oauth2_proxy/options.go

package main

import (
	"fmt"
	"net/url"
	"os"
	"regexp"
	"strings"
	"time"

	"github.com/bitly/oauth2_proxy/providers"
)

// Configuration Options that can be set by Command Line Flag, or Config File
type Options struct {
	ProxyPrefix  string `flag:"proxy-prefix" cfg:"proxy-prefix"`
	HttpAddress  string `flag:"http-address" cfg:"http_address"`
	HttpsAddress string `flag:"https-address" cfg:"https_address"`
	RedirectURL  string `flag:"redirect-url" cfg:"redirect_url"`
	ClientID     string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"`
	ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`
	TLSCertFile  string `flag:"tls-cert" cfg:"tls_cert_file"`
	TLSKeyFile   string `flag:"tls-key" cfg:"tls_key_file"`

	AuthenticatedEmailsFile  string   `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
	EmailDomains             []string `flag:"email-domain" cfg:"email_domains"`
	GitHubOrg                string   `flag:"github-org" cfg:"github_org"`
	GitHubTeam               string   `flag:"github-team" cfg:"github_team"`
	GoogleGroups             []string `flag:"google-group" cfg:"google_group"`
	GoogleAdminEmail         string   `flag:"google-admin-email" cfg:"google_admin_email"`
	GoogleServiceAccountJSON string   `flag:"google-service-account-json" cfg:"google_service_account_json"`
	HtpasswdFile             string   `flag:"htpasswd-file" cfg:"htpasswd_file"`
	DisplayHtpasswdForm      bool     `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
	CustomTemplatesDir       string   `flag:"custom-templates-dir" cfg:"custom_templates_dir"`

	CookieName     string        `flag:"cookie-name" cfg:"cookie_name" env:"OAUTH2_PROXY_COOKIE_NAME"`
	CookieSecret   string        `flag:"cookie-secret" cfg:"cookie_secret" env:"OAUTH2_PROXY_COOKIE_SECRET"`
	CookieDomain   string        `flag:"cookie-domain" cfg:"cookie_domain" env:"OAUTH2_PROXY_COOKIE_DOMAIN"`
	CookieExpire   time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"OAUTH2_PROXY_COOKIE_EXPIRE"`
	CookieRefresh  time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"OAUTH2_PROXY_COOKIE_REFRESH"`
	CookieSecure   bool          `flag:"cookie-secure" cfg:"cookie_secure"`
	CookieHttpOnly bool          `flag:"cookie-httponly" cfg:"cookie_httponly"`

	Upstreams          []string `flag:"upstream" cfg:"upstreams"`
	SkipAuthRegex      []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
	PassBasicAuth      bool     `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
	BasicAuthPassword  string   `flag:"basic-auth-password" cfg:"basic_auth_password"`
	PassAccessToken    bool     `flag:"pass-access-token" cfg:"pass_access_token"`
	PassHostHeader     bool     `flag:"pass-host-header" cfg:"pass_host_header"`
	SkipProviderButton bool     `flag:"skip-provider-button" cfg:"skip_provider_button"`

	// These options allow for other providers besides Google, with
	// potential overrides.
	Provider       string `flag:"provider" cfg:"provider"`
	LoginURL       string `flag:"login-url" cfg:"login_url"`
	RedeemURL      string `flag:"redeem-url" cfg:"redeem_url"`
	ProfileURL     string `flag:"profile-url" cfg:"profile_url"`
	ValidateURL    string `flag:"validate-url" cfg:"validate_url"`
	Scope          string `flag:"scope" cfg:"scope"`
	ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt"`

