Skip to content

Commit 137000f

Browse files
Tenerprobakowski
andauthored
Switch to forked httprouter and enable UseRawPath option (#11068) (#12080)
* Use forked httprouter with RawPath fix: gravitational/httprouter * Enable UseRawPath everywhere. * Test: allow MFA devices with `/` in names to be deleted Co-authored-by: Przemko Robakowski <przemko.robakowski@goteleport.com>
1 parent bd3d969 commit 137000f

8 files changed

Lines changed: 58 additions & 3 deletions

File tree

go.mod

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -276,6 +276,7 @@ replace (
276276
github.com/go-redis/redis/v8 => github.com/gravitational/redis/v8 v8.11.5-0.20220211010318-7af711b76a91
277277
github.com/gogo/protobuf => github.com/gravitational/protobuf v1.3.2-0.20201123192827-2b9fcfaffcbf
278278
github.com/gravitational/teleport/api => ./api
279+
github.com/julienschmidt/httprouter => github.com/gravitational/httprouter v1.3.1-0.20220408074523-c876c5e705a5
279280
github.com/siddontang/go-mysql v1.1.0 => github.com/gravitational/go-mysql v1.1.1-teleport.2
280281
github.com/sirupsen/logrus => github.com/gravitational/logrus v1.4.4-0.20210817004754-047e20245621
281282
github.com/vulcand/predicate => github.com/gravitational/predicate v1.2.1

go.sum

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -500,6 +500,8 @@ github.com/gravitational/go-mysql v1.1.1-teleport.2 h1:XZ36BZ7BgslA5ZCyCHjpc1wil
500500
github.com/gravitational/go-mysql v1.1.1-teleport.2/go.mod h1:re0JQZ1Cy5dVlIDGq0YksfDIla/GRZlxqOoC0XPSSGE=
501501
github.com/gravitational/go-oidc v0.0.6 h1:DCllahGYxDAvxWsq8UILgO+/i1EheQRxcNzS+D+wP5I=
502502
github.com/gravitational/go-oidc v0.0.6/go.mod h1:SevmOUNdOB0aD9BAIgjptZ6oHkKxMZZgA70nwPfgU/w=
503+
github.com/gravitational/httprouter v1.3.1-0.20220408074523-c876c5e705a5 h1:qg8FcGwRACSHortU1UxCSo9nF0t34rPWjk9Nef3j2Ic=
504+
github.com/gravitational/httprouter v1.3.1-0.20220408074523-c876c5e705a5/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
503505
github.com/gravitational/kingpin v2.1.11-0.20190130013101-742f2714c145+incompatible h1:CfyZl3nyo9K5lLqOmqvl9/IElY1UCnOWKZiQxJ8HKdA=
504506
github.com/gravitational/kingpin v2.1.11-0.20190130013101-742f2714c145+incompatible/go.mod h1:LWxG30M3FcrjhOn3T4zz7JmBoQJ45MWZmOXgy9Ganoc=
505507
github.com/gravitational/license v0.0.0-20210218173955-6d8fb49b117a h1:PN5vAN1ZA0zqdpM6wNdx6+bkdlQ5fImd75oaIHSbOhY=
@@ -665,9 +667,6 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
665667
github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
666668
github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
667669
github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
668-
github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w=
669-
github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U=
670-
github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
671670
github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0 h1:iQTw/8FWTuc7uiaSepXwyf3o52HaUYcV+Tu66S3F5GA=
672671
github.com/kardianos/osext v0.0.0-20190222173326-2bc1f35cddc0/go.mod h1:1NbS8ALrpOvjt0rHPNLyCIeMtbizbir8U//inJ+zuB8=
673672
github.com/karrick/godirwalk v1.8.0/go.mod h1:H5KPZjojv4lE+QYImBI8xVtrBRgYrIVsaRPx4tDPEn4=

lib/auth/apiserver.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -91,6 +91,7 @@ func NewAPIServer(config *APIConfig) (http.Handler, error) {
9191
Clock: clockwork.NewRealClock(),
9292
}
9393
srv.Router = *httprouter.New()
94+
srv.Router.UseRawPath = true
9495

9596
// Kubernetes extensions
9697
srv.POST("/:version/kube/csr", srv.withAuth(srv.processKubeCSR))

lib/httplib/httplib_test.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -62,6 +62,7 @@ type testHandler struct {
6262
func newTestHandler() *testHandler {
6363
h := &testHandler{}
6464
h.Router = *httprouter.New()
65+
h.Router.UseRawPath = true
6566
h.POST("/v1/sessions/:id/stream", MakeHandler(h.postSessionChunkOriginal))
6667
h.POST("/v1/namespaces/:namespace/sessions/:id/stream", MakeHandler(h.postSessionChunkNamespace))
6768
return h

lib/kube/proxy/forwarder.go

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -245,6 +245,8 @@ func NewForwarder(cfg ForwarderConfig) (*Forwarder, error) {
245245
},
246246
}
247247

