fix: decision API copies X-Forwarded-Method to incoming requests which breaks traefik forward auth for HEAD requests

[jrester]

Currently oathkeeper cannot handle HEAD requests from traefik Forward Auth middleware, because oathkeeper copies the forwarded method into the incoming request. With this fix HEAD requests now also work.

Related issue(s)

Currently when using the oathkeeper decision API together with traefik forward auth, HEAD requests cannot be handled currectly and will result in a timeout on the traefik side. This is because oathkeeper replaces the method of the incoming request with the method in the X-Forwarded-Method header and because HEAD requests must not contain a body it will not be written by go (https://github.com/golang/go/blob/9123221ccf3c80c741ead5b6f2e960573b1676b9/src/net/http/server.go#L377). But as traefik sends a GET requests for forward auth it expects a body back (https://github.com/traefik/traefik/blob/e54ee89330a800d509da7b11b46a6ecbb331e791/pkg/middlewares/auth/forward.go#L129), therefore traefik times out, as no body is sent by oathkeeper.

Reproduce

Although not the simplest setup, this is how I noticed this bug:

1. setup oathkeeper with any rule you want (e.g. allow everything)
2. setup the docker registry (https://github.com/distribution/distribution)
3. setup traefik to point to the docker registry with a forward auth middleware to oathkeeper
4. do a docker push with a image of your choice to the docker registry
5. the push should retry multiple times and than fail with a 500 internal Server error
6. the traefik logs should indicate timeout issues

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

For a more in depth writeup of the problem: thomseddon/traefik-forward-auth#156

[CLAassistant]

All committers have signed the CLA.

[codecov]

Codecov Report

Merging #1046 (39854cf) into master (b5d4d88) will decrease coverage by 0.57%.
Report is 1 commits behind head on master.
The diff coverage is 100.00%.

❗ Current head 39854cf differs from pull request most recent head 004b778. Consider uploading reports for the commit 004b778 to get more accurate results

@@            Coverage Diff             @@
##           master    #1046      +/-   ##
==========================================
- Coverage   78.16%   77.60%   -0.57%     
==========================================
  Files          80       79       -1     
  Lines        3898     4014     +116     
==========================================
+ Hits         3047     3115      +68     
- Misses        576      618      +42     
- Partials      275      281       +6     

Files	Coverage Δ
api/decision.go	95.55% <100.00%> (ø)

... and 2 files with indirect coverage changes

[aeneasr]

Awesome, thank you for your contribution! This looks pretty good and I have some ideas how to improve it further :)

[aeneasr]

We need to clone the request using r.Clone(). If we don't, information is missing that is needed in the decisions function:

• context is missing
• body is missing
• tls information is missing

[jrester]

Good point, I updated it

[jrester]

@aeneasr are there any more changes required or can this be merged?

[8th-block]

This is still an issue it seems. Any updates?!