Verified Commit ce3ff1a2 authored by Janne Mareike Koschinski's avatar Janne Mareike Koschinski

Attempt to fix whitelisting

parent 11b88cf2
linters-settings:
govet:
check-shadowing: true
golint:
min-confidence: 0
gocyclo:
min-complexity: 60
maligned:
suggest-new: true
dupl:
threshold: 100
goconst:
min-len: 2
min-occurrences: 2
linters:
enable-all: true
disable:
- maligned
- unparam
- lll
- gochecknoinits
- gochecknoglobals
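Review bot: The `maligned` settings block near the top (`suggest-new: true`) is dead configuration, because `maligned` is disabled again in the `disable` list below it; drop one or the other so the file says what it means. `gocyclo` is relaxed to 60, well above golangci-lint's default (30 as far as I recall), and with `enable-all: true` a reader will assume a strict config, so a comment stating the reason would help, e.g. `# min-complexity: 60 — the large middleware handlers exceed the default; tighten once they are split`. On the positive side `enable-all` should pull in `gosec`, which is the right default for a proxy that handles tokens; worth stating explicitly rather than leaving it implicit.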
language: go
matrix:
include:
- go: 1.12.x
env: GO111MODULE=on
- go: 1.11.x
env: GO111MODULE=on
install:
- go get github.com/mattn/goveralls
- go get -u github.com/client9/misspell/cmd/misspell
script:
- make test
- if ([[ ${TRAVIS_BRANCH} == "master" ]] && [[ ${TRAVIS_EVENT_TYPE} == "push" ]]); then
go get github.com/mattn/goveralls;
goveralls -service=travis-ci;
make bench;
fi
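Review bot: The matrix tests only Go 1.11.x and 1.12.x, while go.mod in this same commit adds a `go 1.13` directive, so CI never exercises the toolchain the module declares; add `- go: 1.13.x` with `GO111MODULE=on`. The `go get github.com/mattn/goveralls` in the master-branch step duplicates the one under `install:`, and both fetch an unpinned tool at whatever HEAD is when the job runs — for the CI of a security proxy that is an unpinned supply-chain input, so pin it (`go get github.com/mattn/goveralls@<version>`) or vendor it. `misspell` is installed in `install:` but nothing in `script:` invokes it unless the Makefile does; either call it or drop the install.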
FROM golang:alpine as go_builder
RUN apk add --no-cache curl git gcc musl-dev
RUN curl https://glide.sh/get | sh
WORKDIR /go/src/app
COPY *.go go.* ./
RUN go mod download
RUN CGO_ENABLED=false go build -o app .
FROM alpine:3.10
RUN apk add --no-cache ca-certificates
WORKDIR /
COPY --from=go_builder /go/src/app/app /app
COPY templates /templates
ENTRYPOINT ["/app"]
\ No newline at end of file
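Review bot: `RUN curl https://glide.sh/get | sh` pipes an unpinned, unverified remote script into a root shell in the build stage, and nothing in this Dockerfile uses glide — the build runs `go mod download` — so the line is both a supply-chain risk and dead weight; delete it. `CGO_ENABLED=false` does not disable cgo: as far as I know the Go toolchain only recognises `0` and `1` and falls back to the default for any other value, and with `gcc`/`musl-dev` installed that default is enabled, so write `CGO_ENABLED=0` as release.sh already does. `golang:alpine` is a floating tag; pin it (for example `golang:1.13-alpine`, matching the new go.mod directive) so builds are reproducible like the already-pinned `alpine:3.10` runtime image.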
#!/bin/sh
IMAGE=k8r.eu/justjanne/keycloak-proxy
TAGS=$(git describe --always --tags HEAD)
docker build -t $IMAGE:$TAGS .
docker tag $IMAGE:$TAGS $IMAGE:latest
echo Successfully tagged $IMAGE:latest
docker push $IMAGE:$TAGS
docker push $IMAGE:latest
\ No newline at end of file
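Review bot: There is no `set -e`, so when `docker build` fails the script keeps going: `docker tag` fails for the missing `$IMAGE:$TAGS`, but `docker push $IMAGE:latest` still pushes whatever stale `latest` exists locally and the `echo Successfully tagged` line is printed regardless — a broken build can silently republish an old image. Add `set -eu` after the shebang and quote the expansions (`docker build -t "$IMAGE:$TAGS" .`). `git describe --always --tags HEAD` also degrades to a bare short hash when no tag is reachable, so the pushed tag is not guaranteed to be a release version; a comment saying whether that is intended would help.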
#!/bin/bash -e
awk '/release.*=/ { print $3 }' doc.go | sed 's/"//g'
......@@ -35,3 +35,5 @@ require (
gopkg.in/resty.v1 v1.10.3
gopkg.in/yaml.v2 v2.2.2
)
go 1.13
......@@ -98,7 +98,7 @@ func (r *oauthProxy) loggingMiddleware(next http.Handler) http.Handler {
}
// authenticationMiddleware is responsible for verifying the access token
func (r *oauthProxy) authenticationMiddleware() func(http.Handler) http.Handler {
func (r *oauthProxy) authenticationMiddleware(whitelisted bool) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
clientIP := req.RemoteAddr
......@@ -106,6 +106,9 @@ func (r *oauthProxy) authenticationMiddleware() func(http.Handler) http.Handler
user, err := r.getIdentity(req)
if err != nil {
r.log.Error("no session found in request, redirecting for authorization", zap.Error(err))
if whitelisted {
return
}
next.ServeHTTP(w, req.WithContext(r.redirectToAuthorization(w, req)))
return
}
......@@ -123,6 +126,9 @@ func (r *oauthProxy) authenticationMiddleware() func(http.Handler) http.Handler
zap.String("username", user.name),
zap.String("expired_on", user.expiresAt.String()))
if whitelisted {
return
}
next.ServeHTTP(w, req.WithContext(r.redirectToAuthorization(w, req)))
return
}
......@@ -136,6 +142,9 @@ func (r *oauthProxy) authenticationMiddleware() func(http.Handler) http.Handler
zap.String("client_ip", clientIP),
zap.Error(err))
if whitelisted {
return
}
next.ServeHTTP(w, req.WithContext(r.accessForbidden(w, req)))
return
}
......@@ -147,6 +156,9 @@ func (r *oauthProxy) authenticationMiddleware() func(http.Handler) http.Handler
zap.String("email", user.name),
zap.String("expired_on", user.expiresAt.String()))
if whitelisted {
return
}
next.ServeHTTP(w, req.WithContext(r.redirectToAuthorization(w, req)))
return
}
......@@ -163,6 +175,9 @@ func (r *oauthProxy) authenticationMiddleware() func(http.Handler) http.Handler
zap.String("email", user.email),
zap.Error(err))
if whitelisted {
return
}
next.ServeHTTP(w, req.WithContext(r.redirectToAuthorization(w, req)))
return
}
......@@ -187,6 +202,9 @@ func (r *oauthProxy) authenticationMiddleware() func(http.Handler) http.Handler
default:
r.log.Error("failed to refresh the access token", zap.Error(err))
}
if whitelisted {
return
}
next.ServeHTTP(w, req.WithContext(r.redirectToAuthorization(w, req)))
return
......@@ -316,7 +334,7 @@ func (r *oauthProxy) checkClaim(user *userContext, claimName string, match *rege
}
// admissionMiddleware is responsible checking the access token against the protected resource
func (r *oauthProxy) admissionMiddleware(resource *Resource) func(http.Handler) http.Handler {
func (r *oauthProxy) admissionMiddleware(whitelisted bool, resource *Resource) func(http.Handler) http.Handler {
claimMatches := make(map[string]*regexp.Regexp)
for k, v := range r.config.MatchClaims {
claimMatches[k] = regexp.MustCompile(v)
......@@ -340,6 +358,9 @@ func (r *oauthProxy) admissionMiddleware(resource *Resource) func(http.Handler)
zap.String("resource", resource.URL),
zap.String("roles", resource.getRoles()))
if whitelisted {
return
}
next.ServeHTTP(w, req.WithContext(r.accessForbidden(w, req)))
return
}
......@@ -352,6 +373,9 @@ func (r *oauthProxy) admissionMiddleware(resource *Resource) func(http.Handler)
zap.String("resource", resource.URL),
zap.String("groups", strings.Join(resource.Groups, ",")))
if whitelisted {
return
}
next.ServeHTTP(w, req.WithContext(r.accessForbidden(w, req)))
return
}
......@@ -359,6 +383,9 @@ func (r *oauthProxy) admissionMiddleware(resource *Resource) func(http.Handler)
// step: if we have any claim matching, lets validate the tokens has the claims
for claimName, match := range claimMatches {
if !r.checkClaim(user, claimName, match, resource.URL) {
if whitelisted {
return
}
next.ServeHTTP(w, req.WithContext(r.accessForbidden(w, req)))
return
}
......
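Review bot: Each added `if whitelisted { return }` (for example right after the `no session found` log) ends the chain without writing a response, without calling `next`, and without whatever `AccessDenied` marking `redirectToAuthorization`/`accessForbidden` presumably perform, so whether an anonymous request to a whitelisted resource is still proxied depends entirely on an outer handler that is not in this hunk — if nothing forwards it, the client gets an empty 200; that contract belongs in the doc comment, e.g. `// whitelisted: failed checks end the chain silently (no redirect/403, no AccessDenied) so the outer proxy handler can still forward the request`. The `r.log.Error("no session found in request, redirecting for authorization", ...)` line now fires at Error level for every anonymous hit on a public path even though no redirect happens, which buries real authentication failures; skip or downgrade it in the whitelisted case. The same four-line pattern is repeated seven times across both middlewares, so a helper captured once per `next` removes the duplication and gives the whitelisted semantics a single home. Both function bodies continue outside the visible hunks.

```go
	return func(next http.Handler) http.Handler {
		// deny ends the chain. For whitelisted resources it does so silently so the
		// outer handler can still forward the request; otherwise it writes the given
		// response (redirect or 403) and marks the request as denied.
		deny := func(w http.ResponseWriter, req *http.Request, respond func(http.ResponseWriter, *http.Request) context.Context) {
			if whitelisted {
				return
			}
			next.ServeHTTP(w, req.WithContext(respond(w, req)))
		}
		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
			// … unchanged: clientIP, getIdentity …
			if err != nil {
				if !whitelisted {
					r.log.Error("no session found in request, redirecting for authorization", zap.Error(err))
				}
				deny(w, req, r.redirectToAuthorization)
				return
			}
			// … unchanged: remaining checks, each calling deny(...) in place of the inline if/next …
		})
	}
```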
#!/bin/bash -e
NAME="keycloak-gatekeeper"
PLATFORMS="darwin linux windows"
ARCHITECTURES="amd64"
GIT_SHA=$(git --no-pager describe --always --dirty)
BUILD_TIME=$(date '+%s')
LFLAGS="-X main.gitsha=$GIT_SHA -X main.compiled=$BUILD_TIME"
DIR="$PWD"
VERSION=`./get-version.sh`
echo "Version: $VERSION"
TMP=`mktemp -d`
# Perform some clean up before building it
clean() {
rm -rf ./bin/* 2>/dev/null
rm -rf ./release/* 2>/dev/null
}
release() {
mkdir -p release
for PLATFORM in $PLATFORMS; do
EXT=""
if [ "$PLATFORM" == "windows" ]; then
EXT=".exe"
fi
for ARCH in $ARCHITECTURES; do
env GOOS=$PLATFORM GOARCH=$ARCH CGO_ENABLED=0 go build -a -tags netgo -ldflags " -w $LFLAGS" -o bin/$NAME$EXT
tar -czvf release/"$NAME-$PLATFORM-$ARCH".tar.gz -C bin/ $NAME$EXT >/dev/null
sha1sum release/"$NAME-$PLATFORM-$ARCH".tar.gz | cut -d " " -f1 > release/"$NAME-$GOOS-$GOARCH".tar.gz.sha1
# Test if tar file is not corrupted
if ! tar -tf release/"$NAME-$PLATFORM-$ARCH".tar.gz &>/dev/null;then
echo "Corrupted tar file"
exit 1
fi
done
done
}
echo "------------------------------------------------------------------------------------------------------------"
echo "Building: $NAME-$VERSION"
echo ""
clean
release
echo "------------------------------------------------------------------------------------------------------------"
echo "Upload to jboss.org:"
echo ""
rsync -rv --protocol=28 $DIR/release/* keycloak@filemgmt.jboss.org:/downloads_htdocs/keycloak/$VERSION/gatekeeper/
echo "------------------------------------------------------------------------------------------------------------"
echo "Done"
echo "------------------------------------------------------------------------------------------------------------"
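Review bot: The checksum line writes to `release/"$NAME-$GOOS-$GOARCH".tar.gz.sha1`, but `GOOS`/`GOARCH` are only set for the `go build` command via `env` and are empty in the script itself, so every platform's digest lands in the same `keycloak-gatekeeper--.tar.gz.sha1` file and is overwritten by the next iteration; use `$PLATFORM-$ARCH` like the surrounding lines. While there, switch to SHA-256 — a release checksum exists so users can detect a tampered artifact, and SHA-1 is not collision resistant — e.g. `sha256sum release/"$NAME-$PLATFORM-$ARCH".tar.gz | cut -d " " -f1 > release/"$NAME-$PLATFORM-$ARCH".tar.gz.sha256`, and consider signing the digests. The `rsync --protocol=28` upload runs unconditionally right after the build; a comment on why the old protocol is forced would save the next maintainer a guess.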
......@@ -204,8 +204,8 @@ func (r *oauthProxy) createReverseProxy() error {
e.Get(callbackURL, r.oauthCallbackHandler)
e.Get(expiredURL, r.expirationHandler)
e.Get(healthURL, r.healthHandler)
e.With(r.authenticationMiddleware()).Get(logoutURL, r.logoutHandler)
e.With(r.authenticationMiddleware()).Get(tokenURL, r.tokenHandler)
e.With(r.authenticationMiddleware(false)).Get(logoutURL, r.logoutHandler)
e.With(r.authenticationMiddleware(false)).Get(tokenURL, r.tokenHandler)
e.Post(loginURL, r.loginHandler)
if r.config.EnableMetrics {
r.log.Info("enabled the service metrics middleware", zap.String("path", r.config.WithOAuthURI(metricsURL)))
......@@ -260,16 +260,21 @@ func (r *oauthProxy) createReverseProxy() error {
for _, x := range r.config.Resources {
r.log.Info("protecting resource", zap.String("resource", x.String()))
e := engine.With(
r.authenticationMiddleware(),
r.admissionMiddleware(x),
r.authenticationMiddleware(false),
r.admissionMiddleware(false, x),
r.identityHeadersMiddleware(r.config.AddClaims))
w := engine.With(
r.authenticationMiddleware(true),
r.admissionMiddleware(true, x),
r.identityHeadersMiddleware(r.config.AddClaims))
for _, m := range x.Methods {
if !x.WhiteListed {
if x.WhiteListed {
w.MethodFunc(m, x.URL, emptyHandler)
} else {
e.MethodFunc(m, x.URL, emptyHandler)
continue
}
engine.MethodFunc(m, x.URL, emptyHandler)
}
}
......
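Review bot: Two complete middleware chains (`e` and `w`) are built for every resource, including two `admissionMiddleware` instances that each compile the `MatchClaims` regexps, although only one chain is ever registered for a given resource; since `whitelisted` is now just a flag on the middlewares, pass `x.WhiteListed` straight through and the two-branch loop collapses to one registration. The behavioural change also deserves a comment in the loop: whitelisted resources used to be registered directly on `engine` with no middleware at all, and now run the full auth/admission chain in pass-through mode, so a failed check ends the chain before `emptyHandler` instead of bypassing it. `createReverseProxy` continues outside the hunk.

```go
	for _, x := range r.config.Resources {
		r.log.Info("protecting resource", zap.String("resource", x.String()))
		// Whitelisted resources still run the auth/admission chain, but in
		// pass-through mode: a failed check ends the chain silently instead of
		// redirecting or returning 403 (see authenticationMiddleware).
		chain := engine.With(
			r.authenticationMiddleware(x.WhiteListed),
			r.admissionMiddleware(x.WhiteListed, x),
			r.identityHeadersMiddleware(r.config.AddClaims))
		for _, m := range x.Methods {
			chain.MethodFunc(m, x.URL, emptyHandler)
		}
	}
```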
#!/bin/bash -e
NEW_VERSION=$1
CURRENT=`awk '/release.*=/ { print $3 }' doc.go | sed 's/"//g'`
sed -i "s/$CURRENT/$NEW_VERSION/g" doc.go
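Review bot: `$1` is never checked: with no argument `NEW_VERSION` is empty, `bash -e` does not catch that, and the `sed` silently deletes the release string from doc.go; guard it with `: "${NEW_VERSION:?usage: $0 <new-version>}"`. The current version is also used unescaped as a regex and substituted globally, so its dots match any character and any other occurrence of the same text in doc.go is rewritten as well — anchor the substitution to the assignment line, `sed -i "/release.*=/s/$CURRENT/$NEW_VERSION/" doc.go`.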