fix(authn-network): handles r.RemoteAddr without port

feat(authn): do not allow additional options
chore: tidy deps
2024-05-22 15:24:40 +02:00 · 2024-05-22 14:41:54 +02:00 · 2024-05-21 17:24:51 +02:00
4 changed files with 73 additions and 5 deletions
--- a/go.mod
+++ b/go.mod
@ -131,7 +131,7 @@ require (
 	github.com/urfave/cli/v2 v2.25.3
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	gitlab.com/wpetit/goweb v0.0.0-20240226160244-6b2826c79f88
-	golang.org/x/crypto v0.19.0 // indirect
+	golang.org/x/crypto v0.19.0
 	golang.org/x/mod v0.14.0 // indirect
 	golang.org/x/sys v0.17.0 // indirect
 	golang.org/x/term v0.17.0 // indirect
--- a/internal/proxy/director/layer/authn/layer-options.json
+++ b/internal/proxy/director/layer/authn/layer-options.json
@ -43,5 +43,6 @@
                }
            }
        }
-    }
+    },
    "additionalProperties": false
 }
--- a/internal/proxy/director/layer/authn/network/authenticator.go
+++ b/internal/proxy/director/layer/authn/network/authenticator.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"net"
 	"net/http"
 	"strings"
 	"forge.cadoles.com/cadoles/bouncer/internal/proxy/director/layer/authn"
 	"forge.cadoles.com/cadoles/bouncer/internal/store"
@ -49,10 +50,16 @@ func (a *Authenticator) Authenticate(w http.ResponseWriter, r *http.Request, lay
 }
 func (a *Authenticator) matchAnyAuthorizedCIDRs(ctx context.Context, remoteHostPort string, CIDRs []string) (bool, error) {
-	remoteHost, _, err := net.SplitHostPort(remoteHostPort)
+	var remoteHost string
 	if strings.Contains(remoteHostPort, ":") {
 		var err error
 		remoteHost, _, err = net.SplitHostPort(remoteHostPort)
 		if err != nil {
 			return false, errors.WithStack(err)
 		}
 	} else {
 		remoteHost = remoteHostPort
 	}
 	remoteAddr := net.ParseIP(remoteHost)
 	if remoteAddr == nil {
--- a/internal/proxy/director/layer/authn/network/authenticator_test.go
+++ b/internal/proxy/director/layer/authn/network/authenticator_test.go
@ -0,0 +1,60 @@
 package network
 import (
 	"context"
 	"fmt"
 	"testing"
 	"github.com/pkg/errors"
 )
 func TestMatchAuthorizedCIDRs(t *testing.T) {
 	type testCase struct {
 		RemoteHostPort  string
 		AuthorizedCIDRs []string
 		ExpectedResult  bool
 		ExpectedError   error
 	}
 	testCases := []testCase{
 		{
 			RemoteHostPort: "192.168.1.15",
 			AuthorizedCIDRs: []string{
 				"192.168.1.0/24",
 			},
 			ExpectedResult: true,
 		},
 		{
 			RemoteHostPort: "192.168.1.15:43349",
 			AuthorizedCIDRs: []string{
 				"192.168.1.0/24",
 			},
 			ExpectedResult: true,
 		},
 		{
 			RemoteHostPort: "192.168.1.15:43349",
 			AuthorizedCIDRs: []string{
 				"192.168.1.5/32",
 			},
 			ExpectedResult: false,
 		},
 	}
 	auth := Authenticator{}
 	ctx := context.Background()
 	for idx, tc := range testCases {
 		t.Run(fmt.Sprintf("Case #%d", idx), func(t *testing.T) {
 			result, err := auth.matchAnyAuthorizedCIDRs(ctx, tc.RemoteHostPort, tc.AuthorizedCIDRs)
 			if g, e := result, tc.ExpectedResult; e != g {
 				t.Errorf("result: expected '%v', got '%v'", e, g)
 			}
 			if e, g := tc.ExpectedError, err; !errors.Is(err, tc.ExpectedError) {
 				t.Errorf("err: expected '%v', got '%v'", e, g)
 			}
 		})
 	}
 }
Author	SHA1	Message	Date
William Petit	499bb3696d	fix(authn-network): handles r.RemoteAddr without port Some checks are pending Cadoles/bouncer/pipeline/head This commit looks good Details Cadoles/bouncer/pipeline/pr-authn-oidc-redirect-url Build started... Details	2024-05-22 15:24:40 +02:00
William Petit	572093536a	feat(authn): do not allow additional options All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-22 14:41:54 +02:00
William Petit	0d4319fcbb	chore: tidy deps All checks were successful Cadoles/bouncer/pipeline/head This commit looks good Details	2024-05-21 17:24:51 +02:00