From a500e1ca6728f8250f39d5a4592473573314d2b3 Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 31 Dec 2023 04:56:09 +0100
Subject: [PATCH] fix(oauth2-proxy): Fix insecure configuration due to use of
 trusted-ip config

The usage of the trusted-ip config resulted in a security incident that
allowed access to any oauth2-proxy protected endpoint without requiring
authentication.

Thankfully all significant endpoints had been protected by additional
measures such as network restrictions and are therefore not affected.
Only the prometheus and alertmanager endpoints were exposed to the public
internet; they do not expose sensitive data beyond metrics.

A check of the relevant logs didn't provide any indication of
compromise.
---
 shared/applications/oauth2-proxy.yaml | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/shared/applications/oauth2-proxy.yaml b/shared/applications/oauth2-proxy.yaml
index 41e0fac3d..76d1578d8 100644
--- a/shared/applications/oauth2-proxy.yaml
+++ b/shared/applications/oauth2-proxy.yaml
@@ -11,8 +11,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-09-26T18:18:37Z"
-    mac: ENC[AES256_GCM,data:qLhxndVI8PBGTFh8ClHJLA/6EyHRghne/pP+QSQRHVap8ZtCrtyNmp7qyJ5nsdhmbEdr+NRS6UR/WgouOqlV1N5FRdvVi47KrOMhya1awwO5djeDeeMjJ/ZQrZ/CFi1eIw7a7NQTUNlmzAUCN3Pk3PatzqY7jIOv1didFGipilU=,iv:7yL69niajWw5HrcISDhr6ZrXc+TBrzrvbOBGppWU0PE=,tag:qC8lQRyzrLXUclJrYo8S9w==,type:str]
+    lastmodified: "2023-12-31T03:55:59Z"
+    mac: ENC[AES256_GCM,data:OFMMZUW51e+Ql/6l7R7tnmhf7Bzec1UnYP1QIzm189eJqTeAI79XZgrAisuBgQ8ulyP3dHHxeOwPdoj8VPCwLa4hcDqiNtOHbKGd5DD2Z9YILOc2GmXWwBy86nNSyY8EvV3hYBHXCIxcM+CYbMVJkiCAK0X6sOJQtr4xDUUhClY=,iv:cTVO7JItFLWhdoM+IbHC5oOH7QFoFZ/YxTZd54VEsrQ=,tag:DTpeq4ozgyDgQU+2GYyEjQ==,type:str]
     pgp:
         - created_at: "2023-09-15T23:29:01Z"
           enc: |-
@@ -96,8 +96,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-09-26T18:18:37Z"
-    mac: ENC[AES256_GCM,data:qLhxndVI8PBGTFh8ClHJLA/6EyHRghne/pP+QSQRHVap8ZtCrtyNmp7qyJ5nsdhmbEdr+NRS6UR/WgouOqlV1N5FRdvVi47KrOMhya1awwO5djeDeeMjJ/ZQrZ/CFi1eIw7a7NQTUNlmzAUCN3Pk3PatzqY7jIOv1didFGipilU=,iv:7yL69niajWw5HrcISDhr6ZrXc+TBrzrvbOBGppWU0PE=,tag:qC8lQRyzrLXUclJrYo8S9w==,type:str]
+    lastmodified: "2023-12-31T03:55:59Z"
+    mac: ENC[AES256_GCM,data:OFMMZUW51e+Ql/6l7R7tnmhf7Bzec1UnYP1QIzm189eJqTeAI79XZgrAisuBgQ8ulyP3dHHxeOwPdoj8VPCwLa4hcDqiNtOHbKGd5DD2Z9YILOc2GmXWwBy86nNSyY8EvV3hYBHXCIxcM+CYbMVJkiCAK0X6sOJQtr4xDUUhClY=,iv:cTVO7JItFLWhdoM+IbHC5oOH7QFoFZ/YxTZd54VEsrQ=,tag:DTpeq4ozgyDgQU+2GYyEjQ==,type:str]
     pgp:
         - created_at: "2023-09-15T23:29:01Z"
           enc: |-
@@ -178,8 +178,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-09-26T18:18:37Z"
-    mac: ENC[AES256_GCM,data:qLhxndVI8PBGTFh8ClHJLA/6EyHRghne/pP+QSQRHVap8ZtCrtyNmp7qyJ5nsdhmbEdr+NRS6UR/WgouOqlV1N5FRdvVi47KrOMhya1awwO5djeDeeMjJ/ZQrZ/CFi1eIw7a7NQTUNlmzAUCN3Pk3PatzqY7jIOv1didFGipilU=,iv:7yL69niajWw5HrcISDhr6ZrXc+TBrzrvbOBGppWU0PE=,tag:qC8lQRyzrLXUclJrYo8S9w==,type:str]
+    lastmodified: "2023-12-31T03:55:59Z"
+    mac: ENC[AES256_GCM,data:OFMMZUW51e+Ql/6l7R7tnmhf7Bzec1UnYP1QIzm189eJqTeAI79XZgrAisuBgQ8ulyP3dHHxeOwPdoj8VPCwLa4hcDqiNtOHbKGd5DD2Z9YILOc2GmXWwBy86nNSyY8EvV3hYBHXCIxcM+CYbMVJkiCAK0X6sOJQtr4xDUUhClY=,iv:cTVO7JItFLWhdoM+IbHC5oOH7QFoFZ/YxTZd54VEsrQ=,tag:DTpeq4ozgyDgQU+2GYyEjQ==,type:str]
     pgp:
         - created_at: "2023-09-15T23:29:01Z"
           enc: |-
@@ -244,8 +244,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-09-26T18:18:37Z"
-    mac: ENC[AES256_GCM,data:qLhxndVI8PBGTFh8ClHJLA/6EyHRghne/pP+QSQRHVap8ZtCrtyNmp7qyJ5nsdhmbEdr+NRS6UR/WgouOqlV1N5FRdvVi47KrOMhya1awwO5djeDeeMjJ/ZQrZ/CFi1eIw7a7NQTUNlmzAUCN3Pk3PatzqY7jIOv1didFGipilU=,iv:7yL69niajWw5HrcISDhr6ZrXc+TBrzrvbOBGppWU0PE=,tag:qC8lQRyzrLXUclJrYo8S9w==,type:str]
+    lastmodified: "2023-12-31T03:55:59Z"
+    mac: ENC[AES256_GCM,data:OFMMZUW51e+Ql/6l7R7tnmhf7Bzec1UnYP1QIzm189eJqTeAI79XZgrAisuBgQ8ulyP3dHHxeOwPdoj8VPCwLa4hcDqiNtOHbKGd5DD2Z9YILOc2GmXWwBy86nNSyY8EvV3hYBHXCIxcM+CYbMVJkiCAK0X6sOJQtr4xDUUhClY=,iv:cTVO7JItFLWhdoM+IbHC5oOH7QFoFZ/YxTZd54VEsrQ=,tag:DTpeq4ozgyDgQU+2GYyEjQ==,type:str]
     pgp:
         - created_at: "2023-09-15T23:29:01Z"
           enc: |-
@@ -296,15 +296,15 @@ kind: Secret
 metadata:
     name: oauth2-proxy-common-values
 stringData:
-    values.yaml: ENC[AES256_GCM,data:bpiiUkh5QWryqinH+4t2wyyHJsLl1UCSBnkxVOYeOVzdFCtFDWGEpQlYZdg53Z4mOaIWqvsXk5/9wRu6y5UkZUFOctGTsXItHr1XbiEJCbk+43jP/0Lob9PCb5dz+DptEEOTm/HNxnDfRiPNANkgNgHvXWTTlRt6Rkj3XpU1T2Sd2uzQV34Mr5kolyr7MdbmTGInXm+CyXohxqaf/+0/ASEhDi9+ZL/nsLo=,iv:O+Ca0/Va2KyepY9yI9iL22o7IZ0N6g85hN72KfEjFQM=,tag:zvimNMmOpCrvCWV7dl6w8Q==,type:str]
+    values.yaml: ENC[AES256_GCM,data:YQPyi2k7CkutNLIUKN2Si1NMDddYVrpIF0fqNVZK68IjBdkjK+M0o5anT7EsrbJykQARKQbqbaKYh9/SLcZdc3fAQjm+oyKg0bsjYOhnoR2N3leK06ncWOuUb3GrIUAK7RRwjAAr484jvFRi7pngYPnRPedB/YDorgLUNay2bZ9Z1/3Hlv8KIWuPH9J2VM7NVQ==,iv:s/yy0jtFC8fanO6LsPyMlT/8oqp7xm92UjlQ/kjXs4I=,tag:xWajyyp4yhHWbByNdOLvvA==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-09-26T18:18:37Z"
-    mac: ENC[AES256_GCM,data:qLhxndVI8PBGTFh8ClHJLA/6EyHRghne/pP+QSQRHVap8ZtCrtyNmp7qyJ5nsdhmbEdr+NRS6UR/WgouOqlV1N5FRdvVi47KrOMhya1awwO5djeDeeMjJ/ZQrZ/CFi1eIw7a7NQTUNlmzAUCN3Pk3PatzqY7jIOv1didFGipilU=,iv:7yL69niajWw5HrcISDhr6ZrXc+TBrzrvbOBGppWU0PE=,tag:qC8lQRyzrLXUclJrYo8S9w==,type:str]
+    lastmodified: "2023-12-31T03:55:59Z"
+    mac: ENC[AES256_GCM,data:OFMMZUW51e+Ql/6l7R7tnmhf7Bzec1UnYP1QIzm189eJqTeAI79XZgrAisuBgQ8ulyP3dHHxeOwPdoj8VPCwLa4hcDqiNtOHbKGd5DD2Z9YILOc2GmXWwBy86nNSyY8EvV3hYBHXCIxcM+CYbMVJkiCAK0X6sOJQtr4xDUUhClY=,iv:cTVO7JItFLWhdoM+IbHC5oOH7QFoFZ/YxTZd54VEsrQ=,tag:DTpeq4ozgyDgQU+2GYyEjQ==,type:str]
     pgp:
         - created_at: "2023-09-15T23:29:01Z"
           enc: |-
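Review bot: The substantive change in this hunk, the `values.yaml` ciphertext on the `oauth2-proxy-common-values` Secret, is sops-encrypted, so neither the removal of the trusted-ip setting described in the commit message nor the presence of any replacement access rule can be verified from the diff. Because this is the remediation for an authentication-bypass incident, the commit message should state which option was dropped and what now gates the traffic that was previously trusted (for example whether the Prometheus and Alertmanager endpoints now require a login or sit behind an additional network restriction). Presumably the trusted range covered the ingress or an internal proxy hop so that every forwarded request looked trusted; if that is the case, it is worth recording that oauth2-proxy should only derive the client IP from forwarded headers when they arrive via a trusted hop, otherwise any future trusted-ip list is spoofable. The remaining mac/lastmodified rewrites are the expected side effect of re-encryption and need no review.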
-- 
GitLab