louketo / louketo-proxy

A OpenID / Proxy service
Apache License 2.0
950 stars, 343 forks

Unable to deny access to only some files in subfolders #654

Open escoand opened 4 years ago

escoand commented 4 years ago

Title

Unable to deny access to only some files in subfolders

Summary

It's not completely clear how to set multiple resources parameters correctly when using wildcards. My current configuration is this:

/usr/local/bin/keycloak-gatekeeper \
    --listen "0.0.0.0:$PORT" \
    --upstream-url "http://127.0.0.1:81" \
    --client-id "$OIDC_CLIENT_ID" \
    --client-secret "$OIDC_CLIENT_SECRET" \
    --discovery-url "$OIDC_DISCOVERY_URL" \
    --enable-default-deny=true \
    --sign-in-page="/www/login.html" \
    --forbidden-page="/www/forbidden.html" \
    --resources "uri=/|white-listed=true" \
    --resources "uri=/css/*|white-listed=true" \
    --resources "uri=/favicon.ico|white-listed=true" \
    --resources "uri=/health|white-listed=true" \
    --resources "uri=/img/*|white-listed=true" \
    --resources "uri=/index.html|white-listed=true" \
    --resources "uri=/js/*|white-listed=true" \
    --resources "uri=/ws|white-listed=true" \
    --resources "uri=/*/|white-listed=true" \
    --resources "uri=/*/index.html|white-listed=true" \
    --resources "uri=/*/menu.html|white-listed=true" \
    --resources "uri=/*/*.css|white-listed=true" \
    --resources "uri=/*/*|roles=role1,rol2|require-any-role=true"

Environment

Version of everything that it's running in your environment:

Expected Results

I would like to white list access to index.html, menu.html and *.css in subfolders, but deny on any other file. But I found no way to do so. Don't know if this is a bug or just not possible currently.

Actual Results

Every file in a subfolder (except /css/, /img/ and /js/) is denied.

Steps to reproduce

Additional Information

jangaraj commented 4 years ago

I would like to white list access to index.html, menu.html and *.css in subfolders

But you are whitelisting a bunch of resources. Why?

    --resources "uri=/|white-listed=true" \
    --resources "uri=/css/*|white-listed=true" \
    --resources "uri=/favicon.ico|white-listed=true" \
    --resources "uri=/health|white-listed=true" \
    --resources "uri=/img/*|white-listed=true" \
    --resources "uri=/index.html|white-listed=true" \
    --resources "uri=/js/*|white-listed=true" \
    --resources "uri=/ws|white-listed=true" \
    --resources "uri=/*/|white-listed=true" \
    --resources "uri=/*/index.html|white-listed=true" \
    --resources "uri=/*/menu.html|white-listed=true" \
    --resources "uri=/*/*.css|white-listed=true" \

Why not only?:

--resources "uri=/index.html|white-listed=true" \
--resources "uri=/menu.html|white-listed=true" \
--resources "uri=/*/*.css|white-listed=true" \

You will get a deny response only when a role is defined for the resource AND that role is not in the user's access token. So I would try to define a "deny" wildcard resource and then explicitly whitelist selected resources.

--resources "uri=/*|roles=role-which-doesnt-exist" \
--resources "uri=/index.html|white-listed=true" \
--resources "uri=/menu.html|white-listed=true" \
--resources "uri=/*/*.css|white-listed=true" \

It may need more tweaking.

escoand commented 4 years ago

I would like to white list access to index.html, menu.html and *.css in subfolders

But you are whitelisting a bunch of resources. Why?

I meant index.html in subfolders, menu.html in subfolders and *.css in subfolders. These files should be accessible without login, but not the other files in subfolders.

You will get a deny response only when a role is defined for the resource AND that role is not in the user's access token. So I would try to define a "deny" wildcard resource and then explicitly whitelist selected resources.

Obviously my question was a bit misleading. With "deny" I meant "redirects to login".

escoand commented 4 years ago

I think the stripped down question is: in which order are these resources evaluated, and does it stop after the first match?

    --resources "uri=/*/index.html|white-listed=true" \
    --resources "uri=/*/menu.html|white-listed=true" \
    --resources "uri=/*/*|roles=role1,rol2|require-any-role=true"

escoand commented 4 years ago

Maybe the problem is related to #661 and this is the only problem.

crubier commented 4 years ago

@escoand indeed, in my experience as explained in #661, --resources "uri=/*/menu.html|white-listed=true" is equivalent to --resources "uri=/*|white-listed=true", which does explain this issue too.
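The two questions running through this thread, whether evaluation stops at the first matching `--resources` entry and what a `*` in `uri=` actually covers, can be checked against a concrete rule list before it is deployed. The following Go program is an added illustration, not louketo-proxy's own code, and it makes two labelled assumptions: `Evaluate` implements first-match-wins ordering, and two interchangeable matchers are provided. `globMatch` uses Go's `path.Match` semantics (`*` never crosses a `/`), while `prefixMatch` is one hypothetical mechanism that would reproduce what crubier reports in #661, namely that `/*/menu.html` behaves like `/*`. The request paths, the `Decision` type and the function names are constructed for the example; the three rules are the ones escoand asks about.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Resource is a minimal model of one --resources entry from the thread.
// Illustrative type, not louketo-proxy's own.
type Resource struct {
	Pattern     string   // the uri= value, e.g. "/*/menu.html"
	WhiteListed bool     // white-listed=true
	Roles       []string // roles=... (only relevant when not white-listed)
}

// Decision is the outcome for one request path (constructed for this example).
type Decision string

const (
	Allow       Decision = "allow"             // served without login
	Login       Decision = "redirect-to-login" // a role is required, so an anonymous user is sent to the sign-in page
	DefaultDeny Decision = "default-deny"      // no rule matched; --enable-default-deny applies
)

// Matcher reports whether pattern covers reqPath.
type Matcher func(pattern, reqPath string) bool

// globMatch: '*' matches any run of characters except '/', so "/*/menu.html"
// covers exactly one directory level (assumption: Go path.Match semantics).
func globMatch(pattern, reqPath string) bool {
	ok, err := path.Match(pattern, reqPath)
	return err == nil && ok
}

// prefixMatch is a hypothetical matcher consistent with the #661 report: the
// pattern is cut at its first '*' and the remainder is used as a prefix, which
// makes "/*/menu.html" behave like "/*". Assumption, used only to show the effect.
func prefixMatch(pattern, reqPath string) bool {
	if i := strings.IndexByte(pattern, '*'); i >= 0 {
		pattern = pattern[:i]
	}
	return strings.HasPrefix(reqPath, pattern)
}

// Evaluate walks rules in order and stops at the first match (assumption:
// first-match wins). It returns the decision and the pattern that produced it.
func Evaluate(rules []Resource, reqPath string, m Matcher) (Decision, string) {
	for _, r := range rules {
		if !m(r.Pattern, reqPath) {
			continue
		}
		if r.WhiteListed {
			return Allow, r.Pattern
		}
		return Login, r.Pattern
	}
	return DefaultDeny, ""
}

// ThreadRules is the three-entry list escoand asks about.
func ThreadRules() []Resource {
	return []Resource{
		{Pattern: "/*/index.html", WhiteListed: true},
		{Pattern: "/*/menu.html", WhiteListed: true},
		{Pattern: "/*/*", Roles: []string{"role1", "rol2"}},
	}
}

// Reversed puts the catch-all first, to show why order matters under first-match.
func Reversed(rules []Resource) []Resource {
	out := make([]Resource, len(rules))
	for i, r := range rules {
		out[len(rules)-1-i] = r
	}
	return out
}

func main() {
	// Constructed sample request paths, not taken from the issue.
	paths := []string{"/sub/index.html", "/sub/menu.html", "/sub/app.js", "/sub/deeper/x.js", "/index.html"}
	matchers := []struct {
		name string
		m    Matcher
	}{{"glob", globMatch}, {"prefix", prefixMatch}}
	for _, mc := range matchers {
		fmt.Println("matcher:", mc.name)
		for _, p := range paths {
			d, by := Evaluate(ThreadRules(), p, mc.m)
			fmt.Printf("  %-18s -> %-17s (rule %q)\n", p, d, by)
		}
	}
}
```

Under `globMatch` the list does what escoand wants for one level of subfolder (`/sub/index.html` is allowed, `/sub/app.js` needs a role), but note that `/sub/deeper/x.js` and `/index.html` match nothing and fall to the default deny, and that moving the `/*/*` entry to the top makes the whitelist entries unreachable. Under `prefixMatch` the first whitelist entry swallows every path, which is exactly the symptom crubier describes; running a table like this against the real proxy is the quickest way to confirm which semantics a given version implements.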