fix(server): Fix issue with auto oauth redirect URL in callback and h…

…andle proxies (#6175) handle proxies Signed-off-by: Stefan Sedich <[email protected]>
argoproj · Jun 22, 2021 · 0e94283 · 0e94283
1 parent 0cc5a24
commit 0e94283
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 16 deletions.
diff --git a/go.mod b/go.mod
@@ -31,6 +31,7 @@ require (
  github.com/go-swagger/go-swagger v0.25.0
  github.com/gogo/protobuf v1.3.2
  github.com/golang/protobuf v1.4.3
+ github.com/gorilla/handlers v1.4.2
  github.com/gorilla/websocket v1.4.2
  github.com/grpc-ecosystem/go-grpc-middleware v1.1.0
  github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0

diff --git a/server/apiserver/argoserver.go b/server/apiserver/argoserver.go
@@ -7,6 +7,7 @@ import (
  "net/http"
  "time"
 
+ "github.com/gorilla/handlers"
  grpc_middleware "github.com/grpc-ecosystem/go-grpc-middleware"
  grpc_logrus "github.com/grpc-ecosystem/go-grpc-middleware/logging/logrus"
  grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
@@ -307,8 +308,8 @@ func (as *argoServer) newHTTPServer(ctx context.Context, port int, artifactServe
  mux.HandleFunc("/input-artifacts/", artifactServer.GetInputArtifact)
  mux.HandleFunc("/artifacts-by-uid/", artifactServer.GetOutputArtifactByUID)
  mux.HandleFunc("/input-artifacts-by-uid/", artifactServer.GetInputArtifactByUID)
- mux.HandleFunc("/oauth2/redirect", as.oAuth2Service.HandleRedirect)
- mux.HandleFunc("/oauth2/callback", as.oAuth2Service.HandleCallback)
+ mux.Handle("/oauth2/redirect", handlers.ProxyHeaders(http.HandlerFunc(as.oAuth2Service.HandleRedirect)))
+ mux.Handle("/oauth2/callback", handlers.ProxyHeaders(http.HandlerFunc(as.oAuth2Service.HandleCallback)))
  mux.Handle("/metrics", promhttp.Handler())
  // we only enable HTST if we are secure mode, otherwise you would never be able access the UI
  mux.HandleFunc("/", static.NewFilesServer(as.baseHRef, as.tlsConfig != nil && as.hsts, as.xframeOptions, as.accessControlAllowOrigin).ServerFiles)

diff --git a/server/auth/sso/sso.go b/server/auth/sso/sso.go
@@ -190,7 +190,6 @@ func newSso(
 func (s *sso) HandleRedirect(w http.ResponseWriter, r *http.Request) {
  redirectUrl := r.URL.Query().Get("redirect")
  state := pkgrand.RandString(10)
- opts := []oauth2.AuthCodeOption{}
  http.SetCookie(w, &http.Cookie{
  Name: state,
  Value: redirectUrl,
@@ -200,18 +199,8 @@ func (s *sso) HandleRedirect(w http.ResponseWriter, r *http.Request) {
  Secure: s.secure,
  })
 
- if s.config.RedirectURL == "" {
- proto := "http"
-
- if s.secure {
- proto = "https"
- }
-
- oauthRedirectUri := fmt.Sprintf("%s:https://%s%soauth2/callback", proto, r.Host, s.baseHRef)
- opts = append(opts, oauth2.SetAuthURLParam("redirect_uri", oauthRedirectUri))
- }
-
- http.Redirect(w, r, s.config.AuthCodeURL(state, opts...), http.StatusFound)
+ redirectOption := oauth2.SetAuthURLParam("redirect_uri", s.getRedirectUrl(r))
+ http.Redirect(w, r, s.config.AuthCodeURL(state, redirectOption), http.StatusFound)
 }
 
 func (s *sso) HandleCallback(w http.ResponseWriter, r *http.Request) {
@@ -224,7 +213,8 @@ func (s *sso) HandleCallback(w http.ResponseWriter, r *http.Request) {
  _, _ = w.Write([]byte(fmt.Sprintf("invalid state: %v", err)))
  return
  }
- oauth2Token, err := s.config.Exchange(ctx, r.URL.Query().Get("code"))
+ redirectOption := oauth2.SetAuthURLParam("redirect_uri", s.getRedirectUrl(r))
+ oauth2Token, err := s.config.Exchange(ctx, r.URL.Query().Get("code"), redirectOption)
  if err != nil {
  w.WriteHeader(401)
  _, _ = w.Write([]byte(fmt.Sprintf("failed to exchange token: %v", err)))
@@ -295,3 +285,19 @@ func (s *sso) Authorize(authorization string) (*types.Claims, error) {
  }
  return c, nil
 }
+
+func (s *sso) getRedirectUrl(r *http.Request) string {
+ if s.config.RedirectURL != "" {
+ return s.config.RedirectURL
+ }
+
+ proto := "http"
+
+ if r.URL.Scheme != "" {
+ proto = r.URL.Scheme
+ } else if s.secure {
+ proto = "https"
+ }
+
+ return fmt.Sprintf("%s:https://%s%soauth2/callback", proto, r.Host, s.baseHRef)
+}