Pass redirect field in login page to get a proper redirect

2017-10-05 01:55:42 -03:00 · 2017-10-05 01:55:42 -03:00 · 23af068e17
commit 23af068e17
parent 23916be991
4 changed files with 40 additions and 2 deletions
--- a/controllers/nginx/pkg/template/template.go
+++ b/controllers/nginx/pkg/template/template.go
@ -22,6 +22,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
+	"net/url"
 	"os"
 	"os/exec"
 	"strconv"
@ -153,6 +154,7 @@ var (
 		"buildForwardedFor":           buildForwardedFor,
 		"trustHTTPHeaders":            trustHTTPHeaders,
 		"trustProxyProtocol":          trustProxyProtocol,
+		"buildAuthSignURL":            buildAuthSignURL,
 	}
 )

@ -690,3 +692,23 @@ func trustProxyProtocol(input interface{}) bool {
 	return conf.Cfg.RealClientFrom == "tcp-proxy" ||
 		(conf.Cfg.RealClientFrom == "auto" && conf.Cfg.UseProxyProtocol)
 }
+
+func buildAuthSignURL(input interface{}) string {
+	s, ok := input.(string)
+	if !ok {
+		glog.Errorf("expected an 'string' type but %T was returned", input)
+		return ""
+	}
+
+	u, _ := url.Parse(s)
+	q := u.Query()
+	if len(q) == 0 {
+		return fmt.Sprintf("%v?rd=$request_uri", s)
+	}
+
+	if q.Get("rd") != "" {
+		return s
+	}
+
+	return fmt.Sprintf("%v&rd=$request_uri", s)
+}
--- a/controllers/nginx/pkg/template/template_test.go
+++ b/controllers/nginx/pkg/template/template_test.go
@ -354,3 +354,19 @@ func TestBuildRateLimit(t *testing.T) {
 		}
 	}
 }
+
+func TestBuildAuthSignURL(t *testing.T) {
+	cases := map[string]struct {
+		Input, Output string
+	}{
+		"default url":       {"http://google.com", "http://google.com?rd=$request_uri"},
+		"with random field": {"http://google.com?cat=0", "http://google.com?cat=0&rd=$request_uri"},
+		"with rd field":     {"http://google.com?cat&rd=$request", "http://google.com?cat&rd=$request"},
+	}
+	for k, tc := range cases {
+		res := buildAuthSignURL(tc.Input)
+		if res != tc.Output {
+			t.Errorf("%s: called buildAuthSignURL('%s'); expected '%v' but returned '%v'", k, tc.Input, tc.Output, res)
+		}
+	}
+}
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@ -727,7 +727,7 @@ stream {
            {{ end }}

            {{ if not (empty $location.ExternalAuth.SigninURL) }}
-            error_page 401 = {{ $location.ExternalAuth.SigninURL }};
+            error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }};
            {{ end }}

            {{/* if the location contains a rate limit annotation, create one */}}
--- a/examples/external-auth/nginx/dashboard-ingress.yaml
+++ b/examples/external-auth/nginx/dashboard-ingress.yaml
@ -2,7 +2,7 @@ apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
  annotations:
-    ingress.kubernetes.io/auth-signin: https://$host/oauth2/sign_in
+    ingress.kubernetes.io/auth-signin: https://$host/oauth2/start
    ingress.kubernetes.io/auth-url: https://$host/oauth2/auth
  name: external-auth-oauth2
  namespace: kube-system