trustchain-oc1-orchestral
/
authentik
Archived
10
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

outposts/proxy: fix additionalHeaders not being set 

closes #1050

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
This commit is contained in:
Jens Langhammer 2021-06-19 15:24:51 +02:00
parent 641872a33a
commit b88eb430c1
4 changed files with 31 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
outpost/Makefile
View File

@ -1,9 +1,5 @@
all: clean all: clean
run:
go run -v .
clean: clean:
go mod tidy go mod tidy
go clean . go clean .

6
outpost/pkg/proxy/proxy.go
View File

@ -446,15 +446,17 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
username = session.Email username = session.Email
} }
authVal := b64.StdEncoding.EncodeToString([]byte(username + ":" + password)) authVal := b64.StdEncoding.EncodeToString([]byte(username + ":" + password))
p.logger.WithField("username", username).Trace("setting http basic auth")
req.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)} req.Header["Authorization"] = []string{fmt.Sprintf("Basic %s", authVal)}
} }
// Check if user has additional headers set that we should sent // Check if user has additional headers set that we should sent
if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]string); ok { if additionalHeaders, ok := userAttributes["additionalHeaders"].(map[string]interface{}); ok {
p.logger.WithField("headers", additionalHeaders).Trace("setting additional headers")
if additionalHeaders == nil { if additionalHeaders == nil {
return return
} }
for key, value := range additionalHeaders { for key, value := range additionalHeaders {
req.Header.Set(key, value) req.Header.Set(key, toString(value))
} }
} }
} }

14
outpost/pkg/proxy/utils.go
View File

@ -3,6 +3,7 @@ package proxy
import ( import (
"net" "net"
"net/http" "net/http"
"strconv"
) )
var xForwardedHost = http.CanonicalHeaderKey("X-Forwarded-Host") var xForwardedHost = http.CanonicalHeaderKey("X-Forwarded-Host")
@ -18,3 +19,16 @@ func getHost(req *http.Request) string {
} }
return hostOnly return hostOnly
} }
// toString Generic to string function, currently supports actual strings and integers
func toString(in interface{}) string {
switch v := in.(type) {
case string:
return v
case *string:
return *v
case int:
return strconv.Itoa(v)
}
return ""
}

28
website/docs/policies/index.md
View File

@ -6,16 +6,18 @@ title: Policies
This policy is used by the events subsystem. You can use this policy to match events by multiple different criteria, to choose when you get notified. This policy is used by the events subsystem. You can use this policy to match events by multiple different criteria, to choose when you get notified.
## Reputation Policy
authentik keeps track of failed login attempts by source IP and attempted username. These values are saved as scores. Each failed login decreases the score for the client IP as well as the targeted username by 1 (one).
This policy can be used, for example, to prompt clients with a low score to pass a captcha before they can continue.
## Expression Policy ## Expression Policy
See [Expression Policy](expression.mdx). See [Expression Policy](expression.mdx).
## Have I Been Pwned Policy
This policy checks the hashed password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within authentik.
## Password-Expiry Policy
This policy can enforce regular password rotation by expiring set passwords after a finite amount of time. This forces users to set a new password.
## Password Policy ## Password Policy
This policy allows you to specify password rules, such as length and required characters. This policy allows you to specify password rules, such as length and required characters.
@ -27,14 +29,10 @@ The following rules can be set:
- Minimum length. - Minimum length.
- Symbol charset (define which characters are counted as symbols). - Symbol charset (define which characters are counted as symbols).
## Have I Been Pwned Policy
This policy checks the hashed password against the [Have I Been Pwned](https://haveibeenpwned.com/) API. This only sends the first 5 characters of the hashed password. The remaining comparison is done within authentik.
## Password-Expiry Policy
This policy can enforce regular password rotation by expiring set passwords after a finite amount of time. This forces users to set a new password.
## Reputation Policy ## Reputation Policy
This policy checks the reputation of the client's IP address and the username is attempted to be authenticated as. authentik keeps track of failed login attempts by source IP and attempted username. These values are saved as scores. Each failed login decreases the score for the client IP as well as the targeted username by 1 (one).
This policy can be used, for example, to prompt clients with a low score to pass a captcha before they can continue.
To make sure this policy is executed correctly, set `Re-evaluate policies` when using it with a flow.