Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Escape $request_uri for external auth #2811

Merged
merged 2 commits into from
Jul 21, 2018
Merged

Escape $request_uri for external auth #2811

merged 2 commits into from
Jul 21, 2018

Conversation

takonomura
Copy link
Contributor

What this PR does / why we need it:

Escape $request_uri to correct external auth redirect

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #

Special notes for your reviewer:

How to reproduce issue:

  1. Deploy https://github.com/kubernetes/ingress-nginx/tree/master/docs/examples/auth/oauth-external-auth
  2. Access to https://foo.bar.com/?a=b&c=d (without signed in)
  3. Sign in
  4. Redirected to https://foo.bar.com/?a=b (c=d is out)

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 19, 2018
@codecov-io
Copy link

codecov-io commented Jul 19, 2018
edited
Loading

Codecov Report

Merging #2811 into master will increase coverage by 0.01%.
The diff coverage is 100%.

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #2811      +/-   ##
==========================================
+ Coverage   47.33%   47.34%   +0.01%     
==========================================
  Files          75       75              
  Lines        5413     5413              
==========================================
+ Hits         2562     2563       +1     
+ Misses       2527     2525       -2     
- Partials      324      325       +1
Impacted Files Coverage Δ
internal/ingress/controller/template/template.go 66.52% <100%> (ø) ⬆️
internal/watch/file_watcher.go 84.61% <0%> (+3.84%) ⬆️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7784d73...3ce0ad9. Read the comment docs.

@antoineco
Copy link
Contributor

Thanks @takonomura, would you mind adding an e2e test for this?

@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Jul 19, 2018
@takonomura takonomura force-pushed the escape-request-uri branch 2 times, most recently from 636ca10 to 0f125d1 Compare July 19, 2018 14:47
antoineco
antoineco suggested changes Jul 19, 2018
View reviewed changes
test/e2e/framework/httpbin.go Outdated
return f.NewHttpbinDeploymentWithReplicas(1)
}

// NewHttpbinDeploymentWithReplicas creates a new deployment of the echoserver image in a particular namespace. Number of
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems like a lot of repetitive code just for using a different image.

@takonomura takonomura force-pushed the escape-request-uri branch 3 times, most recently from 510315a to ed84fc7 Compare July 21, 2018 05:57
@takonomura
Copy link
Contributor Author

I added e2e tests and the CI passed.

@antoineco
Copy link
Contributor

/lgtm

Thanks @takonomura!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 21, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: antoineco, takonomura

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 21, 2018
@k8s-ci-robot k8s-ci-robot merged commit 237dcd7 into kubernetes:master Jul 21, 2018
@takonomura takonomura deleted the escape-request-uri branch July 21, 2018 09:25
Bluston added a commit to Bluston/ingress-nginx that referenced this pull request Sep 25, 2019
@Bluston
change nginx-ingress-controller tag
fbbcdda 
you can see kubernetes#2811
YenTheFirst added a commit to YenTheFirst/oauth2_proxy that referenced this pull request Oct 1, 2019
@YenTheFirst
Escape original request URI in sample kubernetes ingress configuration
513af9b 
The current sample configuration for kubernetes ingress demonstrates
using the `auth-signin` annotation to redirect a user to oauth2_proxy's
signin page. It constructs the link to do so by directly concatenating
`$request_uri` as the `rd` parameter, so the sign-in page knows where to
send the user after signin is complete.

However, this does not work correctly if the original request URI
contains multiple query parameters separated by an ampersand, as that
ampersand is interpereted as separating query parameters of the
`/oauth2/start` URI. For example:

If the user requests a URL:
  https://example.com/foo?q1=v1&q2=v2
they may be redirected to the signin url
  https://example.com/oauth2/start?rd=https://example.com/foo?q1=v1&q2=v2
and after completing signin, oauth2_proxy will redirect them to
  https://example.com/foo?q1=v1

nginx-ingress added an $escaped_request_uri variable about a year ago,
to help resolve this kind of issue
(kubernetes/ingress-nginx#2811)
@YenTheFirst YenTheFirst mentioned this pull request Oct 1, 2019
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@antoineco antoineco antoineco requested changes

Assignees

@antoineco antoineco

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@takonomura @codecov-io @antoineco @k8s-ci-robot