
fix: decision API copies X-Forwarded-Method to incoming requests which breaks traefik forward auth for HEAD requests #1046

Open. Wants to merge 8 commits into master.

Conversation


@jrester jrester commented Dec 29, 2022

Currently oathkeeper cannot handle HEAD requests from traefik Forward Auth middleware, because oathkeeper copies the forwarded method into the incoming request. With this fix HEAD requests now also work.

Related issue(s)

Currently when using the oathkeeper decision API together with traefik forward auth, HEAD requests cannot be handled correctly and will result in a timeout on the traefik side. This is because oathkeeper replaces the method of the incoming request with the method in the X-Forwarded-Method header, and because HEAD requests must not contain a body, it will not be written by Go (https://github.com/golang/go/blob/9123221ccf3c80c741ead5b6f2e960573b1676b9/src/net/http/server.go#L377). But as traefik sends a GET request for forward auth, it expects a body back (https://github.com/traefik/traefik/blob/e54ee89330a800d509da7b11b46a6ecbb331e791/pkg/middlewares/auth/forward.go#L129); therefore traefik times out, as no body is sent by oathkeeper.

Reproduce

Although not the simplest setup, this is how I noticed this bug:

  1. set up oathkeeper with any rule you want (e.g. allow everything)
  2. set up the docker registry (https://github.com/distribution/distribution)
  3. set up traefik to point to the docker registry with a forward auth middleware to oathkeeper
  4. do a docker push with an image of your choice to the docker registry
  5. the push should retry multiple times and then fail with a 500 Internal Server Error
  6. the traefik logs should indicate timeout issues

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change introduces a new feature.
  • I am following the contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got the approval (please contact security@ory.sh) from the maintainers to push the changes.
  • I have added tests that prove my fix is effective or that my feature works.
  • I have added or changed the documentation.

Further Comments

For a more in depth writeup of the problem: thomseddon/traefik-forward-auth#156

@jrester jrester requested a review from aeneasr as a code owner December 29, 2022 11:48
@CLAassistant

CLAassistant commented Dec 29, 2022

CLA assistant check
All committers have signed the CLA.

@codecov

codecov bot commented Dec 29, 2022

Codecov Report

Merging #1046 (39854cf) into master (b5d4d88) will decrease coverage by 0.57%.
Report is 1 commit behind head on master.
The diff coverage is 100.00%.

❗ Current head 39854cf differs from pull request most recent head 004b778. Consider uploading reports for the commit 004b778 to get more accurate results

@@            Coverage Diff             @@
##           master    #1046      +/-   ##
==========================================
- Coverage   78.16%   77.60%   -0.57%     
==========================================
  Files          80       79       -1     
  Lines        3898     4014     +116     
==========================================
+ Hits         3047     3115      +68     
- Misses        576      618      +42     
- Partials      275      281       +6     
Files              Coverage Δ
api/decision.go    95.55% <100.00%> (ø)

... and 2 files with indirect coverage changes

@jrester jrester changed the title Fix HEAD not being handled correctly in decision API fix: HEAD not being handled correctly in decision API Dec 29, 2022
@jrester jrester changed the title fix: HEAD not being handled correctly in decision API fix: decision API copies X-Forwarded-Method to incoming requests which breaks traefik forward auth for HEAD requests Dec 29, 2022
@aeneasr aeneasr (Member) left a comment

Awesome, thank you for your contribution! This looks pretty good and I have some ideas how to improve it further :)

api/decision.go Outdated
// This is necessary because the middleware would otherwise use e.g. the method from "X-Forwarded-Method" for the response
// although the original request had another method, which leads to problems with the HEAD method.
// For more information see: https://github.com/thomseddon/traefik-forward-auth/issues/156
forwardedReq := &http.Request{
Member comment:

We need to clone the request using r.Clone(). If we don't, information is missing that is needed in the decisions function:

  • context is missing
  • body is missing
  • tls information is missing

Author (jrester) comment:
Good point, I updated it
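The failure described in the PR description (the forwarded method overwriting the incoming request's method, after which Go suppresses the body for what it now sees as a HEAD) and the r.Clone() remedy from the review thread, side by side in an added Go example that is not oathkeeper's code; buggyDecision, fixedDecision, probe and the X-Decision-Method header are hypothetical stand-ins for the decision API and its rule evaluation.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// buggyDecision mirrors the pre-fix code: the forwarded method lands on the server's
// own request, so net/http treats it as HEAD, eats the body and omits body framing.
func buggyDecision(w http.ResponseWriter, r *http.Request) {
	if m := r.Header.Get("X-Forwarded-Method"); m != "" {
		r.Method = m
	}
	w.Header().Set("X-Decision-Method", r.Method) // hypothetical rule output
	w.Write([]byte("ok"))
}

// fixedDecision evaluates the forwarded method on a clone (context, body and
// TLS state carried over) and leaves the request net/http answers untouched.
func fixedDecision(w http.ResponseWriter, r *http.Request) {
	fr := r.Clone(r.Context())
	if m := r.Header.Get("X-Forwarded-Method"); m != "" {
		fr.Method = m
	}
	w.Header().Set("X-Decision-Method", fr.Method) // hypothetical rule output
	w.Write([]byte("ok"))
}

// probe plays traefik: GET + X-Forwarded-Method: HEAD, body read under a deadline.
func probe(h http.HandlerFunc, timeout time.Duration) (method, body string, err error) {
	srv := httptest.NewServer(h)
	defer srv.Close()
	req, _ := http.NewRequest(http.MethodGet, srv.URL, nil)
	req.Header.Set("X-Forwarded-Method", http.MethodHead)
	resp, err := (&http.Client{Timeout: timeout}).Do(req)
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return resp.Header.Get("X-Decision-Method"), string(b), err
}

func main() {
	fmt.Println(probe(buggyDecision, 500*time.Millisecond)) // empty body, read times out
	fmt.Println(probe(fixedDecision, 500*time.Millisecond)) // HEAD ok <nil>
}
```

The buggy response carries neither Content-Length nor chunked encoding, so the GET client keeps waiting for a body until its deadline, which is the traefik timeout from the description.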

@jrester
Author

jrester commented Nov 29, 2023

@aeneasr are there any more changes required or can this be merged?

@8th-block

This is still an issue it seems. Any updates?!

4 participants