Made setting of proxied headers deterministic based on configuration
alone Previously some headers that are normally set by the proxy (and may be relied upon upstream for authorization decisions) were not being set, depending on values in the user's session. This change ensures that if a given header is sometimes set, it will always be either set or removed. It might be worth considering always deleting these headers if we didn't add them.
parent
c4559ea372
commit
d5d4878a29
@ -39,6 +39,7 @@
|
|||||||
- [#234](https://github.com/pusher/oauth2_proxy/pull/234) Added option `-ssl-upstream-insecure-skip-validation` to skip validation of upstream SSL certificates (@jansinger)
|
- [#234](https://github.com/pusher/oauth2_proxy/pull/234) Added option `-ssl-upstream-insecure-skip-validation` to skip validation of upstream SSL certificates (@jansinger)
|
||||||
- [#224](https://github.com/pusher/oauth2_proxy/pull/224) Check Google group membership using hasMember to support nested groups and external users (@jpalpant)
|
- [#224](https://github.com/pusher/oauth2_proxy/pull/224) Check Google group membership using hasMember to support nested groups and external users (@jpalpant)
|
||||||
- [#231](https://github.com/pusher/oauth2_proxy/pull/231) Add optional group membership and email domain checks to the GitLab provider (@Overv)
|
- [#231](https://github.com/pusher/oauth2_proxy/pull/231) Add optional group membership and email domain checks to the GitLab provider (@Overv)
|
||||||
|
- [#226](https://github.com/pusher/oauth2_proxy/pull/226) Made setting of proxied headers deterministic based on configuration alone (@aeijdenberg)
|
||||||
- [#178](https://github.com/pusher/oauth2_proxy/pull/178) Add Silence Ping Logging and Exclude Logging Paths flags (@kskewes)
|
- [#178](https://github.com/pusher/oauth2_proxy/pull/178) Add Silence Ping Logging and Exclude Logging Paths flags (@kskewes)
|
||||||
- [#209](https://github.com/pusher/oauth2_proxy/pull/209) Improve docker build caching of layers (@dekimsey)
|
- [#209](https://github.com/pusher/oauth2_proxy/pull/209) Improve docker build caching of layers (@dekimsey)
|
||||||
- [#186](https://github.com/pusher/oauth2_proxy/pull/186) Make config consistent (@JoelSpeed)
|
- [#186](https://github.com/pusher/oauth2_proxy/pull/186) Make config consistent (@JoelSpeed)
|
||||||
|
@ -820,32 +820,60 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
|
|||||||
req.Header["X-Forwarded-User"] = []string{session.User}
|
req.Header["X-Forwarded-User"] = []string{session.User}
|
||||||
if session.Email != "" {
|
if session.Email != "" {
|
||||||
req.Header["X-Forwarded-Email"] = []string{session.Email}
|
req.Header["X-Forwarded-Email"] = []string{session.Email}
|
||||||
|
} else {
|
||||||
|
req.Header.Del("X-Forwarded-Email")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if p.PassUserHeaders {
|
if p.PassUserHeaders {
|
||||||
req.Header["X-Forwarded-User"] = []string{session.User}
|
req.Header["X-Forwarded-User"] = []string{session.User}
|
||||||
if session.Email != "" {
|
if session.Email != "" {
|
||||||
req.Header["X-Forwarded-Email"] = []string{session.Email}
|
req.Header["X-Forwarded-Email"] = []string{session.Email}
|
||||||
|
} else {
|
||||||
|
req.Header.Del("X-Forwarded-Email")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if p.SetXAuthRequest {
|
if p.SetXAuthRequest {
|
||||||
rw.Header().Set("X-Auth-Request-User", session.User)
|
rw.Header().Set("X-Auth-Request-User", session.User)
|
||||||
if session.Email != "" {
|
if session.Email != "" {
|
||||||
rw.Header().Set("X-Auth-Request-Email", session.Email)
|
rw.Header().Set("X-Auth-Request-Email", session.Email)
|
||||||
|
} else {
|
||||||
|
rw.Header().Del("X-Auth-Request-Email")
|
||||||
}
|
}
|
||||||
if p.PassAccessToken && session.AccessToken != "" {
|
|
||||||
|
if p.PassAccessToken {
|
||||||
|
if session.AccessToken != "" {
|
||||||
rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)
|
rw.Header().Set("X-Auth-Request-Access-Token", session.AccessToken)
|
||||||
|
} else {
|
||||||
|
rw.Header().Del("X-Auth-Request-Access-Token")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if p.PassAccessToken && session.AccessToken != "" {
|
}
|
||||||
|
|
||||||
|
if p.PassAccessToken {
|
||||||
|
if session.AccessToken != "" {
|
||||||
req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken}
|
req.Header["X-Forwarded-Access-Token"] = []string{session.AccessToken}
|
||||||
|
} else {
|
||||||
|
req.Header.Del("X-Forwarded-Access-Token")
|
||||||
}
|
}
|
||||||
if p.PassAuthorization && session.IDToken != "" {
|
}
|
||||||
|
|
||||||
|
if p.PassAuthorization {
|
||||||
|
if session.IDToken != "" {
|
||||||
req.Header["Authorization"] = []string{fmt.Sprintf("Bearer %s", session.IDToken)}
|
req.Header["Authorization"] = []string{fmt.Sprintf("Bearer %s", session.IDToken)}
|
||||||
|
} else {
|
||||||
|
req.Header.Del("Authorization")
|
||||||
}
|
}
|
||||||
if p.SetAuthorization && session.IDToken != "" {
|
}
|
||||||
|
if p.SetAuthorization {
|
||||||
|
if session.IDToken != "" {
|
||||||
rw.Header().Set("Authorization", fmt.Sprintf("Bearer %s", session.IDToken))
|
rw.Header().Set("Authorization", fmt.Sprintf("Bearer %s", session.IDToken))
|
||||||
|
} else {
|
||||||
|
rw.Header().Del("Authorization")
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
if session.Email == "" {
|
if session.Email == "" {
|
||||||
rw.Header().Set("GAP-Auth", session.User)
|
rw.Header().Set("GAP-Auth", session.User)
|
||||||
} else {
|
} else {
|
||||||
|
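Review bot: The new `else` branches remove a header only when its option is enabled and the session value is empty. When `p.PassUserHeaders`, `p.PassAccessToken` or `p.PassAuthorization` is false, nothing in the visible lines strips a client-supplied `X-Forwarded-User`, `X-Forwarded-Email`, `X-Forwarded-Access-Token` or `Authorization` from `req.Header`. An upstream that trusts these headers for authorization could then receive values the proxy never set, unless they are stripped elsewhere in the request path, which this hunk does not show. If pass-through is not intended, give each option an outer `else` that deletes the same request header, e.g. `} else { req.Header.Del("X-Forwarded-Access-Token") }`; if it is intended (plausibly for `Authorization`), say so in a comment such as `// client-supplied value is forwarded unchanged when this option is off`. The first `X-Forwarded-User` assignment sits inside an `if` opened above the hunk, and the function continues past the final `} else {`.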