hoelee/cloudflared
1
0
Fork 0
mirror of https://github.com/cloudflare/cloudflared.git synced 2025-07-27 19:19:57 +00:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

TUN-6774: Validate OriginRequest.Access to add Ingress.Middleware

Browse Source 
We take advantage of the JWTValidator middleware and attach it to an
ingress rule based on Access configurations. We attach the Validator
directly to the ingress rules because we want to take advantage of
caching and token revert/handling that comes with go-oidc.
This commit is contained in:
Sudarsan Reddy
2022-09-22 14:04:47 +01:00
parent 0aa21f302e
commit 462d2f87df
5 changed files with 48 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
ingress/ingress.go
View File

@@ -13,6 +13,7 @@ import (
"github.com/urfave/cli/v2"
"github.com/cloudflare/cloudflared/config"
"github.com/cloudflare/cloudflared/ingress/middleware"
"github.com/cloudflare/cloudflared/ipaccess"
)
@@ -168,6 +169,28 @@ func (ing Ingress) CatchAll() *Rule {
return &ing.Rules[len(ing.Rules)-1]
}
func validateAccessConfiguration(cfg *config.AccessConfig) error {
if !cfg.Required {
return nil
}
// It is possible to set `required:true` and not have these two configured yet.
// But if one of them is configured, we'd validate for correctness.
if len(cfg.AudTag) == 0 && cfg.TeamName == "" {
return nil
}
if len(cfg.AudTag) == 0 {
return errors.New("access audtag cannot be empty")
}
if cfg.TeamName == "" {
return errors.New("access.TeamName cannot be blank")
}
return nil
}
func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginRequestConfig) (Ingress, error) {
rules := make([]Rule, len(ingress))
for i, r := range ingress {
@@ -237,6 +260,17 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq
}
}
var handlers []middleware.Handler
if access := r.OriginRequest.Access; access != nil {
if err := validateAccessConfiguration(access); err != nil {
return Ingress{}, err
}
if access.Required {
verifier := middleware.NewJWTValidator(access.TeamName, "", access.AudTag)
handlers = append(handlers, verifier)
}
}
if err := validateHostname(r, i, len(ingress)); err != nil {
return Ingress{}, err
}
@@ -255,6 +289,7 @@ func validateIngress(ingress []config.UnvalidatedIngressRule, defaults OriginReq
Hostname: r.Hostname,
Service: service,
Path: pathRegexp,
Handlers: handlers,
Config: cfg,
}
}