traefik/pkg/middlewares/auth/forward.go

package auth

import (
	"context"
	"crypto/tls"
	"fmt"
	"io/ioutil"
	"net"
	"net/http"
	"strings"

	"github.com/containous/traefik/pkg/config"
	"github.com/containous/traefik/pkg/middlewares"
	"github.com/containous/traefik/pkg/tracing"
	"github.com/opentracing/opentracing-go/ext"
	"github.com/vulcand/oxy/forward"
	"github.com/vulcand/oxy/utils"
)

const (
	xForwardedURI     = "X-Forwarded-Uri"
	xForwardedMethod  = "X-Forwarded-Method"
	forwardedTypeName = "ForwardedAuthType"
)

type forwardAuth struct {
	address             string
	authResponseHeaders []string
	next                http.Handler
	name                string
	tlsConfig           *tls.Config
	trustForwardHeader  bool
}

// NewForward creates a forward auth middleware.
func NewForward(ctx context.Context, next http.Handler, config config.ForwardAuth, name string) (http.Handler, error) {
	middlewares.GetLogger(ctx, name, forwardedTypeName).Debug("Creating middleware")

	fa := &forwardAuth{
		address:             config.Address,
		authResponseHeaders: config.AuthResponseHeaders,
		next:                next,
		name:                name,
		trustForwardHeader:  config.TrustForwardHeader,
	}

	if config.TLS != nil {
		tlsConfig, err := config.TLS.CreateTLSConfig()
		if err != nil {
			return nil, err
		}

		fa.tlsConfig = tlsConfig
	}

	return fa, nil
}

func (fa *forwardAuth) GetTracingInformation() (string, ext.SpanKindEnum) {
	return fa.name, ext.SpanKindRPCClientEnum
}

func (fa *forwardAuth) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
	logger := middlewares.GetLogger(req.Context(), fa.name, forwardedTypeName)

	// Ensure our request client does not follow redirects
	httpClient := http.Client{
		CheckRedirect: func(r *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}

	if fa.tlsConfig != nil {
		httpClient.Transport = &http.Transport{
			TLSClientConfig: fa.tlsConfig,
		}
	}

	forwardReq, err := http.NewRequest(http.MethodGet, fa.address, nil)
	tracing.LogRequest(tracing.GetSpan(req), forwardReq)
	if err != nil {
		logMessage := fmt.Sprintf("Error calling %s. Cause %s", fa.address, err)
		logger.Debug(logMessage)
		tracing.SetErrorWithEvent(req, logMessage)

		rw.WriteHeader(http.StatusInternalServerError)
		return
	}

	writeHeader(req, forwardReq, fa.trustForwardHeader)

	tracing.InjectRequestHeaders(forwardReq)

	forwardResponse, forwardErr := httpClient.Do(forwardReq)
	if forwardErr != nil {
		logMessage := fmt.Sprintf("Error calling %s. Cause: %s", fa.address, forwardErr)
		logger.Debug(logMessage)
		tracing.SetErrorWithEvent(req, logMessage)

		rw.WriteHeader(http.StatusInternalServerError)
		return
	}

	body, readError := ioutil.ReadAll(forwardResponse.Body)
	if readError != nil {
		logMessage := fmt.Sprintf("Error reading body %s. Cause: %s", fa.address, readError)
		logger.Debug(logMessage)
		tracing.SetErrorWithEvent(req, logMessage)

		rw.WriteHeader(http.StatusInternalServerError)
		return
	}
	defer forwardResponse.Body.Close()

	// Pass the forward response's body and selected headers if it
	// didn't return a response within the range of [200, 300).
	if forwardResponse.StatusCode < http.StatusOK || forwardResponse.StatusCode >= http.StatusMultipleChoices {
		logger.Debugf("Remote error %s. StatusCode: %d", fa.address, forwardResponse.StatusCode)

		utils.CopyHeaders(rw.Header(), forwardResponse.Header)
		utils.RemoveHeaders(rw.Header(), forward.HopHeaders...)

		// Grab the location header, if any.
		redirectURL, err := forwardResponse.Location()

		if err != nil {
			if err != http.ErrNoLocation {
				logMessage := fmt.Sprintf("Error reading response location header %s. Cause: %s", fa.address, err)
				logger.Debug(logMessage)
				tracing.SetErrorWithEvent(req, logMessage)

				rw.WriteHeader(http.StatusInternalServerError)
				return
			}
		} else if redirectURL.String() != "" {
			// Set the location in our response if one was sent back.
			rw.Header().Set("Location", redirectURL.String())
		}

		tracing.LogResponseCode(tracing.GetSpan(req), forwardResponse.StatusCode)
		rw.WriteHeader(forwardResponse.StatusCode)

		if _, err = rw.Write(body); err != nil {
			logger.Error(err)
		}
		return
	}

	for _, headerName := range fa.authResponseHeaders {
		req.Header.Set(headerName, forwardResponse.Header.Get(headerName))
	}

	req.RequestURI = req.URL.RequestURI()
	fa.next.ServeHTTP(rw, req)
}

func writeHeader(req *http.Request, forwardReq *http.Request, trustForwardHeader bool) {
	utils.CopyHeaders(forwardReq.Header, req.Header)
	utils.RemoveHeaders(forwardReq.Header, forward.HopHeaders...)

	if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {
		if trustForwardHeader {
			if prior, ok := req.Header[forward.XForwardedFor]; ok {
				clientIP = strings.Join(prior, ", ") + ", " + clientIP
			}
		}
		forwardReq.Header.Set(forward.XForwardedFor, clientIP)
	}

	xMethod := req.Header.Get(xForwardedMethod)
	switch {
	case xMethod != "" && trustForwardHeader:
		forwardReq.Header.Set(xForwardedMethod, xMethod)
	case req.Method != "":
		forwardReq.Header.Set(xForwardedMethod, req.Method)
	default:
		forwardReq.Header.Del(xForwardedMethod)
	}

	xfp := req.Header.Get(forward.XForwardedProto)
	switch {
	case xfp != "" && trustForwardHeader:
		forwardReq.Header.Set(forward.XForwardedProto, xfp)
	case req.TLS != nil:
		forwardReq.Header.Set(forward.XForwardedProto, "https")
	default:
		forwardReq.Header.Set(forward.XForwardedProto, "http")
	}

	if xfp := req.Header.Get(forward.XForwardedPort); xfp != "" && trustForwardHeader {
		forwardReq.Header.Set(forward.XForwardedPort, xfp)
	}

	xfh := req.Header.Get(forward.XForwardedHost)
	switch {
	case xfh != "" && trustForwardHeader:
		forwardReq.Header.Set(forward.XForwardedHost, xfh)
	case req.Host != "":
		forwardReq.Header.Set(forward.XForwardedHost, req.Host)
	default:
		forwardReq.Header.Del(forward.XForwardedHost)
	}

	xfURI := req.Header.Get(xForwardedURI)
	switch {
	case xfURI != "" && trustForwardHeader:
		forwardReq.Header.Set(xForwardedURI, xfURI)
	case req.URL.RequestURI() != "":
		forwardReq.Header.Set(xForwardedURI, req.URL.RequestURI())
	default:
		forwardReq.Header.Del(xForwardedURI)
	}
}
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`package auth`

			`import (`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`"context"`
			`"crypto/tls"`
			`"fmt"`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`"io/ioutil"`
			`"net"`
			`"net/http"`
			`"strings"`

Move code to pkg 2019-03-15 08:42:03 +00:00			`"github.com/containous/traefik/pkg/config"`
			`"github.com/containous/traefik/pkg/middlewares"`
			`"github.com/containous/traefik/pkg/tracing"`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`"github.com/opentracing/opentracing-go/ext"`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`"github.com/vulcand/oxy/forward"`
			`"github.com/vulcand/oxy/utils"`
			`)`

Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00			`const (`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`xForwardedURI = "X-Forwarded-Uri"`
			`xForwardedMethod = "X-Forwarded-Method"`
			`forwardedTypeName = "ForwardedAuthType"`
Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00			`)`

Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`type forwardAuth struct {`
			`address string`
			`authResponseHeaders []string`
			`next http.Handler`
			`name string`
			`tlsConfig *tls.Config`
			`trustForwardHeader bool`
			`}`

			`// NewForward creates a forward auth middleware.`
			`func NewForward(ctx context.Context, next http.Handler, config config.ForwardAuth, name string) (http.Handler, error) {`
			`middlewares.GetLogger(ctx, name, forwardedTypeName).Debug("Creating middleware")`

