Merge branch 'main' into dev

* main: outposts/proxy: Fix invalid redirect on external hosts containing path components (#8915) core: cache user application list under policies (#8895) web: bump the eslint group in /web with 2 updates (#8959) web: bump core-js from 3.36.0 to 3.36.1 in /web (#8960) website: bump @types/react from 18.2.66 to 18.2.67 in /website (#8962) web: bump the eslint group in /tests/wdio with 2 updates (#8963)
goauthentik · Mar 19, 2024 · 8946b81 · 8946b81
2 parents db96e1a + 1b81973
commit 8946b81
Show file tree

Hide file tree

Showing 9 changed files with 128 additions and 138 deletions.
diff --git a/authentik/core/api/applications.py b/authentik/core/api/applications.py
@@ -37,7 +37,7 @@
 )
 from authentik.policies.api.exec import PolicyTestResultSerializer
 from authentik.policies.engine import PolicyEngine
-from authentik.policies.types import PolicyResult
+from authentik.policies.types import CACHE_PREFIX, PolicyResult
 from authentik.rbac.decorators import permission_required
 from authentik.rbac.filters import ObjectFilter
 
@@ -46,7 +46,7 @@
 
 def user_app_cache_key(user_pk: str) -> str:
     """Cache key where application list for user is saved"""
-    return f"goauthentik.io/core/app_access/{user_pk}"
+    return f"{CACHE_PREFIX}/app_access/{user_pk}"
 
 
 class ApplicationSerializer(ModelSerializer):
@@ -214,7 +214,7 @@ def list(self, request: Request) -> Response:
             return super().list(request)
 
         queryset = self._filter_queryset_for_list(self.get_queryset())
-        pagined_apps = self.paginate_queryset(queryset)
+        paginated_apps = self.paginate_queryset(queryset)
 
         if "for_user" in request.query_params:
             try:
@@ -228,18 +228,18 @@ def list(self, request: Request) -> Response:
                     raise ValidationError({"for_user": "User not found"})
             except ValueError as exc:
                 raise ValidationError from exc
-            allowed_applications = self._get_allowed_applications(pagined_apps, user=for_user)
+            allowed_applications = self._get_allowed_applications(paginated_apps, user=for_user)
             serializer = self.get_serializer(allowed_applications, many=True)
             return self.get_paginated_response(serializer.data)
 
         allowed_applications = []
         if not should_cache:
-            allowed_applications = self._get_allowed_applications(pagined_apps)
+            allowed_applications = self._get_allowed_applications(paginated_apps)
         if should_cache:
             allowed_applications = cache.get(user_app_cache_key(self.request.user.pk))
             if not allowed_applications:
                 LOGGER.debug("Caching allowed application list")
-                allowed_applications = self._get_allowed_applications(pagined_apps)
+                allowed_applications = self._get_allowed_applications(paginated_apps)
                 cache.set(
                     user_app_cache_key(self.request.user.pk),
                     allowed_applications,

diff --git a/internal/outpost/proxyv2/application/mode_proxy_test.go b/internal/outpost/proxyv2/application/mode_proxy_test.go
@@ -56,7 +56,7 @@ func TestProxy_Redirect_Subdirectory(t *testing.T) {
 	loc, _ := rr.Result().Location()
 	assert.Equal(
 		t,
-		"https://ext.t.goauthentik.io/subdir/outpost.goauthentik.io/start?rd=https%3A%2F%2Fext.t.goauthentik.io%2Ffoo",
+		"https://ext.t.goauthentik.io/subdir/outpost.goauthentik.io/start?rd=https%3A%2F%2Fext.t.goauthentik.io%2Fsubdir%2Ffoo",
 		loc.String(),
 	)
 }

diff --git a/internal/outpost/proxyv2/application/utils.go b/internal/outpost/proxyv2/application/utils.go
@@ -3,30 +3,19 @@ package application
 import (
 	"net/http"
 	"net/url"
-	"path"
 	"strconv"
 	"strings"
 
 	"goauthentik.io/api/v3"
 	"goauthentik.io/internal/outpost/proxyv2/constants"
 )
 
-func urlPathSet(originalUrl string, newPath string) string {
-	u, err := url.Parse(originalUrl)
-	if err != nil {
-		return originalUrl
-	}
-	u.Path = newPath
-	return u.String()
-}
-
 func urlJoin(originalUrl string, newPath string) string {
-	u, err := url.Parse(originalUrl)
+	u, err := url.JoinPath(originalUrl, newPath)
 	if err != nil {
 		return originalUrl
 	}
-	u.Path = path.Join(u.Path, newPath)
-	return u.String()
+	return u
 }
 
 func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
@@ -46,7 +35,7 @@ func (a *Application) redirectToStart(rw http.ResponseWriter, r *http.Request) {
 		}
 	}
 
-	redirectUrl := urlPathSet(a.proxyConfig.ExternalHost, r.URL.Path)
+	redirectUrl := urlJoin(a.proxyConfig.ExternalHost, r.URL.Path)
 
 	if a.Mode() == api.PROXYMODE_FORWARD_DOMAIN {
 		dom := strings.TrimPrefix(*a.proxyConfig.CookieDomain, ".")

diff --git a/tests/wdio/package-lock.json b/tests/wdio/package-lock.json
diff --git a/tests/wdio/package.json b/tests/wdio/package.json
@@ -4,8 +4,8 @@
     "type": "module",
     "devDependencies": {
         "@trivago/prettier-plugin-sort-imports": "^4.3.0",
-        "@typescript-eslint/eslint-plugin": "^7.2.0",
-        "@typescript-eslint/parser": "^7.2.0",
+        "@typescript-eslint/eslint-plugin": "^7.3.1",
+        "@typescript-eslint/parser": "^7.3.1",
         "@wdio/cli": "^8.34.1",
         "@wdio/local-runner": "^8.34.1",
         "@wdio/mocha-framework": "^8.33.1",