarded-Host", r.Host)
claims, _ := a.checkAuth(nil, r)
r.URL.Scheme = ou.Scheme r.URL.Scheme = ou.Scheme
r.URL.Host = ou.Host r.URL.Host = ou.Host
claims := a.getClaimsFromSession(r)
if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" { if claims != nil && claims.Proxy != nil && claims.Proxy.BackendOverride != "" {
u, err := url.Parse(claims.Proxy.BackendOverride) u, err := url.Parse(claims.Proxy.BackendOverride)
if err != nil { if err != nil {
@ -85,6 +85,6 @@ func (a *Application) proxyModifyRequest(ou *url.URL) func(req *http.Request) {
} }
func (a *Application) proxyModifyResponse(res *http.Response) error { func (a *Application) proxyModifyResponse(res *http.Response) error {
res.Header.Set("X-Powered-By", "authentik_proxy2") res.Header.Set("X-Powered-By", "goauthentik.io")
return nil return nil
} }