oauth2_proxy/main.go

package main

import (
	"flag"
	"fmt"
	"log"
	"net"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"

	"github.com/BurntSushi/toml"
	"github.com/mreiferson/go-options"
)

func main() {
	flagSet := flag.NewFlagSet("google_auth_proxy", flag.ExitOnError)

	googleAppsDomains := StringArray{}
	upstreams := StringArray{}
	skipAuthRegex := StringArray{}

	config := flagSet.String("config", "", "path to config file")
	showVersion := flagSet.Bool("version", false, "print version string")

	flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")
	flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
	flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint. If multiple, routing is based on path")
	flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
	flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
	flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")

	flagSet.Var(&googleAppsDomains, "google-apps-domain", "authenticate against the given Google apps domain (may be given multiple times)")
	flagSet.String("client-id", "", "the Google OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")
	flagSet.String("client-secret", "", "the OAuth Client Secret")
	flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
	flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption")
	flagSet.Bool("display-htpasswd-form", true, "display username / password login form if an htpasswd file is provided")

	flagSet.String("cookie-secret", "", "the seed string for secure cookies")
	flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
	flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
	flagSet.Bool("cookie-https-only", true, "set HTTPS only cookie")
	flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie")

	flagSet.Parse(os.Args[1:])

	if *showVersion {
		fmt.Printf("google_auth_proxy v%s\n", VERSION)
		return
	}

	opts := NewOptions()

	cfg := make(EnvOptions)
	if *config != "" {
		_, err := toml.DecodeFile(*config, &cfg)
		if err != nil {
			log.Fatalf("ERROR: failed to load config file %s - %s", *config, err)
		}
	}
	cfg.LoadEnvForStruct(opts)
	options.Resolve(opts, flagSet, cfg)

	err := opts.Validate()
	if err != nil {
		log.Printf("%s", err)
		os.Exit(1)
	}

	validator := NewValidator(opts.GoogleAppsDomains, opts.AuthenticatedEmailsFile)
	oauthproxy := NewOauthProxy(opts, validator)

	if len(opts.GoogleAppsDomains) != 0 && opts.AuthenticatedEmailsFile == "" {
		if len(opts.GoogleAppsDomains) > 1 {
			oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using one of the following domains: %v", strings.Join(opts.GoogleAppsDomains, ", "))
		} else {
			oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using %v", opts.GoogleAppsDomains[0])
		}
	}

	if opts.HtpasswdFile != "" {
		log.Printf("using htpasswd file %s", opts.HtpasswdFile)
		oauthproxy.HtpasswdFile, err = NewHtpasswdFromFile(opts.HtpasswdFile)
		oauthproxy.DisplayHtpasswdForm = opts.DisplayHtpasswdForm
		if err != nil {
			log.Fatalf("FATAL: unable to open %s %s", opts.HtpasswdFile, err)
		}
	}

	u, err := url.Parse(opts.HttpAddress)
	if err != nil {
		log.Fatalf("FATAL: could not parse %#v: %v", opts.HttpAddress, err)
	}

	var networkType string
	switch u.Scheme {
	case "", "http":
		networkType = "tcp"
	default:
		networkType = u.Scheme
	}
	listenAddr := strings.TrimPrefix(u.String(), u.Scheme+"://")

	listener, err := net.Listen(networkType, listenAddr)
	if err != nil {
		log.Fatalf("FATAL: listen (%s, %s) failed - %s", networkType, listenAddr, err)
	}
	log.Printf("listening on %s", listenAddr)

	server := &http.Server{Handler: oauthproxy}
	err = server.Serve(listener)
	if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {
		log.Printf("ERROR: http.Serve() - %s", err)
	}

	log.Printf("HTTP: closing %s", listener.Addr())
}
initial code import 2012-12-11 01:59:23 +00:00			`package main`

			`import (`
			`"flag"`
testing 2012-12-17 18:38:33 +00:00			`"fmt"`
initial code import 2012-12-11 01:59:23 +00:00			`"log"`
			`"net"`
			`"net/http"`
Added scheme parsing to http-address param Can now listen for HTTP clients on unix sockets (and any other Go-supported stream oriented network - see golang.org/pkg/net/#Listen). Default behaviour is unchanged, any http-address without a scheme is given the default of tcp. Amended the README so that the usage output is up to date. 2015-02-11 01:07:40 +00:00			`"net/url"`
update to new scopes 2014-08-07 20:16:39 +00:00			`"os"`
initial code import 2012-12-11 01:59:23 +00:00			`"strings"`
always set httponly (there is no good reason not to); simplify httponly and expire flags 2014-11-08 18:26:55 +00:00			`"time"`
initial code import 2012-12-11 01:59:23 +00:00
Add config file support 2014-11-09 19:51:10 +00:00			`"github.com/BurntSushi/toml"`
			`"github.com/mreiferson/go-options"`
initial code import 2012-12-11 01:59:23 +00:00			`)`

