forked from mystiq/dex
correctly handle path escaping for connector IDs
Signed-off-by: Bob Callaway <bob.callaway@gmail.com>
This commit is contained in:
parent
ff6e7c7688
commit
8fd69c16f5
3 changed files with 32 additions and 7 deletions
|
@ -153,7 +153,7 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
|
||||||
if connectorID != "" {
|
if connectorID != "" {
|
||||||
for _, c := range connectors {
|
for _, c := range connectors {
|
||||||
if c.ID == connectorID {
|
if c.ID == connectorID {
|
||||||
connURL.Path = s.absPath("/auth", c.ID)
|
connURL.Path = s.absPath("/auth", url.PathEscape(c.ID))
|
||||||
http.Redirect(w, r, connURL.String(), http.StatusFound)
|
http.Redirect(w, r, connURL.String(), http.StatusFound)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
@ -163,13 +163,13 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(connectors) == 1 && !s.alwaysShowLogin {
|
if len(connectors) == 1 && !s.alwaysShowLogin {
|
||||||
connURL.Path = s.absPath("/auth", connectors[0].ID)
|
connURL.Path = s.absPath("/auth", url.PathEscape(connectors[0].ID))
|
||||||
http.Redirect(w, r, connURL.String(), http.StatusFound)
|
http.Redirect(w, r, connURL.String(), http.StatusFound)
|
||||||
}
|
}
|
||||||
|
|
||||||
connectorInfos := make([]connectorInfo, len(connectors))
|
connectorInfos := make([]connectorInfo, len(connectors))
|
||||||
for index, conn := range connectors {
|
for index, conn := range connectors {
|
||||||
connURL.Path = s.absPath("/auth", conn.ID)
|
connURL.Path = s.absPath("/auth", url.PathEscape(conn.ID))
|
||||||
connectorInfos[index] = connectorInfo{
|
connectorInfos[index] = connectorInfo{
|
||||||
ID: conn.ID,
|
ID: conn.ID,
|
||||||
Name: conn.Name,
|
Name: conn.Name,
|
||||||
|
@ -200,7 +200,13 @@ func (s *Server) handleConnectorLogin(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
connID := mux.Vars(r)["connector"]
|
connID, err := url.PathUnescape(mux.Vars(r)["connector"])
|
||||||
|
if err != nil {
|
||||||
|
s.logger.Errorf("Failed to parse connector: %v", err)
|
||||||
|
s.renderError(r, w, http.StatusBadRequest, "Requested resource does not exist")
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
conn, err := s.getConnector(connID)
|
conn, err := s.getConnector(connID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
s.logger.Errorf("Failed to get connector: %v", err)
|
s.logger.Errorf("Failed to get connector: %v", err)
|
||||||
|
@ -316,7 +322,12 @@ func (s *Server) handlePasswordLogin(w http.ResponseWriter, r *http.Request) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if connID := mux.Vars(r)["connector"]; connID != "" && connID != authReq.ConnectorID {
|
connID, err := url.PathUnescape(mux.Vars(r)["connector"])
|
||||||
|
if err != nil {
|
||||||
|
s.logger.Errorf("Failed to parse connector: %v", err)
|
||||||
|
s.renderError(r, w, http.StatusBadRequest, "Requested resource does not exist")
|
||||||
|
return
|
||||||
|
} else if connID != "" && connID != authReq.ConnectorID {
|
||||||
s.logger.Errorf("Connector mismatch: authentication started with id %q, but password login for id %q was triggered", authReq.ConnectorID, connID)
|
s.logger.Errorf("Connector mismatch: authentication started with id %q, but password login for id %q was triggered", authReq.ConnectorID, connID)
|
||||||
s.renderError(r, w, http.StatusInternalServerError, "Requested resource does not exist.")
|
s.renderError(r, w, http.StatusInternalServerError, "Requested resource does not exist.")
|
||||||
return
|
return
|
||||||
|
@ -401,7 +412,12 @@ func (s *Server) handleConnectorCallback(w http.ResponseWriter, r *http.Request)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
if connID := mux.Vars(r)["connector"]; connID != "" && connID != authReq.ConnectorID {
|
connID, err := url.PathUnescape(mux.Vars(r)["connector"])
|
||||||
|
if err != nil {
|
||||||
|
s.logger.Errorf("Failed to get connector with id %q : %v", authReq.ConnectorID, err)
|
||||||
|
s.renderError(r, w, http.StatusInternalServerError, "Requested resource does not exist.")
|
||||||
|
return
|
||||||
|
} else if connID != "" && connID != authReq.ConnectorID {
|
||||||
s.logger.Errorf("Connector mismatch: authentication started with id %q, but callback for id %q was triggered", authReq.ConnectorID, connID)
|
s.logger.Errorf("Connector mismatch: authentication started with id %q, but callback for id %q was triggered", authReq.ConnectorID, connID)
|
||||||
s.renderError(r, w, http.StatusInternalServerError, "Requested resource does not exist.")
|
s.renderError(r, w, http.StatusInternalServerError, "Requested resource does not exist.")
|
||||||
return
|
return
|
||||||
|
|
|
@ -254,6 +254,15 @@ func mockConnectorDataTestStorage(t *testing.T, s storage.Storage) {
|
||||||
|
|
||||||
err = s.CreateConnector(c1)
|
err = s.CreateConnector(c1)
|
||||||
require.NoError(t, err)
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
c2 := storage.Connector{
|
||||||
|
ID: "http://any.valid.url/",
|
||||||
|
Type: "mock",
|
||||||
|
Name: "mockURLID",
|
||||||
|
}
|
||||||
|
|
||||||
|
err = s.CreateConnector(c2)
|
||||||
|
require.NoError(t, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestPasswordConnectorDataNotEmpty(t *testing.T) {
|
func TestPasswordConnectorDataNotEmpty(t *testing.T) {
|
||||||
|
|
|
@ -302,7 +302,7 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
r := mux.NewRouter()
|
r := mux.NewRouter().SkipClean(true).UseEncodedPath()
|
||||||
handle := func(p string, h http.Handler) {
|
handle := func(p string, h http.Handler) {
|
||||||
r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, h))
|
r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, h))
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue