From 87f1625ccdd1227f105390240cea403fc9992950 Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Tue, 18 Jul 2023 11:17:25 +0200
Subject: [PATCH 1/4] fix: properly copy x-forwarded headers from upstream
---
 proxy/proxy.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/proxy/proxy.go b/proxy/proxy.go
index b04682b34e..e21f253adb 100644
--- a/proxy/proxy.go
+++ b/proxy/proxy.go
@@ -110,7 +110,16 @@ func (d *Proxy) RoundTrip(r *http.Request) (*http.Response, error) {
 func (d *Proxy) Rewrite(r *httputil.ProxyRequest) {
 if d.c.ProxyTrustForwardedHeaders() {
- r.SetXForwarded()
+ headers := []string{
+ "X-Forwarded-Host",
+ "X-Forwarded-Proto",
+ "X-Forwarded-For",
+ }
+ for _, h := range headers {
+ if v := r.In.Header.Get(h); v != "" {
+ r.Out.Header.Set(h, v)
+ }
+ }
 }
 EnrichRequestedURL(r)
From e455978ad546aebb7bf0858bf98937acff164254 Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Tue, 18 Jul 2023 11:21:21 +0200
Subject: [PATCH 2/4] chore: synchronize workspaces
---
 .schema/version.schema.json | 460 +++++++++++++++++-------------------
 1 file changed, 214 insertions(+), 246 deletions(-)
diff --git a/.schema/version.schema.json b/.schema/version.schema.json
index 3d6ab013ef..84b767699d 100644
--- a/.schema/version.schema.json
+++ b/.schema/version.schema.json
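Review bot: The loop added to Rewrite in proxy/proxy.go copies each header with `r.In.Header.Get(h)`, which returns only the first value, so a request that carries X-Forwarded-For on several header lines reaches the upstream with the later hops dropped. Copying every value keeps the chain intact, e.g. `for _, v := range r.In.Header.Values(h) { r.Out.Header.Add(h, v) }`. Removing `r.SetXForwarded()` also appears to mean that this proxy no longer appends the address of its direct peer and sets no X-Forwarded-* header at all when the caller sent none; since upstreams often use these headers for audit logs, rate limits or redirect URLs, a comment on the branch such as `// Values are taken from the inbound request unverified; enable only behind a trusted front proxy that overwrites them.` would make the trust assumption explicit. Rewrite's body continues past the end of the hunk.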
@@ -1,278 +1,246 @@ { - "$id": "https://github.com/ory/oathkeeper/.schema/version.schema.json", - "$schema": "http://json-schema.org/draft-07/schema#", - "oneOf": [ + "$id": "https://github.com/ory/oathkeeper/.schema/version.schema.json", + "$schema": "http://json-schema.org/draft-07/schema#", + "oneOf": [ + { + "allOf": [ { - "allOf": [ - { - "properties": { - "version": { - "const": "v0.40.5" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.40.5/.schema/config.schema.json" - } - ] + "properties": { + "version": { + "const": "v0.40.5" + } + }, + "required": ["version"] }, { - "allOf": [ - { - "properties": { - "version": { - "const": "v0.40.4" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.40.4/.schema/config.schema.json" - } - ] + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.40.5/.schema/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "properties": { + "version": { + "const": "v0.40.4" + } + }, + "required": ["version"] }, { - "allOf": [ - { - "properties": { - "version": { - "const": "v0.40.3" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.40.3/.schema/config.schema.json" - } - ] + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.40.4/.schema/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "properties": { + "version": { + "const": "v0.40.3" + } + }, + "required": ["version"] }, { - "allOf": [ - { - "properties": { - "version": { - "const": "v0.40.2" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.40.2/.schema/config.schema.json" - } - ] + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.40.3/.schema/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "properties": { + "version": { + "const": "v0.40.2" + } + }, + "required": ["version"] }, { - 
"allOf": [ - { - "properties": { - "version": { - "const": "v0.40.1" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.40.1/spec/config.schema.json" - } - ] + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.40.2/.schema/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "properties": { + "version": { + "const": "v0.40.1" + } + }, + "required": ["version"] }, { - "allOf": [ - { - "properties": { - "version": { - "const": "v0.40.0" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.40.0/spec/config.schema.json" - } - ] + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.40.1/spec/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "properties": { + "version": { + "const": "v0.40.0" + } + }, + "required": ["version"] }, { - "allOf": [ - { - "properties": { - "version": { - "const": "v0.38.4-beta.1" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.4-beta.1/.schema/config.schema.json" - } - ] + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.40.0/spec/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "properties": { + "version": { + "const": "v0.38.4-beta.1" + } + }, + "required": ["version"] }, { - "allOf": [ - { - "properties": { - "version": { - "const": "v0.38.5-beta.1" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.5-beta.1/.schema/config.schema.json" - } - ] + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.4-beta.1/.schema/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "properties": { + "version": { + "const": "v0.38.5-beta.1" + } + }, + "required": ["version"] }, { - "allOf": [ - { - "properties": { - "version": { - "const": "v0.38.9-beta.1" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": 
"https://raw.githubusercontent.com/ory/oathkeeper/v0.38.9-beta.1/.schema/config.schema.json" - } - ] + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.5-beta.1/.schema/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "properties": { + "version": { + "const": "v0.38.9-beta.1" + } + }, + "required": ["version"] }, { - "allOf": [ - { - "properties": { - "version": { - "const": "v0.38.14-beta.1" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.14-beta.1/.schema/config.schema.json" - } - ] + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.9-beta.1/.schema/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "properties": { + "version": { + "const": "v0.38.14-beta.1" + } + }, + "required": ["version"] }, { - "allOf": [ - { - "properties": { - "version": { - "const": "v0.38.15-beta.1" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.15-beta.1/.schema/config.schema.json" - } - ] + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.14-beta.1/.schema/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "properties": { + "version": { + "const": "v0.38.15-beta.1" + } + }, + "required": ["version"] }, { - "allOf": [ - { - "properties": { - "version": { - "const": "v0.38.17-beta.1" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.17-beta.1/.schema/config.schema.json" - } - ] + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.15-beta.1/.schema/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "properties": { + "version": { + "const": "v0.38.17-beta.1" + } + }, + "required": ["version"] }, { - "allOf": [ - { - "properties": { - "version": { - "const": "v0.38.19-beta.1" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": 
"https://raw.githubusercontent.com/ory/oathkeeper/v0.38.19-beta.1/.schema/config.schema.json" - } - ] + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.17-beta.1/.schema/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "properties": { + "version": { + "const": "v0.38.19-beta.1" + } + }, + "required": ["version"] }, { - "allOf": [ - { - "properties": { - "version": { - "const": "v0.38.20-beta.1" - } - }, - "required": [ - "version" - ] - }, - { - "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.20-beta.1/.schema/config.schema.json" - } - ] + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.19-beta.1/.schema/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "properties": { + "version": { + "const": "v0.38.20-beta.1" + } + }, + "required": ["version"] }, { - "allOf": [ - { - "oneOf": [ - { - "properties": { - "version": { - "type": "string", - "maxLength": 0 - } - }, - "required": [ - "version" - ] - }, - { - "not": { - "properties": { - "version": {} - }, - "required": [ - "version" - ] - } - } - ] - }, - { - "$ref": "#/oneOf/0/allOf/1" + "$ref": "https://raw.githubusercontent.com/ory/oathkeeper/v0.38.20-beta.1/.schema/config.schema.json" + } + ] + }, + { + "allOf": [ + { + "oneOf": [ + { + "properties": { + "version": { + "type": "string", + "maxLength": 0 } - ] + }, + "required": ["version"] + }, + { + "not": { + "properties": { + "version": {} + }, + "required": ["version"] + } + } + ] + }, + { + "$ref": "#/oneOf/0/allOf/1" } - ], - "title": "All Versions of the ORY Oathkeeper Configuration", - "type": "object" -} \ No newline at end of file + ] + } + ], + "title": "All Versions of the ORY Oathkeeper Configuration", + "type": "object" +} From 938c9b389b37932c9b8c96049815a0aa6171b9e7 Mon Sep 17 00:00:00 2001 
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Tue, 18 Jul 2023 11:30:15 +0200
Subject: [PATCH 3/4] chore: synchronize workspaces
---
 proxy/proxy_test.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/proxy/proxy_test.go b/proxy/proxy_test.go
index 816c2174ca..e41c371412 100644
--- a/proxy/proxy_test.go
+++ b/proxy/proxy_test.go
@@ -209,7 +209,7 @@ func TestProxy(t *testing.T) {
 conf.SetForTest(t, configuration.ProxyTrustForwardedHeaders, true)
 },
 transform: func(r *http.Request) {
- r.Header.Set("X-Forwarded-For", "foobar.com")
+ r.Header.Set("X-Forwarded-Host", "foobar.com")
 },
 url: ts.URL + "/authn-anon/authz-allow/cred-noop/1234",
 rulesRegexp: []rule.Rule{{
@@ -231,13 +231,13 @@ func TestProxy(t *testing.T) {
 "authorization=",
 "url=/authn-anon/authz-allow/cred-noop/1234",
 "host=" + x.ParseURLOrPanic(backend.URL).Host,
- "header X-Forwarded-Proto=http",
+ "header X-Forwarded-Host=foobar.com",
 },
 },
 {
 d: "should pass and remove x-forwarded headers",
 transform: func(r *http.Request) {
- r.Header.Set("X-Forwarded-For", "foobar.com")
+ r.Header.Set("X-Forwarded-Host", "foobar.com")
 },
 url: ts.URL + "/authn-anon/authz-allow/cred-noop/1234",
 rulesRegexp: []rule.Rule{{
@@ -256,7 +256,7 @@ func TestProxy(t *testing.T) {
 }},
 code: http.StatusOK,
 messagesNot: []string{
- "header X-Forwarded-Proto=http",
+ "header X-Forwarded-Host=foobar.com",t
 },
 },
 {
From 1cb3c41d7ac9ab6e215d12ef288a9018850e2c7e Mon Sep 17 00:00:00 2001
From: aeneasr <3372410+aeneasr@users.noreply.github.com>
Date: Tue, 18 Jul 2023 11:32:20 +0200
Subject: [PATCH 4/4] chore: synchronize workspaces
---
 proxy/proxy_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/proxy/proxy_test.go b/proxy/proxy_test.go
index e41c371412..579919529a 100644
--- a/proxy/proxy_test.go
+++ b/proxy/proxy_test.go
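Review bot: The trusted-headers case (hunks at -209 and -231) now sends and asserts only X-Forwarded-Host, and the `X-Forwarded-Proto` expectation was removed, so the X-Forwarded-For and X-Forwarded-Proto branches that PATCH 1/4 added to Rewrite are exercised by neither the positive case nor the `messagesNot` case at -256. Setting all three headers in `transform` and listing all three in `messages` / `messagesNot` would pin both the pass-through and the stripping behaviour, e.g. `r.Header.Set("X-Forwarded-For", "203.0.113.7")` (constructed sample value) with a matching `"header X-Forwarded-For=203.0.113.7"` entry. TestProxy's table starts and ends outside these hunks, so the format in which the backend echoes headers is inferred from the existing expectations.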
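Review bot: The added line in the hunk at -256 ends in `",t`, a stray `t` after the comma that should leave proxy_test.go failing to compile at this commit. PATCH 4/4 removes it, so squashing that fix into this commit would keep every commit in the series buildable for bisecting.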
@@ -256,7 +256,7 @@ func TestProxy(t *testing.T) {
 }},
 code: http.StatusOK,
 messagesNot: []string{
- "header X-Forwarded-Host=foobar.com",t
+ "header X-Forwarded-Host=foobar.com",
 },
 },
 {