Add allowed_email_domains on auth_request endpoint

[armandpicard]

Description

Add the allowed_email_domains on the auth_request endpoint to restrict access per ingress.

Motivation and Context

Some users may want to have one oauth2 proxy with multiple allowed email domains but restrict access to some ressource to only one or multiple of these emails domains

How Has This Been Tested?

Unit Tests and test on Kubernees with an Nginx ingress.

Checklist:

• My change requires a change to the documentation or CHANGELOG.
• I have updated the documentation/CHANGELOG accordingly.
• I have created a feature (non-master) branch for my PR.

[NickMeves]

We can remove this nolint & TODO above now that you are adding more functionality 👍

[w3st3ry]

Removed

[NickMeves]

This and extractAllowedGroups are nearly identical -- maybe we should generalize it and use the querystring param as an extra argument (appears to be the only difference)?

[w3st3ry]

Refactored

[NickMeves]

Throughout the rest of the codebase, there's support for broad subdomains (.example.com would allow foo.example.com and bar.example.com). I think that support should be extended here too.

[NickMeves]

I believe there's common helper methods for this logic since it is an error-prone implementation that leads to security vulnerabilities; hopefully we can use those here?

[w3st3ry]

It support now broad subdomains starting with . and *. and sharing the same code base through an util.

[w3st3ry]

Agree but I didn't find out something relevant as a trusted common helper method. Do you have something in mind?

[NickMeves]

Thanks for the PR! I think this will be a worthwhile addition.

I've left some notes on areas to align it more with the rest of the codebase.

This needs a CHANGELOG entry as well.

[w3st3ry]

Hi @NickMeves, WDYT about the change? Should I add something else?

[NickMeves]

What's the reasoning for moving away from Loop + Set (with O(NlogN) time complexity) to double looping to find matches (O(N^2) time complexity?

I know in small cases (< 10), double looping is fine and potentially faster. But since we don't know how large our worst case users will be using this feature -- we leaned toward O(NlogN) Loop + Set in the initial implementation.

[NickMeves]

I recommend switching the extractAllowedEntities implementation to return a map[string]struct{} instead of []string and doing a set membership check in your checker methods.

[w3st3ry]

Yes you right, I fixed it with the recommended implementation.

[NickMeves]

This is a great refactor! Thanks!

Let's slide it to a more specific utils area though.

Can we move this to here: https://github.com/oauth2-proxy/oauth2-proxy/blob/master/pkg/validation/utils.go

Since this is all validation related?

[w3st3ry]

Yes sure, done.

[JoelSpeed]

@NickMeves For the group authentication, didn't we have some requirement about having to have the allowed_group be defined on the config first to be allowed to be added in the query params?

[JoelSpeed]

I was a bit confused about what we were trying to achieve here, can we add a comment that explains what the inputs and outputs are at a minimum

[w3st3ry]

I added a comment based on @NickMeves recommendations.
See #1286 (comment)

[JoelSpeed]

Splitted is a bit jarring to me, what about

Suggested change

	emailSplited := strings.Split(s.Email, "@")
	splitEmail := strings.Split(s.Email, "@")

[w3st3ry]

Fixed

[JoelSpeed]

Are we sure about this? I don't think redirects are allowed without a scheme prefixing them currently, this could lead to open redirects which I really would like to avoid

[w3st3ry]

Thanks, forget to commit the fix.
Done.

[JoelSpeed]

Please add a doc string for this function

[w3st3ry]

added

[JoelSpeed]

I actually don't think this is the right place to put this function, the validation package is all about configuration validation rather than runtime validation like this. Can we move it to pkg/utils until we find a better home please

[JoelSpeed]

I think this could be simpler

Suggested change

	func isHostnameBelongsToAllowedHost(hostname, allowedHost string) bool {
	func isHostnameAllowed(hostname, allowedHost string) bool {

[w3st3ry]

fixed

[NickMeves]

@NickMeves For the group authentication, didn't we have some requirement about having to have the allowed_group be defined on the config first to be allowed to be added in the query params?

@JoelSpeed I don't recall this being a requirement -- The architecture I built this for was a central Authentication Proxy (BeyondCorp style) where all the consuming applications (nginx, k8s ingress) could specificy any groups they cared about for AuthZ

[w3st3ry]

@JoelSpeed @NickMeves I normally solved the required fixes/changes + solved conflicts by rebasing to master.

[JoelSpeed]

Few more comments, otherwise I think I'm happy for this to merge

[JoelSpeed]

This should be moved into the changes since v7.1.3 section and typically should just be the PR title, we can leave this here if you add the extra one to the changes since section

[JoelSpeed]

I actually don't think this is the right place to put this function, the validation package is all about configuration validation rather than runtime validation like this. Can we move it to pkg/utils until we find a better home please

[JoelSpeed]

We are trying to move away from this term when we touch code that uses it

Suggested change

	// if the whitelisted domain's port is '*', allow all ports
	// if the whitelisted domain contains a specific port, only allow that port
	// if the whitelisted domain doesn't contain a port at all, only allow empty redirect ports ie http and https
	// if the allowed domain's port is '*', allow all ports
	// if the allowed domain contains a specific port, only allow that port
	// if the allowed domain doesn't contain a port at all, only allow empty redirect ports ie http and https

[w3st3ry]

@JoelSpeed @NickMeves I pushed the latest requested changes + rebased to master/fixed conflicts.

[JoelSpeed]

Changes look great, I think there's a conflict in the changelog now though. We are planning to do a bug release in the next couple of weeks, if you don't mind holding until we've done that release, then rebasing this to fix the changelog, that would be appreciated. Then we can get you merged as soon as we are open for features

[github-actions]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

[JoelSpeed]

Apologies for letting this get stale, are you able to resolve the conflicts and we can get this merged?

[JoelSpeed]

Looks good, apologies for the delay, lets get this merged

[JoelSpeed]

@armandpicard GitHub seems to think there are conflicts on this branch, do you think you could try rebasing it?

[w3st3ry]

@JoelSpeed conflicts are now fixed + branch rebased.

[JoelSpeed]

Sorry, this should be moved up to the Changes since v7.2.1 section now, closer to line 9

[w3st3ry]

@JoelSpeed my bad, fixed!

[JoelSpeed]

LGTM, thanks