-
-
Notifications
You must be signed in to change notification settings - Fork 359
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
create custom forward request authenticator #949
base: master
Are you sure you want to change the base?
Conversation
2d4b289
to
c9310a7
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #949 +/- ##
==========================================
- Coverage 78.05% 77.57% -0.49%
==========================================
Files 83 84 +1
Lines 3992 4089 +97
==========================================
+ Hits 3116 3172 +56
- Misses 597 628 +31
- Partials 279 289 +10 ☔ View full report in Codecov by Sentry. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if you have done that already, but could you also please create a PR against ory/docs to document this new functionality? :)
.schema/config.schema.json
Outdated
@@ -1459,6 +1504,38 @@ | |||
} | |||
] | |||
}, | |||
"forward": { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would prefer calling this remote_json
similar to the authorizer, as we expect a JSON response from the upstream! :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Renamed the authenticator into remote_json
c9310a7
to
598f646
Compare
598f646
to
2b78ace
Compare
Created a new PR into ory/docs: ory/docs#827 |
2b78ace
to
96fa276
Compare
96fa276
to
73f7fb1
Compare
A polite reminder here, as the change requests have been addressed 😄 Fixed linting issues, as well. |
A polite ping here again 😉 |
@hperl could you please help review this one? :) |
73f7fb1
to
54d6d85
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR. It looks very good already, I left just a few comments :)
) | ||
|
||
if err = json.Unmarshal(subjectRaw, &subject); err != nil { | ||
return helper.ErrForbidden.WithReasonf("The configured subject_from GJSON path returned an error on JSON output: %s", err.Error()).WithDebugf("GJSON path: %s\nBody: %s\nResult: %s", cfg.SubjectFrom, body, subjectRaw).WithTrace(err) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor: Please break long lines into multiple lines, e.g., after the dots.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Solved
// Unfortunately the body reader needs to be read once to forward the request, | ||
// thus the upstream request will fail miserably without recreating a fresh ReaderCloser | ||
forwardRequestBody = ioutil.NopCloser(bytes.NewReader(body)) | ||
r.Body = ioutil.NopCloser(bytes.NewReader(body)) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think by reassigning r.Body
you will leak the original body, which will not be closed. Usually, the HTTP server takes care of closing the body after the handler is done, but in this case we are replacing the body with a NopCloser
and are leaving the original r.Body
unclosed. I think it should be fine to manually Close()
the original body here, but I'd feel more comfortable having a test for this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a manual close to the original body stream. Not sure how to add a specific test for it.
if len(c.ExtraFrom) == 0 { | ||
c.ExtraFrom = "extra" | ||
} | ||
|
||
if len(c.SubjectFrom) == 0 { | ||
c.SubjectFrom = "subject" | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Are these checks really necessary, given that you already set the default values in the JSON schema?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed unnecessary checks
|
||
var forwardRequestBody io.ReadCloser = nil | ||
if r.Body != nil { | ||
body, err := ioutil.ReadAll(r.Body) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ioutil
is deprecated. Please replace with calls from the io
package. (Here and elsewhere). Thanks :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Replace ioutil
with io
err := pipelineAuthenticator.Authenticate( | ||
makeRemoteJSONRequest("GET", "/", map[string]string{"sessionid": "zyx"}, ""), | ||
session, | ||
json.RawMessage(fmt.Sprintf(`{"check_session_url": "%s"}`, testServer.URL)), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
json.RawMessage(fmt.Sprintf(`{"check_session_url": "%s"}`, testServer.URL)), | |
json.RawMessage(fmt.Sprintf(`{"service_url": "%s"}`, testServer.URL)), |
;)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed :) Thanks
…ault to the auth service
- Split long lines on multiple lines - Remove unnecessary checks - Move schema to new location in `spec` directory - Replace ioutil with io packages - Add manual close to the original request body stream.
54d6d85
to
53ead8f
Compare
Adds a new authenticator which forwards the requests to an upstream service to perform the authentication. This adds the possibility to authenticate a request where the request body is needed.
Related issue(s)
Related to issue #841
Checklist
introduces a new feature.
contributing code guidelines.
vulnerability. If this pull request addresses a security. vulnerability, I
confirm that I got green light (please contact
[email protected]) from the maintainers to push
the changes.
works.