From c2d0ca6905bb2079dfad5b1bf0b575c6097a9e9f Mon Sep 17 00:00:00 2001
From: Marco Pracucci
Date: Fri, 22 Apr 2022 09:58:17 +0200
Subject: [PATCH] Do not allow to set OAuth2 proxy_url

Signed-off-by: Marco Pracucci
---
 pkg/alertmanager/api.go | 3 +++
 pkg/alertmanager/api_test.go | 39 ++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+)
diff --git a/pkg/alertmanager/api.go b/pkg/alertmanager/api.go
index 510344b30f..95cc98a254 100644
--- a/pkg/alertmanager/api.go
+++ b/pkg/alertmanager/api.go
@@ -428,6 +428,9 @@ func validateReceiverHTTPConfig(cfg commoncfg.HTTPClientConfig) error {
 if cfg.OAuth2 != nil && cfg.OAuth2.ClientSecretFile != "" {
 return errOAuth2SecretFileNotAllowed
 }
+ if cfg.OAuth2 != nil && cfg.OAuth2.ProxyURL.URL != nil {
+ return errProxyURLNotAllowed
+ }
 return validateReceiverTLSConfig(cfg.TLSConfig)
 }
diff --git a/pkg/alertmanager/api_test.go b/pkg/alertmanager/api_test.go
index ab5e054588..44a3704e4c 100644
--- a/pkg/alertmanager/api_test.go
+++ b/pkg/alertmanager/api_test.go
@@ -306,6 +306,25 @@ alertmanager_config: |
 `,
 err: errors.Wrap(errOAuth2SecretFileNotAllowed, "error validating Alertmanager config"),
 },
+ {
+ name: "Should return error if global OAuth2 proxy_url is set",
+ cfg: `
+alertmanager_config: |
+ global:
+ http_config:
+ oauth2:
+ client_id: test
+ client_secret: xxx
+ token_url: http://example.com
+ proxy_url: http://example.com
+
+ route:
+ receiver: 'default-receiver'
+ receivers:
+ - name: default-receiver
+`,
+ err: errors.Wrap(errProxyURLNotAllowed, "error validating Alertmanager config"),
+ },
 {
 name: "Should return error if global OAuth2 TLS key_file is set",
 cfg: `
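Review bot: The new OAuth2 check in validateReceiverHTTPConfig has no comment saying why `proxy_url` is refused, and the function remains a field-by-field deny-list. I would add `// Tenant-supplied config must not choose the proxy that OAuth2 token requests are sent through.` above the added `if`, and fold it and the preceding `cfg.OAuth2 != nil` guard into a single `if cfg.OAuth2 != nil { ... }` block. Because each forbidden field is listed by hand, any proxy- or file-related field that a later bump of the commoncfg dependency adds to the OAuth2 struct would presumably be accepted until someone adds a matching check. A test that enumerates the struct's fields and fails on unreviewed ones would catch that. The function starts outside this hunk, so earlier checks are not visible here.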
@@ -395,6 +414,26 @@ alertmanager_config: |
 `,
 err: errors.Wrap(errOAuth2SecretFileNotAllowed, "error validating Alertmanager config"),
 },
+ {
+ name: "Should return error if receiver's OAuth2 proxy_url is set",
+ cfg: `
+alertmanager_config: |
+ receivers:
+ - name: default-receiver
+ webhook_configs:
+ - url: http://localhost
+ http_config:
+ oauth2:
+ client_id: test
+ token_url: http://example.com
+ client_secret: xxx
+ proxy_url: http://localhost
+
+ route:
+ receiver: 'default-receiver'
+`,
+ err: errors.Wrap(errProxyURLNotAllowed, "error validating Alertmanager config"),
+ },
 {
 name: "Should return error if receiver's HTTP proxy_url is set",
 cfg: `