Commit

Revert "Merge branch 'master' into regexWhiteList"
This reverts commit 3fdcd5f, reversing
changes made to b0b7fab.
danielewood committed May 5, 2020
1 parent 6b66229 commit 04c4cf7
Showing 45 changed files with 741 additions and 1,505 deletions.
2 changes: 1 addition & 1 deletion LICENSE
@@ -1,6 +1,6 @@
The MIT License (MIT)

Copyright (c) 2017 The Vouch Proxy Authors
Copyright (c) 2017 Benjamin Foote

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
48 changes: 5 additions & 43 deletions README.md
Expand Up @@ -180,50 +180,21 @@ Helm Charts are maintained by [halkeye](https://github.com/halkeye) and are avai
./vouch-proxy
```

## /login and /logout endpoint redirection

As of `v0.11.0` we have put additional checks in place to reduce [the attack surface of url redirection](https://blog.detectify.com/2019/05/16/the-real-impact-of-an-open-redirect/).

### /login?url=POST_LOGIN_URL

The passed URL...

- must start with either `http` or `https`
- must have a domain overlap with either a domain in the `vouch.domains` list or the `vouch.cookie.domain` (if either of those are configured)
- cannot have a parameter which includes a URL to [prevent URL chaining attacks](https://hackerone.com/reports/202781)

### /logout?url=NEXT_URL
## /logout endpoint redirection

The Vouch Proxy `/logout` endpoint accepts a `url` parameter in the query string which can be used to `302` redirect a user to your orignal OAuth provider/IDP/OIDC provider's [revocation_endpoint](https://tools.ietf.org/html/rfc7009)

```bash
https://vouch.oursites.com/logout?url=https://oauth2.googleapis.com/revoke
```

this url must be present in the configuration file on the list `vouch.post_logout_redirect_uris`

```yaml
# in order to prevent redirection attacks all redirected URLs to /logout must be specified
# the URL must still be passed to Vouch Proxy as https://vouch.yourdomain.com/logout?url=${ONE OF THE URLS BELOW}
post_logout_redirect_uris:
# your apps login page
- http://.yourdomain.com/login
# your IdPs logout enpoint
# from https://accounts.google.com/.well-known/openid-configuration
- https://oauth2.googleapis.com/revoke
# you may be daisy chaining to your IdP
- https://myorg.okta.com/oauth2/123serverid/v1/logout?post_logout_redirect_uri=http://myapp.yourdomain.com/login
```
Note that your IdP will likely carry their own, separate `post_logout_redirect_uri` list.

logout resources..

- [Google](https://developers.google.com/identity/protocols/OAuth2WebServer#tokenrevoke)
- [Okta](https://developer.okta.com/docs/api/resources/oidc#logout)
- [Auth0](https://auth0.com/docs/logout/guides/logout-idps)

## Troubleshooting, Support and Feature Requests (Read this before submitting an issue at GitHub)
## Troubleshooting, Support and Feature Requests

Getting the stars to align between Nginx, Vouch Proxy and your IdP can be tricky. We want to help you get up and running as quickly as possible. The most common problem is..

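Review bot: The removed text in this hunk is the only documentation of two redirect controls, the `/login?url=` checks (scheme must be `http` or `https`, domain overlap with `vouch.domains` or `vouch.cookie.domain`, no parameter that itself carries a URL) and the `post_logout_redirect_uris` allowlist for `/logout?url=`, while the surviving sentence still says `/logout` will `302` redirect to whatever `url` is passed. If the enforcing code is reverted in the same commit, `/logout` becomes the open redirect the removed text links to; if the code is kept, the README should keep at least the allowlist paragraph and the example `post_logout_redirect_uris` block so operators know the list must be configured. Separately, the example entry `http://.yourdomain.com/login` has an empty host label and should read `http://myapp.yourdomain.com/login`, as in `config/config.yml_example`.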
Expand Down Expand Up @@ -266,20 +237,11 @@ Please [submit a new issue](https://github.com/vouch/vouch-proxy/issues) in the
- then [open a new issue](https://github.com/vouch/vouch-proxy/issues/new) in this repository
- or visit our IRC channel [#vouch](irc://freenode.net/#vouch) on freenode

### submitting a Pull Request for a new feature

I really love Vouch Proxy! I wish it did XXXX...

Please make a proposal before you spend your time and our time integrating a new feature.

Code contributions should..
### I really love Vouch Proxy! I wish it did XXXX

- include unit tests and in some cases end-to-end tests
- be formatted with `go fmt`
- not break existing setups without a clear reason (usually security related)
- and generally be discussed beforehand in a GitHub issue
Thanks for the love, please open an issue describing your feature or idea before submitting a PR.

For larger contributions or code related to a platform that we don't currently support we will ask you to commit to supporting the feature for an agreed upon period. Invariably someone will pop up here with a question and we want to be able to support these requests.
Please know that Vouch Proxy is not sponsored and is developed and supported on a volunteer basis.

## Advanced Authorization Using OpenResty

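Review bot: The contribution checklist in this hunk (unit tests, `go fmt`, no breaking existing setups without a clear reason, prior discussion in an issue) collapses into one sentence asking for an issue before a PR, and the `###` subheading plus separate quote line becomes a single question heading. If the shorter wording stays, keep the test and `go fmt` expectations somewhere in the README; reviewers otherwise have nothing to point to when asking for them.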
14 changes: 1 addition & 13 deletions config/config.yml_example
Expand Up @@ -131,21 +131,9 @@ vouch:
# application. This is optional.
# idtoken: X-Vouch-IdP-IdToken

# test_url - add this URL to the page which vouch displays during testing (a convenience for testing)
# test_url - add this URL to the page which vouch displays
test_url: http://yourdomain.com

# in order to prevent redirection attacks all redirected URLs to /logout must be specified
# the URL must still be passed to Vouch Proxy as https://vouch.yourdomain.com/logout?url=${ONE OF THE URLS BELOW}
# in line with the OIDC spec https://openid.net/specs/openid-connect-session-1_0.html#RedirectionAfterLogout
post_logout_redirect_uris:
# your apps login page
- http://myapp.yourdomain.com/login
# your IdPs logout enpoint
# from https://accounts.google.com/.well-known/openid-configuration
- https://oauth2.googleapis.com/revoke
# you may be daisy chaining to your IdP
- https://myorg.okta.com/oauth2/123serverid/v1/logout?post_logout_redirect_uri=http://myapp.yourdomain.com/login

#
# OAuth Provider
# configure ONLY ONE of the following oauth providers
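Review bot: The `post_logout_redirect_uris` block removed from `config/config.yml_example` in this hunk is the only place the example config showed the allowlist that its own comment calls out ("in order to prevent redirection attacks all redirected URLs to /logout must be specified"); if the option still exists in the code, the example should keep it, with the comment typo `enpoint` corrected to `endpoint`. The `test_url` comment change also drops the note that the URL is only a testing convenience; the longer form explains why the setting exists and is the better one to keep.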
1 change: 0 additions & 1 deletion config/testing/handler_claims.yml
Expand Up @@ -11,7 +11,6 @@ vouch:
- groups
- boolean_claim
- family_name
- http://www.example.com/favorite_color

cookie:
name: vouchTestingCookie
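Review bot: Dropping `http://www.example.com/favorite_color` from the claims list in `config/testing/handler_claims.yml` removes the only claim name in this fixture that is not a plain identifier; it is the entry exercising `:`, `/` and `.` in a claim name, which is the interesting edge case for any code that maps claim names onto other identifiers. Keep a URL-shaped claim in the fixture, or add a dedicated test for that case before removing it.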
15 changes: 0 additions & 15 deletions config/testing/handler_login_url.yml

This file was deleted.

20 changes: 0 additions & 20 deletions config/testing/handler_logout_url.yml

This file was deleted.

124 changes: 41 additions & 83 deletions do.sh
Expand Up @@ -156,36 +156,45 @@ test() {
}

test_logging() {
build
# use Process Substitution to capture log output
# https://stackoverflow.com/questions/20017805/bash-capture-output-of-command-run-in-background

# set -b
# set -o notify
build
declare -a levels=(error warn info debug)

echo "testing loglevel set from command line"
levelcount=0
for ll in ${levels[*]}; do
# test that we can see the current level and no level below this level
coproc vpll (./vouch-proxy -logtest -loglevel ${ll} -config ./config/testing/test_config.yml)
exec 2> /dev/null # suppress process terminated messages since ubuntu's kill doesn't support `kill -0`

# echo "log level $ll vouch-proxy pid ${vpll_PID} fd ${vpll[0]}";
llpid=${vpll_PID}

# declare -a shouldnotfind=(info)
declare -a shouldnotfind=()
for (( i=0; i<${#levels[@]}; i++ )); do
if (( $i > $levelcount )); then
if (( i > $levelcount )); then
shouldnotfind+=(${levels[$i]})
fi
done

linesread=0
IFS=$'\n';for line in $(./vouch-proxy -logtest -loglevel ${ll} -config ./config/testing/test_config.yml); do
while read -t 1 -u ${vpll[0]} line; do
let "linesread+=1"
# echo "$linesread $line"
# first line is log info
if (( $linesread > 1 )); then
for nono in ${shouldnotfind[*]} ; do
if echo $line | grep $nono; then
echo "error: line should not contain '$nono' when loglevel is '$ll'"
echo "$linesread $line"
exit 1;
fi
done
fi
for nono in ${shouldnotfind[*]} ; do
# first line is log info
if (( $linesread > 1 )) && echo $line | grep $nono; then
echo "line should not contain $nono"
echo "$linesread $line"
echo "bad case of the nonos: $nono"
exit 1;
fi
done
done
let "levelcount+=1"
done
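Review bot: Both variants of the inner loop in this hunk test log lines with `echo $line | grep $nono`; `$line` is unquoted, so a log line containing `*` or `?` is glob-expanded by the shell before reaching `grep`, and `grep` without `-q` prints the matched line as a side effect. Use `printf '%s\n' "$line" | grep -q -- "$nono"`. The `IFS=$'\n';for line in $(...)` form also sets `IFS` for the rest of the script without restoring it and runs `vouch-proxy` to completion before the loop sees a single line, whereas the `coproc` form with `read -t 1 -u ${vpll[0]}` streams and times out; note too that `exec 2> /dev/null` silences stderr for everything that follows, not only the process-terminated messages the comment mentions.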
Expand All @@ -195,33 +204,37 @@ test_logging() {
levelcount=0
for ll in ${levels[*]}; do
# test that we can see the current level and no level below this level
coproc vpll (./vouch-proxy -logtest -config ./config/testing/logging_${ll}.yml )
# echo "log level $ll vouch-proxy pid ${vpll_PID} fd ${vpll[0]}";

# declare -a shouldnotfind=(info)
declare -a shouldnotfind=()
for (( i=0; i<${#levels[@]}; i++ )); do
if (( $i > $levelcount )); then
shouldnotfind+=(${levels[$i]})
fi
done

# exec 2> /dev/null # suppress process terminated messages
linesread=0
IFS=$'\n';for line in $(./vouch-proxy -logtest -config ./config/testing/logging_${ll}.yml); do
while read -t 1 -u ${vpll[0]} line; do
let "linesread+=1"
# the first four messages are log and info when starting from the command line
if (( $linesread > 4 )); then
# echo "$linesread $line"
for nono in ${shouldnotfind[*]} ; do
# echo "testing $nono"
if echo $line | grep $nono; then
echo "error: line should not contain '$nono' when loglevel is '$ll'"
echo "$linesread $line"
exit 1;
fi
done
fi
# echo "$linesread $line"
for nono in ${shouldnotfind[*]} ; do
# the first three messages are log and info when starting from the command line
if (( $linesread > 3 )) && echo $line | grep $nono; then
echo "line should not contain $nono"
echo "$linesread $line"
echo "bad case of the nonos: $nono"
exit 1;
fi
done
done
let "levelcount+=1"

done
echo "passed"
killall vouch-proxy
exit 0
}

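Review bot: The startup skip count in this hunk is a magic number that differs between the two versions (`(( $linesread > 4 ))` with "the first four messages" against `(( $linesread > 3 ))` with "the first three messages"), so the test passes or fails depending on how many lines the binary prints before the first real log entry. Check the level field of each line rather than counting lines, and keep `killall vouch-proxy` only with the `coproc` variant, where a background process is actually left running; with `for line in $(...)` the process has already exited by the time the loop starts.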
Expand All @@ -231,60 +244,6 @@ stats () {

echo -n "number of go files: "
find . -name '*.go' | wc -l

echo -n "number of covered packages: "
covered=$(coverage | grep ok | wc -l)
echo $covered
echo -n "number of packages not covered: "
coverage | grep -v ok | wc -l

echo -n "average of coverage for all covered packages: "
sumcoverage=$(coverage | grep ok | awk '{print $5}' | sed 's/%//' | paste -sd+ - | bc)
# echo " sumcoverage: $sumcoverage "
perl -le "print $sumcoverage/$covered, '%'"
exit 0;
}

license() {
local FILE=$1;
if [ ! -f "${FILE}" ]; then
echo "need filename";
exit 1;
fi
FOUND=$(_has_license $FILE)
if [ -z "${FOUND}" ]; then
local YEAR=$(git log -1 --format="%ai" -- $FILE | cut -d- -f1);
_print_license $YEAR > ${FILE}_licensed
cat $FILE >> ${FILE}_licensed
mv ${FILE}_licensed $FILE
echo "added license to the header of $FILE"
fi
}

_print_license() {
local YEAR=$1;
if [ -z "$YEAR" ]; then
YEAR=$(date +%Y)
fi
cat <<EOF
/*
Copyright $YEAR The Vouch Proxy Authors.
Use of this source code is governed by The MIT License (MIT) that
can be found in the LICENSE file. Software distributed under The
MIT License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
OR CONDITIONS OF ANY KIND, either express or implied.
*/
EOF

}

_has_license() {
local FILE=$1;
# echo checking $FILE
echo $(grep -P 'Copyright \d\d\d\d The Vouch Proxy Authors' ${FILE})
}

usage() {
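Review bot: In the `stats` function of this hunk, `perl -le "print $sumcoverage/$covered, '%'"` divides by `$covered`, which is `0` when `coverage | grep ok` matches nothing, and `$sumcoverage` is empty when `bc` gets no input; guard with `if (( covered > 0 ))` before printing the average. In the `license` helpers, `_has_license` uses `grep -P`, which is GNU-only and fails on the BSD `grep` shipped with macOS, and `$FILE` is unquoted throughout (`cat $FILE`, `mv ${FILE}_licensed $FILE`), so a path with spaces breaks the rewrite; `grep -E 'Copyright [0-9]{4} The Vouch Proxy Authors' "$FILE"` works on both. If the revert removes the `license` subcommand, nothing remains to add the header that the `LICENSE` and `handlers/adfs/adfs.go` hunks are also changing.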
Expand All @@ -302,8 +261,7 @@ usage() {
$0 bug_report domain.com - print config file removing secrets and each provided domain
$0 gogo [gocmd] - run, build, any go cmd
$0 stats - simple metrics (lines of code in project, number of go files)
$0 watch [cmd] - watch the $CWD for any change and re-reun the [cmd]
$0 license [file] - apply the license to the file
$0 watch [cmd]] - watch the $CWD for any change and re-reun the [cmd]
do is like make
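Review bot: Both versions of the `watch` usage line in this hunk carry the typo `re-reun`, and the second has an unbalanced bracket in `$0 watch [cmd]]`; whichever version survives should read `$0 watch [cmd] - watch the $CWD for any change and re-run the [cmd]`. Also confirm `CWD` is set somewhere in `do.sh`: bash provides `PWD`, not `CWD`, and an unquoted heredoc expands `$CWD` at print time, so the usage text otherwise shows an empty directory name.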
Expand All @@ -315,7 +273,7 @@ EOF
ARG=$1;

case "$ARG" in
'run'|'build'|'dbuild'|'drun'|'install'|'test'|'goget'|'gogo'|'watch'|'gobuildstatic'|'coverage'|'stats'|'usage'|'bug_report'|'test_logging'|'license')
'run'|'build'|'dbuild'|'drun'|'install'|'test'|'goget'|'gogo'|'watch'|'gobuildstatic'|'coverage'|'stats'|'usage'|'bug_report'|'test_logging')
shift
$ARG $*
;;
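Review bot: The `case` allowlist in this hunk is what stops `do.sh` from invoking arbitrary function names, so removing `'license'` must go together with deleting the `license()` function, which the earlier hunk in this file does; keep the two in sync in future changes. The dispatch line `$ARG $*` word-splits and re-globs the remaining arguments; `"$ARG" "$@"` passes them through as given.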
10 changes: 0 additions & 10 deletions handlers/adfs/adfs.go
@@ -1,13 +1,3 @@
/*
Copyright 2020 The Vouch Proxy Authors.
Use of this source code is governed by The MIT License (MIT) that
can be found in the LICENSE file. Software distributed under The
MIT License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES
OR CONDITIONS OF ANY KIND, either express or implied.
*/

package adfs

import (
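Review bot: This hunk strips the copyright header from `handlers/adfs/adfs.go` (10 deletions, 0 additions), and the `LICENSE` hunk changes the holder line from `The Vouch Proxy Authors` back to `Benjamin Foote`; for a commit described as reverting the `regexWhiteList` merge, these attribution changes look like collateral from reverting the whole merge rather than an intended change. Confirm they are wanted, since per-file headers and the `LICENSE` holder should agree across the repository.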
