Default Denial (#320)

- adding a defauly denial, the plan being to make this default from now on

CHANGELOG.md

@@ -2,11 +2,12 @@
 #### **2.1.2 (Unreleased)**
 
 FEATURES:
-* Updated the docker base image alpine 3.7 [#PR313](https://github.com/gambol99/keycloak-proxy/pull/313)
-* Added the ability to control the timeout on the initial openid configuration from .well-known/openid-configuration [#PR315](https://github.com/gambol99/keycloak-proxy/pull/315)
-* Updated to Golang version 1.10 [#PR316](https://github.com/gambol99/keycloak-proxy/pull/316)
+* Added a --enable-default-deny option to make denial by default [#PR320](https://github.com/gambol99/keycloak-proxy/pull/320)
 * Added the X-Auth-Audience to the upstream headers [#PR319](https://github.com/gambol99/keycloak-proxy/pull/319)
+* Added the ability to control the timeout on the initial openid configuration from .well-known/openid-configuration [#PR315](https://github.com/gambol99/keycloak-proxy/pull/315)
 * Changed the upstream-keepalive to default to true [#PR321](https://github.com/gambol99/keycloak-proxy/pull/321)
+* Updated the docker base image alpine 3.7 [#PR313](https://github.com/gambol99/keycloak-proxy/pull/313)
+* Updated to Golang version 1.10 [#PR316](https://github.com/gambol99/keycloak-proxy/pull/316)
 
 #### **2.1.1**
 

doc.go

@@ -139,6 +139,8 @@ type Config struct {
 	// Headers permits adding customs headers across the board
 	Headers map[string]string `json:"headers" yaml:"headers" usage:"custom headers to the upstream request, key=value"`
 
+	// EnableDefaultDeny indicates we should deny by default all requests
+	EnableDefaultDeny bool `json:"enable-default-deny" yaml:"enable-default-deny" usage:"enables a default denial on all requests, you have to explicity say what is permitted (recommended)"`
 	// EnableEncryptedToken indicates the access token should be encoded
 	EnableEncryptedToken bool `json:"enable-encrypted-token" yaml:"enable-encrypted-token" usage:"enable encryption for the access tokens"`
 	// EnableLogging indicates if we should log all the requests

server.go

@@ -211,13 +211,27 @@ func (r *oauthProxy) createReverseProxy() error {
 		return err
 	}
 	// step: provision in the protected resources
+	enableDefaultDeny := r.config.EnableDefaultDeny
 	for _, x := range r.config.Resources {
 		if x.URL[len(x.URL)-1:] == "/" {
 			r.log.Warn("the resource url is not a prefix",
 				zap.String("resource", x.URL),
 				zap.String("change", x.URL),
 				zap.String("ammended", strings.TrimRight(x.URL, "/")))
 		}
+		if x.URL == "/*" && r.config.EnableDefaultDeny {
+			switch x.WhiteListed {
+			case true:
+				return errors.New("you've asked for a default denial but whitelisted everything")
+			default:
+				enableDefaultDeny = false
+			}
+		}
+	}
+
+	if enableDefaultDeny {
+		r.log.Info("adding a default denial into the protected resources")
+		r.config.Resources = append(r.config.Resources, &Resource{URL: "/*", Methods: allHTTPMethods})
 	}
 
 	for _, x := range r.config.Resources {

server_test.go

@@ -165,6 +165,31 @@ func TestAudienceHeader(t *testing.T) {
 	newFakeProxy(c).RunTests(t, requests)
 }
 
+func TestDefaultDenial(t *testing.T) {
+	config := newFakeKeycloakConfig()
+	config.EnableDefaultDeny = true
+	config.Resources = []*Resource{
+		{
+			URL:         "/public/*",
+			Methods:     allHTTPMethods,
+			WhiteListed: true,
+		},
+	}
+	requests := []fakeRequest{
+		{
+			URI:           "/public/allowed",
+			ExpectedProxy: true,
+			ExpectedCode:  http.StatusOK,
+		},
+		{
+			URI:          "/not_permited",
+			Redirects:    false,
+			ExpectedCode: http.StatusUnauthorized,
+		},
+	}
+	newFakeProxy(config).RunTests(t, requests)
+}
+
 func TestAuthorizationTemplate(t *testing.T) {
 	cfg := newFakeKeycloakConfig()
 	cfg.SignInPage = "templates/sign_in.html.tmpl"