			`fa := &forwardAuth{`
			`address: config.Address,`
			`authResponseHeaders: config.AuthResponseHeaders,`
			`next: next,`
			`name: name,`
			`trustForwardHeader: config.TrustForwardHeader,`
Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00			`}`
Forward auth: copy response headers when auth failed. 2018-04-23 13:28:04 +00:00
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`if config.TLS != nil {`
			`tlsConfig, err := config.TLS.CreateTLSConfig()`
			`if err != nil {`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`return nil, err`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`}`
Forward auth: copy response headers when auth failed. 2018-04-23 13:28:04 +00:00
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`fa.tlsConfig = tlsConfig`
			`}`

			`return fa, nil`
			`}`

			`func (fa *forwardAuth) GetTracingInformation() (string, ext.SpanKindEnum) {`
			`return fa.name, ext.SpanKindRPCClientEnum`
			`}`

			`func (fa forwardAuth) ServeHTTP(rw http.ResponseWriter, req http.Request) {`
			`logger := middlewares.GetLogger(req.Context(), fa.name, forwardedTypeName)`

			`// Ensure our request client does not follow redirects`
			`httpClient := http.Client{`
			`CheckRedirect: func(r http.Request, via []http.Request) error {`
			`return http.ErrUseLastResponse`
			`},`
			`}`

			`if fa.tlsConfig != nil {`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`httpClient.Transport = &http.Transport{`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`TLSClientConfig: fa.tlsConfig,`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`}`
			`}`
Forward auth: copy response headers when auth failed. 2018-04-23 13:28:04 +00:00
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`forwardReq, err := http.NewRequest(http.MethodGet, fa.address, nil)`
			`tracing.LogRequest(tracing.GetSpan(req), forwardReq)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`if err != nil {`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`logMessage := fmt.Sprintf("Error calling %s. Cause %s", fa.address, err)`
			`logger.Debug(logMessage)`
			`tracing.SetErrorWithEvent(req, logMessage)`

			`rw.WriteHeader(http.StatusInternalServerError)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`return`
			`}`

Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`writeHeader(req, forwardReq, fa.trustForwardHeader)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00
Opentracing support 2018-01-10 16:48:04 +00:00			`tracing.InjectRequestHeaders(forwardReq)`

Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardResponse, forwardErr := httpClient.Do(forwardReq)`
			`if forwardErr != nil {`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`logMessage := fmt.Sprintf("Error calling %s. Cause: %s", fa.address, forwardErr)`
			`logger.Debug(logMessage)`
			`tracing.SetErrorWithEvent(req, logMessage)`

			`rw.WriteHeader(http.StatusInternalServerError)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`return`
			`}`

			`body, readError := ioutil.ReadAll(forwardResponse.Body)`
			`if readError != nil {`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`logMessage := fmt.Sprintf("Error reading body %s. Cause: %s", fa.address, readError)`
			`logger.Debug(logMessage)`
			`tracing.SetErrorWithEvent(req, logMessage)`

			`rw.WriteHeader(http.StatusInternalServerError)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`return`
			`}`
			`defer forwardResponse.Body.Close()`

Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00			`// Pass the forward response's body and selected headers if it`
			`// didn't return a response within the range of [200, 300).`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`if forwardResponse.StatusCode < http.StatusOK \|\| forwardResponse.StatusCode >= http.StatusMultipleChoices {`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`logger.Debugf("Remote error %s. StatusCode: %d", fa.address, forwardResponse.StatusCode)`
Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`utils.CopyHeaders(rw.Header(), forwardResponse.Header)`
			`utils.RemoveHeaders(rw.Header(), forward.HopHeaders...)`
Forward auth: copy response headers when auth failed. 2018-04-23 13:28:04 +00:00
Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00			`// Grab the location header, if any.`
			`redirectURL, err := forwardResponse.Location()`

			`if err != nil {`
			`if err != http.ErrNoLocation {`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`logMessage := fmt.Sprintf("Error reading response location header %s. Cause: %s", fa.address, err)`
			`logger.Debug(logMessage)`
			`tracing.SetErrorWithEvent(req, logMessage)`

