AUTH-3513: Checks header for app info in case response is a 403/401 from the edge

Michael Borkenstein 2021-04-20 12:04:00 -05:00
parent eed7d7bbc9
commit aca0c93461
1 changed files with 13 additions and 8 deletions


@ -25,6 +25,7 @@ const (
keyName = "token" keyName = "token"
tokenCookie = "CF_Authorization" tokenCookie = "CF_Authorization"
appDomainHeader = "CF-Access-Domain" appDomainHeader = "CF-Access-Domain"
appAUDHeader = "CF-Access-Aud"
AccessLoginWorkerPath = "/cdn-cgi/access/login" AccessLoginWorkerPath = "/cdn-cgi/access/login"
) )
@ -270,15 +271,20 @@ func GetAppInfo(reqURL *url.URL) (*AppInfo, error) {
return nil, errors.Wrap(err, "failed to get app info") return nil, errors.Wrap(err, "failed to get app info")
} }
resp.Body.Close() resp.Body.Close()
location := resp.Request.URL
if !strings.Contains(location.Path, AccessLoginWorkerPath) {
return nil, fmt.Errorf("failed to get Access app info for %s", reqURL.String())
}
aud := resp.Request.URL.Query().Get("kid") var aud string
location := resp.Request.URL
if strings.Contains(location.Path, AccessLoginWorkerPath) {
aud = resp.Request.URL.Query().Get("kid")
if aud == "" { if aud == "" {
return nil, errors.New("Empty app aud") return nil, errors.New("Empty app aud")
} }
} else if audHeader := resp.Header.Get(appAUDHeader); audHeader != "" {
// 403/401 from the edge will have aud in a header
aud = audHeader
} else {
return nil, fmt.Errorf("failed to get Access app info for %s", reqURL.String())
}
domain := resp.Header.Get(appDomainHeader) domain := resp.Header.Get(appDomainHeader)
if domain == "" { if domain == "" {
@ -286,7 +292,6 @@ func GetAppInfo(reqURL *url.URL) (*AppInfo, error) {
} }
return &AppInfo{location.Hostname(), aud, domain}, nil return &AppInfo{location.Hostname(), aud, domain}, nil
} }
// exchangeOrgToken attaches an org token to a request to the appURL and returns an app token. This uses the Access SSO // exchangeOrgToken attaches an org token to a request to the appURL and returns an app token. This uses the Access SSO
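Review bot: The new `else if audHeader := resp.Header.Get(appAUDHeader)` branch trusts the `CF-Access-Aud` header from any response that did not end up on the login-worker path, but the comment right above it says only a 401/403 from the edge carries that header, and nothing in the hunk checks `resp.StatusCode`, so a 200 or 5xx from an origin or intermediary that happens to set that header would be accepted as the app's aud. Gate the branch on the status the comment promises, e.g. `} else if audHeader := resp.Header.Get(appAUDHeader); audHeader != "" && (resp.StatusCode == http.StatusUnauthorized || resp.StatusCode == http.StatusForbidden) {` (assuming `net/http` is already imported, as `resp` suggests), and extend the comment to say the header is only meaningful because the request is answered by the Cloudflare edge rather than the origin. Note also that in this branch `location` is the request's final URL, so the `location.Hostname()` placed in the returned AppInfo is the app host rather than the login-worker host as in the old code; if that is intended, a one-line comment such as `// on a direct 401/403 location is the app URL itself, not the login worker` would save the next reader a check. GetAppInfo starts before this hunk, so whether the client that produced `resp` follows redirects is not visible here.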