outposts/proxy: match skipPathRegex against full URL on domain auth

closes #1955 Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
2021-12-18 15:50:42 +01:00 · 2021-12-18 15:50:42 +01:00 · 7a73ddfb60
parent d66f13c249
commit 7a73ddfb60
6 changed files with 95 additions and 17 deletions
--- a/internal/outpost/proxyv2/application/application.go
+++ b/internal/outpost/proxyv2/application/application.go
@ -180,8 +180,14 @@ func NewApplication(p api.ProxyOutpostConfig, c *http.Client, cs *ak.CryptoStore

 func (a *Application) IsAllowlisted(r *http.Request) bool {
 	for _, u := range a.UnauthenticatedRegex {
-		a.log.WithField("regex", u.String()).WithField("url", r.URL.Path).Trace("Matching URL against allow list")
-		if u.MatchString(r.URL.Path) {
+		var testString string
+		if a.Mode() == api.PROXYMODE_PROXY || a.Mode() == api.PROXYMODE_FORWARD_SINGLE {
+			testString = r.URL.Path
+		} else {
+			testString = r.URL.String()
+		}
+		a.log.WithField("regex", u.String()).WithField("url", testString).Trace("Matching URL against allow list")
+		if u.MatchString(testString) {
 			return true
 		}
 	}
--- a/web/src/locales/en.po
+++ b/web/src/locales/en.po
@ -3772,8 +3772,12 @@ msgid "Register device"
 msgstr "Register device"

 #: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
-msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
+#~ msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
+#~ msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression."
+msgstr "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression."

 #: src/pages/users/UserListPage.ts
 msgid "Regular user"
@ -4255,8 +4259,8 @@ msgid "Single use"
 msgstr "Single use"

 #: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Skip path regex"
-msgstr "Skip path regex"
+#~ msgid "Skip path regex"
+#~ msgstr "Skip path regex"

 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/ApplicationListPage.ts
@ -5246,6 +5250,14 @@ msgstr "URL used by authentik to retrieve tokens."
 msgid "URL used to request the initial token. This URL is only required for OAuth 1."
 msgstr "URL used to request the initial token. This URL is only required for OAuth 1."

+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Unauthenticated Paths"
+msgstr "Unauthenticated Paths"
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Unauthenticated URLs"
+msgstr "Unauthenticated URLs"
+
 #: src/pages/admin-overview/charts/PolicyStatusChart.ts
 msgid "Unbound policies"
 msgstr "Unbound policies"
@ -5861,6 +5873,10 @@ msgstr "When used in conjunction with a User Write stage, use attributes.foo to
 msgid "When using an external logging solution for archiving, this can be set to \"minutes=5\"."
 msgstr "When using an external logging solution for archiving, this can be set to \"minutes=5\"."

+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions."
+msgstr "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions."
+
 #: src/flows/FlowExecutor.ts
 msgid "Whoops!"
 msgstr "Whoops!"
--- a/web/src/locales/fr_FR.po
+++ b/web/src/locales/fr_FR.po
@ -3743,8 +3743,12 @@ msgid "Register device"
 msgstr "Enregistrer un appareil"

 #: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
-msgstr "Expression régulière pour laquelle l'authentification n'est pas nécessaire. Chaque nouvelle ligne est interprétée comme une nouvelle expression régulière."
+#~ msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
+#~ msgstr "Expression régulière pour laquelle l'authentification n'est pas nécessaire. Chaque nouvelle ligne est interprétée comme une nouvelle expression régulière."
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression."
+msgstr ""

 #: src/pages/users/UserListPage.ts
 msgid "Regular user"
@ -4218,8 +4222,8 @@ msgid "Single use"
 msgstr "Usage unique"

 #: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Skip path regex"
-msgstr "Regex chemins exclus"
+#~ msgid "Skip path regex"
+#~ msgstr "Regex chemins exclus"

 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/ApplicationListPage.ts
@ -5187,6 +5191,14 @@ msgstr "URL utilisée par authentik pour récupérer les jetons."
 msgid "URL used to request the initial token. This URL is only required for OAuth 1."
 msgstr "URL utilisée pour demander le jeton initial. Cette URL est uniquement requise pour OAuth 1."

+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Unauthenticated Paths"
+msgstr ""
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Unauthenticated URLs"
+msgstr ""
+
 #: src/pages/admin-overview/charts/PolicyStatusChart.ts
 msgid "Unbound policies"
 msgstr "Politiques non liées"
@ -5799,6 +5811,10 @@ msgstr ""
 msgid "When using an external logging solution for archiving, this can be set to \"minutes=5\"."
 msgstr "En cas d'utilisation d'une solution de journalisation externe pour l'archivage, cette valeur peut être fixée à \"minutes=5\"."

