delegated authorization doesn't works as expected for multiple path prefixes

openshift / oauth-proxy

A reverse proxy that provides authentication with OpenShift via OAuth and Kubernetes service accounts

MIT License

261 stars 137 forks source link

delegated authorization doesn't works as expected for multiple path prefixes #211

Closed morvencao closed 2 years ago

morvencao commented 3 years ago

Configured multiple path prefixes to the --openshift-delegate-urls parameter by following the doc here: https://github.com/openshift/oauth-proxy#delegate-authentication-and-authorization-to-openshift-for-infrastructure

--openshift-delegate-urls={"/":{"resource":"projects","verb":"list"},"/foo":{"group":"test","resource":"myproxy","verb":"*"}}

Then I found that requests for /foo are bypass to upstream even if the bear token in the request header doesn't have permission of {"group":"test","resource":"myproxy","verb":"*"}

The doc say when there are multiple path prefixes, the longest path prefix is checked.

The value of the flag is a JSON map of path prefixes to v1beta1.ResourceAttributes, and the longest path prefix is checked. If no path matches the request, authentication and authorization are skipped.

Definitely, it is not the case ax expected, I found it always match / path, so any token with {"resource":"projects","verb":"list"} can pass the authZ check.

openshift-bot commented 3 years ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

openshift-bot commented 3 years ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale

openshift-bot commented 2 years ago

Rotten issues close after 30d of inactivity.

Reopen the issue by commenting /reopen. Mark the issue as fresh by commenting /remove-lifecycle rotten. Exclude this issue from closing again by commenting /lifecycle frozen.

/close

openshift-ci[bot] commented 2 years ago

@openshift-bot: Closing this issue.

In response to [this](https://github.com/openshift/oauth-proxy/issues/211#issuecomment-927949066): >Rotten issues close after 30d of inactivity. > >Reopen the issue by commenting `/reopen`. >Mark the issue as fresh by commenting `/remove-lifecycle rotten`. >Exclude this issue from closing again by commenting `/lifecycle frozen`. > >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.