From b88eb430c1a1ccdb768e8541a88f832b26ea3921 Mon Sep 17 00:00:00 2001 From: Jens Langhammer Date: Sat, 19 Jun 2021 15:24:51 +0200 Subject: [PATCH] outposts/proxy: fix additionalHeaders not being set closes #1050 Signed-off-by: Jens Langhammer --- outpost/Makefile | 4 ---- outpost/pkg/proxy/proxy.go | 6 ++++-- outpost/pkg/proxy/utils.go | 14 ++++++++++++++ website/docs/policies/index.md | 28 +++++++++++++--------------- 4 files changed, 31 insertions(+), 21 deletions(-) diff --git a/outpost/Makefile b/outpost/Makefile index 03a50e4ff..c6c6caa6b 100644 --- a/outpost/Makefile +++ b/outpost/Makefile @@ -1,9 +1,5 @@ all: clean -run: - go run -v . - clean: go mod tidy go clean . - diff --git a/outpost/pkg/proxy/proxy.go b/outpost/pkg/proxy/proxy.go index c0f7ce5f4..ec0aae395 100644 --- a/outpost/pkg/proxy/proxy.go +++ b/outpost/pkg/proxy/proxy.go @@ -446,15 +446,17 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req username = session.Email } authVal := b64.StdEncoding.EncodeToString([]byte(username + ":" + password)) + p.logger.WithField("username", username).Trace("setting http basic auth") req.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)} } // Check if user has additional headers set that we should sent - if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]string); ok { + if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]interface{}); ok { + p.logger.WithField("headers", additionalHeaders).Trace("setting additional headers") if additionalHeaders == nil { return } for key, value := range additionalHeaders { - req.Header.Set(key, value) + req.Header.Set(key, toString(value)) } } } diff --git a/outpost/pkg/proxy/utils.go b/outpost/pkg/proxy/utils.go index 32e26c905..6fb02841f 100644 --- a/outpost/pkg/proxy/utils.go +++ b/outpost/pkg/proxy/utils.go @@ -3,6 +3,7 @@ package proxy import ( "net" "net/http" + "strconv" ) var xForwardedHost = http.CanonicalHeaderKey("X-Forwarded-Host") @@ -18,3 +19,16 @@ func getHost(req *http.Request) string { } return hostOnly } + +// toString Generic to string function, currently supports actual strings and integers +func toString(in interface{}) string { + switch v := in.(type) { + case string: + return v + case *string: + return *v + case int: + return strconv.Itoa(v) + } + return "" +} diff --git a/website/docs/policies/index.md b/website/docs/policies/index.md index 8a9b20145..46e751aa6 100644 --- a/website/docs/policies/index.md +++ b/website/docs/policies/index.md @@ -6,16 +6,18 @@ title: Policies This policy is used by the events subsystem. You can use this policy to match events by multiple different criteria, to choose when you get notified. -## Reputation Policy - -authentik keeps track of failed login attempts by source IP and attempted username. These values are saved as scores. Each failed login decreases the score for the client IP as well as the targeted username by 1 (one). - -This policy can be used, for example, to prompt clients with a low score to pass a captcha before they can continue. - ## Expression Policy See [Expression Policy](expression.mdx). +## Have I Been Pwned Policy + +This policy checks the hashed password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within authentik. + +## Password-Expiry Policy + +This policy can enforce regular password rotation by expiring set passwords after a finite amount of time. This forces users to set a new password. + ## Password Policy This policy allows you to specify password rules, such as length and required characters. @@ -27,14 +29,10 @@ The following rules can be set: - Minimum length. - Symbol charset (define which characters are counted as symbols). -## Have I Been Pwned Policy - -This policy checks the hashed password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within authentik. - -## Password-Expiry Policy - -This policy can enforce regular password rotation by expiring set passwords after a finite amount of time. This forces users to set a new password. - ## Reputation Policy -This policy checks the reputation of the client's IP address and the username is attempted to be authenticated as. +authentik keeps track of failed login attempts by source IP and attempted username. These values are saved as scores. Each failed login decreases the score for the client IP as well as the targeted username by 1 (one). + +This policy can be used, for example, to prompt clients with a low score to pass a captcha before they can continue. + +To make sure this policy is executed correctly, set `Re-evaluate policies` when using it with a flow.