	RequestLogging bool `flag:"request-logging" cfg:"request_logging"`

	// internal values that are set after config validation
	redirectURL   *url.URL
	proxyURLs     []*url.URL
	CompiledRegex []*regexp.Regexp
	provider      providers.Provider
}

func NewOptions() *Options {
	return &Options{
		ProxyPrefix:         "/oauth2",
		HttpAddress:         "127.0.0.1:4180",
		HttpsAddress:        ":443",
		DisplayHtpasswdForm: true,
		CookieName:          "_oauth2_proxy",
		CookieSecure:        true,
		CookieHttpOnly:      true,
		CookieExpire:        time.Duration(168) * time.Hour,
		CookieRefresh:       time.Duration(0),
		PassBasicAuth:       true,
		PassAccessToken:     false,
		PassHostHeader:      true,
		SkipProviderButton:  false,
		ApprovalPrompt:      "force",
		RequestLogging:      true,
	}
}

func parseURL(to_parse string, urltype string, msgs []string) (*url.URL, []string) {
	parsed, err := url.Parse(to_parse)
	if err != nil {
		return nil, append(msgs, fmt.Sprintf(
			"error parsing %s-url=%q %s", urltype, to_parse, err))
	}
	return parsed, msgs
}

func (o *Options) Validate() error {
	msgs := make([]string, 0)
	if len(o.Upstreams) < 1 {
		msgs = append(msgs, "missing setting: upstream")
	}
	if o.CookieSecret == "" {
		msgs = append(msgs, "missing setting: cookie-secret")
	}
	if o.ClientID == "" {
		msgs = append(msgs, "missing setting: client-id")
	}
	if o.ClientSecret == "" {
		msgs = append(msgs, "missing setting: client-secret")
	}
	if o.AuthenticatedEmailsFile == "" && len(o.EmailDomains) == 0 && o.HtpasswdFile == "" {
		msgs = append(msgs, "missing setting for email validation: email-domain or authenticated-emails-file required.\n      use email-domain=* to authorize all email addresses")
	}

	o.redirectURL, msgs = parseURL(o.RedirectURL, "redirect", msgs)

	for _, u := range o.Upstreams {
		upstreamURL, err := url.Parse(u)
		if err != nil {
			msgs = append(msgs, fmt.Sprintf(
				"error parsing upstream=%q %s",
				upstreamURL, err))
		}
		if upstreamURL.Path == "" {
			upstreamURL.Path = "/"
		}
		o.proxyURLs = append(o.proxyURLs, upstreamURL)
	}

	for _, u := range o.SkipAuthRegex {
		CompiledRegex, err := regexp.Compile(u)
		if err != nil {
			msgs = append(msgs, fmt.Sprintf(
				"error compiling regex=%q %s", u, err))
		}
		o.CompiledRegex = append(o.CompiledRegex, CompiledRegex)
	}
	msgs = parseProviderInfo(o, msgs)

	if o.PassAccessToken || (o.CookieRefresh != time.Duration(0)) {
		valid_cookie_secret_size := false
		for _, i := range []int{16, 24, 32} {
			if len(o.CookieSecret) == i {
				valid_cookie_secret_size = true
			}
		}
		if valid_cookie_secret_size == false {
			msgs = append(msgs, fmt.Sprintf(
				"cookie_secret must be 16, 24, or 32 bytes "+
					"to create an AES cipher when "+
					"pass_access_token == true or "+
					"cookie_refresh != 0, but is %d bytes",
				len(o.CookieSecret)))
		}
	}

	if o.CookieRefresh >= o.CookieExpire {
		msgs = append(msgs, fmt.Sprintf(
			"cookie_refresh (%s) must be less than "+
				"cookie_expire (%s)",
			o.CookieRefresh.String(),
			o.CookieExpire.String()))
	}

	if len(o.GoogleGroups) > 0 || o.GoogleAdminEmail != "" || o.GoogleServiceAccountJSON != "" {
		if len(o.GoogleGroups) < 1 {
			msgs = append(msgs, "missing setting: google-group")
		}
		if o.GoogleAdminEmail == "" {
			msgs = append(msgs, "missing setting: google-admin-email")
		}
		if o.GoogleServiceAccountJSON == "" {
			msgs = append(msgs, "missing setting: google-service-account-json")
		}
	}

	if len(msgs) != 0 {
		return fmt.Errorf("Invalid configuration:\n  %s",
			strings.Join(msgs, "\n  "))
	}
	return nil
}

