Enforce wildcard (louketo#338)
* Enforce Wildcard

- some people haven't picked up on the breaking change to the URLs, i.e. uri=/* not uri=/
  this PR forces people to update the configuration

* - updating the CHANGELOG to reflect changes
- updating the config_sample as well
gambol99 authored Mar 29, 2018
1 parent 9bd9cb1 commit 7e5633a
Showing 6 changed files with 17 additions and 6 deletions.
5 changes: 3 additions & 2 deletions CHANGELOG.md
@@ -3,15 +3,16 @@

FEATURES:
* Added a --enable-default-deny option to make denial by default [#PR320](https://github.com/gambol99/keycloak-proxy/pull/320)
* Added a `enable-logout-redirect` which redirects the /oauth/logout to the provider [#PR327](https://github.com/gambol99/keycloak-proxy/pull/327)
* Added environment variables alternatives for the forwarding username and password [#PR329]https://github.com/gambol99/keycloak-proxy/pull/329)
* Added metrics latency metrics for the forwarding proxy and the certificate rotation [#PR325](https://github.com/gambol99/keycloak-proxy/pull/325)
* Added spelling check to the tests [#PR322](https://github.com/gambol99/keycloak-proxy/pull/322)
* Added the X-Auth-Audience to the upstream headers [#PR319](https://github.com/gambol99/keycloak-proxy/pull/319)
* Added the ability to control the timeout on the initial openid configuration from .well-known/openid-configuration [#PR315](https://github.com/gambol99/keycloak-proxy/pull/315)
* Added the feature to customize the oauth prefix (defaults to /oauth) [#PR326](https://github.com/gambol99/keycloak-proxy/pull/326)
* Added a `enable-logout-redirect` which redirects the /oauth/logout to the provider [#PR327](https://github.com/gambol99/keycloak-proxy/pull/327)
* Adding additional metrics covering provider request latency, token breakdown [#PR324](https://github.com/gambol99/keycloak-proxy/pull/324)
* Added environment variables alternatives for the forwarding username and password [#PR329]https://github.com/gambol99/keycloak-proxy/pull/329)
* Changed the upstream-keepalive to default to true [#PR321](https://github.com/gambol99/keycloak-proxy/pull/321)
* Force configuration to use the wildcard [#PR338](https://github.com/gambol99/keycloak-proxy/pull/338)
* Updated the docker base image alpine 3.7 [#PR313](https://github.com/gambol99/keycloak-proxy/pull/313)
* Updated to Golang version 1.10 [#PR316](https://github.com/gambol99/keycloak-proxy/pull/316)

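Review bot: the moved `#PR329` entry (`* Added environment variables alternatives ... [#PR329]https://github.com/gambol99/keycloak-proxy/pull/329)`) still carries the broken link markup it had before the move: the `(` after `[#PR329]` is missing, so it will not render as a link; change it to `[#PR329](https://github.com/gambol99/keycloak-proxy/pull/329)`. The new `Force configuration to use the wildcard` entry is listed under FEATURES, but the commit message says the point of this PR is to force people to update their configuration, and the `resource.go` change makes a `uri` ending in `/` fail validation at startup unless it is white-listed; that deserves a BREAKING CHANGES line (or at least that sentence in the entry) so operators are not surprised by a proxy that refuses to start after an upgrade.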
4 changes: 2 additions & 2 deletions README.md
@@ -57,7 +57,7 @@ GLOBAL OPTIONS:
--scopes value list of scopes requested when authenticating the user
--upstream-url value url for the upstream endpoint you wish to proxy [$PROXY_UPSTREAM_URL]
--upstream-ca value the path to a file container a CA certificate to validate the upstream tls endpoint
--resources value list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2'
--resources value list of resources 'uri=/admin*|methods=GET,PUT|roles=role1,role2'
--headers value custom headers to the upstream request, key=value
--enable-default-deny enables a default denial on all requests, you have to explicitly say what is permitted (recommended) (default: false)
--enable-encrypted-token enable encryption for the access tokens (default: false)
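Review bot: the example in the `--resources` description now reads `uri=/admin*`, but the description itself does not say that a `uri` ending in `/` is now rejected unless the resource is white-listed, which is the rule this PR introduces; a reader of `--help` only learns it when the proxy fails to start. Add a short clause such as "a uri ending in / must carry a trailing * unless white-listed" to the description. Unrelated but adjacent: the `--upstream-ca` line reads `file container a CA certificate`, where `containing` is meant.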
@@ -508,7 +508,7 @@ Or on the command line
```shell
--resources "uri=/some_white_listed_url|white-listed=true"
--resources "uri=/*" # requires authentication on the rest
--resources "uri=/admin|roles=admin,superuser|methods=POST,DELETE
--resources "uri=/admin*|roles=admin,superuser|methods=POST,DELETE
```
#### **Mutual TLS**
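Review bot: the replacement line `--resources "uri=/admin*|roles=admin,superuser|methods=POST,DELETE` is missing its closing double quote (the line it replaces had the same defect); since this block is tagged `shell`, anyone copying it gets an unterminated string. Add the closing `"` while this line is being touched.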
2 changes: 1 addition & 1 deletion config_sample.yml
@@ -57,7 +57,7 @@ add-claims:
- name
# a collection of resource i.e. urls that you wish to protect
resources:
- uri: /admin/test
- uri: /admin/test*
# the methods on this url that should be protected, if missing, we assuming all
methods:
- GET
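Review bot: `uri: /admin/test*` is consistent with the other files, but the sample shows the wildcard without saying why it is there; the comment above the `resources:` block (`a collection of resource i.e. urls that you wish to protect`) is the natural place to state the new rule: a `uri` ending in `/` is rejected at startup unless `white-listed` is set, and a `uri` without `*` only covers that exact path. Note also that the validation added in `resource.go` only catches a trailing `/`, so the previous value `/admin/test` (no slash, no `*`) would still have passed; the sample should explain the wildcard rather than rely on the check to enforce it.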
2 changes: 1 addition & 1 deletion doc.go
@@ -173,7 +173,7 @@ type Config struct {
// UpstreamCA is the path to a CA certificate in PEM format to validate the upstream certificate
UpstreamCA string `json:"upstream-ca" yaml:"upstream-ca" usage:"the path to a file container a CA certificate to validate the upstream tls endpoint"`
// Resources is a list of protected resources
Resources []*Resource `json:"resources" yaml:"resources" usage:"list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2'"`
Resources []*Resource `json:"resources" yaml:"resources" usage:"list of resources 'uri=/admin*|methods=GET,PUT|roles=role1,role2'"`
// Headers permits adding customs headers across the board
Headers map[string]string `json:"headers" yaml:"headers" usage:"custom headers to the upstream request, key=value"`

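Review bot: the `usage` tag on `Resources` now matches the README example, but since this string is what the CLI help prints, it should also state the new constraint (a `uri` ending in `/` must use `*` unless white-listed) rather than only showing `uri=/admin*` by example. The adjacent `UpstreamCA` usage text has the same `file container a CA certificate` typo as the README (`containing` is meant); it is a context line here, but worth fixing in the same pass.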
4 changes: 4 additions & 0 deletions resource.go
@@ -80,6 +80,10 @@ func (r *Resource) valid() error {
if r.URL == "" {
return errors.New("resource does not have url")
}
if strings.HasSuffix(r.URL, "/") && !r.WhiteListed {
return fmt.Errorf("you need a wildcard on the url resource to cover all request i.e. --resources=uri=%s*", r.URL)
}

// step: add any of no methods
if len(r.Methods) <= 0 {
r.Methods = allHTTPMethods
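Review bot: the new check only rejects a URL that ends in `/`, so a resource such as `uri=/admin` (no trailing slash, no `*`) still passes `valid()` even though, by the logic of the error message itself, it needs a wildcard to cover anything under that prefix; if the goal stated in the commit message is to force people onto the wildcard form, the same `fmt.Errorf` hint should fire for any URL that does not contain `*`, or the comment above the check should say it deliberately only catches the trailing-slash case. The `!r.WhiteListed` exemption is the right call for an intentionally open `/`, but it also means a mistyped `white-listed` on `/` silently opens everything, so the error text could mention that a white-listed `/` bypasses authentication for the whole site. Minor: `cover all request` should read `cover all requests`. Finally, the hunk does not show the import block, so confirm `strings` and `fmt` are already imported in resource.go.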
6 changes: 6 additions & 0 deletions resource_test.go
@@ -101,6 +101,12 @@ func TestIsValid(t *testing.T) {
Resource: &Resource{URL: "/test", Methods: []string{"GET"}},
Ok: true,
},
{
Resource: &Resource{URL: "/", Methods: allHTTPMethods},
},
{
Resource: &Resource{URL: "/admin/", Methods: allHTTPMethods},
},
{
Resource: &Resource{},
},
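Review bot: the two new cases rely on the zero value of `Ok` (false) to mean "expected invalid", which is consistent with the surrounding table, but the positive side of the new rule is untested: add a case with `URL: "/", WhiteListed: true` and `Ok: true` to lock in the white-list exemption, and one with `URL: "/admin*"` (the form the error message recommends) and `Ok: true` to confirm the wildcard form passes. Without those, a later change that either tightens the check to reject every non-wildcard URL or drops the exemption would not be caught here.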

0 comments on commit 7e5633a