Add whitelist domains flag

This commit is contained in:
Joel Speed 2017-09-29 16:55:50 +01:00
parent ae49c7d23c
commit 2e75a863be
No known key found for this signature in database
GPG Key ID: 83695B8B3A376982
3 changed files with 34 additions and 2 deletions


@ -18,6 +18,7 @@ func main() {
flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError) flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError)
emailDomains := StringArray{} emailDomains := StringArray{}
whitelistDomains := StringArray{}
upstreams := StringArray{} upstreams := StringArray{}
skipAuthRegex := StringArray{} skipAuthRegex := StringArray{}
googleGroups := StringArray{} googleGroups := StringArray{}
@ -43,6 +44,7 @@ func main() {
flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS") flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")
flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email") flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
flagSet.Var(&whitelistDomains, "whitelist-domains", "allowed domains for redirection after authentication")
flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.") flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
flagSet.String("github-org", "", "restrict logins to members of this organisation") flagSet.String("github-org", "", "restrict logins to members of this organisation")
flagSet.String("github-team", "", "restrict logins to members of this team") flagSet.String("github-team", "", "restrict logins to members of this team")
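Review bot: The help text for the new `whitelist-domains` flag does not say that it may be repeated, although it is a StringArray exactly like `email-domain` on the line above, whose description ends with `(may be given multiple times)`; suggest `flagSet.Var(&whitelistDomains, "whitelist-domains", "allowed domains for redirection after authentication (may be given multiple times)")`. It would also help operators to state how an entry is matched against the redirect host, since that decides how permissive each configured domain is.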


@ -54,6 +54,7 @@ type OAuthProxy struct {
AuthOnlyPath string AuthOnlyPath string
redirectURL *url.URL // the url to receive requests at redirectURL *url.URL // the url to receive requests at
whitelistDomains []string
provider providers.Provider provider providers.Provider
ProxyPrefix string ProxyPrefix string
SignInMessage string SignInMessage string
@ -194,6 +195,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
provider: opts.provider, provider: opts.provider,
serveMux: serveMux, serveMux: serveMux,
redirectURL: redirectURL, redirectURL: redirectURL,
whitelistDomains: opts.WhitelistDomains,
skipAuthRegex: opts.SkipAuthRegex, skipAuthRegex: opts.SkipAuthRegex,
skipAuthPreflight: opts.SkipAuthPreflight, skipAuthPreflight: opts.SkipAuthPreflight,
compiledRegex: opts.CompiledRegex, compiledRegex: opts.CompiledRegex,
@ -426,13 +428,40 @@ func (p *OAuthProxy) GetRedirect(req *http.Request) (redirect string, err error)
} }
redirect = req.Form.Get("rd") redirect = req.Form.Get("rd")
if redirect == "" || !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") { if !p.IsValidRedirect(redirect) {
redirect = "/" redirect = "/"
} }
return return
} }
func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
switch {
case strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//"):
return true
case strings.HasPrefix(redirect, "http://"):
redirect = strings.TrimPrefix(redirect, "http://")
redirect = strings.Split(redirect, "/")[0]
for _, domain := range p.whitelistDomains {
if strings.HasSuffix(redirect, domain) {
return true
}
}
return false
case strings.HasPrefix(redirect, "https://"):
redirect = strings.TrimPrefix(redirect, "https://")
redirect = strings.Split(redirect, "/")[0]
for _, domain := range p.whitelistDomains {
if strings.HasSuffix(redirect, domain) {
return true
}
}
return false
default:
return false
}
}
func (p *OAuthProxy) IsWhitelistedRequest(req *http.Request) (ok bool) { func (p *OAuthProxy) IsWhitelistedRequest(req *http.Request) (ok bool) {
isPreflightRequestAllowed := p.skipAuthPreflight && req.Method == "OPTIONS" isPreflightRequestAllowed := p.skipAuthPreflight && req.Method == "OPTIONS"
return isPreflightRequestAllowed || p.IsWhitelistedPath(req.URL.Path) return isPreflightRequestAllowed || p.IsWhitelistedPath(req.URL.Path)
@ -562,7 +591,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
return return
} }
if !strings.HasPrefix(redirect, "/") || strings.HasPrefix(redirect, "//") { if !p.IsValidRedirect(redirect) {
redirect = "/" redirect = "/"
} }
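Review bot: In the new IsValidRedirect (the `@ -426,13 +428,40 @@` hunk), `strings.HasSuffix(redirect, domain)` accepts any host that merely ends with the configured string, so a whitelist entry such as `example.com` also accepts hosts in an unrelated registrable domain whose name happens to end in those characters; the comparison should be an exact host match or require a `.` boundary immediately before the domain. The host is also recovered with `strings.Split(redirect, "/")[0]`, which does not stop at `?`, `#`, `@` or `:`, so the string being compared can contain userinfo, port, query or fragment text rather than only the host the browser will actually connect to; `url.Parse` followed by `Hostname()` yields the right value and `net/url` is already imported by this file. The `http://` and `https://` cases are identical apart from the prefix and can be folded together, and the exported method has no doc comment. Because the `rd` value is taken from the request, this check is the only thing between the login flow and an open redirect, so it deserves the stricter form below.
```go
// IsValidRedirect reports whether redirect is a site-local path or an
// absolute http(s) URL whose host is one of the configured whitelist
// domains (an entry matches its own host and any subdomain of it).
func (p *OAuthProxy) IsValidRedirect(redirect string) bool {
	if strings.HasPrefix(redirect, "/") && !strings.HasPrefix(redirect, "//") {
		return true
	}
	if !strings.HasPrefix(redirect, "http://") && !strings.HasPrefix(redirect, "https://") {
		return false
	}
	u, err := url.Parse(redirect)
	if err != nil {
		return false
	}
	// Hostname() strips userinfo, port, query and fragment, so only the
	// host the browser will connect to is compared.
	host := u.Hostname()
	for _, domain := range p.whitelistDomains {
		bare := strings.TrimPrefix(domain, ".")
		if host == bare || strings.HasSuffix(host, "."+bare) {
			return true
		}
	}
	return false
}
```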


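--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -32,6 +32,7 @@ type Options struct {
 AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
 AzureTenant string `flag:"azure-tenant" cfg:"azure_tenant"`
 EmailDomains []string `flag:"email-domain" cfg:"email_domains"`
+WhitelistDomains []string `flag:"whitelist-domains" cfg:"whitelist_domains"`
 GitHubOrg string `flag:"github-org" cfg:"github_org"`
 GitHubTeam string `flag:"github-team" cfg:"github_team"`
 GoogleGroups []string `flag:"google-group" cfg:"google_group"`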