oauth2_proxy/main.go

package main

import (
	"flag"
	"fmt"
	"log"
	"os"
	"runtime"
	"strings"
	"time"

	"github.com/BurntSushi/toml"
	"github.com/mreiferson/go-options"
)

func main() {
	log.SetFlags(log.Ldate | log.Ltime | log.Lshortfile)
	flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError)

	emailDomains := StringArray{}
	whitelistDomains := StringArray{}
	upstreams := StringArray{}
	skipAuthRegex := StringArray{}
	googleGroups := StringArray{}

	config := flagSet.String("config", "", "path to config file")
	showVersion := flagSet.Bool("version", false, "print version string")

	flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")
	flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients")
	flagSet.String("tls-cert", "", "path to certificate file")
	flagSet.String("tls-key", "", "path to private key file")
	flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
	flagSet.Bool("set-xauthrequest", false, "set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)")
	flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path")
	flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
	flagSet.Bool("pass-user-headers", true, "pass X-Forwarded-User and X-Forwarded-Email information to upstream")
	flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
	flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
	flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
	flagSet.Bool("pass-authorization-header", false, "pass the Authorization Header to upstream")
	flagSet.Bool("set-authorization-header", false, "set Authorization response headers (useful in Nginx auth_request mode)")
	flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")
	flagSet.Bool("skip-provider-button", false, "will skip sign-in-page to directly reach the next step: oauth/start")
	flagSet.Bool("skip-auth-preflight", false, "will skip authentication for OPTIONS requests")
	flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")
	flagSet.Duration("flush-interval", time.Duration(1)*time.Second, "period between response flushing when streaming responses")

	flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
	flagSet.Var(&whitelistDomains, "whitelist-domain", "allowed domains for redirection after authentication. Prefix domain with a . to allow subdomains (eg .example.com)")
	flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
	flagSet.String("github-org", "", "restrict logins to members of this organisation")
	flagSet.String("github-team", "", "restrict logins to members of this team")
	flagSet.Var(&googleGroups, "google-group", "restrict logins to members of this google group (may be given multiple times).")
	flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls")
	flagSet.String("google-service-account-json", "", "the path to the service account json credentials")
	flagSet.String("client-id", "", "the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")
	flagSet.String("client-secret", "", "the OAuth Client Secret")
	flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
	flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption or \"htpasswd -B\" for bcrypt encryption")
	flagSet.Bool("display-htpasswd-form", true, "display username / password login form if an htpasswd file is provided")
	flagSet.String("custom-templates-dir", "", "path to custom html templates")
	flagSet.String("footer", "", "custom footer string. Use \"-\" to disable default footer.")
	flagSet.String("proxy-prefix", "/oauth2", "the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)")

	flagSet.String("cookie-name", "_oauth2_proxy", "the name of the cookie that the oauth_proxy creates")
	flagSet.String("cookie-secret", "", "the seed string for secure cookies (optionally base64 encoded)")
	flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
	flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
	flagSet.Duration("cookie-refresh", time.Duration(0), "refresh the cookie after this duration; 0 to disable")
	flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
	flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")

	flagSet.Bool("request-logging", true, "Log requests to stdout")
	flagSet.String("request-logging-format", defaultRequestLoggingFormat, "Template for log lines")

	flagSet.String("provider", "google", "OAuth provider")
	flagSet.String("oidc-issuer-url", "", "OpenID Connect issuer URL (ie: https://accounts.google.com)")
	flagSet.Bool("skip-oidc-discovery", false, "Skip OIDC discovery and use manually supplied Endpoints")
	flagSet.String("oidc-jwks-url", "", "OpenID Connect JWKS URL (ie: https://www.googleapis.com/oauth2/v3/certs)")
	flagSet.String("login-url", "", "Authentication endpoint")
	flagSet.String("redeem-url", "", "Token redemption endpoint")
	flagSet.String("profile-url", "", "Profile access endpoint")
	flagSet.String("resource", "", "The resource that is protected (Azure AD only)")
	flagSet.String("validate-url", "", "Access token validation endpoint")
	flagSet.String("scope", "", "OAuth scope specification")
	flagSet.String("approval-prompt", "force", "OAuth approval_prompt")

