use request_uri in _backend endpoint in order to overcome double /. Support both dash and underscores in allow-basic-auth

dcore94 2024-03-06 13:36:32 +01:00
parent a59347c340
commit ba9b62a86a
2 changed files with 11 additions and 9 deletions


@ -39,8 +39,7 @@ server {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-NginX-Proxy true;
proxy_cache_bypass $http_upgrade;
proxy_redirect off;
proxy_pass http://service/;
proxy_pass http://service$request_uri;
}
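Review bot: `proxy_pass http://service$request_uri;` sends the backend the client's raw request line URI (undecoded, un-normalised, query string included), while the NJS side of this commit works with `r.uri`, which nginx has already decoded and normalised. If `computeProtection` matches policy on `r.uri` (not visible here), the path that is authorised and the path the backend resolves can differ whenever the two disagree on encoded slashes, dot segments or repeated slashes. I would record that above the directive, e.g. `# $request_uri is the raw client URI; the PEP decides on the normalised $uri, so the backend must normalise the same way`, or have the PEP reject requests whose normalised and raw paths differ. The enclosing location block starts outside the hunk, so it is also worth confirming that it is marked `internal` so that clients cannot reach it without going through `enforce`.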


@ -21,7 +21,7 @@ function enforce(r) {
backend : (defaultExport.backend ? defaultExport.backend : "/_backend")
}
log(context, "Inside NJS enforce for " + r.method + " @ " + r.headersIn.host + "/" + r.uri)
log(context, "Inside NJS enforce for " + r.method + " @ " + r.headersIn.host + r.uri)
context = computeProtection(context)
@ -32,6 +32,7 @@ function enforce(r) {
var wkf = {
build : (context)=>{
//An example workflow for direct proxying to backend with no PIP and no Headers to export
var actions = [
"export_pep_credentials",
"parse_authentication",
@ -42,14 +43,16 @@ var wkf = {
// "export_backend_headers",
"pass"
]
// An example workflow (with no PIP and no extra headers) that intercepts the response in order to complete an accounting record which is started at the receipt of the original request
/*var actions = [
"export_pep_credentials",
"parse_authentication",
"check_authentication",
"export_authn_token",
"pip",
//"pip",
"pdp",
"export_backend_headers",
//"export_backend_headers",
"start_accounting",
"pass_and_wait",
"close_accounting",
@ -125,7 +128,7 @@ function parseAuthentication(context){
if(arr.length != 2) throw new Error("Unknown authentication scheme");
var type = arr[0].toLowerCase()
if(type === "basic" && context.authz.host && context.authz.host["allow-basic-auth"]){
if(type === "basic" && context.authz.host && (context.authz.host["allow-basic-auth"] || context.authz.host["allow_basic_auth"])){
var unamepass = Buffer.from(arr[1], 'base64').toString().split(":")
if(unamepass.length != 2) return null;
context.authn = { type : type, raw : arr[1], user : unamepass[0], password : unamepass[1]}
@ -237,9 +240,9 @@ function umaCall(context){
// Call backend and return reply to client directly
async function pass(context){
log(context, "Inside pass and wait");
log(context, "Inside pass: ");
const r = context.request
const reply = await r.subrequest((context.backend + r.variables.uri), { method : r.method, args : r.variables.args, headers : r.headersIn})
const reply = await r.subrequest(context.backend, { method : r.method, args : r.variables.args, headers : r.headersIn})
debug(context, "[BACKEND] response status: " + reply.status)
context.backendresponse = reply
return respondToClient(context)
@ -249,7 +252,7 @@ async function pass(context){
async function pass_and_wait(context){
log(context, "Inside pass and wait");
const r = context.request
const reply = await r.subrequest((context.backend + r.variables.uri), { method : r.method, args : r.variables.args, headers : r.headersIn})
const reply = await r.subrequest(context.backend, { method : r.method, args : r.variables.args, headers : r.headersIn})
debug(context, "[BACKEND] response status: " + reply.status)
context.backendresponse = reply
return context
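Review bot: In `parseAuthentication`, the new condition ORs the two spellings, so a host entry with `"allow-basic-auth": false` and a leftover `"allow_basic_auth": true` still accepts Basic credentials, and any truthy value (including the string `"false"`) enables it. Resolving the flag once with a defined precedence would make the policy unambiguous, e.g. `var allowBasic = host["allow-basic-auth"] !== undefined ? host["allow-basic-auth"] : host["allow_basic_auth"]`, and then testing `allowBasic === true` if the policy files always use booleans (to be confirmed against the loader). A short comment stating which spelling is canonical would help whoever audits the host policies. Separately, `pass` and `pass_and_wait` now subrequest `context.backend` alone, so the forwarded path depends entirely on the nginx `_backend` location using `$request_uri`; a one-line comment at both calls would keep that coupling visible. All three functions continue outside their hunks.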