author | Tuomo Ala-Vannesluoma <tuomoav@gmail.com> | 2018-08-12 12:36:10 +0300 |
---|---|---|
committer | Tuomo Ala-Vannesluoma <tuomoav@gmail.com> | 2018-08-12 12:36:10 +0300 |
commit | 1966ab9bf8592a32a7ff88e1d1439ed80f7f65bb (patch) | |
tree | 67050bfeab8865fd3b4db2746fa403932157c992 | |
parent | 3425634584820837fd88d14b944bbdc391823936 (diff) |
Use the reserved namespace 'projects' for the redirect URI to handle the situation where the root pages domain is not served by the pages daemon
-rw-r--r-- | README.md | 4 | ||||
-rw-r--r-- | acceptance_test.go | 16 | ||||
-rw-r--r-- | helpers_test.go | 6 | ||||
-rw-r--r-- | internal/auth/auth.go | 6 |
4 files changed, 16 insertions, 16 deletions
@@ -162,12 +162,12 @@ Pages and another HTTP server have to co-exist on the same server.
 ### GitLab access control
-GitLab access control is configured with properties `auth-client-id`, `auth-client-secret`, `auth-redirect-uri`, `auth-server` and `auth-secret`. Client ID, secret and redirect uri are configured in the GitLab and should match. `auth-server` points to a GitLab instance used for authentication. `auth-redirect-uri` should be `http(s)://pages-domain/auth`. Using HTTPS is _strongly_ encouraged. `auth-secret` is used to encrypt the session cookie, and it should be strong enough.
+GitLab access control is configured with properties `auth-client-id`, `auth-client-secret`, `auth-redirect-uri`, `auth-server` and `auth-secret`. Client ID, secret and redirect uri are configured in the GitLab and should match. `auth-server` points to a GitLab instance used for authentication. `auth-redirect-uri` should be `http(s)://pages-domain/auth`. Note that if the pages-domain is not handled by GitLab pages, then the `auth-redirect-uri` should use some reserved namespace prefix (such as `http(s)://projects.pages-domain/auth`). Using HTTPS is _strongly_ encouraged. `auth-secret` is used to encrypt the session cookie, and it should be strong enough.
 Example:
 ```
 $ make
-$ ./gitlab-pages -listen-http "10.0.0.1:8080" -listen-https "[fd00::1]:8080" -pages-root path/to/gitlab/shared/pages -pages-domain example.com -auth-client-id <id> -auth-client-secret <secret> -auth-redirect-uri https://example.com/auth -auth-secret something-very-secret -auth-server https://gitlab.com
+$ ./gitlab-pages -listen-http "10.0.0.1:8080" -listen-https "[fd00::1]:8080" -pages-root path/to/gitlab/shared/pages -pages-domain example.com -auth-client-id <id> -auth-client-secret <secret> -auth-redirect-uri https://projects.example.com/auth -auth-secret something-very-secret -auth-server https://gitlab.com
 ```
 #### How it works
diff --git a/acceptance_test.go b/acceptance_test.go
index 516b90d2..98db0203 100644
--- a/acceptance_test.go
+++ b/acceptance_test.go
@@ -614,7 +614,7 @@ func TestWhenAuthIsEnabledPrivateWillRedirectToAuthorize(t *testing.T) {
 assert.Equal(t, "gitlab-auth.com", url.Host)
 assert.Equal(t, "/oauth/authorize", url.Path)
 assert.Equal(t, "1", url.Query().Get("client_id"))
- assert.Equal(t, "https://gitlab-example.com/auth", url.Query().Get("redirect_uri"))
+ assert.Equal(t, "https://projects.gitlab-example.com/auth", url.Query().Get("redirect_uri"))
 assert.NotEqual(t, "", url.Query().Get("state"))
 }
@@ -623,7 +623,7 @@ func TestWhenAuthDeniedWillCauseUnauthorized(t *testing.T) {
 teardown := RunPagesProcessWithAuth(t, *pagesBinary, listeners, "")
 defer teardown()
- rsp, err := GetPageFromListener(t, httpsListener, "gitlab-example.com", "/auth?error=access_denied")
+ rsp, err := GetPageFromListener(t, httpsListener, "projects.gitlab-example.com", "/auth?error=access_denied")
 require.NoError(t, err)
 defer rsp.Body.Close()
@@ -641,7 +641,7 @@ func TestWhenLoginCallbackWithWrongStateShouldFail(t *testing.T) {
 defer rsp.Body.Close()
 // Go to auth page with wrong state will cause failure
- authrsp, err := GetPageFromListener(t, httpsListener, "gitlab-example.com", "/auth?code=0&state=0")
+ authrsp, err := GetPageFromListener(t, httpsListener, "projects.gitlab-example.com", "/auth?code=0&state=0")
 require.NoError(t, err)
 defer authrsp.Body.Close()
@@ -665,7 +665,7 @@ func TestWhenLoginCallbackWithCorrectStateWithoutEndpoint(t *testing.T) {
 require.NoError(t, err)
 // Go to auth page with correct state will cause fetching the token
- authrsp, err := GetPageFromListenerWithCookie(t, httpsListener, "gitlab-example.com", "/auth?code=1&state="+
+ authrsp, err := GetPageFromListenerWithCookie(t, httpsListener, "projects.gitlab-example.com", "/auth?code=1&state="+
 url.Query().Get("state"), cookie)
 require.NoError(t, err)
@@ -718,7 +718,7 @@ func TestAccessControlUnderCustomDomain(t *testing.T) {
 pagescookie := pagesrsp.Header.Get("Set-Cookie")
 // Go to auth page with correct state will cause fetching the token
- authrsp, err := GetRedirectPageWithCookie(t, httpListener, "gitlab-example.com", "/auth?code=1&state="+
+ authrsp, err := GetRedirectPageWithCookie(t, httpListener, "projects.gitlab-example.com", "/auth?code=1&state="+
 state, pagescookie)
 require.NoError(t, err)
@@ -857,10 +857,10 @@ func TestAccessControl(t *testing.T) {
 assert.Equal(t, http.StatusFound, rsp.StatusCode)
 cookie := rsp.Header.Get("Set-Cookie")
- // Redirects to the gitlab pages root domain for authentication flow
+ // Redirects to the projects under gitlab pages domain for authentication flow
 url, err := url.Parse(rsp.Header.Get("Location"))
 require.NoError(t, err)
- assert.Equal(t, "gitlab-example.com", url.Host)
+ assert.Equal(t, "projects.gitlab-example.com", url.Host)
 assert.Equal(t, "/auth", url.Path)
 state := url.Query().Get("state")
@@ -873,7 +873,7 @@ func TestAccessControl(t *testing.T) {
 pagesDomainCookie := rsp.Header.Get("Set-Cookie")
 // Go to auth page with correct state will cause fetching the token
- authrsp, err := GetRedirectPageWithCookie(t, httpsListener, "gitlab-example.com", "/auth?code=1&state="+
+ authrsp, err := GetRedirectPageWithCookie(t, httpsListener, "projects.gitlab-example.com", "/auth?code=1&state="+
 state, pagesDomainCookie)
 require.NoError(t, err)
diff --git a/helpers_test.go b/helpers_test.go
index 8ee27d0a..83107488 100644
--- a/helpers_test.go
+++ b/helpers_test.go
@@ -148,7 +148,7 @@ func RunPagesProcessWithAuth(t *testing.T, pagesPath string, listeners []ListenS
 return runPagesProcess(t, true, pagesPath, listeners, promPort, nil,
 "-auth-client-id=1", "-auth-client-secret=1",
 "-auth-server=https://gitlab-auth.com",
- "-auth-redirect-uri=https://gitlab-example.com/auth",
+ "-auth-redirect-uri=https://projects.gitlab-example.com/auth",
 "-auth-secret=something-very-secret")
 }
@@ -156,7 +156,7 @@ func RunPagesProcessWithAuthServer(t *testing.T, pagesPath string, listeners []L
 return runPagesProcess(t, true, pagesPath, listeners, promPort, nil,
 "-auth-client-id=1", "-auth-client-secret=1",
 "-auth-server="+authServer,
- "-auth-redirect-uri=https://gitlab-example.com/auth",
+ "-auth-redirect-uri=https://projects.gitlab-example.com/auth",
 "-auth-secret=something-very-secret")
 }
@@ -164,7 +164,7 @@ func RunPagesProcessWithAuthServerWithSSL(t *testing.T, pagesPath string, listen
 return runPagesProcess(t, true, pagesPath, listeners, promPort, []string{"SSL_CERT_FILE=" + sslCertFile},
 "-auth-client-id=1", "-auth-client-secret=1",
 "-auth-server="+authServer,
- "-auth-redirect-uri=https://gitlab-example.com/auth",
+ "-auth-redirect-uri=https://projects.gitlab-example.com/auth",
 "-auth-secret=something-very-secret")
 }
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index d3701207..936754cc 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -24,7 +24,7 @@ const (
 tokenURLTemplate = "%s/oauth/token"
 tokenContentTemplate = "client_id=%s&client_secret=%s&code=%s&grant_type=authorization_code&redirect_uri=%s"
 callbackPath = "/auth"
- authorizeProxyTemplate = "%s/auth?domain=%s&state=%s"
+ authorizeProxyTemplate = "%s?domain=%s&state=%s"
 )
 // Auth handles authenticating users with GitLab API
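Review bot: The new `authorizeProxyTemplate` drops the hard-coded `/auth` and hangs `?domain=%s&state=%s` directly off whatever `-auth-redirect-uri` was configured, so the code now silently relies on that value ending in `callbackPath` and carrying no query string or fragment; an operator who configures `https://projects.example.com/auth?x=1` or a different path gets an authorize round-trip that never reaches the callback handler, and nothing in this hunk checks for it. Since the same value is also sent to GitLab as `redirect_uri` and must match exactly, it is cheap to validate once where `Auth` is constructed (outside this hunk), e.g. `u, err := url.Parse(redirectURI)` followed by `if err != nil || u.Path != callbackPath || u.RawQuery != "" || u.Fragment != "" { return nil, fmt.Errorf("auth-redirect-uri must be <scheme>://<host>%s", callbackPath) }`. A one-line comment on the constant would also help the next reader: `// authorizeProxyTemplate is appended to the configured redirect URI, which must end in callbackPath and have no query component.`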
@@ -308,9 +308,9 @@ func (a *Auth) checkTokenExists(session *sessions.Session, w http.ResponseWriter
 func (a *Auth) getProxyAddress(r *http.Request, state string) string {
 if r.TLS != nil {
- return fmt.Sprintf(authorizeProxyTemplate, "https://"+a.pagesDomain, r.Host, state)
+ return fmt.Sprintf(authorizeProxyTemplate, a.redirectURI, r.Host, state)
 }
- return fmt.Sprintf(authorizeProxyTemplate, "http://"+a.pagesDomain, r.Host, state)
+ return fmt.Sprintf(authorizeProxyTemplate, a.redirectURI, r.Host, state)
 }
 func destroySession(session *sessions.Session, w http.ResponseWriter, r *http.Request) {
|
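Review bot: Both arms of `if r.TLS != nil` in `getProxyAddress` now return the identical expression, so the TLS branch is dead code and the scheme of the authorize redirect no longer follows the incoming request but comes solely from `a.redirectURI`; that is the intended behaviour (and safer, given the README's push for HTTPS), but it should be made explicit rather than left as two duplicate returns. The `%s` interpolation of `r.Host` also deserves attention: it is the client-supplied Host header, it is placed into a query string unescaped, and the `domain` value it becomes is presumably used by the callback to send the browser back to the originating site, so whether that handler validates it against the served domains should be confirmed outside this hunk. Building the query with `url.Values` removes the dead branch and escapes both parameters; it needs `net/url` imported if the file does not already have it.
```go
func (a *Auth) getProxyAddress(r *http.Request, state string) string {
	// The authorize flow always goes through the configured redirect URI,
	// regardless of whether this request arrived over TLS.
	q := url.Values{}
	q.Set("domain", r.Host) // untrusted Host header; escaped by Encode
	q.Set("state", state)
	return a.redirectURI + "?" + q.Encode()
}
```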