	flagSet.String("signature-key", "", "GAP-Signature request signature key (algorithm:secretkey)")

	flagSet.Parse(os.Args[1:])

	if *showVersion {
		fmt.Printf("oauth2_proxy %s (built with %s)\n", VERSION, runtime.Version())
		return
	}

	opts := NewOptions()

	cfg := make(EnvOptions)
	if *config != "" {
		_, err := toml.DecodeFile(*config, &cfg)
		if err != nil {
			log.Fatalf("ERROR: failed to load config file %s - %s", *config, err)
		}
	}
	cfg.LoadEnvForStruct(opts)
	options.Resolve(opts, flagSet, cfg)

	err := opts.Validate()
	if err != nil {
		log.Printf("%s", err)
		os.Exit(1)
	}
	validator := NewValidator(opts.EmailDomains, opts.AuthenticatedEmailsFile)
	oauthproxy := NewOAuthProxy(opts, validator)

	if len(opts.EmailDomains) != 0 && opts.AuthenticatedEmailsFile == "" {
		if len(opts.EmailDomains) > 1 {
			oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using one of the following domains: %v", strings.Join(opts.EmailDomains, ", "))
		} else if opts.EmailDomains[0] != "*" {
			oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using %v", opts.EmailDomains[0])
		}
	}

	if opts.HtpasswdFile != "" {
		log.Printf("using htpasswd file %s", opts.HtpasswdFile)
		oauthproxy.HtpasswdFile, err = NewHtpasswdFromFile(opts.HtpasswdFile)
		oauthproxy.DisplayHtpasswdForm = opts.DisplayHtpasswdForm
		if err != nil {
			log.Fatalf("FATAL: unable to open %s %s", opts.HtpasswdFile, err)
		}
	}

	s := &Server{
		Handler: LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging, opts.RequestLoggingFormat),
		Opts:    opts,
	}
	s.ListenAndServe()
}
initial code import 2012-12-11 01:59:23 +00:00			`package main`

			`import (`
			`"flag"`
testing 2012-12-17 18:38:33 +00:00			`"fmt"`
initial code import 2012-12-11 01:59:23 +00:00			`"log"`
update to new scopes 2014-08-07 20:16:39 +00:00			`"os"`
show Go version 2015-03-20 03:03:00 +00:00			`"runtime"`
initial code import 2012-12-11 01:59:23 +00:00			`"strings"`
always set httponly (there is no good reason not to); simplify httponly and expire flags 2014-11-08 18:26:55 +00:00			`"time"`
initial code import 2012-12-11 01:59:23 +00:00
Add config file support 2014-11-09 19:51:10 +00:00			`"github.com/BurntSushi/toml"`
			`"github.com/mreiferson/go-options"`
initial code import 2012-12-11 01:59:23 +00:00			`)`

			`func main() {`
Github provider 2015-05-21 03:23:48 +00:00			`log.SetFlags(log.Ldate \| log.Ltime \| log.Lshortfile)`
Project Rename -> oauth2_proxy 2015-05-21 06:50:21 +00:00			`flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError)`
Add config file support 2014-11-09 19:51:10 +00:00
disable email validation; rename email-domain argument This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers 2015-06-06 18:37:54 +00:00			`emailDomains := StringArray{}`
Add whitelist domains flag 2017-09-29 15:55:50 +00:00			`whitelistDomains := StringArray{}`
Add config file support 2014-11-09 19:51:10 +00:00			`upstreams := StringArray{}`
Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00			`skipAuthRegex := StringArray{}`
google: Support restricting access to a specific group(s) 2015-08-20 10:07:02 +00:00			`googleGroups := StringArray{}`
Add config file support 2014-11-09 19:51:10 +00:00
			`config := flagSet.String("config", "", "path to config file")`
			`showVersion := flagSet.Bool("version", false, "print version string")`

