Escape $request_uri for external auth
This commit is contained in:
takonomura
parent
48ee93f5a5
commit
587c2a8765
5 changed files with 7 additions and 6 deletions
|
|
@ -25,7 +25,7 @@ metadata:
|
||||||
name: application
|
name: application
|
||||||
annotations:
|
annotations:
|
||||||
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
|
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
|
||||||
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$request_uri"
|
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
|
||||||
...
|
...
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -3,7 +3,7 @@ kind: Ingress
|
||||||
metadata:
|
metadata:
|
||||||
annotations:
|
annotations:
|
||||||
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
|
nginx.ingress.kubernetes.io/auth-url: "https://$host/oauth2/auth"
|
||||||
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$request_uri"
|
nginx.ingress.kubernetes.io/auth-signin: "https://$host/oauth2/start?rd=$escaped_request_uri"
|
||||||
name: external-auth-oauth2
|
name: external-auth-oauth2
|
||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
spec:
|
spec:
|
||||||
|
|
|
||||||
|
|
@ -815,14 +815,14 @@ func buildAuthSignURL(input interface{}) string {
|
||||||
u, _ := url.Parse(s)
|
u, _ := url.Parse(s)
|
||||||
q := u.Query()
|
q := u.Query()
|
||||||
if len(q) == 0 {
|
if len(q) == 0 {
|
||||||
return fmt.Sprintf("%v?rd=$pass_access_scheme://$http_host$request_uri", s)
|
return fmt.Sprintf("%v?rd=$pass_access_scheme://$http_host$escaped_request_uri", s)
|
||||||
}
|
}
|
||||||
|
|
||||||
if q.Get("rd") != "" {
|
if q.Get("rd") != "" {
|
||||||
return s
|
return s
|
||||||
}
|
}
|
||||||
|
|
||||||
return fmt.Sprintf("%v&rd=$pass_access_scheme://$http_host$request_uri", s)
|
return fmt.Sprintf("%v&rd=$pass_access_scheme://$http_host$escaped_request_uri", s)
|
||||||
}
|
}
|
||||||
|
|
||||||
var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
|
var letters = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
|
||||||
|
|
|
||||||
|
|
@ -697,8 +697,8 @@ func TestBuildAuthSignURL(t *testing.T) {
|
||||||
cases := map[string]struct {
|
cases := map[string]struct {
|
||||||
Input, Output string
|
Input, Output string
|
||||||
}{
|
}{
|
||||||
"default url": {"http://google.com", "http://google.com?rd=$pass_access_scheme://$http_host$request_uri"},
|
"default url": {"http://google.com", "http://google.com?rd=$pass_access_scheme://$http_host$escaped_request_uri"},
|
||||||
"with random field": {"http://google.com?cat=0", "http://google.com?cat=0&rd=$pass_access_scheme://$http_host$request_uri"},
|
"with random field": {"http://google.com?cat=0", "http://google.com?cat=0&rd=$pass_access_scheme://$http_host$escaped_request_uri"},
|
||||||
"with rd field": {"http://google.com?cat&rd=$request", "http://google.com?cat&rd=$request"},
|
"with rd field": {"http://google.com?cat&rd=$request", "http://google.com?cat&rd=$request"},
|
||||||
}
|
}
|
||||||
for k, tc := range cases {
|
for k, tc := range cases {
|
||||||
|
|
|
||||||
|
|
@ -977,6 +977,7 @@ stream {
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
{{ if $location.ExternalAuth.SigninURL }}
|
{{ if $location.ExternalAuth.SigninURL }}
|
||||||
|
set_escape_uri $escaped_request_uri $request_uri;
|
||||||
error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }};
|
error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }};
|
||||||
{{ end }}
|
{{ end }}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue