pass and preserve a path parameter during the app authentication (#13832

) * pass and preserve a path parameter during the app access authentication process * added missing semicolons * more javascript formatting * removed incorrect path redirect. replace URL with URL.Path * added a test for HasName * added another test for default path * ensure path param is valid path * build url without string concat
gravitational · Jul 1, 2022 · 4280f81 · 4280f81
1 parent c0cd120
commit 4280f81
Show file tree

Hide file tree

Showing 5 changed files with 63 additions and 5 deletions.
diff --git a/lib/web/app/fragment.go b/lib/web/app/fragment.go
@@ -57,6 +57,7 @@ func (h *Handler) handleFragment(w http.ResponseWriter, r *http.Request, p httpr
 				clusterName: q.Get("cluster"),
 				publicAddr:  q.Get("addr"),
 				awsRole:     q.Get("awsrole"),
+				path:        q.Get("path"),
 				stateToken:  stateToken,
 			}
 			return h.redirectToLauncher(w, r, urlParams)

diff --git a/lib/web/app/handler.go b/lib/web/app/handler.go
@@ -337,7 +337,7 @@ func HasName(r *http.Request, proxyPublicAddrs []utils.NetAddr) (string, bool) {
 	u := url.URL{
 		Scheme: "https",
 		Host:   proxyPublicAddrs[0].String(),
-		Path:   fmt.Sprintf("/web/launch/%v", raddr.Host()),
+		Path:   fmt.Sprintf("/web/launch/%v?path=%v", raddr.Host(), r.URL.Path),
 	}
 	return u.String(), true
 }

diff --git a/lib/web/app/handler_test.go b/lib/web/app/handler_test.go
@@ -103,6 +103,49 @@ func TestAuthPOST(t *testing.T) {
 	}
 }
 
+func TestHasName(t *testing.T) {
+	for _, test := range []struct {
+		desc        string
+		addrs       []string
+		reqHost     string
+		reqURL      string
+		expectedURL string
+		hasName     bool
+	}{
+		{
+			desc:        "NOK - invalid host",
+			addrs:       []string{"proxy.com"},
+			reqURL:      "badurl.com",
+			expectedURL: "",
+			hasName:     false,
+		},
+		{
+			desc:        "OK - adds path",
+			addrs:       []string{"proxy.com"},
+			reqURL:      "https://app1.proxy.com/foo",
+			expectedURL: "https://proxy.com/web/launch/app1.proxy.com%3Fpath=/foo",
+			hasName:     true,
+		},
+		{
+			desc:        "OK - adds root path",
+			addrs:       []string{"proxy.com"},
+			reqURL:      "https://app1.proxy.com/",
+			expectedURL: "https://proxy.com/web/launch/app1.proxy.com%3Fpath=/",
+			hasName:     true,
+		},
+	} {
+		t.Run(test.desc, func(t *testing.T) {
+			req, err := http.NewRequest(http.MethodGet, test.reqURL, nil)
+			require.NoError(t, err)
+
+			addrs := utils.MustParseAddrList(test.addrs...)
+			u, ok := HasName(req, addrs)
+			require.Equal(t, test.expectedURL, u)
+			require.Equal(t, test.hasName, ok)
+		})
+	}
+}
+
 func TestMatchApplicationServers(t *testing.T) {
 	clusterName := "test-cluster"
 	publicAddr := "app.example.com"

diff --git a/lib/web/app/middleware.go b/lib/web/app/middleware.go
@@ -90,6 +90,9 @@ func (h *Handler) redirectToLauncher(w http.ResponseWriter, r *http.Request, p l
 	if p.awsRole != "" {
 		urlQuery.Add("awsrole", p.awsRole)
 	}
+	if p.path != "" {
+		urlQuery.Add("path", p.path)
+	}
 
 	u := url.URL{
 		Scheme:   "https",
@@ -106,6 +109,7 @@ type launcherURLParams struct {
 	publicAddr  string
 	stateToken  string
 	awsRole     string
+	path        string
 }
 
 // makeRouterHandler creates a httprouter.Handle.

diff --git a/lib/web/app/redirect.go b/lib/web/app/redirect.go
@@ -51,16 +51,20 @@ const js = `
     <title>Teleport Redirection Service</title>
     <script nonce="%v">
       (function() {
+        var url = new URL(window.location);
+        var params = new URLSearchParams(url.search);
         var searchParts = window.location.search.split('=');
-        if (searchParts.length !== 2 || searchParts[0] !== '?state') {
+        var stateValue = params.get("state");
+        var path = params.get("path");
+        if (!stateValue) {
           return;
         }
         var hashParts = window.location.hash.split('=');
         if (hashParts.length !== 2 || hashParts[0] !== '#value') {
           return;
         }
         const data = {
-          state_value: searchParts[1],
+          state_value: stateValue,
           cookie_value: hashParts[1],
         };
         fetch('/x-teleport-auth', {
@@ -73,8 +77,14 @@ const js = `
           body: JSON.stringify(data),
         }).then(response => {
           if (response.ok) {
-            // redirect to the root and remove current URL from history (back button)
-            window.location.replace('/');
+            try {
+              var redirectUrl = new URL(path, url.origin)
+              window.location.replace(redirectUrl.toString());
+            } catch (error) {
+                // in case of malformed url, return to origin
+                window.location.replace(url.origin)
+            }
+            // redirect to the target path and remove current URL from history (back button)
           }
         });
       })();