Skip to content

Implement OpenID token expressions evaluation#63

Open
ErmakovDmitriy wants to merge 34 commits intocriteo:masterfrom
ErmakovDmitriy:token-expressions
Open

Implement OpenID token expressions evaluation#63
ErmakovDmitriy wants to merge 34 commits intocriteo:masterfrom
ErmakovDmitriy:token-expressions

Conversation

@ErmakovDmitriy
Copy link
Contributor

@ErmakovDmitriy ErmakovDmitriy commented Aug 26, 2024

This PR implements an OpenID token expression evaluation.

The idea and the use-case is to be able to define different behavior in HAProxy based on OpenID token claims.

An example:

  • An OpenID token contains a field roles which is an array of admin, viewer, editor;
  • We want to allow access to /admin URL path only for people with admin role;

With this PR, it is possible to define in HAProxy:

acl host1.example.com hdr(host) -i host1.example.com
acl host1.example.com_admin_path path_beg -i /admin
acl host1.example.com-admin-allowed var(sess.auth.token_expression_in_roles_admin) -m bool

http-request send-spoe-group spoe-auth try-auth-all if host1.example.com
http-request set-var(req.oidc_token_expressions) str("in;roles;admin") if host1.example.com
http-request send-spoe-group spoe-auth try-auth-all if host1.example.com

use_backend haproxy-spoe-auth-error if host1.example.com oauth2_error
use_backend haproxy-spoe-auth-redirect if host1.example.com !oauth2_authenticated

http-request deny deny_status 403 if host1.example.com !host1.example.com-admin-allowed host1.example.com_admin_path oauth2_authenticated
use_backend host1.example.com-backend if host1.example.com host1.example.com-admin-allowed

mougams
mougams requested changes Jan 20, 2025
View reviewed changes
Copy link
Contributor

@mougams mougams left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the PR, a bit complex since this adds lots of things in the same PR - would have been nice if this could be split, but that's ok.

I've put few remarks, and the patch seems breaking.
Also, you might need to rebase, since I've merged some lib updates.

@ErmakovDmitriy
Copy link
Contributor Author

ErmakovDmitriy commented Feb 10, 2025

Hi mougams,

Thank you and sorry for such a complex PR.

I will try to fix what you requested and update this PR.

dependabot bot and others added 10 commits March 7, 2025 08:55
@dependabot
Bump github.com/tidwall/gjson from 1.17.3 to 1.18.0
6027311 
Bumps [github.com/tidwall/gjson](https://github.com/tidwall/gjson) from 1.17.3 to 1.18.0.
- [Commits](tidwall/gjson@v1.17.3...v1.18.0)

---
updated-dependencies:
- dependency-name: github.com/tidwall/gjson
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump golang.org/x/oauth2 from 0.22.0 to 0.25.0
b2be74c 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.22.0 to 0.25.0.
- [Commits](golang/oauth2@v0.22.0...v0.25.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/stretchr/testify from 1.9.0 to 1.10.0
8a5c422 
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.9.0...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@mougams
Bump go-ldap library to 3.4.9
cd0c2d1 
This implicitly bumps crypto lib which fixes a CVE.

https://github.com/go-ldap/ldap/releases/tag/v3.4.9
@dependabot
Bump github.com/coreos/go-oidc/v3 from 3.11.0 to 3.12.0
2596dfb 
Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.11.0 to 3.12.0.
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](coreos/go-oidc@v3.11.0...v3.12.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/go-ldap/ldap/v3 from 3.4.9 to 3.4.10
4b676db 
Bumps [github.com/go-ldap/ldap/v3](https://github.com/go-ldap/ldap) from 3.4.9 to 3.4.10.
- [Release notes](https://github.com/go-ldap/ldap/releases)
- [Commits](go-ldap/ldap@v3.4.9...v3.4.10)

---
updated-dependencies:
- dependency-name: github.com/go-ldap/ldap/v3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5
650aac4 
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.2 to 4.0.5.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](go-jose/go-jose@v4.0.2...v4.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@mougams
Bump go version to 1.23 + libraries to latest
2a8d29b
Keep function parameter types
62df1f4
Document breaking changes
8316827
mougams
mougams approved these changes Apr 25, 2025
View reviewed changes
Copy link
Contributor

@mougams mougams left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please rebase, and we should be good. Thx

dependabot bot and others added 6 commits August 20, 2025 14:04
@dependabot
Bump github.com/go-ldap/ldap/v3 from 3.4.10 to 3.4.11
1a38d92 
Bumps [github.com/go-ldap/ldap/v3](https://github.com/go-ldap/ldap) from 3.4.10 to 3.4.11.
- [Release notes](https://github.com/go-ldap/ldap/releases)
- [Commits](go-ldap/ldap@v3.4.10...v3.4.11)

---
updated-dependencies:
- dependency-name: github.com/go-ldap/ldap/v3
  dependency-version: 3.4.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/coreos/go-oidc/v3 from 3.12.0 to 3.14.1
955d40f 
Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.12.0 to 3.14.1.
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](coreos/go-oidc@v3.12.0...v3.14.1)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-version: 3.14.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump golang.org/x/oauth2 from 0.27.0 to 0.29.0
e179c98 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.27.0 to 0.29.0.
- [Commits](golang/oauth2@v0.27.0...v0.29.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-version: 0.29.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/spf13/viper from 1.19.0 to 1.20.1
f1333ac 
Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.19.0 to 1.20.1.
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](spf13/viper@v1.19.0...v1.20.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/viper
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/negasus/haproxy-spoe-go from 1.0.5 to 1.0.6
46cc86a 
Bumps [github.com/negasus/haproxy-spoe-go](https://github.com/negasus/haproxy-spoe-go) from 1.0.5 to 1.0.6.
- [Release notes](https://github.com/negasus/haproxy-spoe-go/releases)
- [Changelog](https://github.com/negasus/haproxy-spoe-go/blob/master/changelog.md)
- [Commits](negasus/haproxy-spoe-go@v1.0.5...v1.0.6)

---
updated-dependencies:
- dependency-name: github.com/negasus/haproxy-spoe-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@ErmakovDmitriy
Merge branch 'master' into token-expressions
841a663
@mougams
Copy link
Contributor

mougams commented Aug 21, 2025

Hi @ErmakovDmitriy, thanks for the rebase and update. It looks like some tests are failing.
Could you please fix those ? Thx

@ErmakovDmitriy
Copy link
Contributor Author

ErmakovDmitriy commented Sep 8, 2025

I will debug, thank you for running the test.

dependabot bot and others added 7 commits September 27, 2025 16:32
@dependabot
Bump golang.org/x/oauth2 from 0.22.0 to 0.25.0
fdfedc5 
Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.22.0 to 0.25.0.
- [Commits](golang/oauth2@v0.22.0...v0.25.0)

---
updated-dependencies:
- dependency-name: golang.org/x/oauth2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/stretchr/testify from 1.9.0 to 1.10.0
54aac75 
Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.9.0 to 1.10.0.
- [Release notes](https://github.com/stretchr/testify/releases)
- [Commits](stretchr/testify@v1.9.0...v1.10.0)

---
updated-dependencies:
- dependency-name: github.com/stretchr/testify
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@mougams
Bump go-ldap library to 3.4.9
25d0375 
This implicitly bumps crypto lib which fixes a CVE.

https://github.com/go-ldap/ldap/releases/tag/v3.4.9
@dependabot
Bump github.com/coreos/go-oidc/v3 from 3.11.0 to 3.12.0
bb93af3 
Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.11.0 to 3.12.0.
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](coreos/go-oidc@v3.11.0...v3.12.0)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/go-ldap/ldap/v3 from 3.4.9 to 3.4.10
9d4f1dd 
Bumps [github.com/go-ldap/ldap/v3](https://github.com/go-ldap/ldap) from 3.4.9 to 3.4.10.
- [Release notes](https://github.com/go-ldap/ldap/releases)
- [Commits](go-ldap/ldap@v3.4.9...v3.4.10)

