proxy: fix wrong forward auth request
When the proxy receives a forward auth request, it should forward the request as-is to authorize for verification. Currently, it composes the check request with the actual path, then sends the request to the authorize service. This makes the request work only by accident, because the composed check request satisfies the policy unintentionally. For example, for the forward auth request: http://pomerium/?uri=https://httpbin.localhost.pomerium.io the composed request will look like: &envoy_service_auth_v2.AttributeContext_HttpRequest{ Method: "GET", Headers: map[string]string{}, Path: "", Host: "httpbin.localhost.pomerium.io", Scheme: "https", } This check request has at least two problems. First, it makes authorize.handleForwardAuth always return false, even though this is a real forward auth request, because the "Host" field in the check request is not the forward auth host, which is "pomerium" in this case. Second, it accidentally matches a rule like: policy: - from: https://httpbin.localhost.pomerium.io to: https://httpbin allowed_domains: - pomerium.io If the rule contains other conditions, like "prefix" or "regex": policy: - from: https://httpbin.localhost.pomerium.io prefix: /headers to: https://httpbin allowed_domains: - pomerium.io then the rule will never be triggered, because the "/headers" path can be passed in the request via "X-Forwarded-Uri" (traefik) instead of directly from the path (nginx). To fix this, we just pass the forward auth request as-is to authorize. Fixes #873
This commit is contained in:
parent
48639a48fb
commit
846d709ba4
3 changed files with 8 additions and 15 deletions
|
@ -118,8 +118,7 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
|
|||
return httputil.NewError(http.StatusBadRequest, err)
|
||||
}
|
||||
|
||||
original := p.getOriginalRequest(r, uri)
|
||||
authorized, err := p.isAuthorized(w, original)
|
||||
authorized, err := p.isAuthorized(w, r)
|
||||
if err != nil {
|
||||
return httputil.NewError(http.StatusBadRequest, err)
|
||||
}
|
||||
|
@ -152,10 +151,3 @@ func (p *Proxy) Verify(verifyOnly bool) http.Handler {
|
|||
return nil
|
||||
})
|
||||
}
|
||||
|
||||
func (p *Proxy) getOriginalRequest(r *http.Request, originalURL *url.URL) *http.Request {
|
||||
originalRequest := r.Clone(r.Context())
|
||||
originalRequest.Host = originalURL.Host
|
||||
originalRequest.URL = originalURL
|
||||
return originalRequest
|
||||
}
|
||||
|
|
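Review bot: The new `authorized, err := p.isAuthorized(w, r)` line in the first hunk carries no comment explaining why the request is now passed through unmodified, which is the whole point of the fix and exactly what the removed getOriginalRequest helper had obscured; a comment such as `// Pass the request through untouched: per the forward-auth contract, authorize identifies a forward-auth request by the incoming Host and takes the real path from X-Forwarded-Uri, not from the parsed uri parameter.` would stop the clone-and-rewrite from being reintroduced. The `uri` parsed just before the hunk appears to no longer feed the authorization decision; if it is kept only for the post-authorization redirect, a one-line note saying so would help, since Verify's body continues outside both hunks and that cannot be confirmed here. The description documents the `prefix: /headers` rule that silently never matched; a regression test sending a forward-auth request with `X-Forwarded-Uri: /headers` against such a rule would pin the corrected behaviour. The removal of getOriginalRequest in the second hunk is a straightforward deletion and needs no change.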