oauth2_proxy/options.go

package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"time"

	"github.com/bitly/google_auth_proxy/providers"
)

// Configuration Options that can be set by Command Line Flag, or Config File
type Options struct {
	HttpAddress  string `flag:"http-address" cfg:"http_address"`
	RedirectUrl  string `flag:"redirect-url" cfg:"redirect_url"`
	ClientID     string `flag:"client-id" cfg:"client_id" env:"GOOGLE_AUTH_PROXY_CLIENT_ID"`
	ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"GOOGLE_AUTH_PROXY_CLIENT_SECRET"`

	AuthenticatedEmailsFile string   `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
	GoogleAppsDomains       []string `flag:"google-apps-domain" cfg:"google_apps_domains"`
	HtpasswdFile            string   `flag:"htpasswd-file" cfg:"htpasswd_file"`
	DisplayHtpasswdForm     bool     `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
	CustomTemplatesDir      string   `flag:"custom-templates-dir" cfg:"custom_templates_dir"`

	CookieSecret    string        `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
	CookieDomain    string        `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
	CookieExpire    time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
	CookieRefresh   time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"GOOGLE_AUTH_PROXY_COOKIE_REFRESH"`
	CookieHttpsOnly bool          `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
	CookieSecure    bool          `flag:"cookie-secure" cfg:"cookie_secure"`
	CookieHttpOnly  bool          `flag:"cookie-httponly" cfg:"cookie_httponly"`

	Upstreams       []string `flag:"upstream" cfg:"upstreams"`
	SkipAuthRegex   []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
	PassBasicAuth   bool     `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
	PassAccessToken bool     `flag:"pass-access-token" cfg:"pass_access_token"`
	PassHostHeader  bool     `flag:"pass-host-header" cfg:"pass_host_header"`

	// These options allow for other providers besides Google, with
	// potential overrides.
	Provider    string `flag:"provider" cfg:"provider"`
	LoginUrl    string `flag:"login-url" cfg:"login_url"`
	RedeemUrl   string `flag:"redeem-url" cfg:"redeem_url"`
	ProfileUrl  string `flag:"profile-url" cfg:"profile_url"`
	ValidateUrl string `flag:"validate-url" cfg:"validate_url"`
	Scope       string `flag:"scope" cfg:"scope"`

	RequestLogging bool `flag:"request-logging" cfg:"request_logging"`

	// internal values that are set after config validation
	redirectUrl   *url.URL
	proxyUrls     []*url.URL
	CompiledRegex []*regexp.Regexp
	provider      providers.Provider
}

func NewOptions() *Options {
	return &Options{
		HttpAddress:         "127.0.0.1:4180",
		DisplayHtpasswdForm: true,
		CookieHttpsOnly:     true,
		CookieSecure:        true,
		CookieHttpOnly:      true,
		CookieExpire:        time.Duration(168) * time.Hour,
		CookieRefresh:       time.Duration(0),
		PassBasicAuth:       true,
		PassAccessToken:     false,
		PassHostHeader:      true,
		RequestLogging:      true,
	}
}

func parseUrl(to_parse string, urltype string, msgs []string) (*url.URL, []string) {
	parsed, err := url.Parse(to_parse)
	if err != nil {
		return nil, append(msgs, fmt.Sprintf(
			"error parsing %s-url=%q %s", urltype, to_parse, err))
	}
	return parsed, msgs
}

func (o *Options) Validate() error {
	msgs := make([]string, 0)
	if len(o.Upstreams) < 1 {
		msgs = append(msgs, "missing setting: upstream")
	}
	if o.CookieSecret == "" {
		msgs = append(msgs, "missing setting: cookie-secret")
	}
	if o.ClientID == "" {
		msgs = append(msgs, "missing setting: client-id")
	}
	if o.ClientSecret == "" {
		msgs = append(msgs, "missing setting: client-secret")
	}

	o.redirectUrl, msgs = parseUrl(o.RedirectUrl, "redirect", msgs)

	for _, u := range o.Upstreams {
		upstreamUrl, err := url.Parse(u)
		if err != nil {
			msgs = append(msgs, fmt.Sprintf(
				"error parsing upstream=%q %s",
				upstreamUrl, err))
		}
		if upstreamUrl.Path == "" {
			upstreamUrl.Path = "/"
		}
		o.proxyUrls = append(o.proxyUrls, upstreamUrl)
	}