Added scheme parsing to http-address param Can now listen for HTTP clients on unix sockets (and any other Go-supported stream oriented network - see golang.org/pkg/net/#Listen). Default behaviour is unchanged, any http-address without a scheme is given the default of tcp. Amended the README so that the usage output is up to date. 2015-02-11 01:07:40 +00:00			`flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")`
support TLS directly 2015-06-08 01:51:47 +00:00			`flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients")`
			`flagSet.String("tls-cert", "", "path to certificate file")`
			`flagSet.String("tls-key", "", "path to private key file")`
Add config file support 2014-11-09 19:51:10 +00:00			`flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")`
add --set-xauthrequest flag for use in Nginx auth_request mode This is enhancement of #173 to use "Auth Request" consistently in the command-line option, configuration file and response headers. It always sets the X-Auth-Request-User response header and if the email is available, sets X-Auth-Request-Email as well. 2016-10-20 12:19:59 +00:00			`flagSet.Bool("set-xauthrequest", false, "set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)")`
Add support for serving static files from a directory The path should be provided as a file:// url with the full operating system path. An alias to where the directory is available as can be specified by appending a fragment (ie. "#/static/") at the end of the URL. 2015-09-23 20:00:36 +00:00			`flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path")`
Add config file support 2014-11-09 19:51:10 +00:00			`flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")`
Allow to pass user headers only (issue #205) * This fixes https://github.com/bitly/oauth2_proxy/issues/205 * Add new boolean option -pass-user-headers to control whether X-Forwarded-User and X-Forwarded-Email headers will be set (as opposed to HTTP BASIC auth) * This is required e.g. for grafana [1] where X-Forwarded-User is needed but HTTP BASIC auth fails (password is not known and must not be known in this scenario) * Keep behaviour of PassBasicAuth unchanged for compatibility [1] http://docs.grafana.org/installation/configuration/#authproxy 2016-02-08 15:57:47 +00:00			`flagSet.Bool("pass-user-headers", true, "pass X-Forwarded-User and X-Forwarded-Email information to upstream")`
Add support for setting the basic auth password. For tools that don't like empty passwords, this change allows one to set a shared secret password for all users. 2015-07-24 09:17:43 +00:00			`flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")`
Pass the access token to the upstream client This is accomplished by encoding the access_token in the auth cookie and unpacking it as the X-Forwarded-Access-Token header for upstream requests. 2015-04-03 00:57:17 +00:00			`flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")`
add --proxy-host-header option 2015-03-17 19:15:15 +00:00			`flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")`
Add Authorization header flags 2018-01-27 10:14:19 +00:00			`flagSet.Bool("pass-authorization-header", false, "pass the Authorization Header to upstream")`
			`flagSet.Bool("set-authorization-header", false, "set Authorization response headers (useful in Nginx auth_request mode)")`
Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00			`flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")`
adding option to skip provider button sign_in page 2015-11-11 00:42:35 +00:00			`flagSet.Bool("skip-provider-button", false, "will skip sign-in-page to directly reach the next step: oauth/start")`
#369: Optionally allow skipping authentication for preflight requests 2017-04-07 11:55:48 +00:00			`flagSet.Bool("skip-auth-preflight", false, "will skip authentication for OPTIONS requests")`
