2012-12-11 01:59:23 +00:00
package main
import (
"flag"
2012-12-17 18:38:33 +00:00
"fmt"
2012-12-11 01:59:23 +00:00
"log"
2014-08-07 20:16:39 +00:00
"os"
2015-03-20 03:03:00 +00:00
"runtime"
2012-12-11 01:59:23 +00:00
"strings"
2014-11-08 18:26:55 +00:00
"time"
2012-12-11 01:59:23 +00:00
2014-11-09 19:51:10 +00:00
"github.com/BurntSushi/toml"
"github.com/mreiferson/go-options"
2012-12-11 01:59:23 +00:00
)
func main ( ) {
2015-05-21 03:23:48 +00:00
log . SetFlags ( log . Ldate | log . Ltime | log . Lshortfile )
2015-05-21 06:50:21 +00:00
flagSet := flag . NewFlagSet ( "oauth2_proxy" , flag . ExitOnError )
2014-11-09 19:51:10 +00:00
2015-06-06 18:37:54 +00:00
emailDomains := StringArray { }
2017-09-29 15:55:50 +00:00
whitelistDomains := StringArray { }
2014-11-09 19:51:10 +00:00
upstreams := StringArray { }
2015-01-12 09:18:41 +00:00
skipAuthRegex := StringArray { }
2015-08-20 10:07:02 +00:00
googleGroups := StringArray { }
2014-11-09 19:51:10 +00:00
config := flagSet . String ( "config" , "" , "path to config file" )
showVersion := flagSet . Bool ( "version" , false , "print version string" )
2015-02-11 01:07:40 +00:00
flagSet . String ( "http-address" , "127.0.0.1:4180" , "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients" )
2015-06-08 01:51:47 +00:00
flagSet . String ( "https-address" , ":443" , "<addr>:<port> to listen on for HTTPS clients" )
flagSet . String ( "tls-cert" , "" , "path to certificate file" )
flagSet . String ( "tls-key" , "" , "path to private key file" )
2014-11-09 19:51:10 +00:00
flagSet . String ( "redirect-url" , "" , "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"" )
2016-10-20 12:19:59 +00:00
flagSet . Bool ( "set-xauthrequest" , false , "set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)" )
2015-09-23 20:00:36 +00:00
flagSet . Var ( & upstreams , "upstream" , "the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path" )
2014-11-09 19:51:10 +00:00
flagSet . Bool ( "pass-basic-auth" , true , "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream" )
2016-02-08 15:57:47 +00:00
flagSet . Bool ( "pass-user-headers" , true , "pass X-Forwarded-User and X-Forwarded-Email information to upstream" )
2015-07-24 09:17:43 +00:00
flagSet . String ( "basic-auth-password" , "" , "the password to set when passing the HTTP Basic Auth header" )
2015-04-03 00:57:17 +00:00
flagSet . Bool ( "pass-access-token" , false , "pass OAuth access_token to upstream via X-Forwarded-Access-Token header" )
2015-03-17 19:15:15 +00:00
flagSet . Bool ( "pass-host-header" , true , "pass the request Host Header to upstream" )
2015-01-12 09:18:41 +00:00
flagSet . Var ( & skipAuthRegex , "skip-auth-regex" , "bypass authentication for requests path's that match (may be given multiple times)" )
2015-11-11 00:42:35 +00:00
flagSet . Bool ( "skip-provider-button" , false , "will skip sign-in-page to directly reach the next step: oauth/start" )
2017-04-07 11:55:48 +00:00
flagSet . Bool ( "skip-auth-preflight" , false , "will skip authentication for OPTIONS requests" )
2017-03-29 14:57:07 +00:00
flagSet . Bool ( "ssl-insecure-skip-verify" , false , "skip validation of certificates presented when using HTTPS" )
2014-11-09 19:51:10 +00:00
2015-06-06 18:37:54 +00:00
flagSet . Var ( & emailDomains , "email-domain" , "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email" )
