Commit b8c5446d authored by ale's avatar ale

Return Forbidden not Unauthorized on access errors

And upgrade dependencies.
parent dd831517
Pipeline #1468 passed with stages
in 1 minute and 7 seconds
......@@ -47,7 +47,7 @@ func (s *keyStoreServer) handleGet(w http.ResponseWriter, r *http.Request) {
// Return an appropriate error code.
switch err {
case errUnauthorized, errBadUser:
http.Error(w, err.Error(), http.StatusUnauthorized)
http.Error(w, err.Error(), http.StatusForbidden)
case errNoKeys:
http.NotFound(w, r)
default:
......
......@@ -115,8 +115,9 @@ func Serve(h http.Handler, config *ServerConfig, addr string) error {
signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
// Notify systemd that we are ready to serve.
daemon.SdNotify(false, "READY=1")
// Notify systemd that we are ready to serve. This call is
// allowed to fail (in case there is no systemd).
daemon.SdNotify(false, "READY=1") // nolint
err = srv.Serve(l)
if err != http.ErrServerClosed {
......@@ -132,7 +133,7 @@ func defaultHandler(h http.Handler) http.Handler {
// Add an endpoint for HTTP health checking probes.
root.Handle("/health", http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
io.WriteString(w, "OK")
io.WriteString(w, "OK") // nolint
}))
// Add an endpoint to serve Prometheus metrics.
......
......@@ -2,6 +2,8 @@ package serverutil
import (
"crypto/tls"
"fmt"
"log"
"net/http"
"regexp"
......@@ -119,6 +121,13 @@ func (c *TLSServerConfig) TLSAuthWrapper(h http.Handler) (http.Handler, error) {
h.ServeHTTP(w, r)
return
}
http.Error(w, "Unauthorized", http.StatusUnauthorized)
// Log the failed access, useful for debugging.
var tlsmsg string
if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
tlsmsg = fmt.Sprintf(" TLS client '%s' at", r.TLS.PeerCertificates[0].Subject.CommonName)
}
log.Printf("unauthorized access to %s from %s%s", r.URL.Path, tlsmsg, r.RemoteAddr)
http.Error(w, "Forbidden", http.StatusForbidden)
}), nil
}
......@@ -115,13 +115,17 @@ parameters:
* `cur_nonce`: nonce for *cur_tkt*
* `new_svc`: destination SSO service
* `new_nonce`: nonce for the new SSO ticket
* `new_groups` (optional): a comma-separated list of groups that the
destination service might check membership for
Note that annoyingly *cur_svc* and *cur_nonce* are redundant, as they
are already contained within *cur_tkt*, but the SSO ticket API won't
allow us to decode the ticket without verifying it at the same time.
The new ticket will not be valid any longer than the original one, or
the configured TTL for the new service, whichever comes first.
Group membership in the original ticket is passed along unchanged to
the new ticket.
# Implementation notes
......
......@@ -270,3 +270,21 @@ func (v *ssoValidator) Validate(encoded, nonce, service string, allowedGroups []
return t, nil
}
// InspectTicket reads a ticket without validating it (beyond syntax),
// returning user and service. The results are untrusted.
func InspectTicket(encoded string) (string, string, error) {
decoded, err := base64.RawURLEncoding.DecodeString(encoded)
if err != nil {
return "", "", err
}
if len(decoded) < signatureLen {
return "", "", ErrMessageTooShort
}
serialized := decoded[signatureLen:]
t, err := deserializeTicket(string(serialized))
if err != nil {
return "", "", err
}
return t.User, t.Service, nil
}
......@@ -51,9 +51,13 @@ func (b *backOffContext) Context() context.Context {
func (b *backOffContext) NextBackOff() time.Duration {
select {
case <-b.Context().Done():
case <-b.ctx.Done():
return Stop
default:
return b.BackOff.NextBackOff()
}
next := b.BackOff.NextBackOff()
if deadline, ok := b.ctx.Deadline(); ok && deadline.Sub(time.Now()) < next {
return Stop
}
return next
}
......@@ -63,7 +63,6 @@ type ExponentialBackOff struct {
currentInterval time.Duration
startTime time.Time
random *rand.Rand
}
// Clock is an interface that returns current time for BackOff.
......@@ -89,7 +88,6 @@ func NewExponentialBackOff() *ExponentialBackOff {
MaxInterval: DefaultMaxInterval,
MaxElapsedTime: DefaultMaxElapsedTime,
Clock: SystemClock,
random: rand.New(rand.NewSource(time.Now().UnixNano())),
}
b.Reset()
return b
......@@ -118,10 +116,7 @@ func (b *ExponentialBackOff) NextBackOff() time.Duration {
return Stop
}
defer b.incrementCurrentInterval()
if b.random == nil {
b.random = rand.New(rand.NewSource(time.Now().UnixNano()))
}
return getRandomValueFromInterval(b.RandomizationFactor, b.random.Float64(), b.currentInterval)
return getRandomValueFromInterval(b.RandomizationFactor, rand.Float64(), b.currentInterval)
}
// GetElapsedTime returns the elapsed time since an ExponentialBackOff instance
......
