Use x-original-url instead of host to deduce domain to check permissions for

Clement Michaud 2018-04-25 00:41:41 +02:00
parent 4be299d6eb
commit bc72f5c508
5 changed files with 65 additions and 48 deletions


@ -75,9 +75,13 @@ http {
location /auth_verify { location /auth_verify {
internal; internal;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_body off;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_pass $upstream_verify; proxy_pass $upstream_verify;
@ -138,9 +142,13 @@ http {
location /auth_verify { location /auth_verify {
internal; internal;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_body off;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_pass $upstream_verify; proxy_pass $upstream_verify;
@ -184,9 +192,13 @@ http {
location /auth_verify { location /auth_verify {
internal; internal;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_body off;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_pass $upstream_verify; proxy_pass $upstream_verify;
@ -230,9 +242,13 @@ http {
location /auth_verify { location /auth_verify {
internal; internal;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_body off;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_pass $upstream_verify; proxy_pass $upstream_verify;
@ -277,11 +293,14 @@ http {
location /auth_verify { location /auth_verify {
internal; internal;
proxy_set_header Host $http_host; proxy_set_header Host $http_host;
proxy_set_header X-Original-URI $request_uri; proxy_set_header X-Original-URI $request_uri;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass_request_body off;
proxy_set_header Content-Length ""; proxy_set_header Content-Length "";
proxy_set_header Proxy-Authorization $http_authorization;
proxy_pass $upstream_verify; proxy_pass $upstream_verify;
} }
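Review bot: The new `X-Original-URL` header (L16, and the same line in the hunks at L27, L38, L49 and L60) is built from `$http_host`, which is the raw, unnormalized Host header as the client sent it; if the verify backend now derives the domain for its access decision from this header, that value is only as trustworthy as the `server_name` matching that routed the request into this server block, and a catch-all `server_name` would let an arbitrary Host value reach `/auth_verify`. Consider `proxy_set_header X-Original-URL $scheme://$host$request_uri;` so the host part is lowercased and matched against `server_name`, or keep `$http_host` and document that the server blocks using this location must declare explicit `server_name` values. A short comment above the line, such as `# X-Original-URL is the only host/path source the verify backend trusts; keep it derived from nginx variables, never from the client's own X-Original-URL`, would record why the header is overwritten here. The enclosing server blocks start outside the hunks.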


@ -1,10 +1,20 @@
import express = require("express"); import express = require("express");
import { AuthenticationSessionHandler } from "../../AuthenticationSessionHandler"; import { AuthenticationSessionHandler } from "../../AuthenticationSessionHandler";
import Constants = require("../../../../../shared/constants");
import { ServerVariables } from "../../ServerVariables";
export default function(req: express.Request, res: express.Response) { function getRedirectParam(req: express.Request) {
const redirect_param = req.query.redirect; return req.query[Constants.REDIRECT_QUERY_PARAM] != "undefined"
? req.query[Constants.REDIRECT_QUERY_PARAM]
: undefined;
}
export default function (vars: ServerVariables) {
return function(req: express.Request, res: express.Response) {
const redirect_param = getRedirectParam(req);
const redirect_url = redirect_param || "/"; const redirect_url = redirect_param || "/";
AuthenticationSessionHandler.reset(req); AuthenticationSessionHandler.reset(req);
res.redirect(redirect_url); res.redirect(redirect_url);
};
} }
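Review bot: `redirect_url` is taken straight from the `rd` query parameter and passed to `res.redirect` (L83 to L86) without any check, so an absolute URL supplied by the caller is followed after the session is reset; the new `vars: ServerVariables` parameter (L81) is unused, although it is the natural place to obtain the protected domain against which the target should be checked. At minimum the handler should accept only same-origin paths (leading `/` but not `//`) and fall back to `/` otherwise; if redirects to other protected subdomains are required, compare the target's host with the configured domain from `vars` instead of the relative-path rule below. The comparison `!= "undefined"` at L77 tests against the string literal rather than `undefined`, which matches the fixture at L102 but deserves a comment such as `// the reverse proxy may forward the literal string "undefined" when no rd was given`. Spacing also differs between `function (vars` and `function(req`.
```typescript
function isLocalRedirect(target: string): boolean {
  // Same-origin path only: rejects absolute and protocol-relative ("//host") URLs.
  return target.startsWith("/") && !target.startsWith("//");
}
// … unchanged: getRedirectParam …
export default function (vars: ServerVariables) {
  return function (req: express.Request, res: express.Response) {
    const redirect_param = getRedirectParam(req);
    const redirect_url = redirect_param && isLocalRedirect(redirect_param)
      ? redirect_param
      : "/";
    // … unchanged: session reset and redirect …
```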


@ -129,7 +129,7 @@ export class RestApi {
RequireValidatedFirstFactor.middleware(vars.logger), RequireValidatedFirstFactor.middleware(vars.logger),
SecondFactorGet.default(vars)); SecondFactorGet.default(vars));
app.get(Endpoints.LOGOUT_GET, LogoutGet.default); app.get(Endpoints.LOGOUT_GET, LogoutGet.default(vars));
app.get(Endpoints.VERIFY_GET, VerifyGet.default(vars)); app.get(Endpoints.VERIFY_GET, VerifyGet.default(vars));
app.post(Endpoints.FIRST_FACTOR_POST, FirstFactorPost.default(vars)); app.post(Endpoints.FIRST_FACTOR_POST, FirstFactorPost.default(vars));


@ -27,7 +27,7 @@ describe("test /api/verify endpoint", function () {
redirect: "undefined" redirect: "undefined"
}; };
AuthenticationSessionHandler.reset(req as any); AuthenticationSessionHandler.reset(req as any);
req.headers.host = "secret.example.com"; req.headers["x-original-url"] = "https://secret.example.com/";
const s = ServerVariablesMockBuilder.build(false); const s = ServerVariablesMockBuilder.build(false);
mocks = s.mocks; mocks = s.mocks;
vars = s.variables; vars = s.variables;
@ -130,7 +130,7 @@ describe("test /api/verify endpoint", function () {
authSession.first_factor = true; authSession.first_factor = true;
authSession.second_factor = true; authSession.second_factor = true;
authSession.userid = "myuser"; authSession.userid = "myuser";
req.headers.host = "test.example.com"; req.headers["x-original-url"] = "https://test.example.com/";
mocks.accessController.isAccessAllowedMock.returns(false); mocks.accessController.isAccessAllowedMock.returns(false);
return test_unauthorized_403({ return test_unauthorized_403({
@ -147,7 +147,7 @@ describe("test /api/verify endpoint", function () {
describe("given user tries to access a single factor endpoint", function () { describe("given user tries to access a single factor endpoint", function () {
beforeEach(function () { beforeEach(function () {
req.headers["host"] = "redirect.url"; req.headers["x-original-url"] = "https://redirect.url/";
mocks.config.authentication_methods.per_subdomain_methods = { mocks.config.authentication_methods.per_subdomain_methods = {
"redirect.url": "single_factor" "redirect.url": "single_factor"
}; };
@ -238,7 +238,7 @@ describe("test /api/verify endpoint", function () {
mocks.ldapAuthenticator.authenticateStub.rejects(new Error( mocks.ldapAuthenticator.authenticateStub.rejects(new Error(
"Invalid credentials")); "Invalid credentials"));
req.headers["proxy-authorization"] = "Basic am9objpwYXNzd29yZA=="; req.headers["proxy-authorization"] = "Basic am9objpwYXNzd29yZA==";
req.query["redirect"] = REDIRECT_URL; req.query["rd"] = REDIRECT_URL;
return VerifyGet.default(vars)(req as express.Request, res as any) return VerifyGet.default(vars)(req as express.Request, res as any)
.then(function () { .then(function () {
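Review bot: Every fixture now sets `x-original-url` to a well-formed absolute URL (L105, L113, L119), but no case covers a request where the header is missing or is not a parseable URL, which is exactly what a proxy deployed without the new `proxy_set_header` line would send; since the verify handler itself is not in the visible hunks, the expected outcome is inferred, but a test should pin that such a request is rejected with 401/403 rather than granted or turned into an unhandled rejection. A dedicated `it` that does `delete req.headers["x-original-url"];` before calling `VerifyGet.default(vars)` would close that gap, and a second one with a non-URL value such as `"not a url"` would cover the parsing path. The `redirect` to `rd` rename at L127 is consistent with the handler change but the fixture at L102 still uses the key `redirect`, which is worth a look if that object feeds `req.query`.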


@ -18,16 +18,4 @@ describe("test DomainExtractor", function () {
Assert.equal(domain, "www.example.com"); Assert.equal(domain, "www.example.com");
}); });
}); });
describe("test fromHostHeader", function () {
it("should return domain when default port is used", function () {
const domain = DomainExtractor.fromHostHeader("www.example.com");
Assert.equal(domain, "www.example.com");
});
it("should return domain when non default port is used", function () {
const domain = DomainExtractor.fromHostHeader("www.example.com:8080");
Assert.equal(domain, "www.example.com");
});
});
}); });