---
updated-dependencies:
- dependency-name: github.com/go-ldap/ldap/v3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/go-jose/go-jose/v4 from 4.0.2 to 4.0.5
6155a19 
Bumps [github.com/go-jose/go-jose/v4](https://github.com/go-jose/go-jose) from 4.0.2 to 4.0.5.
- [Release notes](https://github.com/go-jose/go-jose/releases)
- [Changelog](https://github.com/go-jose/go-jose/blob/main/CHANGELOG.md)
- [Commits](go-jose/go-jose@v4.0.2...v4.0.5)

---
updated-dependencies:
- dependency-name: github.com/go-jose/go-jose/v4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
@mougams
Bump go version to 1.23 + libraries to latest
3eaf820
dependabot bot and others added 8 commits September 27, 2025 16:32
@dependabot
Bump github.com/go-ldap/ldap/v3 from 3.4.10 to 3.4.11
f9fb8be 
Bumps [github.com/go-ldap/ldap/v3](https://github.com/go-ldap/ldap) from 3.4.10 to 3.4.11.
- [Release notes](https://github.com/go-ldap/ldap/releases)
- [Commits](go-ldap/ldap@v3.4.10...v3.4.11)

---
updated-dependencies:
- dependency-name: github.com/go-ldap/ldap/v3
  dependency-version: 3.4.11
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/coreos/go-oidc/v3 from 3.12.0 to 3.14.1
3e84b0e 
Bumps [github.com/coreos/go-oidc/v3](https://github.com/coreos/go-oidc) from 3.12.0 to 3.14.1.
- [Release notes](https://github.com/coreos/go-oidc/releases)
- [Commits](coreos/go-oidc@v3.12.0...v3.14.1)

---
updated-dependencies:
- dependency-name: github.com/coreos/go-oidc/v3
  dependency-version: 3.14.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/spf13/viper from 1.19.0 to 1.20.1
f3dcac2 
Bumps [github.com/spf13/viper](https://github.com/spf13/viper) from 1.19.0 to 1.20.1.
- [Release notes](https://github.com/spf13/viper/releases)
- [Commits](spf13/viper@v1.19.0...v1.20.1)

---
updated-dependencies:
- dependency-name: github.com/spf13/viper
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot
Bump github.com/negasus/haproxy-spoe-go from 1.0.5 to 1.0.6
5b1e11e 
Bumps [github.com/negasus/haproxy-spoe-go](https://github.com/negasus/haproxy-spoe-go) from 1.0.5 to 1.0.6.
- [Release notes](https://github.com/negasus/haproxy-spoe-go/releases)
- [Changelog](https://github.com/negasus/haproxy-spoe-go/blob/master/changelog.md)
- [Commits](negasus/haproxy-spoe-go@v1.0.5...v1.0.6)

---
updated-dependencies:
- dependency-name: github.com/negasus/haproxy-spoe-go
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
Fix nil pointer dereference if OpenID Connect client secret is not de…
2854269 
…fined
Update go delve
75b6ecb
Cleanup go.mod
4aad381
Return correct Unauthorized if OpenID connect module cannot match a c…
e7913ba 
…lient request with its configured domains
@ErmakovDmitriy
Copy link
Contributor Author

ErmakovDmitriy commented Sep 27, 2025

I think that the issue was with a nil pointer dereference (2854269).

It looks like a pipeline in my fork passes the tests: https://github.com/ErmakovDmitriy/haproxy-spoe-auth/actions/runs/18061087756/job/51397418895
although the "cleanup" part does not finish for some reason. It might be something with my repository or Github actions configuration (I am not very familiar with them).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mougams mougams mougams approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ErmakovDmitriy @mougams