	for _, u := range o.SkipAuthRegex {
		CompiledRegex, err := regexp.Compile(u)
		if err != nil {
			msgs = append(msgs, fmt.Sprintf(
				"error compiling regex=%q %s", u, err))
		}
		o.CompiledRegex = append(o.CompiledRegex, CompiledRegex)
	}
	msgs = parseProviderInfo(o, msgs)

	if o.PassAccessToken || (o.CookieRefresh != time.Duration(0)) {
		valid_cookie_secret_size := false
		for _, i := range []int{16, 24, 32} {
			if len(o.CookieSecret) == i {
				valid_cookie_secret_size = true
			}
		}
		if valid_cookie_secret_size == false {
			msgs = append(msgs, fmt.Sprintf(
				"cookie_secret must be 16, 24, or 32 bytes "+
					"to create an AES cipher when "+
					"pass_access_token == true or "+
					"cookie_refresh != 0, but is %d bytes",
				len(o.CookieSecret)))
		}
	}

	if o.CookieRefresh >= o.CookieExpire {
		msgs = append(msgs, fmt.Sprintf(
			"cookie_refresh (%s) must be less than "+
				"cookie_expire (%s)",
			o.CookieRefresh.String(),
			o.CookieExpire.String()))
	}

	if len(msgs) != 0 {
		return fmt.Errorf("Invalid configuration:\n  %s",
			strings.Join(msgs, "\n  "))
	}
	return nil
}

func parseProviderInfo(o *Options, msgs []string) []string {
	p := &providers.ProviderData{Scope: o.Scope}
	p.LoginUrl, msgs = parseUrl(o.LoginUrl, "login", msgs)
	p.RedeemUrl, msgs = parseUrl(o.RedeemUrl, "redeem", msgs)
	p.ProfileUrl, msgs = parseUrl(o.ProfileUrl, "profile", msgs)
	p.ValidateUrl, msgs = parseUrl(o.ValidateUrl, "validate", msgs)
	o.provider = providers.New(o.Provider, p)
	return msgs
}
Add config file support 2014-11-09 19:51:10 +00:00			`package main`

			`import (`
			`"fmt"`
			`"net/url"`
Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00			`"regexp"`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`"strings"`
Run gofmt over source. 2015-01-19 16:10:37 +00:00			`"time"`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00
			`"github.com/bitly/google_auth_proxy/providers"`
Add config file support 2014-11-09 19:51:10 +00:00			`)`

			`// Configuration Options that can be set by Command Line Flag, or Config File`
			`type Options struct {`
add --proxy-host-header option 2015-03-17 19:15:15 +00:00			HttpAddress string `flag:"http-address" cfg:"http_address"`
			RedirectUrl string `flag:"redirect-url" cfg:"redirect_url"`
			ClientID string `flag:"client-id" cfg:"client_id" env:"GOOGLE_AUTH_PROXY_CLIENT_ID"`
			ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"GOOGLE_AUTH_PROXY_CLIENT_SECRET"`

			AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
			GoogleAppsDomains []string `flag:"google-apps-domain" cfg:"google_apps_domains"`
			HtpasswdFile string `flag:"htpasswd-file" cfg:"htpasswd_file"`
			DisplayHtpasswdForm bool `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
support (optional) custom templates 2015-03-17 22:06:06 +00:00			CustomTemplatesDir string `flag:"custom-templates-dir" cfg:"custom_templates_dir"`
add --proxy-host-header option 2015-03-17 19:15:15 +00:00
			CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
			CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
			CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
Implement cookie auto-refresh The intention is to refresh the cookie whenever the user accesses an authenticated service with less than `cookie-refresh` time to go before the cookie expires. 2015-05-08 14:00:57 +00:00			CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"GOOGLE_AUTH_PROXY_COOKIE_REFRESH"`
rename cookie secure flag 2015-03-18 03:13:45 +00:00			CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
			CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
add --proxy-host-header option 2015-03-17 19:15:15 +00:00			CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`

