Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: response handling for session store (bearer + cookie) #916

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
4 changes: 4 additions & 0 deletions pipeline/authn/authenticator_bearer_token.go
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,10 @@ func (a *AuthenticatorBearerToken) Authenticate(r *http.Request, session *Authen
return helper.ErrForbidden.WithReasonf("The configured extra_from GJSON path returned an error on JSON output: %s", err.Error()).WithDebugf("GJSON path: %s\nBody: %s\nResult: %s", cf.ExtraFrom, body, extraRaw).WithTrace(err)
}

if len(subject) == 0 {
till marked this conversation as resolved.
Show resolved Hide resolved
return errors.WithStack(helper.ErrForbidden.WithReasonf("Subject field from remote endpoint is empty."))
}

session.Subject = subject
session.Extra = extra
return nil
Expand Down
31 changes: 31 additions & 0 deletions pipeline/authn/authenticator_bearer_token_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -203,6 +203,24 @@ func TestAuthenticatorBearerToken(t *testing.T) {
Subject: "123",
},
},
{
d: "should NOT pass Accept-Encoding",
r: &http.Request{Host: "some-host", Header: http.Header{"Authorization": {"bearer zyx"}, "Accept-Encoding": {"gzip"}}, URL: &url.URL{Path: "/users/123", RawQuery: "query=string"}, Method: "PUT"},
router: func(w http.ResponseWriter, r *http.Request) {
assert.Equal(t, r.Method, "PUT")
assert.Equal(t, "some-host", r.Header.Get("X-Forwarded-Host"))
assert.Equal(t, "bar", r.Header.Get("X-Foo"))
assert.Equal(t, r.Header.Get("Authorization"), "bearer zyx")
assert.Equal(t, "", r.Header.Get("Accept-Encoding"))
w.WriteHeader(200)
w.Write([]byte(`{"sub": "123"}`))
},
config: []byte(`{"preserve_host": true, "additional_headers": {"X-Foo": "bar","X-Forwarded-For": "not-some-host"}}`),
expectErr: false,
expectSess: &AuthenticationSession{
Subject: "123",
},
},
{
d: "does not pass request body through to auth server",
r: &http.Request{
Expand Down Expand Up @@ -258,6 +276,19 @@ func TestAuthenticatorBearerToken(t *testing.T) {
Extra: map[string]interface{}{"session": map[string]interface{}{"foo": "bar"}, "identity": map[string]interface{}{"id": "123"}},
},
},
{
d: "it should error when the subject is empty",
r: &http.Request{Header: http.Header{"Authorization": {"bearer token"}}, URL: &url.URL{Path: ""}},
setup: func(t *testing.T, m *httprouter.Router) {
m.GET("/", func(w http.ResponseWriter, _ *http.Request, _ httprouter.Params) {
w.WriteHeader(200)
w.Write([]byte(`{"identity": {"id": ""}, "session": {"foo": "bar"}}`))
})
},
config: []byte(`{"subject_from": "identity.id", "extra_from": "@this"}`),
expectErr: true,
expectSess: &AuthenticationSession{},
},
{
d: "should work with custom header forwarded",
r: &http.Request{Header: http.Header{"Authorization": {"bearer token"}, "X-User": {"123"}}, URL: &url.URL{Path: ""}},
Expand Down
4 changes: 2 additions & 2 deletions pipeline/authn/authenticator_cookie_session.go
Original file line number Diff line number Diff line change
Expand Up @@ -197,9 +197,9 @@ func forwardRequestToSessionStore(client *http.Client, r *http.Request, cf Authe
return json.RawMessage{}, errors.WithStack(herodot.ErrInternalServerError.WithReasonf("Unable to fetch cookie session context from remote: %+v", err))
}
return body, nil
} else {
return json.RawMessage{}, errors.WithStack(helper.ErrUnauthorized)
}

return json.RawMessage{}, errors.WithStack(helper.ErrUnauthorized)
}

func PrepareRequest(r *http.Request, cf AuthenticatorForwardConfig) (http.Request, error) {
Expand Down