Fix missing annotation for no-redirect, fix middleware name (#543)

* Ability to set no-redirects=true per path

* Ability to set no-redirects=true per path

* Fix missing annotation for no-redirect, fix middleware name

pkg/authorization/resource.go

@@ -34,7 +34,7 @@ type Resource struct {
 	// WhiteListed permits the prefix through
 	WhiteListed bool `json:"white-listed" yaml:"white-listed"`
 	// NoRedirect overrides global no-redirect setting
-	NoRedirect bool
+	NoRedirect bool `json:"no-redirect" yaml:"no-redirect"`
 	// RequireAnyRole indicates that ANY of the roles are required, the default is all
 	RequireAnyRole bool `json:"require-any-role" yaml:"require-any-role"`
 	// Headers required to access this url

pkg/keycloak/proxy/server.go

@@ -517,7 +517,7 @@ func (r *OauthProxy) CreateReverseProxy() error {
 		r.Config.DefaultAllowedQueryParams,
 	)
 
-	redToAuthMiddleware := gmiddleware.NewRedirectToAuthorizationMiddleware(
+	redToAuthMiddleware := gmiddleware.RedirectToAuthorizationMiddleware(
 		r.Log,
 		r.Cm,
 		r.Config.SkipTokenVerification,

pkg/proxy/middleware/oauth.go

@@ -328,107 +328,6 @@ func AuthenticationMiddleware(
 //
 //nolint:cyclop
 func RedirectToAuthorizationMiddleware(
-	logger *zap.Logger,
-	noRedirects bool,
-	cookManager *cookie.Manager,
-	skipTokenVerification bool,
-	noProxy bool,
-	baseURI string,
-	oAuthURI string,
-	allowedQueryParams map[string]string,
-	defaultAllowedQueryParams map[string]string,
-) func(http.Handler) http.Handler {
-	return func(next http.Handler) http.Handler {
-		return http.HandlerFunc(func(wrt http.ResponseWriter, req *http.Request) {
-			scope, assertOk := req.Context().Value(constant.ContextScopeName).(*models.RequestScope)
-			if !assertOk {
-				logger.Error(apperrors.ErrAssertionFailed.Error())
-				return
-			}
-
-			scope.Logger.Debug("redirecttoauthorization middleware")
-
-			if scope.AccessDenied {
-				if noRedirects {
-					wrt.WriteHeader(http.StatusUnauthorized)
-					return
-				}
-
-				// step: add a state referrer to the authorization page
-				uuid := cookManager.DropStateParameterCookie(req, wrt)
-				authQuery := "?state=" + uuid
-
-				if len(allowedQueryParams) > 0 {
-					query := ""
-					for key, val := range allowedQueryParams {
-						if param := req.URL.Query().Get(key); param != "" {
-							if val != "" {
-								if val != param {
-									wrt.WriteHeader(http.StatusForbidden)
-								}
-							}
-							query += fmt.Sprintf("&%s=%s", key, param)
-						} else {
-							if val, ok := defaultAllowedQueryParams[key]; ok {
-								query += fmt.Sprintf("&%s=%s", key, val)
-							}
-						}
-					}
-					authQuery += query
-				}
-
-				// step: if verification is switched off, we can't authorization
-				if skipTokenVerification {
-					logger.Error(
-						"refusing to redirection to authorization endpoint, " +
-							"skip token verification switched on",
-					)
-
-					wrt.WriteHeader(http.StatusForbidden)
-					return
-				}
-
-				url := utils.WithOAuthURI(baseURI, oAuthURI)(constant.AuthorizationURL + authQuery)
-
-				if noProxy && !noRedirects {
-					xForwardedHost := req.Header.Get(constant.HeaderXForwardedHost)
-					xProto := req.Header.Get(constant.HeaderXForwardedProto)
-
-					if xForwardedHost == "" || xProto == "" {
-						logger.Error(apperrors.ErrForwardAuthMissingHeaders.Error())
-
-						wrt.WriteHeader(http.StatusForbidden)
-						return
-					}
-
-					url = fmt.Sprintf(
-						"%s://%s%s",
-						xProto,
-						xForwardedHost,
-						url,
-					)
-				}
-
-				logger.Debug("redirecting to url", zap.String("url", url))
-
-				core.RedirectToURL(
-					logger,
-					url,
-					wrt,
-					req,
-					http.StatusSeeOther,
-				)
-			} else {
-				next.ServeHTTP(wrt, req)
-			}
-		})
-	}
-}
-
-// RedirectToAuthorizationMiddleware redirects the user to authorization handler
-//
-//nolint:cyclop
-func NewRedirectToAuthorizationMiddleware(
 	logger *zap.Logger,
 	cookManager *cookie.Manager,
 	skipTokenVerification bool,