bugfix: #3265 missing forward proxy configuration for oidc authentica…

…tor (#3268) Fix for #3265 --------- Co-authored-by: Mike Cohen <[email protected]>
Velocidex · Feb 2, 2024 · 60a6187 · 60a6187
1 parent 4a705e2
commit 60a6187
Show file tree

Hide file tree

Showing 4 changed files with 48 additions and 5 deletions.
diff --git a/api/authenticators/http.go b/api/authenticators/http.go
@@ -0,0 +1,24 @@
+package authenticators
+
+import (
+	"net/http"
+
+	oidc "github.com/coreos/go-oidc/v3/oidc"
+	context "golang.org/x/net/context"
+	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
+	"www.velocidex.com/golang/velociraptor/vql/networking"
+)
+
+// Update the HTTP client in the context honoring proxy and TLS
+// settings in the config file. This is needed to pass to
+// oidc.NewProvider
+func ClientContext(ctx context.Context,
+	config_obj *config_proto.Config) (context.Context, error) {
+	transport, err := networking.GetHttpTransport(config_obj.Client, "")
+	if err != nil {
+		return nil, err
+	}
+
+	client := &http.Client{Transport: transport}
+	return oidc.ClientContext(ctx, client), nil
+}
diff --git a/api/authenticators/oidc.go b/api/authenticators/oidc.go
@@ -64,8 +64,11 @@ func (self *OidcAuthenticator) CallbackURL() string {
 }
 
 func (self *OidcAuthenticator) AddHandlers(mux *http.ServeMux) error {
-	provider, err := oidc.NewProvider(
-		context.Background(), self.authenticator.OidcIssuer)
+	ctx, err := ClientContext(context.Background(), self.config_obj)
+	if err != nil {
+		return err
+	}
+	provider, err := oidc.NewProvider(ctx, self.authenticator.OidcIssuer)
 	if err != nil {
 		logging.GetLogger(self.config_obj, &logging.GUIComponent).
 			Errorf("can not get information from OIDC provider, "+
@@ -148,7 +151,16 @@ func (self *OidcAuthenticator) oauthOidcCallback(
 
 		oidcOauthConfig := self.getGenOauthConfig(
 			provider.Endpoint(), self.CallbackHandler())
-		oauthToken, err := oidcOauthConfig.Exchange(r.Context(), r.FormValue("code"))
+
+		ctx, err := ClientContext(r.Context(), self.config_obj)
+		if err != nil {
+			logging.GetLogger(self.config_obj, &logging.GUIComponent).
+				Error("invalid client context of OIDC")
+			http.Redirect(w, r, utils.Homepage(self.config_obj),
+				http.StatusTemporaryRedirect)
+			return
+		}
+		oauthToken, err := oidcOauthConfig.Exchange(ctx, r.FormValue("code"))
 		if err != nil {
 			logging.GetLogger(self.config_obj, &logging.GUIComponent).
 				Error("can not get oauthToken from OIDC provider: %v", err)
@@ -157,7 +169,7 @@ func (self *OidcAuthenticator) oauthOidcCallback(
 			return
 		}
 		userInfo, err := provider.UserInfo(
-			r.Context(), oauth2.StaticTokenSource(oauthToken))
+			ctx, oauth2.StaticTokenSource(oauthToken))
 		if err != nil {
 			logging.GetLogger(self.config_obj, &logging.GUIComponent).
 				Error("can not get UserInfo from OIDC provider: %v", err)

diff --git a/services/notebook/worker.go b/services/notebook/worker.go
@@ -420,7 +420,9 @@ func (self *NotebookWorker) RegisterWorker(
 
 		case job, ok := <-job_chan:
 			if !ok {
-				job.Done("", errors.New("Cancellation"))
+				if job.Done != nil {
+					job.Done("", errors.New("Cancellation"))
+				}
 				return nil
 			}
 

diff --git a/vql/networking/transport.go b/vql/networking/transport.go
@@ -7,9 +7,14 @@ import (
 	"time"
 
 	"www.velocidex.com/golang/velociraptor/config/proto"
+	config_proto "www.velocidex.com/golang/velociraptor/config/proto"
 )
 
 func GetHttpTransport(config_obj *proto.ClientConfig, extra_roots string) (*http.Transport, error) {
+	if config_obj == nil {
+		config_obj = &config_proto.ClientConfig{}
+	}
+
 	timeout := config_obj.ConnectionTimeout
 	if timeout == 0 {
 		timeout = 300 // 5 Min default