Merge pull request #202 from bunkerity/authentik-pr200-fixes

fix(authentik): harden identity-header handling, docs, and tests

Author: TheophileDiot

.github/workflows/tests.yml

@@ -46,6 +46,9 @@ jobs:
         env:
           VIRUSTOTAL_API_KEY: ${{ secrets.VIRUSTOTAL_API_KEY }}
 
+      - name: Run Authentik tests
+        run: ./.tests/authentik.sh
+
       - name: Build and push APIs
         if: env.BW_TAG == '1.6.1'
         run: ./.tests/build-push.sh "${{ env.BW_TAG }}"

.tests/authentik.sh

@@ -0,0 +1,121 @@
+#!/bin/bash
+
+# shellcheck disable=SC1091
+. .tests/utils.sh
+
+echo "ℹ️ Starting Authentik tests ..."
+
+# Create working directory
+if [ -d /tmp/bunkerweb-plugins ] ; then
+	do_and_check_cmd sudo rm -rf /tmp/bunkerweb-plugins
+fi
+do_and_check_cmd mkdir -p /tmp/bunkerweb-plugins/authentik/bw-data/plugins
+do_and_check_cmd cp -r ./authentik /tmp/bunkerweb-plugins/authentik/bw-data/plugins
+do_and_check_cmd sudo chown -R 101:101 /tmp/bunkerweb-plugins/authentik/bw-data
+
+# Copy compose + mock outpost config
+do_and_check_cmd cp .tests/authentik/docker-compose.yml /tmp/bunkerweb-plugins/authentik
+do_and_check_cmd cp .tests/authentik/mock-outpost.conf /tmp/bunkerweb-plugins/authentik
+
+# Edit compose to use the locally built :tests images
+do_and_check_cmd sed -i "s@bunkerity/bunkerweb:.*\$@bunkerweb:tests@g" /tmp/bunkerweb-plugins/authentik/docker-compose.yml
+do_and_check_cmd sed -i "s@bunkerity/bunkerweb-scheduler:.*\$@bunkerweb-scheduler:tests@g" /tmp/bunkerweb-plugins/authentik/docker-compose.yml
+
+# Do the tests
+cd /tmp/bunkerweb-plugins/authentik || exit 1
+echo "ℹ️ Running compose ..."
+do_and_check_cmd docker compose up --build -d
+
+# Wait until the plugin is LIVE: while BunkerWeb is still applying config it serves a
+# 200 "Generating..." page and the plugin is inactive. An unauthenticated request only
+# becomes a 302 (gated) once config is applied -> use that as the readiness signal.
+echo "ℹ️ Waiting for BW (plugin live) ..."
+success="ko"
+retry=0
+while [ $retry -lt 120 ] ; do
+	code="$(curl -s -o /dev/null -w "%{http_code}" -H "Host: app.example.com" http://localhost 2>/dev/null)"
+	if [ "$code" = "302" ] ; then
+		success="ok"
+		break
+	fi
+	retry=$((retry + 1))
+	sleep 2
+done
+if [ "$success" = "ko" ] ; then
+	docker compose logs
+	docker compose down -v
+	echo "❌ Error: BunkerWeb / authentik plugin never became active"
+	exit 1
+fi
+
+fail=0
+
+# T1: unauthenticated -> 302 to the outpost sign-in
+echo "ℹ️ T1: unauthenticated request is redirected to the outpost ..."
+loc="$(curl -s -D - -o /dev/null -H "Host: app.example.com" http://localhost | tr -d '\r' | awk -F': ' 'tolower($1)=="location"{print $2}')"
+if echo "$loc" | grep -q "/outpost.goauthentik.io/start?rd=" ; then
+	echo "✔️ T1 ok ($loc)"
+else
+	echo "❌ T1 failed (Location: $loc)" ; fail=1
+fi
+
+# T2: authenticated -> 200 and identity header forwarded upstream (PASS=yes)
+echo "ℹ️ T2: authenticated request reaches upstream with identity header ..."
+body="$(curl -s -H "Host: app.example.com" -b "mock_session=valid" http://localhost)"
+if echo "$body" | grep -qi '"x-authentik-username": *"alice"' ; then
+	echo "✔️ T2 ok"
+else
+	echo "❌ T2 failed" ; fail=1
+fi
+
+# T3: spoofed X-authentik-* are stripped (security); only Authentik's values survive
+echo "ℹ️ T3: spoofed identity headers are stripped ..."
+body="$(curl -s -H "Host: app.example.com" -b "mock_session=valid" -H "X-authentik-username: hacker" -H "X-authentik-uid: 0" http://localhost)"
+if echo "$body" | grep -qi '"x-authentik-username": *"alice"' \
+	&& ! echo "$body" | grep -qi '"x-authentik-username": *"hacker"' \
+	&& ! echo "$body" | grep -qi '"x-authentik-uid"' ; then
+	echo "✔️ T3 ok (spoof stripped)"
+else
+	echo "❌ T3 failed (spoof not stripped)" ; fail=1
+fi
+
+# T4: PASS=no site strips spoofed identity headers and forwards none
+echo "ℹ️ T4: PASS=no site forwards no identity header ..."
+body="$(curl -s -H "Host: noheaders.example.com" -b "mock_session=valid" -H "X-authentik-username: hacker" http://localhost)"
+if ! echo "$body" | grep -qi "x-authentik-username" ; then
+	echo "✔️ T4 ok"
+else
+	echo "❌ T4 failed (identity header reached upstream)" ; fail=1
+fi
+
+# T5: outpost path is proxied (not gated)
+echo "ℹ️ T5: outpost path is proxied to the outpost ..."
+body="$(curl -s -H "Host: app.example.com" http://localhost/outpost.goauthentik.io/start)"
+if echo "$body" | grep -q "MOCK AUTHENTIK OUTPOST" ; then
+	echo "✔️ T5 ok"
+else
+	echo "❌ T5 failed" ; fail=1
+fi
+
+# T6: trailing-slash AUTHENTIK_URL still proxies the outpost (rstrip fix)
+echo "ℹ️ T6: trailing-slash AUTHENTIK_URL still proxies ..."
+body="$(curl -s -H "Host: noheaders.example.com" http://localhost/outpost.goauthentik.io/start)"
+if echo "$body" | grep -q "MOCK AUTHENTIK OUTPOST" ; then
+	echo "✔️ T6 ok"
+else
+	echo "❌ T6 failed (trailing-slash URL broke the outpost proxy)" ; fail=1
+fi
+
+if [ "$fail" -ne 0 ] ; then
+	docker compose logs
+	docker compose down -v
+	echo "❌ Authentik tests failed"
+	exit 1
+fi
+
+if [ "$1" = "verbose" ] ; then
+	docker compose logs
+fi
+
+docker compose down -v
+echo "✔️ Authentik tests succeeded"

