Fix logout path check for oidc overrides (#40)

tetrateio · Feb 22, 2024 · c924e2c · c924e2c
1 parent cfe4795
commit c924e2c
Show file tree

Hide file tree

Showing 3 changed files with 76 additions and 5 deletions.
diff --git a/internal/config.go b/internal/config.go
@@ -155,6 +155,13 @@ func mergeAndValidateOIDCConfigs(cfg *configv1.Config) error {
 			// Set the defaults
 			applyOIDCDefaults(f.GetOidc())
 
+			// validate the logout path is not the root path
+			if f.GetOidc().GetLogout() != nil {
+				if isRootPath(f.GetOidc().GetLogout().GetPath()) {
+					return fmt.Errorf("%w: invalid logout path", ErrMustNotBeRootPath)
+				}
+			}
+
 			// validate the callback and the logout path are different
 			callbackURI, _ := url.Parse(f.GetOidc().GetCallbackUri())
 			if f.GetOidc().GetLogout() != nil && callbackURI.Path == f.GetOidc().GetLogout().GetPath() {
@@ -245,11 +252,6 @@ func validateOIDCConfigURLs(c *oidcv1.OIDCConfig) error {
 	if hasRootPath(c.GetCallbackUri()) {
 		return fmt.Errorf("%w: invalid callback URL", ErrMustNotBeRootPath)
 	}
-	if c.GetLogout() != nil {
-		if isRootPath(c.GetLogout().GetPath()) {
-			return fmt.Errorf("%w: invalid logout path", ErrMustNotBeRootPath)
-		}
-	}
 	return nil
 }
 

diff --git a/internal/config_test.go b/internal/config_test.go
@@ -64,6 +64,7 @@ func TestValidateConfig(t *testing.T) {
 		{"invalid-health-port", "testdata/invalid-health-port.json", errCheck{is: ErrHealthPortInUse}},
 		{"invalid-callback-uri", "testdata/invalid-callback.json", errCheck{is: ErrMustNotBeRootPath}},
 		{"invalid-logout-path", "testdata/invalid-logout.json", errCheck{is: ErrMustNotBeRootPath}},
+		{"valid-logout-override-default", "testdata/valid-logout-override-default.json", errCheck{is: nil}},
 		{"invalid-callback-and-logout-path", "testdata/invalid-callback-logout.json", errCheck{is: ErrMustBeDifferentPath}},
 		{"oidc-dynamic", "testdata/oidc-dynamic.json", errCheck{is: nil}},
 		{"valid", "testdata/mock.json", errCheck{is: nil}},

diff --git a/internal/testdata/valid-logout-override-default.json b/internal/testdata/valid-logout-override-default.json
@@ -0,0 +1,68 @@
+{
+  "allow_unmatched_requests": true,
+  "listen_address": "0.0.0.0",
+  "listen_port": "10003",
+  "log_level": "trace",
+  "default_oidc_config": {
+    "authorization_uri": "https://fake/auth",
+    "token_uri": "https://fake/token",
+    "jwks_fetcher": {
+      "jwks_uri": "https://fake/certs"
+    },
+    "client_id": "global_id",
+    "client_secret": "global_secret",
+    "id_token": {
+      "preamble": "Bearer",
+      "header": "Authorization"
+    },
+    "logout": {
+      "path": "/globallogout",
+      "redirect_uri": "https://fake/logout"
+    }
+  },
+  "threads": 8,
+  "chains": [
+    {
+      "name": "jaeger",
+      "match": {
+        "header": ":authority",
+        "prefix": "some"
+      },
+      "filters": [
+        {
+          "oidc_override": {
+            "authorization_uri": "https://fake/auth",
+            "token_uri": "https://fale/token",
+            "callback_uri": "https://some/login",
+            "client_id": "client-id",
+            "logout": {
+              "redirect_uri": "https://fake/logout"
+            }
+          }
+        }
+      ]
+    },
+    {
+      "name": "local",
+      "match": {
+        "header": ":local",
+        "prefix": "localhost"
+      },
+      "filters": [
+        {
+          "oidc_override": {
+            "callback_uri": "https://localhost/login",
+            "client_id": "local_id",
+            "client_secret": "local_secret",
+            "cookie_name_prefix": "local",
+            "logout": {
+              "path": "/local",
+              "redirect_uri": "https://localhost/logout"
+            },
+            "scopes": []
+          }
+        }
+      ]
+    }
+  ]
+}