func parseProviderInfo(o *Options, msgs []string) []string {
	p := &providers.ProviderData{
		Scope:          o.Scope,
		ClientID:       o.ClientID,
		ClientSecret:   o.ClientSecret,
		ApprovalPrompt: o.ApprovalPrompt,
	}
	p.LoginURL, msgs = parseURL(o.LoginURL, "login", msgs)
	p.RedeemURL, msgs = parseURL(o.RedeemURL, "redeem", msgs)
	p.ProfileURL, msgs = parseURL(o.ProfileURL, "profile", msgs)
	p.ValidateURL, msgs = parseURL(o.ValidateURL, "validate", msgs)

	o.provider = providers.New(o.Provider, p)
	switch p := o.provider.(type) {
	case *providers.GitHubProvider:
		p.SetOrgTeam(o.GitHubOrg, o.GitHubTeam)
	case *providers.GoogleProvider:
		if o.GoogleServiceAccountJSON != "" {
			file, err := os.Open(o.GoogleServiceAccountJSON)
			if err != nil {
				msgs = append(msgs, "invalid Google credentials file: "+o.GoogleServiceAccountJSON)
			} else {
				p.SetGroupRestriction(o.GoogleGroups, o.GoogleAdminEmail, file)
			}
		}
	}
	return msgs
}
Add config file support 2014-11-09 19:51:10 +00:00			`package main`

			`import (`
			`"fmt"`
			`"net/url"`
google: Support restricting access to a specific group(s) 2015-08-20 10:07:02 +00:00			`"os"`
Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00			`"regexp"`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`"strings"`
Run gofmt over source. 2015-01-19 16:10:37 +00:00			`"time"`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00
Project Rename -> oauth2_proxy 2015-05-21 06:50:21 +00:00			`"github.com/bitly/oauth2_proxy/providers"`
Add config file support 2014-11-09 19:51:10 +00:00			`)`

			`// Configuration Options that can be set by Command Line Flag, or Config File`
			`type Options struct {`
Enable specific oauth2proxy path; change cookie name to _oauth2proxy 2015-05-29 22:47:40 +00:00			ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy-prefix"`
add --proxy-host-header option 2015-03-17 19:15:15 +00:00			HttpAddress string `flag:"http-address" cfg:"http_address"`
support TLS directly 2015-06-08 01:51:47 +00:00			HttpsAddress string `flag:"https-address" cfg:"https_address"`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			RedirectURL string `flag:"redirect-url" cfg:"redirect_url"`
Project Rename -> oauth2_proxy 2015-05-21 06:50:21 +00:00			ClientID string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"`
			ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`
support TLS directly 2015-06-08 01:51:47 +00:00			TLSCertFile string `flag:"tls-cert" cfg:"tls_cert_file"`
			TLSKeyFile string `flag:"tls-key" cfg:"tls_key_file"`
add --proxy-host-header option 2015-03-17 19:15:15 +00:00
google: Support restricting access to a specific group(s) 2015-08-20 10:07:02 +00:00			AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
			EmailDomains []string `flag:"email-domain" cfg:"email_domains"`
			GitHubOrg string `flag:"github-org" cfg:"github_org"`
			GitHubTeam string `flag:"github-team" cfg:"github_team"`
			GoogleGroups []string `flag:"google-group" cfg:"google_group"`
			GoogleAdminEmail string `flag:"google-admin-email" cfg:"google_admin_email"`
			GoogleServiceAccountJSON string `flag:"google-service-account-json" cfg:"google_service_account_json"`
			HtpasswdFile string `flag:"htpasswd-file" cfg:"htpasswd_file"`
			DisplayHtpasswdForm bool `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
			CustomTemplatesDir string `flag:"custom-templates-dir" cfg:"custom_templates_dir"`
add --proxy-host-header option 2015-03-17 19:15:15 +00:00
v2.0 & cleanup changes * bump version to 2.0 * remove --cookie-https-only option * add windows build to dist.sh * rename --cookie-key to --cookie-name 2015-06-08 03:52:28 +00:00			CookieName string `flag:"cookie-name" cfg:"cookie_name" env:"OAUTH2_PROXY_COOKIE_NAME"`
			CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"OAUTH2_PROXY_COOKIE_SECRET"`
			CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"OAUTH2_PROXY_COOKIE_DOMAIN"`
			CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"OAUTH2_PROXY_COOKIE_EXPIRE"`
			CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"OAUTH2_PROXY_COOKIE_REFRESH"`
			CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
			CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
add --proxy-host-header option 2015-03-17 19:15:15 +00:00
adding option to skip provider button sign_in page 2015-11-11 00:42:35 +00:00			Upstreams []string `flag:"upstream" cfg:"upstreams"`
			SkipAuthRegex []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
			PassBasicAuth bool `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
			BasicAuthPassword string `flag:"basic-auth-password" cfg:"basic_auth_password"`
			PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token"`
			PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header"`
			SkipProviderButton bool `flag:"skip-provider-button" cfg:"skip_provider_button"`
Add config file support 2014-11-09 19:51:10 +00:00
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00			`// These options allow for other providers besides Google, with`
			`// potential overrides.`
Add a flag to set the value of "approval_prompt". By setting this to "force", certain providers, like Google, will interject an additional prompt on every new session. With other values, like "auto", this prompt is not forced upon the user. 2015-07-25 23:27:49 +00:00			Provider string `flag:"provider" cfg:"provider"`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			LoginURL string `flag:"login-url" cfg:"login_url"`
			RedeemURL string `flag:"redeem-url" cfg:"redeem_url"`
			ProfileURL string `flag:"profile-url" cfg:"profile_url"`
			ValidateURL string `flag:"validate-url" cfg:"validate_url"`
Add a flag to set the value of "approval_prompt". By setting this to "force", certain providers, like Google, will interject an additional prompt on every new session. With other values, like "auto", this prompt is not forced upon the user. 2015-07-25 23:27:49 +00:00			Scope string `flag:"scope" cfg:"scope"`
			ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt"`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00
improve request logging (closer to Apache Common Log) 2015-03-19 20:37:16 +00:00			RequestLogging bool `flag:"request-logging" cfg:"request_logging"`

