NotificationsYou must be signed in to change notification settings
Fork190
Star3.1k

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

sso_proxy: reduce direct calls to ValidateGroup() and clean up logic#275

Open

Jusshersmith wants to merge16 commits intomain

base:main

Choose a base branch

fromjusshersmith-session-expiry-validations

Open

sso_proxy: reduce direct calls to ValidateGroup() and clean up logic#275

Jusshersmith wants to merge16 commits intomainfromjusshersmith-session-expiry-validations

+554 −452

Conversation

Copy link

Contributor

Jusshersmith commentedDec 6, 2019•
edited
Loading

Problem

We are still callingValidateGroup() directly withinsso_proxy, but using the options/validator package elsewhere in the same logic path (originally partially due to circular imports). This makes it increasingly difficult to make sure we were running the right validations at the right time, and certain methods were growing in complexity and responsibility.

Solution

Attempt to reunite some of the most problematic portions of code in related to the above.

High level overview of included changes:

MovesextendDeadline andwithinGracePeriod to be part of the sessions package, instead of the providers package. (In fact, a version ofextendDeadline already exists in the session package. We now use that instead)
Changes direct calls toValidateGroup withininternal/proxy/providers/sso.go to options/validator package calls withininternal/proxy/providers/oauthproxy.go.
- Introduces therunValidatorsWithGracePeriod helper method here to help handle cases where we want to check if the auth provider is unavailable instead of explicitly denying authentication.
Renames theValidateSessionState method toValidateSessionToken, which seemed to better fit its responsibility.
Modify tests to explicitly test new logic
Some formatting simplification/changes of the validator errors, and other general refactoring

Notes

The perhaps less obvious change is that within theAuthenticate() methodwe'll now only run validators when the refresh or validation period has expired.
This is instead of running group validations when the refresh or validation period has expired, and domain/email validations on all proxied requests.

---------- EDIT -----------

Additional changes

This also now includes some logic to prevent the copying + use of a cookie authorised with upstream 'foo' with upstream 'bar'. A newAuthorisedUpstream value has been added to the session which is checked against the request host.
For the time being, when caught this check will re-trigger the start of the oauth flow, primarily to help introduce this additional check in a graceful manner.
options package now renamed tovalidators to better represent its responsibility.

Jusshersmith force-pushed thejusshersmith-session-expiry-validations branch from26a857d to7ccc864Compare

December 9, 2019 17:16

Copy link

codecovbot commentedDec 12, 2019•
edited
Loading

Codecov Report

Merging#275 intomaster willdecrease coverage by0.2%.
The diff coverage is47.82%.

@@            Coverage Diff            @@##           master    #275      +/-   ##=========================================- Coverage   62.51%   62.3%   -0.21%=========================================  Files          54      54                Lines        4199    4197       -2     =========================================- Hits         2625    2615      -10- Misses       1385    1394       +9+ Partials      189     188       -1

Impacted Files	Coverage Δ
internal/pkg/validators/validators.go	`0% <ø> (ø)`
internal/pkg/validators/email_domain_validator.go	`100% <ø> (ø)`
internal/pkg/validators/email_address_validator.go	`100% <ø> (ø)`
internal/proxy/providers/providers.go	`0% <ø> (ø)`	⬆️
internal/pkg/validators/email_group_validator.go	`0% <0%> (ø)`
internal/proxy/providers/test_provider.go	`0% <0%> (ø)`	⬆️
...nternal/proxy/providers/singleflight_middleware.go	`0% <0%> (ø)`	⬆️
internal/proxy/proxy.go	`20% <0%> (ø)`	⬆️
internal/pkg/validators/mock_validator.go	`0% <0%> (ø)`
internal/auth/authenticator.go	`86.18% <100%> (ø)`	⬆️
... and6 more

Jusshersmith added2 commits

December 12, 2019 17:53

sso_*:clean up some validation calls

b27f1f8

sso: fix and add tests

0ae7ffd

sso_auth: fix testssso_proxy: fix sso provider testssso_proxy: more testssession_state: add extra tests

Jusshersmith force-pushed thejusshersmith-session-expiry-validations branch from1afa378 to0ae7ffdCompare

December 12, 2019 17:53

proxy: small comment change

8e49702

Jusshersmith requested a review fromjphines

December 12, 2019 17:59

metric change

6b9497e

jphines suggested changes

Jan 6, 2020

View reviewed changes

internal/proxy/providers/providers.go OutdatedShow resolvedHide resolved

internal/proxy/oauthproxy.goShow resolvedHide resolved

Jusshersmith added3 commits

January 8, 2020 10:56

changes from review:

fcef7d3

- rename 'RefreshSession' to 'RefreshSessionToken'- rename 'options' package (containing the validators) to 'validators'

extra validator rename fixes

461036b

quick test to test upstream verification through session state

54d03fb

jphines reviewed

Jan 14, 2020

View reviewed changes

internal/pkg/sessions/session_state.goShow resolvedHide resolved

jphines reviewed

Jan 14, 2020

View reviewed changes

internal/proxy/oauthproxy.go Outdated

		return err
		}
		}
		allowedGroups := p.upstreamConfig.AllowedGroups

Copy link

Contributor

jphinesJan 14, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Can we put the allowed groups in the validator error message instead of pulling them out this way? I think it could make the logline easier to understand which set of validators rejected a user?

Copy link

ContributorAuthor

JusshersmithJan 28, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Added the allowed groups into the group validator error message. Below is an example of the error message displayed to users (the same formatting is used for the log lines).

Also removed a chunk of formatting logic around the errors as it was becoming over-engineered and unnecessary. We could also add some extra context to errors coming from the domain/email address validators, but as is the error message would become pretty bloated if multiple validators returned errors - so perhaps worth addressing that separately?

jphines reviewed

Jan 14, 2020

View reviewed changes

internal/proxy/oauthproxy.go OutdatedShow resolvedHide resolved

jphines reviewed

Jan 14, 2020

View reviewed changes

internal/proxy/oauthproxy.goShow resolvedHide resolved

jphines previously approved these changes

Jan 14, 2020

View reviewed changes

Copy link

Contributor

jphines left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

A few comment nits -- but once those are cleared up I think this is good to go.

changes following review

1b7d6d3

Jusshersmith dismissedjphines’sstale review via1b7d6d3

January 27, 2020 10:55

Jusshersmith added7 commits

January 27, 2020 11:59

extra logging

d69ebed

change error to allow for graceful introduction of this session change

1e8a5f4

change log level

161e37c

some small formatting changes

5684a89

removed overengineered formatting logic

5041e5a

missing word in comment

b13dfde

re-word comment

2ab3891

Copy link

ContributorAuthor

Jusshersmith commentedJan 28, 2020

@jphines - ready for re-review. Main new logic changes consist of the change to the raised error if an unauthorised upstream is being requested to better handle the graceful introduction of this check, and formatting of the errors returned by the validators.

Other than that, it's largely comment changes/additions.