			`func main() {`
Add config file support 2014-11-09 19:51:10 +00:00			`flagSet := flag.NewFlagSet("google_auth_proxy", flag.ExitOnError)`

			`googleAppsDomains := StringArray{}`
			`upstreams := StringArray{}`
Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00			`skipAuthRegex := StringArray{}`
Add config file support 2014-11-09 19:51:10 +00:00
			`config := flagSet.String("config", "", "path to config file")`
			`showVersion := flagSet.Bool("version", false, "print version string")`

Added scheme parsing to http-address param Can now listen for HTTP clients on unix sockets (and any other Go-supported stream oriented network - see golang.org/pkg/net/#Listen). Default behaviour is unchanged, any http-address without a scheme is given the default of tcp. Amended the README so that the usage output is up to date. 2015-02-11 01:07:40 +00:00			`flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")`
Add config file support 2014-11-09 19:51:10 +00:00			`flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")`
			`flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint. If multiple, routing is based on path")`
			`flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")`
add --proxy-host-header option 2015-03-17 19:15:15 +00:00			`flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")`
Adding Support for multi white listed urls with regex url match. 2015-01-12 09:18:41 +00:00			`flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")`
Add config file support 2014-11-09 19:51:10 +00:00
			`flagSet.Var(&googleAppsDomains, "google-apps-domain", "authenticate against the given Google apps domain (may be given multiple times)")`
			`flagSet.String("client-id", "", "the Google OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")`
			`flagSet.String("client-secret", "", "the OAuth Client Secret")`
			`flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")`
			`flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption")`
Allow hiding custom login UI even if an htpasswd file is provided. 2014-12-09 20:38:57 +00:00			`flagSet.Bool("display-htpasswd-form", true, "display username / password login form if an htpasswd file is provided")`
secrets as environment variables. closes #5 2013-07-30 21:31:59 +00:00
Add config file support 2014-11-09 19:51:10 +00:00			`flagSet.String("cookie-secret", "", "the seed string for secure cookies")`
better environment parsing 2014-11-10 02:07:02 +00:00			`flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")`
Add config file support 2014-11-09 19:51:10 +00:00			`flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")`
options bug fixes; set https cookies on by default 2014-11-10 03:21:46 +00:00			`flagSet.Bool("cookie-https-only", true, "set HTTPS only cookie")`
Add flag to enable/disable cookie's HttpOnly flag. 2015-01-19 15:52:18 +00:00			`flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie")`
Add config file support 2014-11-09 19:51:10 +00:00
			`flagSet.Parse(os.Args[1:])`

better environment parsing 2014-11-10 02:07:02 +00:00			`if *showVersion {`
			`fmt.Printf("google_auth_proxy v%s\n", VERSION)`
			`return`
			`}`

Add config file support 2014-11-09 19:51:10 +00:00			`opts := NewOptions()`

test/fix environment var parsing 2014-11-15 04:06:07 +00:00			`cfg := make(EnvOptions)`
Add config file support 2014-11-09 19:51:10 +00:00			`if *config != "" {`
			`_, err := toml.DecodeFile(*config, &cfg)`
			`if err != nil {`
			`log.Fatalf("ERROR: failed to load config file %s - %s", *config, err)`
			`}`
			`}`
test/fix environment var parsing 2014-11-15 04:06:07 +00:00			`cfg.LoadEnvForStruct(opts)`
Add config file support 2014-11-09 19:51:10 +00:00			`options.Resolve(opts, flagSet, cfg)`
initial code import 2012-12-11 01:59:23 +00:00
Add config file support 2014-11-09 19:51:10 +00:00			`err := opts.Validate()`
initial code import 2012-12-11 01:59:23 +00:00			`if err != nil {`
Add config file support 2014-11-09 19:51:10 +00:00			`log.Printf("%s", err)`
			`os.Exit(1)`
initial code import 2012-12-11 01:59:23 +00:00			`}`

