disable email validation; rename email-domain argument
This adds a "*" option to --email-domain to disable email validation, and renames `--google-apps-domain` to `--email-domain` for clarity across providers.
This commit is contained in:
parent
c5ccd43767
commit
56d19b1c84
@ -55,7 +55,7 @@ For Google, the registration steps are:
|
||||
1. Create a new project: https://github.com/settings/developers
|
||||
2. Under `Authorization callback URL` enter the correct url ie `https://internal.yourcompany.com/oauth2/callback`
|
||||
|
||||
The GitHub auth provider supports two additional parameters to restrict authentication to Organization or Team level access.
|
||||
The GitHub auth provider supports two additional parameters to restrict authentication to Organization or Team level access. Restricting by org and team is normally accompanied with `--email-domain=*`
|
||||
|
||||
-github-org="": restrict logins to members of this organisation
|
||||
-github-team="": restrict logins to members of this team
|
||||
@ -102,9 +102,9 @@ Usage of oauth2_proxy:
|
||||
-cookie-secure=true: set secure (HTTPS) cookie flag
|
||||
-custom-templates-dir="": path to custom html templates
|
||||
-display-htpasswd-form=true: display username / password login form if an htpasswd file is provided
|
||||
-email-domain=: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
|
||||
-github-org="": restrict logins to members of this organisation
|
||||
-github-team="": restrict logins to members of this team
|
||||
-google-apps-domain=: authenticate against the given Google apps domain (may be given multiple times)
|
||||
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
|
||||
-http-address="127.0.0.1:4180": [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients
|
||||
-login-url="": Authentication endpoint
|
||||
@ -163,7 +163,7 @@ The command line to run `oauth2_proxy` would look like this:
|
||||
|
||||
```bash
|
||||
./oauth2_proxy \
|
||||
--google-apps-domain="yourcompany.com" \
|
||||
--email-domain="yourcompany.com" \
|
||||
--upstream=http://127.0.0.1:8080/ \
|
||||
--cookie-secret=... \
|
||||
--cookie-secure=true \
|
||||
|
@ -22,8 +22,10 @@
|
||||
## when disabled the upstream Host is used as the Host Header
|
||||
# pass_host_header = true
|
||||
|
||||
## Email Domains to allow authentication for (this whitelists any email on this domain)
|
||||
# google_apps_domains = [
|
||||
## Email Domains to allow authentication for (this authorizes any email on this domain)
|
||||
## for more granular authorization use `authenticated_emails_file`
|
||||
## To authorize any email addresses use "*"
|
||||
# email_domains = [
|
||||
# "yourcompany.com"
|
||||
# ]
|
||||
|
||||
|
16
main.go
16
main.go
@ -20,7 +20,7 @@ func main() {
|
||||
log.SetFlags(log.Ldate | log.Ltime | log.Lshortfile)
|
||||
flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError)
|
||||
|
||||
googleAppsDomains := StringArray{}
|
||||
emailDomains := StringArray{}
|
||||
upstreams := StringArray{}
|
||||
skipAuthRegex := StringArray{}
|
||||
|
||||
@ -35,7 +35,7 @@ func main() {
|
||||
flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
|
||||
flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")
|
||||
|
||||
flagSet.Var(&googleAppsDomains, "google-apps-domain", "authenticate against the given Google apps domain (may be given multiple times)")
|
||||
flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
|
||||
flagSet.String("github-org", "", "restrict logins to members of this organisation")
|
||||
flagSet.String("github-team", "", "restrict logins to members of this team")
|
||||
flagSet.String("client-id", "", "the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")
|
||||
@ -89,14 +89,14 @@ func main() {
|
||||
os.Exit(1)
|
||||
}
|
||||
|
||||
validator := NewValidator(opts.GoogleAppsDomains, opts.AuthenticatedEmailsFile)
|
||||
validator := NewValidator(opts.EmailDomains, opts.AuthenticatedEmailsFile)
|
||||
oauthproxy := NewOauthProxy(opts, validator)
|
||||
|
||||
if len(opts.GoogleAppsDomains) != 0 && opts.AuthenticatedEmailsFile == "" {
|
||||
if len(opts.GoogleAppsDomains) > 1 {
|
||||
oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using one of the following domains: %v", strings.Join(opts.GoogleAppsDomains, ", "))
|
||||
} else {
|
||||
oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using %v", opts.GoogleAppsDomains[0])
|
||||
if len(opts.EmailDomains) != 0 && opts.AuthenticatedEmailsFile == "" {
|
||||
if len(opts.EmailDomains) > 1 {
|
||||
oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using one of the following domains: %v", strings.Join(opts.EmailDomains, ", "))
|
||||
} else if opts.EmailDomains[0] != "*" {
|
||||
oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using %v", opts.EmailDomains[0])
|
||||
}
|
||||
}
|
||||
|
||||
|
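Review bot: The `*` entry is skipped only in the single-domain branch (`} else if opts.EmailDomains[0] != "*"`); when several `--email-domain` values are given and one of them is `*`, the `len(opts.EmailDomains) > 1` branch still joins it into the sign-in message, producing "Authenticate using one of the following domains: *, yourcompany.com". Filter `*` out once before choosing the message so both branches agree. Separately, the `google-apps-domain` flag and `google_apps_domains` cfg key are removed with no deprecated alias, so existing command lines fail at startup under flag.ExitOnError and existing config files silently lose the setting; consider keeping the old name as an alias for one release. main continues outside the hunk.
```go
	// … unchanged: validator and oauthproxy construction …
	if len(opts.EmailDomains) != 0 && opts.AuthenticatedEmailsFile == "" {
		var shown []string
		for _, d := range opts.EmailDomains {
			if d != "*" {
				shown = append(shown, d)
			}
		}
		if len(shown) > 1 {
			oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using one of the following domains: %v", strings.Join(shown, ", "))
		} else if len(shown) == 1 {
			oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using %v", shown[0])
		}
	}
```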
@ -450,7 +450,7 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
|
||||
value, err := buildCookieValue(
|
||||
email, p.AesCipher, access_token)
|
||||
if err != nil {
|
||||
log.Printf(err.Error())
|
||||
log.Printf("%s", err)
|
||||
}
|
||||
p.SetCookie(rw, req, value)
|
||||
http.Redirect(rw, req, redirect, 302)
|
||||
|
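Review bot: After the error from buildCookieValue is logged, execution still falls through to p.SetCookie and the redirect with whatever `value` holds (presumably empty), so a failed cookie build ends up setting a bogus session cookie instead of failing the login; the `if err != nil` block should end the request, e.g. `log.Printf("error building cookie: %s", err)` followed by `http.Error(rw, "Internal Error", http.StatusInternalServerError)` and `return`. Passing err as a `%s` argument rather than as the format string is the right fix, since error text that could carry request-derived content would otherwise be interpreted by Printf. ServeHTTP begins and ends outside the hunk.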
@ -19,7 +19,7 @@ type Options struct {
|
||||
ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`
|
||||
|
||||
AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
|
||||
GoogleAppsDomains []string `flag:"google-apps-domain" cfg:"google_apps_domains"`
|
||||
EmailDomains []string `flag:"email-domain" cfg:"email_domains"`
|
||||
GitHubOrg string `flag:"github-org" cfg:"github_org"`
|
||||
GitHubTeam string `flag:"github-team" cfg:"github_team"`
|
||||
HtpasswdFile string `flag:"htpasswd-file" cfg:"htpasswd_file"`
|
||||
|
@ -62,7 +62,12 @@ func newValidatorImpl(domains []string, usersFile string,
|
||||
done <-chan bool, onUpdate func()) func(string) bool {
|
||||
validUsers := NewUserMap(usersFile, done, onUpdate)
|
||||
|
||||
var allowAll bool
|
||||
for i, domain := range domains {
|
||||
if domain == "*" {
|
||||
allowAll = true
|
||||
continue
|
||||
}
|
||||
domains[i] = fmt.Sprintf("@%s", strings.ToLower(domain))
|
||||
}
|
||||
|
||||
@ -75,6 +80,9 @@ func newValidatorImpl(domains []string, usersFile string,
|
||||
if !valid {
|
||||
valid = validUsers.IsValid(email)
|
||||
}
|
||||
if allowAll {
|
||||
valid = true
|
||||
}
|
||||
log.Printf("validating: is %s valid? %v", email, valid)
|
||||
return valid
|
||||
}
|
||||
|
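Review bot: `domains[i] = fmt.Sprintf("@%s", strings.ToLower(domain))` rewrites the caller's slice in place, and main.go passes opts.EmailDomains straight into NewValidator before building the sign-in message from that same slice, so unless NewValidator copies the slice (not visible here) the message would read "@yourcompany.com" instead of "yourcompany.com". Build the lowercased suffix list into a fresh slice and leave the input untouched; the suffix-matching loop of the closure sits between the two hunks and would need to range over the new slice. The `*` entry is also left in `domains` after `continue`, which is harmless only because `allowAll` overrides the result later in the closure. newValidatorImpl's closure starts between the two hunks.
```go
	validUsers := NewUserMap(usersFile, done, onUpdate)

	var allowAll bool
	suffixes := make([]string, 0, len(domains))
	for _, domain := range domains {
		if domain == "*" {
			allowAll = true
			continue
		}
		suffixes = append(suffixes, fmt.Sprintf("@%s", strings.ToLower(domain)))
	}
	// … unchanged: closure, with the suffix match ranging over suffixes instead of domains …
```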