2017-09-29 15:55:50 +00:00
flagSet . Var ( & whitelistDomains , "whitelist-domains" , "allowed domains for redirection after authentication" )
2015-11-09 08:28:34 +00:00
flagSet . String ( "azure-tenant" , "common" , "go to a tenant-specific or common (tenant-independent) endpoint." )
2015-05-21 03:23:48 +00:00
flagSet . String ( "github-org" , "" , "restrict logins to members of this organisation" )
flagSet . String ( "github-team" , "" , "restrict logins to members of this team" )
2015-08-20 10:07:02 +00:00
flagSet . Var ( & googleGroups , "google-group" , "restrict logins to members of this google group (may be given multiple times)." )
flagSet . String ( "google-admin-email" , "" , "the google admin to impersonate for api calls" )
flagSet . String ( "google-service-account-json" , "" , "the path to the service account json credentials" )
2015-05-21 06:50:21 +00:00
flagSet . String ( "client-id" , "" , "the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"" )
2014-11-09 19:51:10 +00:00
flagSet . String ( "client-secret" , "" , "the OAuth Client Secret" )
flagSet . String ( "authenticated-emails-file" , "" , "authenticate against emails via file (one per line)" )
2018-02-16 08:14:41 +00:00
flagSet . String ( "htpasswd-file" , "" , "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption or \"htpasswd -B\" for bcrypt encryption" )
2014-12-09 20:38:57 +00:00
flagSet . Bool ( "display-htpasswd-form" , true , "display username / password login form if an htpasswd file is provided" )
2015-03-17 22:06:06 +00:00
flagSet . String ( "custom-templates-dir" , "" , "path to custom html templates" )
2016-06-19 03:53:42 +00:00
flagSet . String ( "footer" , "" , "custom footer string. Use \"-\" to disable default footer." )
2015-05-29 22:47:40 +00:00
flagSet . String ( "proxy-prefix" , "/oauth2" , "the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)" )
2013-07-30 21:31:59 +00:00
2015-06-08 03:52:28 +00:00
flagSet . String ( "cookie-name" , "_oauth2_proxy" , "the name of the cookie that the oauth_proxy creates" )
2016-06-20 11:17:39 +00:00
flagSet . String ( "cookie-secret" , "" , "the seed string for secure cookies (optionally base64 encoded)" )
2014-11-10 02:07:02 +00:00
flagSet . String ( "cookie-domain" , "" , "an optional cookie domain to force cookies to (ie: .yourcompany.com)*" )
2014-11-09 19:51:10 +00:00
flagSet . Duration ( "cookie-expire" , time . Duration ( 168 ) * time . Hour , "expire timeframe for cookie" )
2015-06-23 18:01:05 +00:00
flagSet . Duration ( "cookie-refresh" , time . Duration ( 0 ) , "refresh the cookie after this duration; 0 to disable" )
2015-03-18 03:13:45 +00:00
flagSet . Bool ( "cookie-secure" , true , "set secure (HTTPS) cookie flag" )
flagSet . Bool ( "cookie-httponly" , true , "set HttpOnly cookie flag" )
2014-11-09 19:51:10 +00:00
2015-03-19 20:37:16 +00:00
flagSet . Bool ( "request-logging" , true , "Log requests to stdout" )
2017-07-14 11:08:34 +00:00
flagSet . String ( "request-logging-format" , defaultRequestLoggingFormat , "Template for log lines" )
2015-03-19 20:37:16 +00:00
2015-06-08 01:51:47 +00:00
flagSet . String ( "provider" , "google" , "OAuth provider" )
2017-05-09 18:20:35 +00:00
flagSet . String ( "oidc-issuer-url" , "" , "OpenID Connect issuer URL (ie: https://accounts.google.com)" )