option for skipping OAuth provider SSL verification 2017-03-29 14:57:07 +00:00			`flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")`
Implemented flushing interval (#23) * Implemented flushing interval When proxying streaming responses, it would not flush the response writer buffer until some seemingly random point (maybe the number of bytes?). This makes it flush every 1 second by default, but with a configurable interval. * flushing CHANGELOG * gofmt and goimports 2019-01-31 14:02:15 +00:00			`flagSet.Duration("flush-interval", time.Duration(1)*time.Second, "period between response flushing when streaming responses")`
Add config file support 2014-11-09 19:51:10 +00:00
disable email validation; rename email-domain argument This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers 2015-06-06 18:37:54 +00:00			`flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")`
Add note on subdomain behaviour 2018-06-20 11:05:17 +00:00			`flagSet.Var(&whitelistDomains, "whitelist-domain", "allowed domains for redirection after authentication. Prefix domain with a . to allow subdomains (eg .example.com)")`
Add Azure Provider 2015-11-09 08:28:34 +00:00			`flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")`
Github provider 2015-05-21 03:23:48 +00:00			`flagSet.String("github-org", "", "restrict logins to members of this organisation")`
			`flagSet.String("github-team", "", "restrict logins to members of this team")`
google: Support restricting access to a specific group(s) 2015-08-20 10:07:02 +00:00			`flagSet.Var(&googleGroups, "google-group", "restrict logins to members of this google group (may be given multiple times).")`
			`flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls")`
			`flagSet.String("google-service-account-json", "", "the path to the service account json credentials")`
Project Rename -> oauth2_proxy 2015-05-21 06:50:21 +00:00			`flagSet.String("client-id", "", "the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")`
Add config file support 2014-11-09 19:51:10 +00:00			`flagSet.String("client-secret", "", "the OAuth Client Secret")`
			`flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")`
Support bcrypt passwords in htpasswd 2018-02-16 08:14:41 +00:00			`flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption or \"htpasswd -B\" for bcrypt encryption")`
Allow hiding custom login UI even if an htpasswd file is provided. 2014-12-09 20:38:57 +00:00			`flagSet.Bool("display-htpasswd-form", true, "display username / password login form if an htpasswd file is provided")`
support (optional) custom templates 2015-03-17 22:06:06 +00:00			`flagSet.String("custom-templates-dir", "", "path to custom html templates")`
Custom footer text (optional) Closes #256 and #166 2016-06-19 03:53:42 +00:00			`flagSet.String("footer", "", "custom footer string. Use \"-\" to disable default footer.")`
Enable specific oauth2proxy path; change cookie name to _oauth2proxy 2015-05-29 22:47:40 +00:00			`flagSet.String("proxy-prefix", "/oauth2", "the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)")`
secrets as environment variables. closes #5 2013-07-30 21:31:59 +00:00
v2.0 & cleanup changes * bump version to 2.0 * remove --cookie-https-only option * add windows build to dist.sh * rename --cookie-key to --cookie-name 2015-06-08 03:52:28 +00:00			`flagSet.String("cookie-name", "_oauth2_proxy", "the name of the cookie that the oauth_proxy creates")`
base64 cookie support 2016-06-20 11:17:39 +00:00			`flagSet.String("cookie-secret", "", "the seed string for secure cookies (optionally base64 encoded)")`
better environment parsing 2014-11-10 02:07:02 +00:00			`flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")`
Add config file support 2014-11-09 19:51:10 +00:00			`flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")`
Readme: doc updates 2015-06-23 18:01:05 +00:00			`flagSet.Duration("cookie-refresh", time.Duration(0), "refresh the cookie after this duration; 0 to disable")`