Add config file support 2014-11-09 19:51:10 +00:00			`// internal values that are set after config validation`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`redirectURL *url.URL`
			`proxyURLs []*url.URL`
Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00			`CompiledRegex []*regexp.Regexp`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00			`provider providers.Provider`
Add config file support 2014-11-09 19:51:10 +00:00			`}`

			`func NewOptions() *Options {`
options bug fixes; set https cookies on by default 2014-11-10 03:21:46 +00:00			`return &Options{`
Enable specific oauth2proxy path; change cookie name to _oauth2proxy 2015-05-29 22:47:40 +00:00			`ProxyPrefix: "/oauth2",`
Allow hiding custom login UI even if an htpasswd file is provided. 2014-12-09 20:38:57 +00:00			`HttpAddress: "127.0.0.1:4180",`
support TLS directly 2015-06-08 01:51:47 +00:00			`HttpsAddress: ":443",`
Allow hiding custom login UI even if an htpasswd file is provided. 2014-12-09 20:38:57 +00:00			`DisplayHtpasswdForm: true,`
v2.0 & cleanup changes * bump version to 2.0 * remove --cookie-https-only option * add windows build to dist.sh * rename --cookie-key to --cookie-name 2015-06-08 03:52:28 +00:00			`CookieName: "_oauth2_proxy",`
rename cookie secure flag 2015-03-18 03:13:45 +00:00			`CookieSecure: true,`
Add flag to enable/disable cookie's HttpOnly flag. 2015-01-19 15:52:18 +00:00			`CookieHttpOnly: true,`
Allow hiding custom login UI even if an htpasswd file is provided. 2014-12-09 20:38:57 +00:00			`CookieExpire: time.Duration(168) * time.Hour,`
Implement cookie auto-refresh The intention is to refresh the cookie whenever the user accesses an authenticated service with less than `cookie-refresh` time to go before the cookie expires. 2015-05-08 14:00:57 +00:00			`CookieRefresh: time.Duration(0),`
add --proxy-host-header option 2015-03-17 19:15:15 +00:00			`PassBasicAuth: true,`
Pass the access token to the upstream client This is accomplished by encoding the access_token in the auth cookie and unpacking it as the X-Forwarded-Access-Token header for upstream requests. 2015-04-03 00:57:17 +00:00			`PassAccessToken: false,`
add --proxy-host-header option 2015-03-17 19:15:15 +00:00			`PassHostHeader: true,`
adding option to skip provider button sign_in page 2015-11-11 00:42:35 +00:00			`SkipProviderButton: false,`
Add a flag to set the value of "approval_prompt". By setting this to "force", certain providers, like Google, will interject an additional prompt on every new session. With other values, like "auto", this prompt is not forced upon the user. 2015-07-25 23:27:49 +00:00			`ApprovalPrompt: "force",`
improve request logging (closer to Apache Common Log) 2015-03-19 20:37:16 +00:00			`RequestLogging: true,`
options bug fixes; set https cookies on by default 2014-11-10 03:21:46 +00:00			`}`
Add config file support 2014-11-09 19:51:10 +00:00			`}`

