Merge pull request #1 from iits-consulting/testing/forward-auth-fix

Testfix: forward auth
iits-consulting · Jul 18, 2024 · 5fe2889 · 5fe2889
2 parents c3aaeb3 + 0fac0b2
commit 5fe2889
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/pkg/keycloak/config/config.go b/pkg/keycloak/config/config.go
@@ -280,6 +280,9 @@ type Config struct {
 
 	// Verbose switches on debug logging
 	Verbose bool `env:"VERBOSE" json:"verbose" usage:"switch on debug / verbose logging" yaml:"verbose"`
+
+	// Verbose switches on debug logging
+	ForwardAuthMode bool `env:"FORWARD_AUTH_MODE" json:"forward-auth-mode" usage:"toggle overriding of request information from the X-FORWARD-* headers" yaml:"forward-auth-mode"`
 	// EnableProxyProtocol controls the proxy protocol
 	EnableProxyProtocol bool `env:"ENABLE_PROXY_PROTOCOL" json:"enabled-proxy-protocol" usage:"enable proxy protocol" yaml:"enabled-proxy-protocol"`
 

diff --git a/pkg/keycloak/proxy/server.go b/pkg/keycloak/proxy/server.go
@@ -245,7 +245,7 @@ func (r *OauthProxy) useDefaultStack(engine chi.Router) {
 	}
 
 	// @step: enable the entrypoint middleware
-	engine.Use(gmiddleware.EntrypointMiddleware(r.Log))
+	engine.Use(gmiddleware.EntrypointMiddleware(r.Log, r.Config.ForwardAuthMode))
 
 	if r.Config.EnableLogging {
 		engine.Use(gmiddleware.LoggingMiddleware(r.Log, r.Config.Verbose))

diff --git a/pkg/proxy/middleware/base.go b/pkg/proxy/middleware/base.go
@@ -29,11 +29,27 @@ const (
 )
 
 // entrypointMiddleware is custom filtering for incoming requests
-func EntrypointMiddleware(logger *zap.Logger) func(http.Handler) http.Handler {
+func EntrypointMiddleware(logger *zap.Logger, forwardAuthMode bool) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(wrt http.ResponseWriter, req *http.Request) {
 			// @step: create a context for the request
 			scope := &models.RequestScope{}
+
+			if forwardAuthMode {
+				if forwardedPath := req.Header.Get("X-Forwarded-Uri"); forwardedPath != "" {
+					req.URL.Path = forwardedPath
+				}
+				if forwardedMethod := req.Header.Get("X-Forwarded-Method"); forwardedMethod != "" {
+					req.Method = forwardedMethod
+				}
+				if forwardedProto := req.Header.Get("X-Forwarded-Proto"); forwardedProto != "" {
+					req.Proto = forwardedProto
+				}
+				if forwardedHost := req.Header.Get("X-Forwarded-Host"); forwardedHost != "" {
+					req.Host = forwardedHost
+				}
+			}
+
 			// Save the exact formatting of the incoming request so we can use it later
 			scope.Path = req.URL.Path
 			scope.RawPath = req.URL.RawPath