rename cookie secure flag 2015-03-18 03:13:45 +00:00			`flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")`
			`flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")`
Add config file support 2014-11-09 19:51:10 +00:00
improve request logging (closer to Apache Common Log) 2015-03-19 20:37:16 +00:00			`flagSet.Bool("request-logging", true, "Log requests to stdout")`
Make request logging format configurable 2017-07-14 11:08:34 +00:00			`flagSet.String("request-logging-format", defaultRequestLoggingFormat, "Template for log lines")`
improve request logging (closer to Apache Common Log) 2015-03-19 20:37:16 +00:00
support TLS directly 2015-06-08 01:51:47 +00:00			`flagSet.String("provider", "google", "OAuth provider")`
: add an OpenID Connect provider See the README for usage with Dex or any other OIDC provider. To test run a backend: python3 -m http.server Run dex and modify the example config with the proxy callback: go get github.com/coreos/dex/cmd/dex cd $GOPATH/src/github.com/coreos/dex sed -i.bak \ 's\|http://127.0.0.1:5555/callback\|http://127.0.0.1:5555/oauth2/callback\|g' \ examples/config-dev.yaml make ./bin/dex serve examples/config-dev.yaml Then run the oauth2_proxy oauth2_proxy \ --oidc-issuer-url http://127.0.0.1:5556/dex \ --upstream http://localhost:8000 \ --client-id example-app \ --client-secret ZXhhbXBsZS1hcHAtc2VjcmV0 \ --cookie-secret foo \ --email-domain '' \ --http-address http://127.0.0.1:5555 \ --redirect-url http://127.0.0.1:5555/oauth2/callback \ --cookie-secure=false Login with the username/password "admin@example.com:password" 2017-05-09 18:20:35 +00:00			`flagSet.String("oidc-issuer-url", "", "OpenID Connect issuer URL (ie: https://accounts.google.com)")`
Add -skip-oidc-discovery option (#41) * added karrieretutor go-oidc fork for using an AAD B2C Policy * added karrieretutor go-oidc fork for using an AAD B2C Policy * added --skip-oidc-discovery option * added --skip-oidc-discovery option * add simple test for skip-oidc-discovery option * revert Dockerfile to pusher upstream * revert Dockerfile to pusher upstream * remove karrieretutor b2c option leftover * remove karrieretutor b2c option leftover * Fix typo (missing letters) Co-Authored-By: marratj <marrat@marrat.de> * Fix typo (missing letters) Co-Authored-By: marratj <marrat@marrat.de> * replace fake http client with NewProvider() from go-oidc * remove OIDC UserInfo URL option (not required) * add info about -skip-oidc-discovery to README * add note to changelog * Update outdated comment 2019-03-04 13:54:22 +00:00			`flagSet.Bool("skip-oidc-discovery", false, "Skip OIDC discovery and use manually supplied Endpoints")`
			`flagSet.String("oidc-jwks-url", "", "OpenID Connect JWKS URL (ie: https://www.googleapis.com/oauth2/v3/certs)")`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00			`flagSet.String("login-url", "", "Authentication endpoint")`
			`flagSet.String("redeem-url", "", "Token redemption endpoint")`
			`flagSet.String("profile-url", "", "Profile access endpoint")`
Add Azure Provider 2015-11-09 08:28:34 +00:00			`flagSet.String("resource", "", "The resource that is protected (Azure AD only)")`
Introduce `validate-url` flag/config 2015-05-08 21:13:35 +00:00			`flagSet.String("validate-url", "", "Access token validation endpoint")`
*: rename Oauth to OAuth Be consistent with Go capitalization styling and use a single way of spelling this across the tree. 2015-11-08 23:57:01 +00:00			`flagSet.String("scope", "", "OAuth scope specification")`
			`flagSet.String("approval-prompt", "force", "OAuth approval_prompt")`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00
Sign Upstream requests with HMAC. closes #147 2015-11-16 03:08:30 +00:00			`flagSet.String("signature-key", "", "GAP-Signature request signature key (algorithm:secretkey)")`