Pass the access token to the upstream client This is accomplished by encoding the access_token in the auth cookie and unpacking it as the X-Forwarded-Access-Token header for upstream requests. 2015-04-03 00:57:17 +00:00			Upstreams []string `flag:"upstream" cfg:"upstreams"`
			SkipAuthRegex []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
			PassBasicAuth bool `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
			PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token"`
			PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header"`
Add config file support 2014-11-09 19:51:10 +00:00
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00			`// These options allow for other providers besides Google, with`
			`// potential overrides.`
Introduce `validate-url` flag/config 2015-05-08 21:13:35 +00:00			Provider string `flag:"provider" cfg:"provider"`
			LoginUrl string `flag:"login-url" cfg:"login_url"`
			RedeemUrl string `flag:"redeem-url" cfg:"redeem_url"`
			ProfileUrl string `flag:"profile-url" cfg:"profile_url"`
			ValidateUrl string `flag:"validate-url" cfg:"validate_url"`
			Scope string `flag:"scope" cfg:"scope"`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00
improve request logging (closer to Apache Common Log) 2015-03-19 20:37:16 +00:00			RequestLogging bool `flag:"request-logging" cfg:"request_logging"`

Add config file support 2014-11-09 19:51:10 +00:00			`// internal values that are set after config validation`
Run gofmt over source. 2015-01-19 16:10:37 +00:00			`redirectUrl *url.URL`
			`proxyUrls []*url.URL`
Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00			`CompiledRegex []*regexp.Regexp`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00			`provider providers.Provider`
Add config file support 2014-11-09 19:51:10 +00:00			`}`

			`func NewOptions() *Options {`
options bug fixes; set https cookies on by default 2014-11-10 03:21:46 +00:00			`return &Options{`
Allow hiding custom login UI even if an htpasswd file is provided. 2014-12-09 20:38:57 +00:00			`HttpAddress: "127.0.0.1:4180",`
			`DisplayHtpasswdForm: true,`
			`CookieHttpsOnly: true,`
rename cookie secure flag 2015-03-18 03:13:45 +00:00			`CookieSecure: true,`
Add flag to enable/disable cookie's HttpOnly flag. 2015-01-19 15:52:18 +00:00			`CookieHttpOnly: true,`
Allow hiding custom login UI even if an htpasswd file is provided. 2014-12-09 20:38:57 +00:00			`CookieExpire: time.Duration(168) * time.Hour,`
Implement cookie auto-refresh The intention is to refresh the cookie whenever the user accesses an authenticated service with less than `cookie-refresh` time to go before the cookie expires. 2015-05-08 14:00:57 +00:00			`CookieRefresh: time.Duration(0),`
add --proxy-host-header option 2015-03-17 19:15:15 +00:00			`PassBasicAuth: true,`
Pass the access token to the upstream client This is accomplished by encoding the access_token in the auth cookie and unpacking it as the X-Forwarded-Access-Token header for upstream requests. 2015-04-03 00:57:17 +00:00			`PassAccessToken: false,`
add --proxy-host-header option 2015-03-17 19:15:15 +00:00			`PassHostHeader: true,`
improve request logging (closer to Apache Common Log) 2015-03-19 20:37:16 +00:00			`RequestLogging: true,`
options bug fixes; set https cookies on by default 2014-11-10 03:21:46 +00:00			`}`
Add config file support 2014-11-09 19:51:10 +00:00			`}`

Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00			`func parseUrl(to_parse string, urltype string, msgs []string) (*url.URL, []string) {`
			`parsed, err := url.Parse(to_parse)`
			`if err != nil {`
			`return nil, append(msgs, fmt.Sprintf(`
			`"error parsing %s-url=%q %s", urltype, to_parse, err))`
			`}`
			`return parsed, msgs`
			`}`

Add config file support 2014-11-09 19:51:10 +00:00			`func (o *Options) Validate() error {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs := make([]string, 0)`
Add config file support 2014-11-09 19:51:10 +00:00			`if len(o.Upstreams) < 1 {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs = append(msgs, "missing setting: upstream")`
Add config file support 2014-11-09 19:51:10 +00:00			`}`
			`if o.CookieSecret == "" {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs = append(msgs, "missing setting: cookie-secret")`
Add config file support 2014-11-09 19:51:10 +00:00			`}`
			`if o.ClientID == "" {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs = append(msgs, "missing setting: client-id")`
Add config file support 2014-11-09 19:51:10 +00:00			`}`
			`if o.ClientSecret == "" {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs = append(msgs, "missing setting: client-secret")`
Add config file support 2014-11-09 19:51:10 +00:00			`}`

Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00			`o.redirectUrl, msgs = parseUrl(o.RedirectUrl, "redirect", msgs)`
Add config file support 2014-11-09 19:51:10 +00:00
			`for _, u := range o.Upstreams {`
			`upstreamUrl, err := url.Parse(u)`
			`if err != nil {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs = append(msgs, fmt.Sprintf(`
			`"error parsing upstream=%q %s",`
			`upstreamUrl, err))`
Add config file support 2014-11-09 19:51:10 +00:00			`}`
			`if upstreamUrl.Path == "" {`
			`upstreamUrl.Path = "/"`
			`}`
			`o.proxyUrls = append(o.proxyUrls, upstreamUrl)`
			`}`

Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00			`for _, u := range o.SkipAuthRegex {`
			`CompiledRegex, err := regexp.Compile(u)`
			`if err != nil {`
Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`msgs = append(msgs, fmt.Sprintf(`
			`"error compiling regex=%q %s", u, err))`
Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00			`}`
			`o.CompiledRegex = append(o.CompiledRegex, CompiledRegex)`
			`}`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00			`msgs = parseProviderInfo(o, msgs)`
Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00
Check cookie_secret size when cookie_refresh set 2015-05-09 21:31:13 +00:00			`if o.PassAccessToken \|\| (o.CookieRefresh != time.Duration(0)) {`
Refactor pass_access_token+cookie_secret check Moves the check from NewOauthProxy() to Options.Validate() and adds a test. 2015-04-05 13:43:40 +00:00			`valid_cookie_secret_size := false`
			`for _, i := range []int{16, 24, 32} {`
			`if len(o.CookieSecret) == i {`
			`valid_cookie_secret_size = true`
			`}`
			`}`
			`if valid_cookie_secret_size == false {`
			`msgs = append(msgs, fmt.Sprintf(`
			`"cookie_secret must be 16, 24, or 32 bytes "+`
			`"to create an AES cipher when "+`
Check cookie_secret size when cookie_refresh set 2015-05-09 21:31:13 +00:00			`"pass_access_token == true or "+`
			`"cookie_refresh != 0, but is %d bytes",`
Refactor pass_access_token+cookie_secret check Moves the check from NewOauthProxy() to Options.Validate() and adds a test. 2015-04-05 13:43:40 +00:00			`len(o.CookieSecret)))`
			`}`
			`}`

Enforce that cookie_refresh < cookie_expire 2015-05-09 21:16:19 +00:00			`if o.CookieRefresh >= o.CookieExpire {`
			`msgs = append(msgs, fmt.Sprintf(`
			`"cookie_refresh (%s) must be less than "+`
			`"cookie_expire (%s)",`
			`o.CookieRefresh.String(),`
			`o.CookieExpire.String()))`
			`}`

Catch more options errors at once; add test 2015-03-15 16:23:13 +00:00			`if len(msgs) != 0 {`
			`return fmt.Errorf("Invalid configuration:\n %s",`
			`strings.Join(msgs, "\n "))`
			`}`
Add config file support 2014-11-09 19:51:10 +00:00			`return nil`
			`}`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00
			`func parseProviderInfo(o *Options, msgs []string) []string {`
			`p := &providers.ProviderData{Scope: o.Scope}`
			`p.LoginUrl, msgs = parseUrl(o.LoginUrl, "login", msgs)`
			`p.RedeemUrl, msgs = parseUrl(o.RedeemUrl, "redeem", msgs)`
			`p.ProfileUrl, msgs = parseUrl(o.ProfileUrl, "profile", msgs)`
Introduce `validate-url` flag/config 2015-05-08 21:13:35 +00:00			`p.ValidateUrl, msgs = parseUrl(o.ValidateUrl, "validate", msgs)`
Integrate Provider into Options and OauthProxy 2015-03-30 19:48:30 +00:00			`o.provider = providers.New(o.Provider, p)`
			`return msgs`
			`}`