......@@ -41,7 +41,7 @@ func RetryNotify(operation Operation, b BackOff, notify Notify) error {
return permanent.Err
}
if next = b.NextBackOff(); next == Stop {
if next = cb.NextBackOff(); next == Stop {
return err
}
......
......@@ -5,44 +5,44 @@
{
"checksumSHA1": "pLvPnUablirQucyALgrso9hLG4E=",
"path": "git.autistici.org/ai3/go-common",
"revision": "b5271f0caf05207e352c14bcf69e5c172e9e37cc",
"revisionTime": "2018-10-29T06:42:37Z"
"revision": "6916834dec86e761a3091c9628cbff9b6c389867",
"revisionTime": "2018-10-29T11:03:54Z"
},
{
"checksumSHA1": "Xd4ClmFykFMOg8b2ZFXimSS3Uj0=",
"path": "git.autistici.org/ai3/go-common/clientutil",
"revision": "b5271f0caf05207e352c14bcf69e5c172e9e37cc",
"revisionTime": "2018-10-29T06:42:37Z"
"revision": "6916834dec86e761a3091c9628cbff9b6c389867",
"revisionTime": "2018-10-29T11:03:54Z"
},
{
"checksumSHA1": "kQbBWZqrXc95wodlrOKEshQVaBo=",
"path": "git.autistici.org/ai3/go-common/ldap",
"revision": "b5271f0caf05207e352c14bcf69e5c172e9e37cc",
"revisionTime": "2018-10-29T06:42:37Z"
"revision": "6916834dec86e761a3091c9628cbff9b6c389867",
"revisionTime": "2018-10-29T11:03:54Z"
},
{
"checksumSHA1": "7VBLbwaK1m/jwsk8sLsh4iD9T/s=",
"checksumSHA1": "RyFydcBJvLBevfsriijLqHtZ0hs=",
"path": "git.autistici.org/ai3/go-common/serverutil",
"revision": "b5271f0caf05207e352c14bcf69e5c172e9e37cc",
"revisionTime": "2018-10-29T06:42:37Z"
"revision": "6916834dec86e761a3091c9628cbff9b6c389867",
"revisionTime": "2018-10-29T11:03:54Z"
},
{
"checksumSHA1": "Okvoje2tgehkMo1N9Q601JPgGoE=",
"path": "git.autistici.org/ai3/go-common/unix",
"revision": "b5271f0caf05207e352c14bcf69e5c172e9e37cc",
"revisionTime": "2018-10-29T06:42:37Z"
"revision": "6916834dec86e761a3091c9628cbff9b6c389867",
"revisionTime": "2018-10-29T11:03:54Z"
},
{
"checksumSHA1": "witSYnNsDhNaoA85UYilt17H+ng=",
"path": "git.autistici.org/ai3/go-common/userenckey",
"revision": "b5271f0caf05207e352c14bcf69e5c172e9e37cc",
"revisionTime": "2018-10-29T06:42:37Z"
"revision": "6916834dec86e761a3091c9628cbff9b6c389867",
"revisionTime": "2018-10-29T11:03:54Z"
},
{
"checksumSHA1": "SFxqNnYqTQDH4goNZ7v8KevTNzg=",
"checksumSHA1": "s3Ao3RV8QQQpqld7jNYqOwA7Sdo=",
"path": "git.autistici.org/id/go-sso",
"revision": "7b8eca6ac80bb75f798363830b91ca3a75b950d8",
"revisionTime": "2018-10-27T13:28:35Z"
"revision": "522bc582e4bc44826f52243be5d4e1c6a751e01b",
"revisionTime": "2018-11-03T07:08:42Z"
},
{
"checksumSHA1": "0rido7hYHQtfq3UJzVT5LClLAWc=",
......@@ -51,10 +51,10 @@
"revisionTime": "2018-03-21T16:47:47Z"
},
{
"checksumSHA1": "EAUmmJ4ccZbyuyf8Fnf+KU+DH3w=",
"checksumSHA1": "2nTxrtvUecg8v33ZkjIFiUxfUI8=",
"path": "github.com/cenkalti/backoff",
"revision": "b7325b0f3f1097c6546ea5e83c4a23267e58ad71",
"revisionTime": "2018-08-01T15:21:24Z"
"revision": "62661b46c4093e2c1f38d943e663db1a29873e80",
"revisionTime": "2018-10-03T08:08:54Z"
},
{
"checksumSHA1": "zg16zjZTQ9R89+UOLmEZxHgxDtM=",
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment