From 1899b603e51ab16c13389c5610d38ab04439da46 Mon Sep 17 00:00:00 2001 From: Pierce Lopez Date: Wed, 22 Jul 2020 16:19:53 -0400 Subject: [PATCH] new option --skip-auth-strip-headers inspired by https://github.com/oauth2-proxy/oauth2-proxy/pull/624 Co-authored-by: Nick Meves --- README.md | 1 + main.go | 1 + oauthproxy.go | 19 +++++++++++++++++++ options.go | 2 ++ 4 files changed, 23 insertions(+) diff --git a/README.md b/README.md index 18b70d705..68161ad9d 100644 --- a/README.md +++ b/README.md @@ -318,6 +318,7 @@ Usage of oauth2_proxy: -signature-key string: GAP-Signature request signature key (algorithm:secretkey) -skip-auth-preflight: will skip authentication for OPTIONS requests -skip-auth-regex value: bypass authentication for requests path's that match (may be given multiple times) + -skip-auth-strip-headers: strip upstream request http headers that are normally set by this proxy, also for requests allowed by --skip-auth-regex (default true) -skip-oidc-discovery: Skip OIDC discovery (login-url, redeem-url and oidc-jwks-url must be configured) -skip-provider-button: will skip sign-in-page to directly reach the next step: oauth/start -ssl-insecure-skip-verify: skip validation of certificates presented when using HTTPS diff --git a/main.go b/main.go index 9cb8f9b31..246d1cfa2 100644 --- a/main.go +++ b/main.go 
@@ -39,6 +39,7 @@ func mainFlagSet() *flag.FlagSet {
 flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
 flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
 flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")
+ flagSet.Bool("skip-auth-strip-headers", true, "strip upstream request http headers that are normally set by this proxy, also for requests allowed by --skip-auth-regex")
 flagSet.Bool("skip-provider-button", false, "will skip sign-in-page to directly reach the next step: oauth/start")
 flagSet.Bool("skip-auth-preflight", false, "will skip authentication for OPTIONS requests")
 flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")
diff --git a/oauthproxy.go b/oauthproxy.go
index 60e548c1a..ceaf9374d 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -73,6 +73,7 @@ type OAuthProxy struct {
 ClientIPHeader string
 CookieCipher *cookie.Cipher
 skipAuthRegex []string
+ skipAuthStripHdrs bool
 skipAuthPreflight bool
 compiledRegex []*regexp.Regexp
 templates *template.Template
@@ -229,6 +230,7 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
 redirectURL: redirectURL,
 whitelistDomains: opts.WhitelistDomains,
 skipAuthRegex: opts.SkipAuthRegex,
+ skipAuthStripHdrs: opts.SkipAuthStripHeaders,
 skipAuthPreflight: opts.SkipAuthPreflight,
 compiledRegex: opts.CompiledRegex,
 SetXAuthRequest: opts.SetXAuthRequest,
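Review bot: The new OAuthProxy field is abbreviated to `skipAuthStripHdrs` while the option it is copied from is `SkipAuthStripHeaders` and the neighbouring fields (`skipAuthRegex`, `skipAuthPreflight`) spell their names out in full. Naming it `skipAuthStripHeaders bool` (and `skipAuthStripHeaders: opts.SkipAuthStripHeaders,` in NewOAuthProxy) keeps the field greppable against the flag and config key. The OAuthProxy struct and the NewOAuthProxy literal both start and end outside their hunks.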
@@ -380,6 +382,22 @@ func (p *OAuthProxy) SaveSession(rw http.ResponseWriter, req *http.Request, s *p
 return nil
 }
+func (p *OAuthProxy) stripAuthHeaders(req *http.Request) {
+ if !p.skipAuthStripHdrs {
+ return
+ }
+ if p.PassBasicAuth {
+ req.Header.Del("Authorization")
+ }
+ if p.PassUserHeaders {
+ req.Header.Del("X-Forwarded-User")
+ req.Header.Del("X-Forwarded-Email")
+ }
+ if p.PassAccessToken {
+ req.Header.Del("X-Forwarded-Access-Token")
+ }
+}
+
 func (p *OAuthProxy) RobotsTxt(rw http.ResponseWriter) {
 rw.WriteHeader(http.StatusOK)
 fmt.Fprintf(rw, "User-agent: *\nDisallow: /")
@@ -538,6 +556,7 @@ func (p *OAuthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 case path == p.PingPath:
 p.PingPage(rw)
 case p.IsWhitelistedRequest(req):
+ p.stripAuthHeaders(req)
 p.serveMux.ServeHTTP(rw, req)
 case path == p.SignInPath:
 p.SignIn(rw, req)
diff --git a/options.go b/options.go
index 38e62ab17..2f4a505ce 100644
--- a/options.go
+++ b/options.go
@@ -57,6 +57,7 @@ type Options struct {
 Upstreams []string `flag:"upstream" cfg:"upstreams"`
 SkipAuthRegex []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
+ SkipAuthStripHeaders bool `flag:"skip-auth-strip-headers" cfg:"skip_auth_strip_headers"`
 PassBasicAuth bool `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
 BasicAuthPassword string `flag:"basic-auth-password" cfg:"basic_auth_password"`
 PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token"`
@@ -118,6 +119,7 @@ func NewOptions() *Options {
 CookieRefresh: time.Duration(0),
 SetXAuthRequest: false,
 SkipAuthPreflight: false,
+ SkipAuthStripHeaders: true,
 PassBasicAuth: true,
 PassUserHeaders: true,
 PassAccessToken: false,
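Review bot: stripAuthHeaders deletes each proxy-owned header only when the matching Pass* option is enabled, so with `--pass-user-headers=false` a client can still push its own `X-Forwarded-User` / `X-Forwarded-Email` through a skip-auth path to the upstream, and the same holds for `X-Forwarded-Access-Token` when `--pass-access-token` is off. Any upstream that still trusts those header names (for instance one configured before the option was switched off) would accept the spoofed identity, and there is no legitimate reason for a client to supply them, so the `X-Forwarded-*` deletes should run unconditionally whenever skipAuthStripHdrs is set, keeping only the `Authorization` delete gated on PassBasicAuth because an operator may deliberately pass client credentials through on bypass paths. The function is also undocumented; suggest `// stripAuthHeaders removes the identity headers this proxy would normally set, so a request that bypassed authentication cannot smuggle client-supplied values to the upstream.` above the signature.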
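Review bot: The strip is called only in the `case p.IsWhitelistedRequest(req):` arm, so any other route into `p.serveMux.ServeHTTP` that does not go through the authenticated handler would still forward client-supplied identity headers; in particular, if the `--skip-auth-preflight` OPTIONS bypass is decided somewhere other than IsWhitelistedRequest, it is not covered by this change. The rest of the switch in ServeHTTP lies outside the hunk, so I cannot confirm that from the diff. A short comment at the call site would help the next reader, e.g. `// request bypassed auth: drop any client-supplied identity headers before proxying`.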