Showing 4 changed files with 34 additions and 3 deletions.
5 changes: 5 additions & 0 deletions .schemas/authenticators.cookie_session.schema.json
@@ -22,6 +22,11 @@
},
"title": "Only Cookies",
"description": "A list of possible cookies to look for on incoming requests, and will fallthrough to the next authenticator if none of the passed cookies are set on the request."
},
"preserve_path": {
"title": "Preserve Path",
"type": "boolean",
"description": "When set to true, any path specified in `check_session_url` will be preserved instead of overwriting the path with the path from the original request"
}
},
"required": [
5 changes: 5 additions & 0 deletions .schemas/config.schema.json
@@ -215,6 +215,11 @@
},
"title": "Only Cookies",
"description": "A list of possible cookies to look for on incoming requests, and will fallthrough to the next authenticator if none of the passed cookies are set on the request."
},
"preserve_path": {
"title": "Preserve Path",
"type": "boolean",
"description": "When set to true, any path specified in `check_session_url` will be preserved instead of overwriting the path with the path from the original request"
}
},
"required": [
11 changes: 8 additions & 3 deletions pipeline/authn/authenticator_cookie_session.go
@@ -19,6 +19,7 @@ type AuthenticatorCookieSessionFilter struct {
type AuthenticatorCookieSessionConfiguration struct {
Only []string `json:"only"`
CheckSessionURL string `json:"check_session_url"`
PreservePath bool `json:"preserve_path"`
}

type AuthenticatorCookieSession struct {
@@ -64,7 +65,8 @@ func (a *AuthenticatorCookieSession) Authenticate(r *http.Request, config json.R
}

origin := cf.CheckSessionURL
body, err := forwardRequestToSessionStore(r, origin)
preservePath := cf.PreservePath
body, err := forwardRequestToSessionStore(r, origin, preservePath)
if err != nil {
return nil, helper.ErrForbidden.WithReason(err.Error()).WithTrace(err)
}
@@ -96,12 +98,15 @@ func cookieSessionResponsible(r *http.Request, only []string) bool {
return false
}

func forwardRequestToSessionStore(r *http.Request, checkSessionURL string) (json.RawMessage, error) {
func forwardRequestToSessionStore(r *http.Request, checkSessionURL string, preservePath bool) (json.RawMessage, error) {
reqUrl, err := url.Parse(checkSessionURL)
if err != nil {
return nil, helper.ErrForbidden.WithReason(err.Error()).WithTrace(err)
}
reqUrl.Path = r.URL.Path

if !preservePath {
reqUrl.Path = r.URL.Path
}

res, err := http.DefaultClient.Do(&http.Request{
Method: r.Method,
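Review bot: `PreservePath` is added to `AuthenticatorCookieSessionConfiguration` without a doc comment, and its default is the security-relevant case. When it is false, `forwardRequestToSessionStore` still replaces the configured path with `r.URL.Path`, so the client's request path decides which endpoint on the session-store host is called. I would document this on the field, e.g. `// PreservePath keeps the path of CheckSessionURL instead of replacing it with the incoming request's path.`, and add a line above `if !preservePath {` saying that the default forwards the caller-supplied path. The local `preservePath := cf.PreservePath` in `Authenticate` is used only once, so the call can pass `cf.PreservePath` directly. Both function bodies continue outside the visible hunks.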
16 changes: 16 additions & 0 deletions pipeline/authn/authenticator_cookie_session_test.go
@@ -68,6 +68,22 @@ func TestAuthenticatorCookieSession(t *testing.T) {
assert.Equal(t, &AuthenticationSession{Subject: "123"}, session)
})

t.Run("description=should pass through method and headers ONLY to auth server when PreservePath is true", func(t *testing.T) {
testServer, requestRecorder := makeServer(200, `{"subject": "123"}`)
session, err := pipelineAuthenticator.Authenticate(
makeRequest("PUT", "/users/123?query=string", map[string]string{"sessionid": "zyx"}, ""),
json.RawMessage(fmt.Sprintf(`{"check_session_url": "%s", "preserve_path": true}`, testServer.URL)),
nil,
)
require.NoError(t, err, "%#v", errors.Cause(err))
assert.Len(t, requestRecorder.requests, 1)
r := requestRecorder.requests[0]
assert.Equal(t, r.Method, "PUT")
assert.Equal(t, r.URL.Path, "/")
assert.Equal(t, r.Header.Get("Cookie"), "sessionid=zyx")
assert.Equal(t, &AuthenticationSession{Subject: "123"}, session)
})

t.Run("description=does not pass request body through to auth server", func(t *testing.T) {
testServer, requestRecorder := makeServer(200, `{}`)
pipelineAuthenticator.Authenticate(
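Review bot: The new `PreservePath` subtest configures `check_session_url` as the bare `testServer.URL`, so `assert.Equal(t, r.URL.Path, "/")` only shows that the request path `/users/123` was not forwarded. It does not show that a configured path survives. Appending a path such as `/check` to `testServer.URL` in the config and asserting `assert.Equal(t, "/check", r.URL.Path)` would pin the behaviour the option promises, assuming `makeServer` answers on any path. The subtest name also says only method and headers are passed through, but nothing asserts what happens to the `?query=string` part of the request. The `assert.Equal` calls in this subtest pass the actual value before the expected one, which makes failure messages misleading.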

0 comments on commit 7e86b78