.tests/authentik/docker-compose.yml

@@ -0,0 +1,85 @@
+version: "3"
+
+services:
+  bunkerweb:
+    image: bunkerity/bunkerweb:1.6.0
+    ports:
+      - 80:8080/tcp
+      - 443:8443/tcp
+      - 443:8443/udp
+    environment:
+      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
+    networks:
+      - bw-universe
+      - bw-services
+
+  bw-scheduler:
+    image: bunkerity/bunkerweb-scheduler:1.6.0
+    depends_on:
+      - bunkerweb
+    volumes:
+      - ./bw-data/plugins:/data/plugins
+    environment:
+      - BUNKERWEB_INSTANCES=bunkerweb
+      - MULTISITE=yes
+      - SERVER_NAME=app.example.com noheaders.example.com
+      - API_WHITELIST_IP=127.0.0.0/8 10.20.30.0/24
+      - LOG_LEVEL=info
+      - USE_BAD_BEHAVIOR=no
+      - USE_LIMIT_REQ=no
+      - USE_BUNKERNET=no
+      - USE_BLACKLIST=no
+      - USE_GREYLIST=no
+      - USE_WHITELIST=no
+      - USE_MODSECURITY=no
+      - USE_ANTIBOT=no
+      - SERVE_FILES=no
+      - DISABLE_DEFAULT_SERVER=yes
+      - AUTO_LETS_ENCRYPT=no
+      - USE_LETS_ENCRYPT=no
+      - REDIRECT_HTTP_TO_HTTPS=no
+      - AUTO_REDIRECT_HTTP_TO_HTTPS=no
+      # app.example.com : identity forwarding ON
+      - app.example.com_USE_REVERSE_PROXY=yes
+      - app.example.com_REVERSE_PROXY_HOST=http://echo:8080
+      - app.example.com_REVERSE_PROXY_URL=/
+      - app.example.com_USE_AUTHENTIK=yes
+      - app.example.com_AUTHENTIK_URL=http://mock-outpost:9000
+      - app.example.com_AUTHENTIK_SSL_VERIFY=no
+      - app.example.com_AUTHENTIK_PASS_IDENTITY_HEADERS=yes
+      # noheaders.example.com : forwarding OFF + TRAILING SLASH url (rstrip test)
+      - noheaders.example.com_USE_REVERSE_PROXY=yes
+      - noheaders.example.com_REVERSE_PROXY_HOST=http://echo:8080
+      - noheaders.example.com_REVERSE_PROXY_URL=/
+      - noheaders.example.com_USE_AUTHENTIK=yes
+      - noheaders.example.com_AUTHENTIK_URL=http://mock-outpost:9000/
+      - noheaders.example.com_AUTHENTIK_SSL_VERIFY=no
+      - noheaders.example.com_AUTHENTIK_PASS_IDENTITY_HEADERS=no
+    networks:
+      - bw-universe
+
+  # Mock authentik outpost: 200 + X-authentik-* when cookie mock_session=valid, else 401.
+  mock-outpost:
+    image: nginx:alpine
+    volumes:
+      - ./mock-outpost.conf:/etc/nginx/conf.d/default.conf:ro
+    networks:
+      - bw-services
+
+  # Echo upstream: reflects request headers as JSON so assertions can inspect them.
+  echo:
+    image: mendhak/http-https-echo:31
+    environment:
+      - HTTP_PORT=8080
+    networks:
+      - bw-services
+
+networks:
+  bw-universe:
+    name: bw-universe
+    ipam:
+      driver: default
+      config:
+        - subnet: 10.20.30.0/24
+  bw-services:
+    name: bw-services

.tests/authentik/mock-outpost.conf

@@ -0,0 +1,33 @@
+map $http_cookie $mock_authed {
+    default 0;
+    "~*mock_session=valid" 1;
+}
+
+server {
+    listen 9000;
+    server_name _;
+
+    # Authentik forward-auth decision endpoint:
+    # 200 (+ identity headers) when the session cookie is present, else 401.
+    location = /outpost.goauthentik.io/auth/nginx {
+        default_type text/plain;
+        add_header X-authentik-username "alice";
+        add_header X-authentik-email "alice@example.com";
+        add_header X-authentik-groups "admins";
+        if ($mock_authed = 0) {
+            return 401 "unauthorized";
+        }
+        return 200 "ok";
+    }
+
+    # Browser-facing outpost endpoints (start, callback, sign_out, ...).
+    location /outpost.goauthentik.io {
+        default_type text/plain;
+        return 200 "MOCK AUTHENTIK OUTPOST PATH";
+    }
+
+    location / {
+        default_type text/plain;
+        return 404 "not found";
+    }
+}