authorTuomo Ala-Vannesluoma <tuomoav@gmail.com>2018-08-10 00:06:43 +0300
committerTuomo Ala-Vannesluoma <tuomoav@gmail.com>2018-08-10 00:23:53 +0300
commit3425634584820837fd88d14b944bbdc391823936 (patch)
treef199d9e79a8d2208c28871ea628ae2668d9d4fe3
parentb30197c907c86e38740df5640642f2a5ea739c69 (diff)
Allow auth proxying only for configured domains and everything under pages domain
-rw-r--r--app.go2
-rw-r--r--internal/auth/auth.go22
-rw-r--r--internal/auth/auth_test.go10
3 files changed, 26 insertions, 8 deletions
diff --git a/app.go b/app.go
index 047e7ed9..3ffe9ad9 100644
--- a/app.go
+++ b/app.go
@@ -164,7 +164,7 @@ func (a *theApp) serveContent(ww http.ResponseWriter, r *http.Request, https boo
host, domain := a.getHostAndDomain(r)
- if a.Auth.TryAuthenticate(&w, r) {
+ if a.Auth.TryAuthenticate(&w, r, a.dm, &a.lock) {
return
}
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index e88cf7a2..d3701207 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -7,11 +7,13 @@ import (
"fmt"
"net/http"
"strings"
+ "sync"
"time"
"github.com/gorilla/securecookie"
"github.com/gorilla/sessions"
log "github.com/sirupsen/logrus"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/domain"
"gitlab.com/gitlab-org/gitlab-pages/internal/httperrors"
)
@@ -81,7 +83,7 @@ func (a *Auth) getSession(r *http.Request) *sessions.Session {
}
// TryAuthenticate tries to authenticate user and fetch access token if request is a callback to auth
-func (a *Auth) TryAuthenticate(w http.ResponseWriter, r *http.Request) bool {
+func (a *Auth) TryAuthenticate(w http.ResponseWriter, r *http.Request, dm domain.Map, lock *sync.RWMutex) bool {
if a == nil {
return false
@@ -100,7 +102,7 @@ func (a *Auth) TryAuthenticate(w http.ResponseWriter, r *http.Request) bool {
log.Debug("Authentication callback")
- if a.handleProxyingAuth(session, w, r) {
+ if a.handleProxyingAuth(session, w, r, dm, lock) {
return true
}
@@ -149,11 +151,25 @@ func (a *Auth) TryAuthenticate(w http.ResponseWriter, r *http.Request) bool {
return false
}
-func (a *Auth) handleProxyingAuth(session *sessions.Session, w http.ResponseWriter, r *http.Request) bool {
+func (a *Auth) domainAllowed(domain string, dm domain.Map, lock *sync.RWMutex) bool {
+ lock.RLock()
+ defer lock.RUnlock()
+ _, present := dm[domain]
+ return strings.HasSuffix(strings.ToLower(domain), a.pagesDomain) || present
+}
+
+func (a *Auth) handleProxyingAuth(session *sessions.Session, w http.ResponseWriter, r *http.Request, dm domain.Map, lock *sync.RWMutex) bool {
// If request is for authenticating via custom domain
if shouldProxyAuth(r) {
domain := r.URL.Query().Get("domain")
state := r.URL.Query().Get("state")
+
+ if !a.domainAllowed(domain, dm, lock) {
+ log.WithField("domain", domain).Debug("Domain is not configured")
+ httperrors.Serve401(w)
+ return true
+ }
+
log.WithField("domain", domain).Debug("User is authenticating via domain")
if r.TLS != nil {
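Review bot: The suffix check in the new domainAllowed (third hunk of this file) accepts any hostname that merely ends with the pages-domain string, because HasSuffix is not anchored on a label boundary — with a pages domain of `pages.example.com` (constructed example), a host such as `evilpages.example.com` would pass and the auth callback would be proxied to it. Require an exact match or a dot-separated subdomain instead: `lower := strings.ToLower(domain)` followed by `return lower == a.pagesDomain || strings.HasSuffix(lower, "."+a.pagesDomain) || present`, assuming a.pagesDomain is stored lowercased, which is not visible here. The map lookup `dm[domain]` uses the raw query value while the suffix check lowercases it; whether domain.Map keys are normalized is not visible in this hunk, so it is worth confirming the two agree. The parameter named `domain` (and the local of the same name in handleProxyingAuth) shadows the imported `domain` package inside the body, which compiles but is easy to misread; a name like `host` would be clearer. handleProxyingAuth continues past the end of this hunk.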
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
index f95583b3..4973ce01 100644
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -5,12 +5,14 @@ import (
"net/http"
"net/http/httptest"
"net/url"
+ "sync"
"testing"
"github.com/gorilla/sessions"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"gitlab.com/gitlab-org/gitlab-pages/internal/auth"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/domain"
)
func createAuth(t *testing.T) *auth.Auth {
@@ -30,7 +32,7 @@ func TestTryAuthenticate(t *testing.T) {
require.NoError(t, err)
r := &http.Request{URL: reqURL}
- assert.Equal(t, false, auth.TryAuthenticate(result, r))
+ assert.Equal(t, false, auth.TryAuthenticate(result, r, make(domain.Map), &sync.RWMutex{}))
}
func TestTryAuthenticateWithError(t *testing.T) {
@@ -41,7 +43,7 @@ func TestTryAuthenticateWithError(t *testing.T) {
require.NoError(t, err)
r := &http.Request{URL: reqURL}
- assert.Equal(t, true, auth.TryAuthenticate(result, r))
+ assert.Equal(t, true, auth.TryAuthenticate(result, r, make(domain.Map), &sync.RWMutex{}))
assert.Equal(t, 401, result.Code)
}
@@ -58,7 +60,7 @@ func TestTryAuthenticateWithCodeButInvalidState(t *testing.T) {
session.Values["state"] = "state"
session.Save(r, result)
- assert.Equal(t, true, auth.TryAuthenticate(result, r))
+ assert.Equal(t, true, auth.TryAuthenticate(result, r, make(domain.Map), &sync.RWMutex{}))
assert.Equal(t, 401, result.Code)
}
@@ -100,7 +102,7 @@ func TestTryAuthenticateWithCodeAndState(t *testing.T) {
session.Values["state"] = "state"
session.Save(r, result)
- assert.Equal(t, true, auth.TryAuthenticate(result, r))
+ assert.Equal(t, true, auth.TryAuthenticate(result, r, make(domain.Map), &sync.RWMutex{}))
assert.Equal(t, 302, result.Code)
assert.Equal(t, "http://pages.gitlab-example.com/project/", result.Header().Get("Location"))
}
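Review bot: The test changes only thread the two new arguments through the existing calls with an empty map, so the behavior the commit introduces — a 401 for a domain that is neither in the map nor under the pages domain, and acceptance of a configured domain or a pages subdomain — is not exercised anywhere in this file. A table-driven test around the proxying path (a request carrying `domain` and `state` query parameters, with a domain.Map holding one entry) would pin both branches, and asserting `result.Code` is 401 for an unknown domain is the case that matters most. If rejecting lookalike hosts that merely end in the pages-domain string is the intended semantics, a case for that would document it as well.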