pomerium/authorize
Cuong Manh Le 846d709ba4 proxy: fix wrong forward auth request
When the proxy receives a forward auth request, it should forward the request
as-is to authorize for verification. Currently, it composes the check
request with the actual path, then sends the request to the authorize service.

It makes the request work accidentally, because the composed check
request will satisfy the policy unintentionally. Example, for the forward
auth request:

	http://pomerium/?uri=https://httpbin.localhost.pomerium.io

the composed request will look like:

	&envoy_service_auth_v2.AttributeContext_HttpRequest{
		Method:   "GET",
		Headers:  map[string]string{},
		Path:     "",
		Host:     "httpbin.localhost.pomerium.io",
		Scheme:   "https",
	}

This check request has at least two problems.

First, it will make authorize.handleForwardAuth always return false,
even though this is a real forward auth request, because the "Host"
field in the check request is not the forward auth host, which is "pomerium"
in this case.

Second, it will accidentally match a rule like:

	policy:
	  - from: https://httpbin.localhost.pomerium.io
	    to: https://httpbin
	    allowed_domains:
	      - pomerium.io

If the rule contains other conditions, like "prefix", or "regex":

	policy:
	  - from: https://httpbin.localhost.pomerium.io
	    prefix: /headers
	    to: https://httpbin
	    allowed_domains:
	      - pomerium.io

Then the rule will never be triggered, because the "/headers" path can
be passed in the request via "X-Forwarded-Uri" (traefik), instead of
directly from the path (nginx).

To fix this, we just pass the forward auth request as-is to authorize.

Fixes #873
2020-07-03 00:00:20 +07:00
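The two failure modes the commit message describes, reproduced in a small Go model that is added here and is not pomerium's own code: `checkRequest`, `rule`, the `forwardAuthHost` value and the `?uri=` / `X-Forwarded-Uri` layout are simplifying assumptions, and `composeBuggy` stands in for the pre-fix request composition.

```go
package main

import (
	"net/url"
	"strings"
)

// Constructed stand-in for the Envoy HttpRequest fields the commit message shows.
type checkRequest struct {
	Method, Path, Host, Scheme string
	Headers                    map[string]string
}
// Cut-down policy entry with only the fields the commit message discusses.
type rule struct{ From, Prefix string }
// Host the forward-auth endpoint answers on (assumed value).
const forwardAuthHost = "pomerium"
// The check the commit says always fails on the composed request.
func isForwardAuth(r checkRequest) bool { return r.Host == forwardAuthHost }

// Destination the forward-auth request protects: ?uri= gives origin, X-Forwarded-Uri the path.
func destination(r checkRequest) (*url.URL, error) {
	_, rawQuery, _ := strings.Cut(r.Path, "?")
	q, err := url.ParseQuery(rawQuery)
	if err != nil {
		return nil, err
	}
	u, err := url.Parse(q.Get("uri"))
	if err != nil {
		return nil, err
	}
	if fwd := r.Headers["X-Forwarded-Uri"]; fwd != "" {
		u.Path = fwd
	}
	return u, nil
}

// A rule matches when origin equals From and the path starts with Prefix (empty Prefix matches all).
func matches(rl rule, u *url.URL) bool {
	return u.Scheme+"://"+u.Host == rl.From && strings.HasPrefix(u.Path, rl.Prefix)
}

// Pre-fix behaviour: request rebuilt from the target URL, losing the forward-auth host and path.
func composeBuggy(r checkRequest) (checkRequest, error) {
	u, err := destination(checkRequest{Path: r.Path}) // X-Forwarded-Uri is dropped here
	if err != nil {
		return checkRequest{}, err
	}
	return checkRequest{Method: r.Method, Headers: map[string]string{}, Host: u.Host, Scheme: u.Scheme}, nil
}
```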
evaluator cryptutil: move to pkg dir, add token generator (#1029) 2020-06-30 15:55:33 -06:00
authorize.go cryptutil: move to pkg dir, add token generator (#1029) 2020-06-30 15:55:33 -06:00
authorize_test.go feature/databroker: user data and session refactor project (#926) 2020-06-19 07:52:44 -06:00
check_response.go authorize: get claims from signed jwt (#954) 2020-06-22 09:51:32 +07:00
grpc.go proxy: fix wrong forward auth request 2020-07-03 00:00:20 +07:00
grpc_test.go authorize: honor X-Forwarded-Uri in forward auth mode 2020-07-03 00:00:20 +07:00
run.go grpc: rename internal/grpc to pkg/grpc (#1010) 2020-06-26 09:17:02 -06:00
session.go authorize: get claims from signed jwt (#954) 2020-06-22 09:51:32 +07:00
session_test.go feature/databroker: user data and session refactor project (#926) 2020-06-19 07:52:44 -06:00