+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions."
+msgstr ""
+
 #: src/flows/FlowExecutor.ts
 msgid "Whoops!"
 msgstr "Oups !"
--- a/web/src/locales/pseudo-LOCALE.po
+++ b/web/src/locales/pseudo-LOCALE.po
@ -3762,7 +3762,11 @@ msgid "Register device"
 msgstr ""

 #: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
+#~ msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression."
+#~ msgstr ""
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Regular expressions for which authentication is not required. Each new line is interpreted as a new expression."
 msgstr ""

 #: src/pages/users/UserListPage.ts
@ -4245,8 +4249,8 @@ msgid "Single use"
 msgstr ""

 #: src/pages/providers/proxy/ProxyProviderForm.ts
-msgid "Skip path regex"
-msgstr ""
+#~ msgid "Skip path regex"
+#~ msgstr ""

 #: src/pages/applications/ApplicationForm.ts
 #: src/pages/applications/ApplicationListPage.ts
@ -5226,6 +5230,14 @@ msgstr ""
 msgid "URL used to request the initial token. This URL is only required for OAuth 1."
 msgstr ""

+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Unauthenticated Paths"
+msgstr ""
+
+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "Unauthenticated URLs"
+msgstr ""
+
 #: src/pages/admin-overview/charts/PolicyStatusChart.ts
 msgid "Unbound policies"
 msgstr ""
@ -5841,6 +5853,10 @@ msgstr ""
 msgid "When using an external logging solution for archiving, this can be set to \"minutes=5\"."
 msgstr ""

+#: src/pages/providers/proxy/ProxyProviderForm.ts
+msgid "When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions."
+msgstr ""
+
 #: src/flows/FlowExecutor.ts
 msgid "Whoops!"
 msgstr ""
--- a/web/src/pages/providers/proxy/ProxyProviderForm.ts
+++ b/web/src/pages/providers/proxy/ProxyProviderForm.ts
@ -401,12 +401,20 @@ export class ProxyProviderFormPage extends ModelForm<ProxyProvider, number> {
                        </p>
                    </ak-form-element-horizontal>

-                    <ak-form-element-horizontal label=${t`Skip path regex`} name="skipPathRegex">
+                    <ak-form-element-horizontal
+                        label="${this.mode === ProxyMode.ForwardDomain
+                            ? t`Unauthenticated URLs`
+                            : t`Unauthenticated Paths`}${t``}"
+                        name="skipPathRegex"
+                    >
                        <textarea class="pf-c-form-control">
 ${this.instance?.skipPathRegex}</textarea
                        >
                        <p class="pf-c-form__helper-text">
-                            ${t`Regular expressions for which authentication is not required. Each new line is interpreted as a new Regular Expression.`}
+                            ${t`Regular expressions for which authentication is not required. Each new line is interpreted as a new expression.`}
+                        </p>
+                        <p class="pf-c-form__helper-text">
+                            ${t`When using proxy or forward auth (single application) mode, the requested URL Path is checked against the regular expressions. When using forward auth (domain mode), the full requested URL including scheme and host is matched against the regular expressions.`}
                        </p>
                    </ak-form-element-horizontal>

--- a/website/docs/providers/proxy/proxy.md
+++ b/website/docs/providers/proxy/proxy.md
@ -46,7 +46,7 @@ Besides these user-specific headers, some application specific headers are also

    The authentik outpost's version.

-# HTTPS
+## HTTPS

 The outpost listens on both 9000 for HTTP and 9443 for HTTPS.

@ -54,7 +54,7 @@ The outpost listens on both 9000 for HTTP and 9443 for HTTPS.
 If your upstream host is HTTPS, and you're not using forward auth, you need to access the outpost over HTTPS too.
 :::

-# Logging out
+## Logging out

 Login is done automatically when you visit the domain without a valid cookie.

@ -63,3 +63,19 @@ When using single-application mode, navigate to `app.domain.tld/akprox/sign_out`
 When using domain-level mode, navigate to `auth.domain.tld/akprox/sign_out`, where auth.domain.tld is the external host configured for the provider.

 To log out, navigate to `/akprox/sign_out`.
+
+## Allowing unauthenticated requests
+
+To allow un-authenticated requests to certain paths/URLs, you can use the *Unauthenticated URLs* / *Unauthenticated Paths* field.
+
+Each new line is interpreted as a regular expression, and is compiled and checked using the standard Golang regex parser.
+
+The behaviour of this field changes depending on which mode you're in.
+
+### Proxy and Forward auth (single application)
+
+In this mode, the regular expressions are matched against the Request's Path.
+
+### Forward auth (domain level)
+
+In this mode, the regular expressions are matched against the Request's full URL.