Protect Options from being mutated by services

- Change Options URLs from pointers to values - Remove special handling for AuthenticateURL checksum - Change Options itself to a value
2025-08-03 08:50:42 +02:00 · 2019-06-03 22:19:24 -04:00 · 2019-06-03 22:19:24 -04:00 · 64eb992854
commit 64eb992854
parent 49bc8274f1
12 changed files with 117 additions and 125 deletions
--- a/internal/config/options.go
+++ b/internal/config/options.go
@ -70,8 +70,8 @@ type Options struct {

 	// AuthenticateURL represents the externally accessible http endpoints
 	// used for authentication requests and callbacks
-	AuthenticateURLString string   `mapstructure:"authenticate_service_url"`
-	AuthenticateURL       *url.URL `hash:"ignore"`
+	AuthenticateURLString string `mapstructure:"authenticate_service_url"`
+	AuthenticateURL       url.URL

 	// Session/Cookie management
 	// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
@ -103,13 +103,13 @@ type Options struct {
 	// NOTE: As many load balancers do not support externally routed gRPC so
 	// this may be an internal location.
 	AuthenticateInternalAddrString string `mapstructure:"authenticate_internal_url"`
-	AuthenticateInternalAddr       *url.URL
+	AuthenticateInternalAddr       url.URL

 	// AuthorizeURL is the routable destination of the authorize service's
 	// gRPC endpoint. NOTE: As many load balancers do not support
 	// externally routed gRPC so this may be an internal location.
 	AuthorizeURLString string `mapstructure:"authorize_service_url"`
-	AuthorizeURL       *url.URL
+	AuthorizeURL       url.URL

 	// Settings to enable custom behind-the-ingress service communication
 	OverrideCertificateName string `mapstructure:"override_certificate_name"`
@ -136,8 +136,8 @@ type Options struct {
 }

 // NewOptions returns a new options struct with default values
-func NewOptions() *Options {
-	o := &Options{
+func NewOptions() Options {
+	o := Options{
 		Debug:                  false,
 		LogLevel:               "debug",
 		Services:               "all",
@ -153,25 +153,22 @@ func NewOptions() *Options {
 			"X-XSS-Protection":          "1; mode=block",
 			"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
 		},
-		Addr:                     ":https",
-		CertFile:                 filepath.Join(findPwd(), "cert.pem"),
-		KeyFile:                  filepath.Join(findPwd(), "privkey.pem"),
-		ReadHeaderTimeout:        10 * time.Second,
-		ReadTimeout:              30 * time.Second,
-		WriteTimeout:             0, // support streaming by default
-		IdleTimeout:              5 * time.Minute,
-		AuthenticateURL:          new(url.URL),
-		AuthenticateInternalAddr: new(url.URL),
-		AuthorizeURL:             new(url.URL),
-		RefreshCooldown:          time.Duration(5 * time.Minute),
-		AllowWebsockets:          false,
+		Addr:              ":https",
+		CertFile:          filepath.Join(findPwd(), "cert.pem"),
+		KeyFile:           filepath.Join(findPwd(), "privkey.pem"),
+		ReadHeaderTimeout: 10 * time.Second,
+		ReadTimeout:       30 * time.Second,
+		WriteTimeout:      0, // support streaming by default
+		IdleTimeout:       5 * time.Minute,
+		RefreshCooldown:   time.Duration(5 * time.Minute),
+		AllowWebsockets:   false,
 	}
 	return o
 }

 // OptionsFromViper builds the main binary's configuration
 // options by parsing environmental variables and config file
-func OptionsFromViper(configFile string) (*Options, error) {
+func OptionsFromViper(configFile string) (Options, error) {
 	o := NewOptions()

 	// Load up config
@ -184,25 +181,25 @@ func OptionsFromViper(configFile string) (*Options, error) {
 		viper.SetConfigFile(configFile)
 		err := viper.ReadInConfig()
 		if err != nil {
-			return nil, fmt.Errorf("failed to read config: %s", err)
+			return o, fmt.Errorf("failed to read config: %s", err)
 		}
 	}

-	err := viper.Unmarshal(o)
+	err := viper.Unmarshal(&o)
 	if err != nil {
-		return nil, fmt.Errorf("failed to load options from config: %s", err)
+		return o, fmt.Errorf("failed to load options from config: %s", err)
 	}

 	// Turn URL strings into url structs
 	err = o.parseURLs()
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse URLs: %s", err)
+		return o, fmt.Errorf("failed to parse URLs: %s", err)
 	}

 	// Load and initialize policy
 	err = o.parsePolicy()
 	if err != nil {
-		return nil, fmt.Errorf("failed to parse Policy: %s", err)
+		return o, fmt.Errorf("failed to parse Policy: %s", err)
 	}

 	if o.Debug {
@ -217,7 +214,7 @@ func OptionsFromViper(configFile string) (*Options, error) {

 	err = o.validate()
 	if err != nil {
-		return nil, err
+		return o, err
 	}

 	log.Debug().
@ -302,7 +299,7 @@ func (o *Options) parseURLs() error {
 		if err != nil {
 			return fmt.Errorf("internal/config: bad authenticate-url %s : %v", o.AuthenticateURLString, err)
 		}
-		o.AuthenticateURL = AuthenticateURL
+		o.AuthenticateURL = *AuthenticateURL
 	}

 	if o.AuthorizeURLString != "" {
@ -310,7 +307,7 @@ func (o *Options) parseURLs() error {
 		if err != nil {
 			return fmt.Errorf("internal/config: bad authorize-url %s : %v", o.AuthorizeURLString, err)
 		}
-		o.AuthorizeURL = AuthorizeURL
+		o.AuthorizeURL = *AuthorizeURL
 	}

 	if o.AuthenticateInternalAddrString != "" {
@ -318,7 +315,7 @@ func (o *Options) parseURLs() error {
 		if err != nil {
 			return fmt.Errorf("internal/config: bad authenticate-internal-addr %s : %v", o.AuthenticateInternalAddrString, err)
 		}
-		o.AuthenticateInternalAddr = AuthenticateInternalAddr
+		o.AuthenticateInternalAddr = *AuthenticateInternalAddr
 	}

 	return nil
@ -396,7 +393,7 @@ func IsProxy(s string) bool {

 // OptionsUpdater updates local state based on an Options struct
 type OptionsUpdater interface {
-	UpdateOptions(*Options) error
+	UpdateOptions(Options) error
 }

 // Checksum returns the checksum of the current options struct