[keycloak-dev] Issue with Path normalization and decoding
Francesco Ciocchetti
fciocchetti at mintel.com
Tue Jul 16 11:37:43 EDT 2019
Hi
I have been trying to use *keycloak-gatekeeper* to secure a Jenkins service; the main reason for me to use the gatekeeper rather than the Jenkins OIDC plugin is the filtering on groups that the gatekeeper supports.
Jenkins does perform a reverse proxy test as in:
https://localhost:6001/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https%3A%2F%2Flocalhost%3A6001%2Fmanage/
which includes the encoded location at the end:
https%3A%2F%2Flocalhost%3A6001%2Fmanage/
I hit an issue with func entrypointMiddleware
<https://github.com/keycloak/keycloak-gatekeeper/blob/master/middleware.go#L41>
since:
1. the normalize flags will remove any "doubleSlash"
2. the rawPath in the request is overwritten with the path here
<https://github.com/keycloak/keycloak-gatekeeper/blob/master/middleware.go#L65>,
losing the actual encoded URL
Is there some "security" reason to get rid of the RawPath?
When the rawPath and Path match, then the encoded rawPath will be used (see
https://golang.org/pkg/net/url/#URL ).
I am currently running a patched version from my fork (
https://github.com/keycloak/keycloak-gatekeeper/compare/master...primeroz:jenkins-rp-support
),
but this is more of a POC than anything else, since I am not sure of the
implications of those changes and whether it is a good idea at all to do this.
What do you guys think ?
Francesco Ciocchetti
Site Reliability Engineer
Mintel Group Ltd.
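To make the RawPath point concrete, here is an added Go example (not the gatekeeper's own code, and not part of the original post). It parses the Jenkins self-test URL quoted above and compares two ways of applying a "collapse double slashes" normalization: one that rewrites the decoded Path and then copies it over RawPath, as the post describes the middleware doing, and one that normalizes the escaped form and keeps Path and RawPath consistent. The helper `collapseSlashes` is a hypothetical stand-in for the gatekeeper's normalization flag; the second sample path is constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Sample input quoted from the post: the reverse-proxy self-test URL that
// Jenkins requests. Its last path segment is a percent-encoded URL.
const jenkinsTestURL = "https://localhost:6001/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https%3A%2F%2Flocalhost%3A6001%2Fmanage/"

// collapseSlashes folds runs of "/" into one. It is a hypothetical stand-in
// for the "doubleSlash" normalization the post refers to.
func collapseSlashes(p string) string {
	for strings.Contains(p, "//") {
		p = strings.ReplaceAll(p, "//", "/")
	}
	return p
}

// lossyNormalize mirrors the behaviour described in the post: the already
// decoded Path is normalized and then copied over RawPath. Because net/url
// decoded %3A and %2F into Path at parse time, the fact that they were
// encoded is gone, and the "//" of the embedded https:// gets collapsed too.
func lossyNormalize(u *url.URL) string {
	u.Path = collapseSlashes(u.Path)
	u.RawPath = u.Path
	return u.EscapedPath()
}

// preservingNormalize normalizes the escaped form instead, so only literal
// "/" separators are folded and percent-encoded octets stay as sent. Path and
// RawPath are then set together, because EscapedPath only honours RawPath
// when RawPath decodes to exactly Path.
func preservingNormalize(u *url.URL) (string, error) {
	raw := collapseSlashes(u.EscapedPath())
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	u.Path = decoded
	u.RawPath = raw
	return u.EscapedPath(), nil
}

func main() {
	inputs := []string{
		jenkinsTestURL,
		"https://localhost:6001/manage//jobs/", // constructed: a literal double slash
	}
	for _, in := range inputs {
		u1, err := url.Parse(in)
		if err != nil {
			panic(err)
		}
		u2, _ := url.Parse(in)
		lossy := lossyNormalize(u1)
		kept, err := preservingNormalize(u2)
		if err != nil {
			panic(err)
		}
		fmt.Printf("input:      %s\nlossy:      %s\npreserving: %s\n\n", in, lossy, kept)
	}
}
```

For the Jenkins URL the lossy variant forwards `.../testForReverseProxySetup/https:/localhost:6001/manage/`, which is not the segment Jenkins expects, while the preserving variant forwards the `%3A%2F%2F` form unchanged; for the constructed `/manage//jobs/` both agree on `/manage/jobs/`. Whichever representation a proxy normalizes, the upstream has to interpret the path the same way, otherwise a rule evaluated against one form describes a different resource than the one the upstream serves.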