eriknelson · October 29, 2021 19:37
diff --git a/fix.diff b/fix.diff
 diff --git a/deploy/main.js b/deploy/main.js
 index 1473652..5867dcb 100644
 --- a/deploy/main.js
 +++ b/deploy/main.js
 @@ -6,6 +6,10 @@ const HttpsProxyAgent = require('https-proxy-agent');
 const { AuthorizationCode } = require('simple-oauth2');
 const { createProxyMiddleware } = require('http-proxy-middleware');
 const axios = require('axios');
 +const { URL } = require('url');
 +const ipRangeCheck = require('ip-range-check');
 +const isIp = require('is-ip');
 +const isCidr = require('is-cidr');
 
 let cachedOAuthMeta = null;
 
 @@ -123,10 +127,9 @@ app.get('/login/callback', async (req, res, next) => {
   };
   try {
     const clusterAuth = await getClusterAuth();
 -
     const proxyString = process.env['HTTPS_PROXY'] || process.env['HTTP_PROXY'];
     let httpOptions = {};
 -    if (proxyString) {
 +    if (proxyString && !tokenEndpointMatchesNoProxy(cachedOAuthMeta?.token_endpoint)) {
       httpOptions = {
         agent: new HttpsProxyAgent(proxyString),
       };
 @@ -186,3 +189,45 @@ const getClusterAuth = async () => {
     },
   });
 };
 +
 +const noProxyPatterns = (process.env.no_proxy || process.env.NO_PROXY || '')
 +  .split(',')
 +  .map((pattern) => pattern.trim())
 +  .filter((pattern) => !!pattern);
 +
 +function tokenEndpointMatchesNoProxy(url) {
 +  const { hostname } = parseUrl(url);
 +  if (!hostname) {
 +    return false;
 +  }
 +  const doesNoProxyMatch = noProxyPatterns.some((pattern) => {
 +    // Check if the no proxy pattern is a CIDR. If it is, and the host of the
 +    // token endpoint is an ip address, then we need to check to see if the
 +    // ip address lies within the pattern's CIDR rage
 +    const patternIsCidr = isCidr(pattern);
 +    const hostIsIp = isIp(host);
 +    const mustCheckRange = patternIsCidr && hostIsIp;
 +
 +    if mustCheckRange {
 +      return ipRangeCheck(host, pattern)
 +    }
 +
 +    // We aren't dealing with an IP range, so we can just check to see if the
 +    // hostname of the token endpoint is concretely specified in the NO_PROXY
 +    // pattern list. This should cover all three non-CIDR potential values:
 +    // * Domain names: "oauth-server.apps.mycorp.com"
 +    // * Domains: ".apps.mycorp.com"
 +    // * Concrete IP addresses: 192.168.1.2
 +    return hostname.endsWith(pattern)
 +  });
 +
 +  return doesNoProxyMatch;
 +}
 +
 +function parseUrl(value) {
 +  try {
 +    return new URL(value);
 +  } catch (err) {
 +    return new URL('');
 +  }
 +}
 diff --git a/package.json b/package.json
 index 3d28e2f..3b62086 100644
 --- a/package.json
 +++ b/package.json
 @@ -97,6 +97,9 @@
     "formik": "^2.1.4",
     "history": "^4.9.0",
     "http-proxy-middleware": "^2.0.0",
 +    "ip-range-check": "^0.2.0",
 +    "is-cidr": "^4.0.2",
 +    "is-ip": "^3.1.0",
     "jszip": "^3.6.0",
     "lodash": "^4.17.21",
     "process": "^0.11.10",
 @@ -117,6 +120,7 @@
     "simple-oauth2": "^4.1.0",
     "stream": "^0.0.2",
     "tree-crawl": "^1.0.5",
 +    "url": "^0.11.0",
     "uuid": "^3.3.2"
   }
 }
	diff --git a/deploy/main.js b/deploy/main.js
	index 1473652..5867dcb 100644
	--- a/deploy/main.js
	+++ b/deploy/main.js
	@@ -6,6 +6,10 @@ const HttpsProxyAgent = require('https-proxy-agent');
	const { AuthorizationCode } = require('simple-oauth2');
	const { createProxyMiddleware } = require('http-proxy-middleware');
	const axios = require('axios');
	+const { URL } = require('url');
	+const ipRangeCheck = require('ip-range-check');
	+const isIp = require('is-ip');
	+const isCidr = require('is-cidr');

	let cachedOAuthMeta = null;

	@@ -123,10 +127,9 @@ app.get('/login/callback', async (req, res, next) => {
	};
	try {
	const clusterAuth = await getClusterAuth();
	-
	const proxyString = process.env['HTTPS_PROXY'] \|\| process.env['HTTP_PROXY'];
	let httpOptions = {};
	- if (proxyString) {
	+ if (proxyString && !tokenEndpointMatchesNoProxy(cachedOAuthMeta?.token_endpoint)) {
	httpOptions = {
	agent: new HttpsProxyAgent(proxyString),
	};
	@@ -186,3 +189,45 @@ const getClusterAuth = async () => {
	},
	});
	};
	+
	+const noProxyPatterns = (process.env.no_proxy \|\| process.env.NO_PROXY \|\| '')
	+ .split(',')
	+ .map((pattern) => pattern.trim())
	+ .filter((pattern) => !!pattern);
	+
	+function tokenEndpointMatchesNoProxy(url) {
	+ const { hostname } = parseUrl(url);
	+ if (!hostname) {
	+ return false;
	+ }
	+ const doesNoProxyMatch = noProxyPatterns.some((pattern) => {
	+ // Check if the no proxy pattern is a CIDR. If it is, and the host of the
	+ // token endpoint is an ip address, then we need to check to see if the
	+ // ip address lies within the pattern's CIDR rage
	+ const patternIsCidr = isCidr(pattern);
	+ const hostIsIp = isIp(host);
	+ const mustCheckRange = patternIsCidr && hostIsIp;
	+
	+ if mustCheckRange {
	+ return ipRangeCheck(host, pattern)
	+ }
	+
	+ // We aren't dealing with an IP range, so we can just check to see if the
	+ // hostname of the token endpoint is concretely specified in the NO_PROXY
	+ // pattern list. This should cover all three non-CIDR potential values:
	+ // * Domain names: "oauth-server.apps.mycorp.com"
	+ // * Domains: ".apps.mycorp.com"
	+ // * Concrete IP addresses: 192.168.1.2
	+ return hostname.endsWith(pattern)
	+ });
	+
	+ return doesNoProxyMatch;
	+}
	+
	+function parseUrl(value) {
	+ try {
	+ return new URL(value);
	+ } catch (err) {
	+ return new URL('');
	+ }
	+}
	diff --git a/package.json b/package.json
	index 3d28e2f..3b62086 100644
	--- a/package.json
	+++ b/package.json
	@@ -97,6 +97,9 @@
	"formik": "^2.1.4",
	"history": "^4.9.0",
	"http-proxy-middleware": "^2.0.0",
	+ "ip-range-check": "^0.2.0",
	+ "is-cidr": "^4.0.2",
	+ "is-ip": "^3.1.0",
	"jszip": "^3.6.0",
	"lodash": "^4.17.21",
	"process": "^0.11.10",
	@@ -117,6 +120,7 @@
	"simple-oauth2": "^4.1.0",
	"stream": "^0.0.2",
	"tree-crawl": "^1.0.5",
	+ "url": "^0.11.0",
	"uuid": "^3.3.2"
	}
	}