248+
fwd.router.UseRawPath = true
249+
248250
fwd.router.POST("/api/:ver/namespaces/:podNamespace/pods/:podName/exec", fwd.withAuth(fwd.exec))
249251
fwd.router.GET("/api/:ver/namespaces/:podNamespace/pods/:podName/exec", fwd.withAuth(fwd.exec))
250252

lib/web/apiserver.go

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -229,6 +229,9 @@ func NewHandler(cfg Config, opts ...HandlerOption) (*APIHandler, error) {
229229
ClusterFeatures: cfg.ClusterFeatures,
230230
}
231231

232+
// for properly handling url-encoded parameter values.
233+
h.UseRawPath = true
234+
232235
for _, o := range opts {
233236
if err := o(h); err != nil {
234237
return nil, trace.Wrap(err)

lib/web/apiserver_test.go

Lines changed: 47 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2584,6 +2584,53 @@ func TestAddMFADevice(t *testing.T) {
25842584
}
25852585
}
25862586

2587+
func TestDeleteMFA(t *testing.T) {
2588+
t.Parallel()
2589+
ctx := context.Background()
2590+
env := newWebPack(t, 1)
2591+
proxy := env.proxies[0]
2592+
pack := proxy.authPack(t, "foo@example.com")
2593+
2594+
//setting up client manually because we need sanitizer off
2595+
jar, err := cookiejar.New(nil)
2596+
require.NoError(t, err)
2597+
opts := []roundtrip.ClientParam{roundtrip.BearerAuth(pack.session.Token), roundtrip.CookieJar(jar), roundtrip.HTTPClient(client.NewInsecureWebClient())}
2598+
rclt, err := roundtrip.NewClient(proxy.webURL.String(), teleport.WebAPIVersion, opts...)
2599+
require.NoError(t, err)
2600+
clt := client.WebClient{Client: rclt}
2601+
jar.SetCookies(&proxy.webURL, pack.cookies)
2602+
2603+
totpCode, err := totp.GenerateCode(pack.otpSecret, env.clock.Now().Add(30*time.Second))
2604+
require.NoError(t, err)
2605+
2606+
// Obtain a privilege token.
2607+
endpoint := pack.clt.Endpoint("webapi", "users", "privilege", "token")
2608+
re, err := pack.clt.PostJSON(ctx, endpoint, &privilegeTokenRequest{
2609+
SecondFactorToken: totpCode,
2610+
})
2611+
require.NoError(t, err)
2612+
2613+
var privilegeToken string
2614+
require.NoError(t, json.Unmarshal(re.Bytes(), &privilegeToken))
2615+
2616+
names := []string{"x", "??", "%123/", "///", "my/device", "?/%&*1"}
2617+
for _, devName := range names {
2618+
devName := devName
2619+
t.Run(devName, func(t *testing.T) {
2620+
t.Parallel()
2621+
otpSecret := base32.StdEncoding.EncodeToString([]byte(devName))
2622+
dev, err := services.NewTOTPDevice(devName, otpSecret, env.clock.Now())
2623+
require.NoError(t, err)
2624+
err = env.server.Auth().UpsertMFADevice(ctx, pack.user, dev)
2625+
require.NoError(t, err)
2626+
2627+
enc := url.PathEscape(devName)
2628+
_, err = clt.Delete(ctx, pack.clt.Endpoint("webapi", "mfa", "token", privilegeToken, "devices", enc))
2629+
require.NoError(t, err)
2630+
})
2631+
}
2632+
}
2633+
25872634
func TestGetMFADevicesWithAuth(t *testing.T) {
25882635
t.Parallel()
25892636
env := newWebPack(t, 1)

lib/web/app/handler.go

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -122,6 +122,7 @@ func NewHandler(ctx context.Context, c *HandlerConfig) (*Handler, error) {
122122

123123
// Create the application routes.
124124
h.router = httprouter.New()
125+
h.router.UseRawPath = true
125126
h.router.GET("/x-teleport-auth", makeRouterHandler(h.handleFragment))
126127
h.router.POST("/x-teleport-auth", makeRouterHandler(h.handleFragment))
127128
h.router.GET("/teleport-logout", h.withRouterAuth(h.handleLogout))

0 commit comments

Comments
 (0)