mirror of
https://github.com/pomerium/pomerium.git
synced 2025-08-03 16:59:22 +02:00
config: fix redirect response code (#5346)
parent
dc427a4078
commit
3d958ff9c5
4 changed files with 109 additions and 8 deletions
|
@ -4,6 +4,7 @@ import (
|
|||
"crypto/tls"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"net/http"
|
||||
"net/url"
|
||||
"os"
|
||||
"regexp"
|
||||
|
@ -12,6 +13,7 @@ import (
|
|||
"time"
|
||||
|
||||
envoy_config_cluster_v3 "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3"
|
||||
envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
|
||||
"google.golang.org/protobuf/proto"
|
||||
"google.golang.org/protobuf/types/known/durationpb"
|
||||
|
||||
|
@ -218,6 +220,40 @@ type PolicyRedirect struct {
|
|||
StripQuery *bool `mapstructure:"strip_query" yaml:"strip_query,omitempty" json:"strip_query,omitempty"`
|
||||
}
|
||||
|
||||
func (r *PolicyRedirect) validate() error {
|
||||
if r == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
if _, err := r.GetEnvoyResponseCode(); err != nil {
|
||||
return err
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// GetEnvoyResponseCode returns the ResponseCode as the corresponding Envoy enum value.
|
||||
func (r *PolicyRedirect) GetEnvoyResponseCode() (envoy_config_route_v3.RedirectAction_RedirectResponseCode, error) {
|
||||
var code int32
|
||||
if r != nil && r.ResponseCode != nil {
|
||||
code = *r.ResponseCode
|
||||
}
|
||||
|
||||
switch code {
|
||||
case http.StatusMovedPermanently:
|
||||
return envoy_config_route_v3.RedirectAction_MOVED_PERMANENTLY, nil
|
||||
case http.StatusFound:
|
||||
return envoy_config_route_v3.RedirectAction_FOUND, nil
|
||||
case http.StatusSeeOther:
|
||||
return envoy_config_route_v3.RedirectAction_SEE_OTHER, nil
|
||||
case http.StatusTemporaryRedirect:
|
||||
return envoy_config_route_v3.RedirectAction_TEMPORARY_REDIRECT, nil
|
||||
case http.StatusPermanentRedirect:
|
||||
return envoy_config_route_v3.RedirectAction_PERMANENT_REDIRECT, nil
|
||||
default:
|
||||
return 0, fmt.Errorf("unsupported redirect response code %d (supported values: 301, 302, 303, 307, 308)", code)
|
||||
}
|
||||
}
|
||||
|
||||
// A DirectResponse is the response to an HTTP request.
|
||||
type DirectResponse struct {
|
||||
Status int `mapstructure:"status" yaml:"status,omitempty" json:"status,omitempty"`
|
||||
|
@ -529,6 +565,10 @@ func (p *Policy) Validate() error {
|
|||
return fmt.Errorf("config: cannot mix tcp and non-tcp To URLs")
|
||||
}
|
||||
|
||||
if err := p.Redirect.validate(); err != nil {
|
||||
return fmt.Errorf("config: %w", err)
|
||||
}
|
||||
|
||||
// Only allow public access if no other whitelists are in place
|
||||
if p.AllowPublicUnauthenticatedAccess && (p.AllowAnyAuthenticatedUser || p.AllowedDomains != nil || p.AllowedUsers != nil) {
|
||||
return fmt.Errorf("config: policy route marked as public but contains whitelists")
|
||||
|
|
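Review bot: In `GetEnvoyResponseCode`, a redirect that leaves `response_code` unset falls into the `default:` arm, because `code` stays 0 when `r.ResponseCode` is nil and the function then returns "unsupported redirect response code 0". `validate()` passes that error on, and it is now called from `Policy.Validate()`. Unless the unset case is handled outside the visible lines, any redirect policy without an explicit code would be rejected at config load, which would break existing configurations on upgrade. I would return the default before the switch, `if r == nil || r.ResponseCode == nil { return envoy_config_route_v3.RedirectAction_MOVED_PERMANENTLY, nil }` (enum value 0, Envoy's default), and add a test for the unset case. `Policy.Validate`'s body continues outside the last hunk.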