*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`func parseURL(to_parse string, urltype string, msgs []string) (*url.URL, []string) {`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00			`parsed, err := url.Parse(to_parse)`
			`if err != nil {`
			`return nil, append(msgs, fmt.Sprintf(`
			`"error parsing %s-url=%q %s", urltype, to_parse, err))`
			`}`
			`return parsed, msgs`
			`}`

Add config file support 2014-11-09 19:51:10 +00:00			`func (o *Options) Validate() error {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs := make([]string, 0)`
Add config file support 2014-11-09 19:51:10 +00:00			`if len(o.Upstreams) < 1 {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs = append(msgs, "missing setting: upstream")`
Add config file support 2014-11-09 19:51:10 +00:00			`}`
			`if o.CookieSecret == "" {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs = append(msgs, "missing setting: cookie-secret")`
Add config file support 2014-11-09 19:51:10 +00:00			`}`
			`if o.ClientID == "" {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs = append(msgs, "missing setting: client-id")`
Add config file support 2014-11-09 19:51:10 +00:00			`}`
			`if o.ClientSecret == "" {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs = append(msgs, "missing setting: client-secret")`
Add config file support 2014-11-09 19:51:10 +00:00			`}`
clarify required email validation settings 2015-07-24 20:09:33 +00:00			`if o.AuthenticatedEmailsFile == "" && len(o.EmailDomains) == 0 && o.HtpasswdFile == "" {`
			`msgs = append(msgs, "missing setting for email validation: email-domain or authenticated-emails-file required.\n use email-domain=* to authorize all email addresses")`
			`}`
Add config file support 2014-11-09 19:51:10 +00:00
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`o.redirectURL, msgs = parseURL(o.RedirectURL, "redirect", msgs)`
Add config file support 2014-11-09 19:51:10 +00:00
			`for _, u := range o.Upstreams {`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`upstreamURL, err := url.Parse(u)`
Add config file support 2014-11-09 19:51:10 +00:00			`if err != nil {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs = append(msgs, fmt.Sprintf(`
			`"error parsing upstream=%q %s",`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`upstreamURL, err))`
Add config file support 2014-11-09 19:51:10 +00:00			`}`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`if upstreamURL.Path == "" {`
			`upstreamURL.Path = "/"`
Add config file support 2014-11-09 19:51:10 +00:00			`}`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`o.proxyURLs = append(o.proxyURLs, upstreamURL)`
Add config file support 2014-11-09 19:51:10 +00:00			`}`

Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00			`for _, u := range o.SkipAuthRegex {`
			`CompiledRegex, err := regexp.Compile(u)`
			`if err != nil {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs = append(msgs, fmt.Sprintf(`
			`"error compiling regex=%q %s", u, err))`
Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00			`}`
			`o.CompiledRegex = append(o.CompiledRegex, CompiledRegex)`
			`}`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00			`msgs = parseProviderInfo(o, msgs)`
Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00
Check cookie_secret size when cookie_refresh set 2015-05-09 21:31:13 +00:00			`if o.PassAccessToken \|\| (o.CookieRefresh != time.Duration(0)) {`
Refactor pass_access_token+cookie_secret check Moves the check from NewOauthProxy() to Options.Validate() and adds a test. 2015-04-05 13:43:40 +00:00			`valid_cookie_secret_size := false`
			`for _, i := range []int{16, 24, 32} {`
			`if len(o.CookieSecret) == i {`
			`valid_cookie_secret_size = true`
			`}`
			`}`
			`if valid_cookie_secret_size == false {`
			`msgs = append(msgs, fmt.Sprintf(`
			`"cookie_secret must be 16, 24, or 32 bytes "+`
			`"to create an AES cipher when "+`
Check cookie_secret size when cookie_refresh set 2015-05-09 21:31:13 +00:00			`"pass_access_token == true or "+`
			`"cookie_refresh != 0, but is %d bytes",`
Refactor pass_access_token+cookie_secret check Moves the check from NewOauthProxy() to Options.Validate() and adds a test. 2015-04-05 13:43:40 +00:00			`len(o.CookieSecret)))`
			`}`
			`}`