			`rw.WriteHeader(http.StatusInternalServerError)`
Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00			`return`
			`}`
			`} else if redirectURL.String() != "" {`
			`// Set the location in our response if one was sent back.`
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`rw.Header().Set("Location", redirectURL.String())`
Pass through certain forward auth negative response headers 2017-11-02 10:06:03 +00:00			`}`

Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`tracing.LogResponseCode(tracing.GetSpan(req), forwardResponse.StatusCode)`
			`rw.WriteHeader(forwardResponse.StatusCode)`
Small code enhancements 2018-08-06 18:00:03 +00:00
Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`if _, err = rw.Write(body); err != nil {`
			`logger.Error(err)`
Small code enhancements 2018-08-06 18:00:03 +00:00			`}`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`return`
			`}`

Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`for _, headerName := range fa.authResponseHeaders {`
			`req.Header.Set(headerName, forwardResponse.Header.Get(headerName))`
Forward auth headers 2018-06-30 05:54:03 +00:00			`}`

Dynamic Configuration Refactoring 2018-11-14 09:18:03 +00:00			`req.RequestURI = req.URL.RequestURI()`
			`fa.next.ServeHTTP(rw, req)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`}`

			`func writeHeader(req http.Request, forwardReq http.Request, trustForwardHeader bool) {`
			`utils.CopyHeaders(forwardReq.Header, req.Header)`
Merge v1.7.0 into master 2018-09-25 13:06:03 +00:00			`utils.RemoveHeaders(forwardReq.Header, forward.HopHeaders...)`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00
			`if clientIP, _, err := net.SplitHostPort(req.RemoteAddr); err == nil {`
			`if trustForwardHeader {`
			`if prior, ok := req.Header[forward.XForwardedFor]; ok {`
			`clientIP = strings.Join(prior, ", ") + ", " + clientIP`
			`}`
			`}`
			`forwardReq.Header.Set(forward.XForwardedFor, clientIP)`
			`}`

refactor: applies linting. 2019-02-05 16:10:03 +00:00			`xMethod := req.Header.Get(xForwardedMethod)`
			`switch {`
			`case xMethod != "" && trustForwardHeader:`
Add xforwarded method 2018-06-13 13:14:03 +00:00			`forwardReq.Header.Set(xForwardedMethod, xMethod)`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`case req.Method != "":`
Add xforwarded method 2018-06-13 13:14:03 +00:00			`forwardReq.Header.Set(xForwardedMethod, req.Method)`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`default:`
Add xforwarded method 2018-06-13 13:14:03 +00:00			`forwardReq.Header.Del(xForwardedMethod)`
			`}`

refactor: applies linting. 2019-02-05 16:10:03 +00:00			`xfp := req.Header.Get(forward.XForwardedProto)`
			`switch {`
			`case xfp != "" && trustForwardHeader:`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardReq.Header.Set(forward.XForwardedProto, xfp)`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`case req.TLS != nil:`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardReq.Header.Set(forward.XForwardedProto, "https")`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`default:`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardReq.Header.Set(forward.XForwardedProto, "http")`
			`}`

			`if xfp := req.Header.Get(forward.XForwardedPort); xfp != "" && trustForwardHeader {`
			`forwardReq.Header.Set(forward.XForwardedPort, xfp)`
			`}`

refactor: applies linting. 2019-02-05 16:10:03 +00:00			`xfh := req.Header.Get(forward.XForwardedHost)`
			`switch {`
			`case xfh != "" && trustForwardHeader:`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardReq.Header.Set(forward.XForwardedHost, xfh)`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`case req.Host != "":`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardReq.Header.Set(forward.XForwardedHost, req.Host)`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`default:`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`forwardReq.Header.Del(forward.XForwardedHost)`
			`}`
Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`xfURI := req.Header.Get(xForwardedURI)`
			`switch {`
			`case xfURI != "" && trustForwardHeader:`
Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00			`forwardReq.Header.Set(xForwardedURI, xfURI)`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`case req.URL.RequestURI() != "":`
Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00			`forwardReq.Header.Set(xForwardedURI, req.URL.RequestURI())`
refactor: applies linting. 2019-02-05 16:10:03 +00:00			`default:`
Forward Authentication: add X-Forwarded-Uri 2017-12-09 23:58:21 +00:00			`forwardReq.Header.Del(xForwardedURI)`
			`}`
Manage Headers for the Authentication forwarding. 2017-09-18 15:48:07 +00:00			`}`