config: return errors on invalid URLs, fix linting (#1829)
This commit is contained in:
parent
a8a703218f
commit
bec98051ae
12 changed files with 256 additions and 149 deletions
|
@ -49,7 +49,7 @@ func (a *Authorize) okResponse(reply *evaluator.Result) *envoy_service_auth_v2.C
|
|||
func (a *Authorize) deniedResponse(
|
||||
in *envoy_service_auth_v2.CheckRequest,
|
||||
code int32, reason string, headers map[string]string,
|
||||
) *envoy_service_auth_v2.CheckResponse {
|
||||
) (*envoy_service_auth_v2.CheckResponse, error) {
|
||||
returnHTMLError := true
|
||||
inHeaders := in.GetAttributes().GetRequest().GetHttp().GetHeaders()
|
||||
if inHeaders != nil {
|
||||
|
@ -59,15 +59,19 @@ func (a *Authorize) deniedResponse(
|
|||
if returnHTMLError {
|
||||
return a.htmlDeniedResponse(in, code, reason, headers)
|
||||
}
|
||||
return a.plainTextDeniedResponse(code, reason, headers)
|
||||
return a.plainTextDeniedResponse(code, reason, headers), nil
|
||||
}
|
||||
|
||||
func (a *Authorize) htmlDeniedResponse(
|
||||
in *envoy_service_auth_v2.CheckRequest,
|
||||
code int32, reason string, headers map[string]string,
|
||||
) *envoy_service_auth_v2.CheckResponse {
|
||||
) (*envoy_service_auth_v2.CheckResponse, error) {
|
||||
opts := a.currentOptions.Load()
|
||||
debugEndpoint := opts.GetAuthenticateURL().ResolveReference(&url.URL{Path: "/.pomerium/"})
|
||||
authenticateURL, err := opts.GetAuthenticateURL()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
debugEndpoint := authenticateURL.ResolveReference(&url.URL{Path: "/.pomerium/"})
|
||||
|
||||
// create go-style http request
|
||||
r := getHTTPRequestFromCheckRequest(in)
|
||||
|
@ -97,7 +101,7 @@ func (a *Authorize) htmlDeniedResponse(
|
|||
}
|
||||
|
||||
var buf bytes.Buffer
|
||||
err := a.templates.ExecuteTemplate(&buf, "error.html", map[string]interface{}{
|
||||
err = a.templates.ExecuteTemplate(&buf, "error.html", map[string]interface{}{
|
||||
"Status": code,
|
||||
"StatusText": reason,
|
||||
"CanDebug": code/100 == 4,
|
||||
|
@ -127,7 +131,7 @@ func (a *Authorize) htmlDeniedResponse(
|
|||
Body: buf.String(),
|
||||
},
|
||||
},
|
||||
}
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (a *Authorize) plainTextDeniedResponse(code int32, reason string, headers map[string]string) *envoy_service_auth_v2.CheckResponse {
|
||||
|
@ -152,10 +156,16 @@ func (a *Authorize) plainTextDeniedResponse(code int32, reason string, headers m
|
|||
}
|
||||
}
|
||||
|
||||
func (a *Authorize) redirectResponse(in *envoy_service_auth_v2.CheckRequest) *envoy_service_auth_v2.CheckResponse {
|
||||
func (a *Authorize) redirectResponse(in *envoy_service_auth_v2.CheckRequest) (*envoy_service_auth_v2.CheckResponse, error) {
|
||||
opts := a.currentOptions.Load()
|
||||
authenticateURL, err := opts.GetAuthenticateURL()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
signinURL := opts.GetAuthenticateURL().ResolveReference(&url.URL{Path: "/.pomerium/sign_in"})
|
||||
signinURL := authenticateURL.ResolveReference(&url.URL{
|
||||
Path: "/.pomerium/sign_in",
|
||||
})
|
||||
q := signinURL.Query()
|
||||
|
||||
// always assume https scheme
|
||||
|
|
|
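Review bot: The new error returns in `htmlDeniedResponse` and `redirectResponse` hand back a bare `err` with no context, and nothing in the hunks says what a caller should do with it — that matters for an authorization service, because `Check` will now surface a malformed authenticate URL to Envoy's ext_authz filter as a gRPC error, and whether that fails open or closed is then decided by the filter's `failure_mode_allow` setting rather than by this code. I would wrap the error so its origin is obvious in logs, e.g. `return nil, fmt.Errorf("authorize: invalid authenticate URL: %w", err)` (assuming `fmt` is already imported in this file), and add a doc comment on `redirectResponse` along the lines of `// redirectResponse builds the sign-in redirect; it returns an error, not a fallback response, when the configured authenticate URL cannot be parsed, so callers must treat that as a deny.` The bodies of `deniedResponse`, `htmlDeniedResponse` and `redirectResponse` all continue outside the hunks shown.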
@ -280,7 +280,8 @@ func TestAuthorize_deniedResponse(t *testing.T) {
|
|||
tc := tc
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
got := a.deniedResponse(tc.in, tc.code, tc.reason, tc.headers)
|
||||
got, err := a.deniedResponse(tc.in, tc.code, tc.reason, tc.headers)
|
||||
require.NoError(t, err)
|
||||
assert.Equal(t, tc.want.Status.Code, got.Status.Code)
|
||||
assert.Equal(t, tc.want.Status.Message, got.Status.Message)
|
||||
assert.Equal(t, tc.want.GetDeniedResponse().GetHeaders(), got.GetDeniedResponse().GetHeaders())
|
||||
|
|
|
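Review bot: The added `require.NoError(t, err)` only pins the happy path of `deniedResponse`; no case in this table exercises the new error return, which is the behaviour the commit introduces. A table entry whose options carry an unparsable authenticate URL, asserting `require.Error(t, err)` and `assert.Nil(t, got)`, would lock that in — how such options are injected depends on the fixture setup above this hunk, which is not visible here. `TestAuthorize_deniedResponse` starts before the hunk.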
@ -78,11 +78,11 @@ func (a *Authorize) Check(ctx context.Context, in *envoy_service_auth_v2.CheckRe
|
|||
return a.okResponse(reply), nil
|
||||
case reply.Status == http.StatusUnauthorized:
|
||||
if isForwardAuth && hreq.URL.Path == "/verify" {
|
||||
return a.deniedResponse(in, http.StatusUnauthorized, "Unauthenticated", nil), nil
|
||||
return a.deniedResponse(in, http.StatusUnauthorized, "Unauthenticated", nil)
|
||||
}
|
||||
return a.redirectResponse(in), nil
|
||||
return a.redirectResponse(in)
|
||||
}
|
||||
return a.deniedResponse(in, int32(reply.Status), reply.Message, nil), nil
|
||||
return a.deniedResponse(in, int32(reply.Status), reply.Message, nil)
|
||||
}
|
||||
|
||||
func (a *Authorize) forceSync(ctx context.Context, ss *sessions.State) error {
|
||||
|
@ -212,9 +212,14 @@ func (a *Authorize) isForwardAuth(req *envoy_service_auth_v2.CheckRequest) bool
|
|||
return false
|
||||
}
|
||||
|
||||
forwardAuthURL, err := opts.GetForwardAuthURL()
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
|
||||
checkURL := getCheckRequestURL(req)
|
||||
|
||||
return urlutil.StripPort(checkURL.Host) == urlutil.StripPort(opts.GetForwardAuthURL().Host)
|
||||
return urlutil.StripPort(checkURL.Host) == urlutil.StripPort(forwardAuthURL.Host)
|
||||
}
|
||||
|
||||
func (a *Authorize) getEvaluatorRequestFromCheckRequest(in *envoy_service_auth_v2.CheckRequest, sessionState *sessions.State) *evaluator.Request {
|
||||
|
|
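Review bot: In `isForwardAuth`, the error from `opts.GetForwardAuthURL()` is swallowed and turned into `return false`, so a forward-auth URL that fails to parse silently demotes every forward-auth request to ordinary proxy handling with no log line, whereas the `Check` hunk above propagates the same class of error instead of hiding it. Returning false is arguably the safe default (the request still goes through policy evaluation), but the misconfiguration should be visible: log it before returning, e.g. `log.Warn().Err(err).Msg("authorize: invalid forward auth url")` if this file uses pomerium's zerolog wrapper, or whatever logger is already in scope. A one-line comment would also help the next reader: `// an unparsable forward auth URL is treated as "not forward auth" rather than as an error`. `isForwardAuth`'s signature and its first early return are outside the hunk.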