Enforce that cookie_refresh < cookie_expire 2015-05-09 21:16:19 +00:00			`if o.CookieRefresh >= o.CookieExpire {`
			`msgs = append(msgs, fmt.Sprintf(`
			`"cookie_refresh (%s) must be less than "+`
			`"cookie_expire (%s)",`
			`o.CookieRefresh.String(),`
			`o.CookieExpire.String()))`
			`}`

google: Support restricting access to a specific group(s) 2015-08-20 10:07:02 +00:00			`if len(o.GoogleGroups) > 0 \|\| o.GoogleAdminEmail != "" \|\| o.GoogleServiceAccountJSON != "" {`
			`if len(o.GoogleGroups) < 1 {`
			`msgs = append(msgs, "missing setting: google-group")`
			`}`
			`if o.GoogleAdminEmail == "" {`
			`msgs = append(msgs, "missing setting: google-admin-email")`
			`}`
			`if o.GoogleServiceAccountJSON == "" {`
			`msgs = append(msgs, "missing setting: google-service-account-json")`
			`}`
			`}`

Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`if len(msgs) != 0 {`
			`return fmt.Errorf("Invalid configuration:\n %s",`
			`strings.Join(msgs, "\n "))`
			`}`
Add config file support 2014-11-09 19:51:10 +00:00			`return nil`
			`}`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00
			`func parseProviderInfo(o *Options, msgs []string) []string {`
Add a flag to set the value of "approval_prompt". By setting this to "force", certain providers, like Google, will interject an additional prompt on every new session. With other values, like "auto", this prompt is not forced upon the user. 2015-07-25 23:27:49 +00:00			`p := &providers.ProviderData{`
			`Scope: o.Scope,`
			`ClientID: o.ClientID,`
			`ClientSecret: o.ClientSecret,`
			`ApprovalPrompt: o.ApprovalPrompt,`
			`}`
*: rename Url to URL everywhere Go coding style says that acronyms should be all lower or all upper. Fix Url to URL. 2015-11-08 23:47:44 +00:00			`p.LoginURL, msgs = parseURL(o.LoginURL, "login", msgs)`
			`p.RedeemURL, msgs = parseURL(o.RedeemURL, "redeem", msgs)`
			`p.ProfileURL, msgs = parseURL(o.ProfileURL, "profile", msgs)`
			`p.ValidateURL, msgs = parseURL(o.ValidateURL, "validate", msgs)`
Github provider 2015-05-21 03:23:48 +00:00
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00			`o.provider = providers.New(o.Provider, p)`
Github provider 2015-05-21 03:23:48 +00:00			`switch p := o.provider.(type) {`
			`case *providers.GitHubProvider:`
			`p.SetOrgTeam(o.GitHubOrg, o.GitHubTeam)`
google: Support restricting access to a specific group(s) 2015-08-20 10:07:02 +00:00			`case *providers.GoogleProvider:`
			`if o.GoogleServiceAccountJSON != "" {`
			`file, err := os.Open(o.GoogleServiceAccountJSON)`
			`if err != nil {`
			`msgs = append(msgs, "invalid Google credentials file: "+o.GoogleServiceAccountJSON)`
			`} else {`
			`p.SetGroupRestriction(o.GoogleGroups, o.GoogleAdminEmail, file)`
			`}`
			`}`
Github provider 2015-05-21 03:23:48 +00:00			`}`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00			`return msgs`
			`}`