Add config file support 2014-11-09 19:51:10 +00:00			`flagSet.Parse(os.Args[1:])`

better environment parsing 2014-11-10 02:07:02 +00:00			`if *showVersion {`
Introduce Makefile 2019-01-04 10:58:30 +00:00			`fmt.Printf("oauth2_proxy %s (built with %s)\n", VERSION, runtime.Version())`
better environment parsing 2014-11-10 02:07:02 +00:00			`return`
			`}`

Add config file support 2014-11-09 19:51:10 +00:00			`opts := NewOptions()`

test/fix environment var parsing 2014-11-15 04:06:07 +00:00			`cfg := make(EnvOptions)`
Add config file support 2014-11-09 19:51:10 +00:00			`if *config != "" {`
			`_, err := toml.DecodeFile(*config, &cfg)`
			`if err != nil {`
			`log.Fatalf("ERROR: failed to load config file %s - %s", *config, err)`
			`}`
			`}`
test/fix environment var parsing 2014-11-15 04:06:07 +00:00			`cfg.LoadEnvForStruct(opts)`
Add config file support 2014-11-09 19:51:10 +00:00			`options.Resolve(opts, flagSet, cfg)`
initial code import 2012-12-11 01:59:23 +00:00
Add config file support 2014-11-09 19:51:10 +00:00			`err := opts.Validate()`
initial code import 2012-12-11 01:59:23 +00:00			`if err != nil {`
Add config file support 2014-11-09 19:51:10 +00:00			`log.Printf("%s", err)`
			`os.Exit(1)`
initial code import 2012-12-11 01:59:23 +00:00			`}`
disable email validation; rename email-domain argument This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers 2015-06-06 18:37:54 +00:00			`validator := NewValidator(opts.EmailDomains, opts.AuthenticatedEmailsFile)`
*: rename Oauth to OAuth Be consistent with Go capitalization styling and use a single way of spelling this across the tree. 2015-11-08 23:57:01 +00:00			`oauthproxy := NewOAuthProxy(opts, validator)`
Add config file support 2014-11-09 19:51:10 +00:00
disable email validation; rename email-domain argument This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers 2015-06-06 18:37:54 +00:00			`if len(opts.EmailDomains) != 0 && opts.AuthenticatedEmailsFile == "" {`
			`if len(opts.EmailDomains) > 1 {`
			`oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using one of the following domains: %v", strings.Join(opts.EmailDomains, ", "))`
			`} else if opts.EmailDomains[0] != "*" {`
			`oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using %v", opts.EmailDomains[0])`
pretty styling of sign in page 2014-11-09 05:26:52 +00:00			`}`
initial code import 2012-12-11 01:59:23 +00:00			`}`
Add config file support 2014-11-09 19:51:10 +00:00
			`if opts.HtpasswdFile != "" {`
better environment parsing 2014-11-10 02:07:02 +00:00			`log.Printf("using htpasswd file %s", opts.HtpasswdFile)`
Add config file support 2014-11-09 19:51:10 +00:00			`oauthproxy.HtpasswdFile, err = NewHtpasswdFromFile(opts.HtpasswdFile)`
Allow hiding custom login UI even if an htpasswd file is provided. 2014-12-09 20:38:57 +00:00			`oauthproxy.DisplayHtpasswdForm = opts.DisplayHtpasswdForm`
testing 2012-12-17 18:38:33 +00:00			`if err != nil {`
Add config file support 2014-11-09 19:51:10 +00:00			`log.Fatalf("FATAL: unable to open %s %s", opts.HtpasswdFile, err)`
testing 2012-12-17 18:38:33 +00:00			`}`
initial code import 2012-12-11 01:59:23 +00:00			`}`
Add config file support 2014-11-09 19:51:10 +00:00
support TLS directly 2015-06-08 01:51:47 +00:00			`s := &Server{`
Make request logging format configurable 2017-07-14 11:08:34 +00:00			`Handler: LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging, opts.RequestLoggingFormat),`
support TLS directly 2015-06-08 01:51:47 +00:00			`Opts: opts,`
Added scheme parsing to http-address param Can now listen for HTTP clients on unix sockets (and any other Go-supported stream oriented network - see golang.org/pkg/net/#Listen). Default behaviour is unchanged, any http-address without a scheme is given the default of tcp. Amended the README so that the usage output is up to date. 2015-02-11 01:07:40 +00:00			`}`
support TLS directly 2015-06-08 01:51:47 +00:00			`s.ListenAndServe()`
initial code import 2012-12-11 01:59:23 +00:00			`}`