Skip to content
Snippets Groups Projects
Select Git revision
  • 2d9c8fdc9971b37a3c8c2fccf72e342a48752b8c
  • master default
  • method_check
  • custom_prefix
  • package
  • cookies
  • v2.1.1
  • v2.1.0
  • v2.1.0-rc5
  • v2.1.0-rc4
  • v2.1.0-rc3
  • v2.1.0-rc2
  • v2.1.0-rc1
  • v2.0.7
  • v2.0.6
  • v2.0.5
  • v2.0.4
  • v2.0.3
  • v2.0.2
  • v2.0.1
  • v2.0.0
  • v1.2.8
  • v1.2.7
  • v1.2.6
  • v1.2.5
  • v1.2.4
26 results

misc.go

Blame
    • misc.go 4.14 KiB 
    /*
Copyright 2015 All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package main

import (
	"context"
	"fmt"
	"net/http"
	"path"
	"strings"
	"time"

	"github.com/coreos/go-oidc/jose"
	"go.uber.org/zap"
)

// filterCookies is responsible for censoring any cookies we don't want sent
func filterCookies(req *http.Request, filter []string) error {
	// @NOTE: there doesn't appear to be a way of removing a cookie from the http.Request as
	// AddCookie() just append
	cookies := req.Cookies()
	// @step: empty the current cookies
	req.Header.Set("Cookie", "")
	// @step: iterate the cookies and filter out anything we
	for _, x := range cookies {
		var found bool
		// @step: does this cookie match our filter?
		for _, n := range filter {
			if strings.HasPrefix(x.Name, n) {
				req.AddCookie(&http.Cookie{Name: x.Name, Value: "censored"})
				found = true
				break
			}
		}
		if !found {
			req.AddCookie(x)
		}
	}

	return nil
}

// revokeProxy is responsible to stopping the middleware from proxying the request
func (r *oauthProxy) revokeProxy(w http.ResponseWriter, req *http.Request) context.Context {
	var scope *RequestScope
	sc := req.Context().Value(contextScopeName)
	switch sc {
	case nil:
		scope = &RequestScope{AccessDenied: true}
	default:
		scope = sc.(*RequestScope)
	}
	scope.AccessDenied = true

	return context.WithValue(req.Context(), contextScopeName, scope)
}

    // accessForbidden redirects the user to the forbidden page
func (r *oauthProxy) accessForbidden(w http.ResponseWriter, req *http.Request) context.Context {
	w.WriteHeader(http.StatusForbidden)
	// are we using a custom http template for 403?
	if r.config.hasCustomForbiddenPage() {
		name := path.Base(r.config.ForbiddenPage)
		if err := r.Render(w, name, r.config.Tags); err != nil {
			r.log.Error("failed to render the template", zap.Error(err), zap.String("template", name))
		}
	}

	return r.revokeProxy(w, req)
}

// redirectToURL redirects the user and aborts the context
func (r *oauthProxy) redirectToURL(url string, w http.ResponseWriter, req *http.Request, statusCode int) context.Context {
	http.Redirect(w, req, url, statusCode)

	return r.revokeProxy(w, req)
}

// redirectToAuthorization redirects the user to authorization handler
func (r *oauthProxy) redirectToAuthorization(w http.ResponseWriter, req *http.Request) context.Context {
	if r.config.NoRedirects {
		w.WriteHeader(http.StatusUnauthorized)
		return r.revokeProxy(w, req)
	}

	// step: add a state referrer to the authorization page
	uuid := r.writeStateParameterCookie(req, w)
	authQuery := fmt.Sprintf("?state=%s", uuid)

	// step: if verification is switched off, we can't authorization
	if r.config.SkipTokenVerification {
		r.log.Error("refusing to redirection to authorization endpoint, skip token verification switched on")
		w.WriteHeader(http.StatusForbidden)
		return r.revokeProxy(w, req)
	}
	if r.config.InvalidAuthRedirectsWith303 {
		r.redirectToURL(r.config.WithOAuthURI(authorizationURL+authQuery), w, req, http.StatusSeeOther)
	} else {
		r.redirectToURL(r.config.WithOAuthURI(authorizationURL+authQuery), w, req, http.StatusTemporaryRedirect)
	}

	return r.revokeProxy(w, req)
}

// getAccessCookieExpiration calucates the expiration of the access token cookie
func (r *oauthProxy) getAccessCookieExpiration(token jose.JWT, refresh string) time.Duration {
	// notes: by default the duration of the access token will be the configuration option, if
	// however we can decode the refresh token, we will set the duration to the duraction of the
	// refresh token
	duration := r.config.AccessTokenDuration
	if _, ident, err := parseToken(refresh); err == nil {
		delta := time.Until(ident.ExpiresAt)
		if delta > 0 {
			duration = delta
		}
	}

	return duration
}