2015-03-30 19:48:30 +00:00
flagSet . String ( "login-url" , "" , "Authentication endpoint" )
flagSet . String ( "redeem-url" , "" , "Token redemption endpoint" )
flagSet . String ( "profile-url" , "" , "Profile access endpoint" )
2015-11-09 08:28:34 +00:00
flagSet . String ( "resource" , "" , "The resource that is protected (Azure AD only)" )
2015-05-08 21:13:35 +00:00
flagSet . String ( "validate-url" , "" , "Access token validation endpoint" )
2015-11-08 23:57:01 +00:00
flagSet . String ( "scope" , "" , "OAuth scope specification" )
flagSet . String ( "approval-prompt" , "force" , "OAuth approval_prompt" )
2015-03-30 19:48:30 +00:00
2015-11-16 03:08:30 +00:00
flagSet . String ( "signature-key" , "" , "GAP-Signature request signature key (algorithm:secretkey)" )
2014-11-09 19:51:10 +00:00
flagSet . Parse ( os . Args [ 1 : ] )
2014-11-10 02:07:02 +00:00
if * showVersion {
2015-05-21 06:50:21 +00:00
fmt . Printf ( "oauth2_proxy v%s (built with %s)\n" , VERSION , runtime . Version ( ) )
2014-11-10 02:07:02 +00:00
return
}
2014-11-09 19:51:10 +00:00
opts := NewOptions ( )
2014-11-15 04:06:07 +00:00
cfg := make ( EnvOptions )
2014-11-09 19:51:10 +00:00
if * config != "" {
_ , err := toml . DecodeFile ( * config , & cfg )
if err != nil {
log . Fatalf ( "ERROR: failed to load config file %s - %s" , * config , err )
}
}
2014-11-15 04:06:07 +00:00
cfg . LoadEnvForStruct ( opts )
2014-11-09 19:51:10 +00:00
options . Resolve ( opts , flagSet , cfg )
2012-12-11 01:59:23 +00:00
2014-11-09 19:51:10 +00:00
err := opts . Validate ( )
2012-12-11 01:59:23 +00:00
if err != nil {
2014-11-09 19:51:10 +00:00
log . Printf ( "%s" , err )
os . Exit ( 1 )
2012-12-11 01:59:23 +00:00
}
2015-06-06 18:37:54 +00:00
validator := NewValidator ( opts . EmailDomains , opts . AuthenticatedEmailsFile )
2015-11-08 23:57:01 +00:00
oauthproxy := NewOAuthProxy ( opts , validator )
2014-11-09 19:51:10 +00:00
2015-06-06 18:37:54 +00:00
if len ( opts . EmailDomains ) != 0 && opts . AuthenticatedEmailsFile == "" {
if len ( opts . EmailDomains ) > 1 {
oauthproxy . SignInMessage = fmt . Sprintf ( "Authenticate using one of the following domains: %v" , strings . Join ( opts . EmailDomains , ", " ) )
} else if opts . EmailDomains [ 0 ] != "*" {
oauthproxy . SignInMessage = fmt . Sprintf ( "Authenticate using %v" , opts . EmailDomains [ 0 ] )
2014-11-09 05:26:52 +00:00
}
2012-12-11 01:59:23 +00:00
}
2014-11-09 19:51:10 +00:00
if opts . HtpasswdFile != "" {
2014-11-10 02:07:02 +00:00
log . Printf ( "using htpasswd file %s" , opts . HtpasswdFile )
2014-11-09 19:51:10 +00:00
oauthproxy . HtpasswdFile , err = NewHtpasswdFromFile ( opts . HtpasswdFile )
2014-12-09 20:38:57 +00:00
oauthproxy . DisplayHtpasswdForm = opts . DisplayHtpasswdForm
2012-12-17 18:38:33 +00:00
if err != nil {
2014-11-09 19:51:10 +00:00
log . Fatalf ( "FATAL: unable to open %s %s" , opts . HtpasswdFile , err )
2012-12-17 18:38:33 +00:00
}
2012-12-11 01:59:23 +00:00
}
2014-11-09 19:51:10 +00:00
2015-06-08 01:51:47 +00:00
s := & Server {
2017-07-14 11:08:34 +00:00
Handler : LoggingHandler ( os . Stdout , oauthproxy , opts . RequestLogging , opts . RequestLoggingFormat ) ,
2015-06-08 01:51:47 +00:00
Opts : opts ,
2015-02-11 01:07:40 +00:00
}
2015-06-08 01:51:47 +00:00
s . ListenAndServe ( )
2012-12-11 01:59:23 +00:00
}