Patch to make username accessible from haproxy so it will be availlable to the logs

2022-04-26 17:26:47 +02:00 · 2022-04-26 17:26:47 +02:00 · 5c5bda119b
commit 5c5bda119b
parent 79b0cc0818
1 changed files with 58 additions and 0 deletions
--- a/files/patch-internalauthauthenticator_oidc.go
+++ b/files/patch-internalauthauthenticator_oidc.go
@ -0,0 +1,58 @@
+diff --git internal/auth/authenticator_oidc.go internal/auth/authenticator_oidc.go
+index 88de5a9..c271a9a 100644
+--- internal/auth/authenticator_oidc.go
+++ internal/auth/authenticator_oidc.go
+@@ -72,6 +72,12 @@ type OIDCAuthenticator struct {
+	options OIDCAuthenticatorOptions
+ }
+
+type Claims struct {
+	Email         string `json:"email"`
+	EmailVerified bool   `json:"email_verified"`
+	Name          string `json:"name"`
+}
+
+ // NewOIDCAuthenticator create an instance of an OIDC authenticator
+ func NewOIDCAuthenticator(options OIDCAuthenticatorOptions) *OIDCAuthenticator {
+	if len(options.SignatureSecret) < 16 {
+@@ -154,14 +160,20 @@ func (oa *OIDCAuthenticator) verifyIDToken(context context.Context, domain strin
+	return idToken, nil
+ }
+
+-func (oa *OIDCAuthenticator) checkCookie(cookieValue string, domain string) error {
+-	idToken, err := oa.encryptor.Decrypt(cookieValue)
+// Returns claims if check OK
+func (oa *OIDCAuthenticator) checkCookie(cookieValue string, domain string) (Claims, error) {
+	var claims Claims
+	idTokenstr, err := oa.encryptor.Decrypt(cookieValue)
+	if err != nil {
+-		return fmt.Errorf("unable to decrypt session cookie: %v", err)
+		return claims, fmt.Errorf("unable to decrypt session cookie: %v", err)
+	}
+
+	idToken, err := oa.verifyIDToken(context.Background(), domain, idTokenstr)
+		if err := idToken.Claims(&claims); err != nil {
+			return claims, fmt.Errorf("unable to get claims from ID Token: %v", err)
+	}
+
+-	_, err = oa.verifyIDToken(context.Background(), domain, idToken)
+-	return err
+	return claims, err
+ }
+
+ func extractOAuth2Args(msg *spoe.Message) (bool, string, string, string, error) {
+@@ -268,11 +280,12 @@ func (oa *OIDCAuthenticator) Authenticate(msg *spoe.Message) (bool, []spoe.Actio
+
+	// Verify the cookie to make sure the user is authenticated
+	if cookieValue != "" {
+-		err := oa.checkCookie(cookieValue, extractDomainFromHost(host))
+		claims, err := oa.checkCookie(cookieValue, extractDomainFromHost(host))
+		if err != nil {
+			return false, nil, err
+		} else {
+-			return true, nil, nil
+			logrus.Debugf("User %s is authenticated", claims.Name)
+			return true, []spoe.Action{SetAuthenticatedUsernameMessage(claims.Name)}, nil
+		}
+	}
+