Add config file support 2014-11-09 19:51:10 +00:00			`validator := NewValidator(opts.GoogleAppsDomains, opts.AuthenticatedEmailsFile)`
			`oauthproxy := NewOauthProxy(opts, validator)`

			`if len(opts.GoogleAppsDomains) != 0 && opts.AuthenticatedEmailsFile == "" {`
			`if len(opts.GoogleAppsDomains) > 1 {`
			`oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using one of the following domains: %v", strings.Join(opts.GoogleAppsDomains, ", "))`
pretty styling of sign in page 2014-11-09 05:26:52 +00:00			`} else {`
Add config file support 2014-11-09 19:51:10 +00:00			`oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using %v", opts.GoogleAppsDomains[0])`
pretty styling of sign in page 2014-11-09 05:26:52 +00:00			`}`
initial code import 2012-12-11 01:59:23 +00:00			`}`
Add config file support 2014-11-09 19:51:10 +00:00
			`if opts.HtpasswdFile != "" {`
better environment parsing 2014-11-10 02:07:02 +00:00			`log.Printf("using htpasswd file %s", opts.HtpasswdFile)`
Add config file support 2014-11-09 19:51:10 +00:00			`oauthproxy.HtpasswdFile, err = NewHtpasswdFromFile(opts.HtpasswdFile)`
Allow hiding custom login UI even if an htpasswd file is provided. 2014-12-09 20:38:57 +00:00			`oauthproxy.DisplayHtpasswdForm = opts.DisplayHtpasswdForm`
testing 2012-12-17 18:38:33 +00:00			`if err != nil {`
Add config file support 2014-11-09 19:51:10 +00:00			`log.Fatalf("FATAL: unable to open %s %s", opts.HtpasswdFile, err)`
testing 2012-12-17 18:38:33 +00:00			`}`
initial code import 2012-12-11 01:59:23 +00:00			`}`
Add config file support 2014-11-09 19:51:10 +00:00
Added scheme parsing to http-address param Can now listen for HTTP clients on unix sockets (and any other Go-supported stream oriented network - see golang.org/pkg/net/#Listen). Default behaviour is unchanged, any http-address without a scheme is given the default of tcp. Amended the README so that the usage output is up to date. 2015-02-11 01:07:40 +00:00			`u, err := url.Parse(opts.HttpAddress)`
initial code import 2012-12-11 01:59:23 +00:00			`if err != nil {`
Added scheme parsing to http-address param Can now listen for HTTP clients on unix sockets (and any other Go-supported stream oriented network - see golang.org/pkg/net/#Listen). Default behaviour is unchanged, any http-address without a scheme is given the default of tcp. Amended the README so that the usage output is up to date. 2015-02-11 01:07:40 +00:00			`log.Fatalf("FATAL: could not parse %#v: %v", opts.HttpAddress, err)`
initial code import 2012-12-11 01:59:23 +00:00			`}`
Added scheme parsing to http-address param Can now listen for HTTP clients on unix sockets (and any other Go-supported stream oriented network - see golang.org/pkg/net/#Listen). Default behaviour is unchanged, any http-address without a scheme is given the default of tcp. Amended the README so that the usage output is up to date. 2015-02-11 01:07:40 +00:00
			`var networkType string`
			`switch u.Scheme {`
			`case "", "http":`
			`networkType = "tcp"`
			`default:`
			`networkType = u.Scheme`
			`}`
			`listenAddr := strings.TrimPrefix(u.String(), u.Scheme+"://")`

			`listener, err := net.Listen(networkType, listenAddr)`
			`if err != nil {`
			`log.Fatalf("FATAL: listen (%s, %s) failed - %s", networkType, listenAddr, err)`
			`}`
			`log.Printf("listening on %s", listenAddr)`
initial code import 2012-12-11 01:59:23 +00:00
			`server := &http.Server{Handler: oauthproxy}`
			`err = server.Serve(listener)`
			`if err != nil && !strings.Contains(err.Error(), "use of closed network connection") {`
Add config file support 2014-11-09 19:51:10 +00:00			`log.Printf("ERROR: http.Serve() - %s", err)`
initial code import 2012-12-11 01:59:23 +00:00			`}`

Add config file support 2014-11-09 19:51:10 +00:00			`log.Printf("HTTP: closing %s", listener.Addr())`
initial code import 2012-12-11 01:59:23 +00:00			`}`