author | Tuomo Ala-Vannesluoma <tuomoav@gmail.com> | 2018-08-10 00:06:43 +0300 |
---|---|---|
committer | Tuomo Ala-Vannesluoma <tuomoav@gmail.com> | 2018-08-10 00:23:53 +0300 |
commit | 3425634584820837fd88d14b944bbdc391823936 (patch) | |
tree | f199d9e79a8d2208c28871ea628ae2668d9d4fe3 /internal/auth | |
parent | b30197c907c86e38740df5640642f2a5ea739c69 (diff) |
Allow auth proxying only for configured domains and everything under pages domain
Diffstat (limited to 'internal/auth')
-rw-r--r-- | internal/auth/auth.go | 22 | ||||
-rw-r--r-- | internal/auth/auth_test.go | 10 |
2 files changed, 25 insertions, 7 deletions
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index e88cf7a2..d3701207 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -7,11 +7,13 @@ import (
 "fmt"
 "net/http"
 "strings"
+ "sync"
 "time"
 
 "github.com/gorilla/securecookie"
 "github.com/gorilla/sessions"
 log "github.com/sirupsen/logrus"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/domain"
 "gitlab.com/gitlab-org/gitlab-pages/internal/httperrors"
 )
 
@@ -81,7 +83,7 @@ func (a *Auth) getSession(r *http.Request) *sessions.Session {
 }
 
 // TryAuthenticate tries to authenticate user and fetch access token if request is a callback to auth
-func (a *Auth) TryAuthenticate(w http.ResponseWriter, r *http.Request) bool {
+func (a *Auth) TryAuthenticate(w http.ResponseWriter, r *http.Request, dm domain.Map, lock *sync.RWMutex) bool {
 if a == nil {
 return false
@@ -100,7 +102,7 @@ func (a *Auth) TryAuthenticate(w http.ResponseWriter, r *http.Request) bool {
 log.Debug("Authentication callback")
- if a.handleProxyingAuth(session, w, r) {
+ if a.handleProxyingAuth(session, w, r, dm, lock) {
 return true
 }
@@ -149,11 +151,25 @@ func (a *Auth) TryAuthenticate(w http.ResponseWriter, r *http.Request) bool {
 return false
 }
 
-func (a *Auth) handleProxyingAuth(session *sessions.Session, w http.ResponseWriter, r *http.Request) bool {
+func (a *Auth) domainAllowed(domain string, dm domain.Map, lock *sync.RWMutex) bool {
+ lock.RLock()
+ defer lock.RUnlock()
+ _, present := dm[domain]
+ return strings.HasSuffix(strings.ToLower(domain), a.pagesDomain) || present
+}
+
+func (a *Auth) handleProxyingAuth(session *sessions.Session, w http.ResponseWriter, r *http.Request, dm domain.Map, lock *sync.RWMutex) bool {
 // If request is for authenticating via custom domain
 if shouldProxyAuth(r) {
 domain := r.URL.Query().Get("domain")
 state := r.URL.Query().Get("state")
+
+ if !a.domainAllowed(domain, dm, lock) {
+ log.WithField("domain", domain).Debug("Domain is not configured")
+ httperrors.Serve401(w)
+ return true
+ }
+
 log.WithField("domain", domain).Debug("User is authenticating via domain")
 
 if r.TLS != nil {
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
index f95583b3..4973ce01 100644
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -5,12 +5,14 @@ import (
 "net/http"
 "net/http/httptest"
 "net/url"
+ "sync"
 "testing"
 
 "github.com/gorilla/sessions"
 "github.com/stretchr/testify/assert"
 "github.com/stretchr/testify/require"
 "gitlab.com/gitlab-org/gitlab-pages/internal/auth"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/domain"
 )
 
 func createAuth(t *testing.T) *auth.Auth {
@@ -30,7 +32,7 @@ func TestTryAuthenticate(t *testing.T) {
 require.NoError(t, err)
 r := &http.Request{URL: reqURL}
- assert.Equal(t, false, auth.TryAuthenticate(result, r))
+ assert.Equal(t, false, auth.TryAuthenticate(result, r, make(domain.Map), &sync.RWMutex{}))
 }
 
 func TestTryAuthenticateWithError(t *testing.T) {
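Review bot: In `domainAllowed`, `strings.HasSuffix(strings.ToLower(domain), a.pagesDomain)` accepts any hostname that merely ends in the pages-domain string, not only names under it: assuming `a.pagesDomain` holds a bare host such as `example.io` without a leading dot (its initialisation is not visible here), an unrelated host like `notexample.io` also passes and the proxying auth flow continues for a host the operator does not control. Anchor the suffix at a label boundary, e.g. `name := strings.ToLower(domain)` followed by `return name == a.pagesDomain || strings.HasSuffix(name, "."+a.pagesDomain) || present`. The map lookup `dm[domain]` also uses the raw query value while the suffix test lowercases it, so a mixed-case custom domain is rejected even when configured; if the map keys are stored lowercased, look up `name` instead. As a point of style, the parameter `domain string` and the local `domain :=` in handleProxyingAuth both shadow the newly imported `domain` package; renaming them to `host` avoids the collision. handleProxyingAuth continues past the end of the hunk.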
@@ -41,7 +43,7 @@ func TestTryAuthenticateWithError(t *testing.T) {
 require.NoError(t, err)
 r := &http.Request{URL: reqURL}
- assert.Equal(t, true, auth.TryAuthenticate(result, r))
+ assert.Equal(t, true, auth.TryAuthenticate(result, r, make(domain.Map), &sync.RWMutex{}))
 assert.Equal(t, 401, result.Code)
 }
@@ -58,7 +60,7 @@ func TestTryAuthenticateWithCodeButInvalidState(t *testing.T) {
 session.Values["state"] = "state"
 session.Save(r, result)
- assert.Equal(t, true, auth.TryAuthenticate(result, r))
+ assert.Equal(t, true, auth.TryAuthenticate(result, r, make(domain.Map), &sync.RWMutex{}))
 assert.Equal(t, 401, result.Code)
 }
@@ -100,7 +102,7 @@ func TestTryAuthenticateWithCodeAndState(t *testing.T) {
 session.Values["state"] = "state"
 session.Save(r, result)
- assert.Equal(t, true, auth.TryAuthenticate(result, r))
+ assert.Equal(t, true, auth.TryAuthenticate(result, r, make(domain.Map), &sync.RWMutex{}))
 assert.Equal(t, 302, result.Code)
 assert.Equal(t, "http://pages.gitlab-example.com/project/", result.Header().Get("Location"))
 } |
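Review bot: None of the updated tests exercises the new allow-list: every call passes an empty `make(domain.Map)`, and as far as these hunks show no request carries the `domain` query parameter that drives `shouldProxyAuth`, so neither the 401 branch for an unconfigured domain nor the pass-through for a configured domain or a `pagesDomain` subdomain is covered. Add one test that populates the map with a single host and asserts `401` for an unlisted host, plus one that asserts the existing redirect behaviour for the listed host and for a subdomain of the pages domain. The request shape that satisfies `shouldProxyAuth` is defined outside this diff, so the new cases need to mirror it; the test bodies here continue outside the hunks.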