Commit 0919e58

authored
Merge pull request #8 from searchspring/add-whitelist
add whitelist for redirect urls
2 parents 01cd5d2 + 1ac68b6 commit 0919e58

5 files changed

Lines changed: 55 additions & 1 deletion


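--- a/Makefile
+++ b/Makefile
@@ -42,6 +42,7 @@ docker-run:
 -e GITHUB_REDIRECT_URL="${GITHUB_REDIRECT_URL}" \
 -e GITHUB_CLIENT_ID="${GITHUB_CLIENT_ID}" \
 -e GITHUB_CLIENT_SECRET="${GITHUB_CLIENT_SECRET}" \
+-e ALLOWLIST_REDIRECT_URLS="${ALLOWLIST_REDIRECT_URLS}" \
 -p 3000:3000 \
 github-token-exchange:latest
 .PHONY: docker-run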

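--- a/README.md
+++ b/README.md
@@ -13,6 +13,7 @@ Create a `.env` file and add the values:
 GITHUB_CLIENT_SECRET=*** find the secret in 1password ***
 GITHUB_CLIENT_ID=e02c8965ff92aa84b6ee
 GITHUB_REDIRECT_URL=http://localhost:3000
+ALLOWLIST_REDIRECT_URLS=http://localhost,https://localhost,https://searchspring.github.io/snapp-explorer
 ```
 
 Run the docker build
@@ -43,4 +44,5 @@ make run
 GITHUB_CLIENT_SECRET=*** find the secret in 1password ***
 GITHUB_CLIENT_ID=5df635731e7fa3513c1d
 GITHUB_REDIRECT_URL=https://token.kube.searchspring.io
+ALLOWLIST_REDIRECT_URLS=http://localhost,https://localhost,https://searchspring.github.io/snapp-explorer
 ```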

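--- a/kubernetes/github-token-exchange/base/configmap.yml
+++ b/kubernetes/github-token-exchange/base/configmap.yml
@@ -6,4 +6,5 @@ metadata:
 data:
 GITHUB_CLIENT_ID: 5df635731e7fa3513c1d
 GITHUB_REDIRECT_URL: https://token.kube.searchspring.io
+ALLOWLIST_REDIRECT_URLS: "http://localhost,https://localhost,https://searchspring.github.io/snapp-explorer"
 PORT: "3000"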

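--- a/main.go
+++ b/main.go
@@ -5,6 +5,8 @@ import (
 "log"
 "net/http"
 "os"
+"regexp"
+"strings"
 
 "github.com/prometheus/client_golang/prometheus"
 "github.com/prometheus/client_golang/prometheus/promauto"
@@ -44,6 +46,9 @@ func checks() {
 if os.Getenv("GITHUB_CLIENT_SECRET") == "" {
 panic("must set GITHUB_CLIENT_SECRET variable")
 }
+if os.Getenv("ALLOWLIST_REDIRECT_URLS") == "" {
+panic("must set ALLOWLIST_REDIRECT_URLS variable")
+}
 }
 
 func handler(w http.ResponseWriter, r *http.Request) {
@@ -62,17 +67,37 @@ func handler(w http.ResponseWriter, r *http.Request) {
 clientID := os.Getenv("GITHUB_CLIENT_ID")
 clientSecret := os.Getenv("GITHUB_CLIENT_SECRET")
 redirectURL := os.Getenv("GITHUB_REDIRECT_URL")
+allowlistString := os.Getenv("ALLOWLIST_REDIRECT_URLS")
 
 user, err := githubDAO.GetUser(clientID, clientSecret, code, redirectURL)
 if err != nil {
 http.Error(w, err.Error(), http.StatusForbidden)
 opsFailed.Inc()
 return
 }
+
+allowlist := strings.Split(allowlistString, ",")
+url := "http://localhost:3827"
+requestedRedirectURL := r.URL.Query().Get("redirect")
+
+if (len(requestedRedirectURL) > 0) {
+// check if in allowlist
+for _, entry := range allowlist {
+entry = strings.TrimSpace(entry)
+if(len(entry) > 0) {
+match, _ := regexp.MatchString("^" + entry, requestedRedirectURL)
+if(match) {
+url = requestedRedirectURL
+break
+}
+}
+}
+}
+
 html := `
 <script>
 let user = ` + string(user) + `
-window.location.href = 'http://localhost:3827/?user=' + encodeURIComponent(JSON.stringify(user))
+window.location.href = '` + string(url) + `' + '?user=' + encodeURIComponent(JSON.stringify(user))
 </script>
 `
 _, err = w.Write([]byte(html))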
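Review bot: The allowlist check `regexp.MatchString("^" + entry, requestedRedirectURL)` is a prefix match that also treats each entry as an unescaped regular expression, so on the `https://localhost` entry both `https://localhost.attacker.example` and `https://localhost:x@attacker.example` pass, the `.` in `searchspring.github.io` matches any character, and the error returned by MatchString is discarded; the result is an open redirect that ships the user object (already placed in the query string) to an attacker-chosen host. Parse the requested value with `net/url` and compare scheme, host, port (when the entry names one) and a whole-segment path prefix against each entry, rejecting userinfo, as in the helper below; `net/url` needs an alias such as `neturl` in the import block because the local `url` variable shadows the package name. Because the chosen URL is spliced into a single-quoted JavaScript string on the `window.location.href` line, any `'` that gets through the allowlist becomes script injection, so emit it with `template.JSEscapeString(url)` (or `json.Marshal`) rather than raw concatenation, and note that `'?user='` is appended even when the requested redirect already carries a query string. handler's body begins and ends outside this hunk.
```go
// file scope, above handler:

// redirectAllowed reports whether requested names an allowlisted destination:
// same scheme and host as an entry (and port, when the entry gives one), no
// userinfo, and the entry's path as a whole-segment prefix. Entries are URLs,
// never regular expressions.
func redirectAllowed(requested string, allowlist []string) bool {
	req, err := neturl.Parse(requested)
	if err != nil || req.User != nil || req.Hostname() == "" {
		return false
	}
	reqPath := path.Clean("/" + req.Path)
	for _, entry := range allowlist {
		allowed, err := neturl.Parse(strings.TrimSpace(entry))
		if err != nil || allowed.Hostname() == "" {
			continue
		}
		if req.Scheme != allowed.Scheme || !strings.EqualFold(req.Hostname(), allowed.Hostname()) {
			continue
		}
		if allowed.Port() != "" && req.Port() != allowed.Port() {
			continue
		}
		allowedPath := path.Clean("/" + allowed.Path)
		if allowedPath == "/" || reqPath == allowedPath || strings.HasPrefix(reqPath, allowedPath+"/") {
			return true
		}
	}
	return false
}

// inside handler, replacing the regexp loop:
url := "http://localhost:3827"
if requested := r.URL.Query().Get("redirect"); redirectAllowed(requested, allowlist) {
	url = requested
}
// … unchanged: html string building and Write …
```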

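--- a/main_test.go
+++ b/main_test.go
@@ -72,6 +72,7 @@ func TestChecks(t *testing.T) {
 os.Setenv("GITHUB_CLIENT_SECRET", "")
 os.Setenv("GITHUB_CLIENT_ID", "")
 os.Setenv("GITHUB_REDIRECT_URL", "")
+os.Setenv("ALLOWLIST_REDIRECT_URLS", "")
 testFail(t)
 
 os.Setenv("PORT", "8888")
@@ -80,6 +81,30 @@ func TestChecks(t *testing.T) {
 testFail(t)
 os.Setenv("GITHUB_CLIENT_ID", "aoeu")
 testFail(t)
+os.Setenv("ALLOWLIST_REDIRECT_URLS", "http://localhost,https://localhost,https://searchspring.github.io/snapp-explorer")
+testFail(t)
+os.Setenv("ALLOWLIST_REDIRECT_URLS", "http://localhost,https://localhost , https://searchspring.github.io/snapp-explorer, ")
+testFail(t)
+}
+
+func TestAllowlistPass(t *testing.T) {
+githubDAO = &mockDAO{Override: simple}
+res := httptest.NewRecorder()
+handler(res, httptest.NewRequest("GET", "http://localhost:1231/?code=blah&redirect=https://searchspring.github.io/snapp-explorer", nil))
+body, err := ioutil.ReadAll(res.Body)
+require.Nil(t, err)
+require.True(t, strings.Contains(string(body), "https://searchspring.github.io/snapp-explorer"))
+require.False(t, strings.Contains(string(body), "http://localhost:3827"))
+}
+
+func TestAllowlistFail(t *testing.T) {
+githubDAO = &mockDAO{Override: simple}
+res := httptest.NewRecorder()
+handler(res, httptest.NewRequest("GET", "http://localhost:1231/?code=blah&redirect=https://dne.searchspring.io", nil))
+body, err := ioutil.ReadAll(res.Body)
+require.Nil(t, err)
+require.True(t, strings.Contains(string(body), "http://localhost:3827"))
+require.False(t, strings.Contains(string(body), "https://dne.searchspring.io"))
 }
 
 func testFail(t *testing.T) {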
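Review bot: TestAllowlistPass and TestAllowlistFail never set ALLOWLIST_REDIRECT_URLS themselves, yet handler reads it from the environment per request, so they only pass when TestChecks has already run in the same process and left the variable populated; start each with `os.Setenv("ALLOWLIST_REDIRECT_URLS", "http://localhost,https://localhost,https://searchspring.github.io/snapp-explorer")` so they hold under `-run` or a shuffled order. Neither test probes the edge of the prefix match, which is where an allowlist fails in practice: add a request with `redirect=https://localhost.evil.example` and assert the body still contains `http://localhost:3827`, which pins the intended meaning of an entry like `https://localhost` and currently fails against the regex-prefix check. The two new `testFail(t)` calls in TestChecks appear to rely on another variable still being empty (GITHUB_REDIRECT_URL is cleared at the top and is not visibly restored), so they do not demonstrate that the missing-allowlist panic fires; a case that sets every other variable and clears only ALLOWLIST_REDIRECT_URLS would. TestChecks starts outside this hunk.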
