[keycloak-dev] Issue with Path normalization and decoding

Francesco Ciocchetti fciocchetti at mintel.com
Tue Jul 16 11:37:43 EDT 2019


Hi

I have been trying to use *keycloak-gatekeeper* to secure a Jenkins service;
the main reason for me to use the gatekeeper rather than the Jenkins OIDC
plugin is the filtering on groups that the gatekeeper supports.

Jenkins does perform a reverse proxy test as in:

https://localhost:6001/administrativeMonitor/hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/https%3A%2F%2Flocalhost%3A6001%2Fmanage/

which includes the encoded location at the end:
*https%3A%2F%2Flocalhost%3A6001%2Fmanage/*

I hit an issue with func entrypointMiddleware
<https://github.com/keycloak/keycloak-gatekeeper/blob/master/middleware.go#L41>
since:
1. the normalize flags will remove any "doubleSlash"
2. the rawPath in the request is overwritten with the path here
<https://github.com/keycloak/keycloak-gatekeeper/blob/master/middleware.go#L65>,
losing the actual encoded URL

Is there some "security" reason to get rid of the *RawPath*?
When the rawPath and Path match, the encoded rawPath will be used (see
https://golang.org/pkg/net/url/#URL).

I am currently running a patched version from my fork
(https://github.com/keycloak/keycloak-gatekeeper/compare/master...primeroz:jenkins-rp-support).

But this is more of a POC than anything else, since I am not sure of the
implications of those changes and whether it is a good idea at all to do this.

What do you guys think?


Francesco Ciocchetti
Site Reliability Engineer
Mintel Group Ltd.
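The two orderings discussed in the post, as an added Go example that is not the gatekeeper's code: `cleanPath`, `normalizeLossy` and `normalizeLossless` are hypothetical names, `path.Clean` stands in for the normalize step, and the sample is the Jenkins test URL quoted above. Cleaning the decoded `Path` and dropping `RawPath` collapses the `//` that `%2F%2F` decoded to; cleaning the escaped form and keeping `RawPath` consistent with `Path` (as the `url.URL` docs require) preserves the encoded segment.

```go
package main

import (
	"net/url"
	"path"
	"strings"
)

// Constructed sample: the Jenkins reverse-proxy test URL quoted in the post.
// The last segment is a percent-encoded URL, so the %2F's must survive.
const jenkinsTestURL = "https://localhost:6001/administrativeMonitor/" +
	"hudson.diagnosis.ReverseProxySetupMonitor/testForReverseProxySetup/" +
	"https%3A%2F%2Flocalhost%3A6001%2Fmanage/"

// cleanPath stands in for the normalizer (hypothetical): path.Clean collapses
// "//" and dot segments; the trailing slash it strips is put back.
func cleanPath(p string) string {
	c := path.Clean(p)
	if strings.HasSuffix(p, "/") && c != "/" {
		c += "/"
	}
	return c
}

// normalizeLossy is the order of operations the post describes (hypothetical
// re-implementation): clean the decoded Path and drop RawPath. The decoded
// path holds a literal "//", which is collapsed, and EscapedPath() can then
// only re-derive the escaped form from the already damaged Path.
func normalizeLossy(u *url.URL) string {
	u.Path = cleanPath(u.Path)
	u.RawPath = ""
	return u.EscapedPath()
}

// normalizeLossless cleans the escaped form instead, so "%2F" is never seen
// as a separator, then keeps RawPath and Path in sync: net/url only honours
// RawPath when it is a valid encoding of Path, so both fields are set.
func normalizeLossless(u *url.URL) (string, error) {
	raw := cleanPath(u.EscapedPath())
	decoded, err := url.PathUnescape(raw)
	if err != nil {
		return "", err
	}
	u.Path, u.RawPath = decoded, raw
	return u.EscapedPath(), nil
}
```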

