Add whitelist domains flag
This commit is contained in:
parent
090ff11923
commit
2a1691a994
2
main.go
2
main.go
@ -18,6 +18,7 @@ func main() {
|
|||||||
flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError)
|
flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError)
|
||||||
|
|
||||||
emailDomains := StringArray{}
|
emailDomains := StringArray{}
|
||||||
|
whitelistDomains := StringArray{}
|
||||||
upstreams := StringArray{}
|
upstreams := StringArray{}
|
||||||
skipAuthRegex := StringArray{}
|
skipAuthRegex := StringArray{}
|
||||||
googleGroups := StringArray{}
|
googleGroups := StringArray{}
|
||||||
@ -45,6 +46,7 @@ func main() {
|
|||||||
flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")
|
flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")
|
||||||
|
|
||||||
flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
|
flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
|
||||||
|
flagSet.Var(&whitelistDomains, "whitelist-domains", "allowed domains for redirection after authentication")
|
||||||
flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
|
flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
|
||||||
flagSet.String("github-org", "", "restrict logins to members of this organisation")
|
flagSet.String("github-org", "", "restrict logins to members of this organisation")
|
||||||
flagSet.String("github-team", "", "restrict logins to members of this team")
|
flagSet.String("github-team", "", "restrict logins to members of this team")
|
||||||
|
@ -68,6 +68,7 @@ type OAuthProxy struct {
|
|||||||
AuthOnlyPath string
|
AuthOnlyPath string
|
||||||
|
|
||||||
redirectURL *url.URL // the url to receive requests at
|
redirectURL *url.URL // the url to receive requests at
|
||||||
|
whitelistDomains []string
|
||||||
provider providers.Provider
|
provider providers.Provider
|
||||||
ProxyPrefix string
|
ProxyPrefix string
|
||||||
SignInMessage string
|
SignInMessage string
|
||||||
@ -220,6 +221,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
|
|||||||
provider: opts.provider,
|
provider: opts.provider,
|
||||||
serveMux: serveMux,
|
serveMux: serveMux,
|
||||||
redirectURL: redirectURL,
|
redirectURL: redirectURL,
|
||||||
|
whitelistDomains: opts.WhitelistDomains,
|
||||||
skipAuthRegex: opts.SkipAuthRegex,
|
skipAuthRegex: opts.SkipAuthRegex,
|
||||||
skipAuthPreflight: opts.SkipAuthPreflight,
|
skipAuthPreflight: opts.SkipAuthPreflight,
|
||||||
compiledRegex: opts.CompiledRegex,
|
compiledRegex: opts.CompiledRegex,
|
||||||
@ -563,7 +565,7 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
|
|||||||
}
|
}
|
||||||
|
|
||||||
redirect = req.Form.Get("rd")
|
redirect = req.Form.Get("rd")
|
||||||
if redirect == "" || !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
|
if !p.IsValidRedirect(redirect) {
|
||||||
redirect = req.URL.Path
|
redirect = req.URL.Path
|
||||||
if strings.HasPrefix(redirect, p.ProxyPrefix) {
|
if strings.HasPrefix(redirect, p.ProxyPrefix) {
|
||||||
redirect = "/"
|
redirect = "/"
|
||||||
@ -573,6 +575,34 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// IsValidRedirect checks whether the redirect URL is whitelisted
|
||||||
|
func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
|
||||||
|
switch {
|
||||||
|
case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"):
|
||||||
|
return true
|
||||||
|
case strings.HasPrefix(redirect, "http://"):
|
||||||
|
redirect = strings.TrimPrefix(redirect, "http://")
|
||||||
|
redirect = strings.Split(redirect, "/")[0]
|
||||||
|
for _, domain := range p.whitelistDomains {
|
||||||
|
if strings.HasSuffix(redirect, domain) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
case strings.HasPrefix(redirect, "https://"):
|
||||||
|
redirect = strings.TrimPrefix(redirect, "https://")
|
||||||
|
redirect = strings.Split(redirect, "/")[0]
|
||||||
|
for _, domain := range p.whitelistDomains {
|
||||||
|
if strings.HasSuffix(redirect, domain) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false
|
||||||
|
default:
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// IsWhitelistedRequest is used to check if auth should be skipped for this request
|
// IsWhitelistedRequest is used to check if auth should be skipped for this request
|
||||||
func (p *OAuthProxy) IsWhitelistedRequest(req *http.Request) (ok bool) {
|
func (p *OAuthProxy) IsWhitelistedRequest(req *http.Request) (ok bool) {
|
||||||
isPreflightRequestAllowed := p.skipAuthPreflight && req.Method == "OPTIONS"
|
isPreflightRequestAllowed := p.skipAuthPreflight && req.Method == "OPTIONS"
|
||||||
@ -709,7 +739,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
|
|||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") {
|
if !p.IsValidRedirect(redirect) {
|
||||||
redirect = "/"
|
redirect = "/"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -33,6 +33,7 @@ type Options struct {
|
|||||||
AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
|
AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
|
||||||
AzureTenant string `flag:"azure-tenant" cfg:"azure_tenant"`
|
AzureTenant string `flag:"azure-tenant" cfg:"azure_tenant"`
|
||||||
EmailDomains []string `flag:"email-domain" cfg:"email_domains"`
|
EmailDomains []string `flag:"email-domain" cfg:"email_domains"`
|
||||||
|
WhitelistDomains []string `flag:"whitelist-domains" cfg:"whitelist_domains"`
|
||||||
GitHubOrg string `flag:"github-org" cfg:"github_org"`
|
GitHubOrg string `flag:"github-org" cfg:"github_org"`
|
||||||
GitHubTeam string `flag:"github-team" cfg:"github_team"`
|
GitHubTeam string `flag:"github-team" cfg:"github_team"`
|
||||||
GoogleGroups []string `flag:"google-group" cfg:"google_group"`
|
GoogleGroups []string `flag:"google-group" cfg:"google_group"`
|
||||||
|
Loading…
Reference in New Issue
Block a user