disable email validation; rename email-domain argument

This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers
This commit is contained in:
Jehiah Czebotar 2015-06-06 14:37:54 -04:00
parent c5ccd43767
commit 56d19b1c84
6 changed files with 25 additions and 15 deletions

View File

@ -55,7 +55,7 @@ For Google, the registration steps are:
1. Create a new project: https://github.com/settings/developers
2. Under `Authorization callback URL` enter the correct url ie `https://internal.yourcompany.com/oauth2/callback`
The GitHub auth provider supports two additional parameters to restrict authentication to Organization or Team level access.
The GitHub auth provider supports two additional parameters to restrict authentication to Organization or Team level access. Restricting by org and team is normally accompanied with `--email-domain=*`
-github-org="": restrict logins to members of this organisation
-github-team="": restrict logins to members of this team
@ -102,9 +102,9 @@ Usage of oauth2_proxy:
-cookie-secure=true: set secure (HTTPS) cookie flag
-custom-templates-dir="": path to custom html templates
-display-htpasswd-form=true: display username / password login form if an htpasswd file is provided
-email-domain=: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
-github-org="": restrict logins to members of this organisation
-github-team="": restrict logins to members of this team
-google-apps-domain=: authenticate against the given Google apps domain (may be given multiple times)
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
-http-address="127.0.0.1:4180": [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients
-login-url="": Authentication endpoint
@ -163,7 +163,7 @@ The command line to run `oauth2_proxy` would look like this:
```bash
./oauth2_proxy \
--google-apps-domain="yourcompany.com" \
--email-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \
--cookie-secure=true \

View File

@ -22,8 +22,10 @@
## when disabled the upstream Host is used as the Host Header
# pass_host_header = true
## Email Domains to allow authentication for (this whitelists any email on this domain)
# google_apps_domains = [
## Email Domains to allow authentication for (this authorizes any email on this domain)
## for more granular authorization use `authenticated_emails_file`
## To authorize any email addresses use "*"
# email_domains = [
# "yourcompany.com"
# ]

16
main.go
View File

@ -20,7 +20,7 @@ func main() {
log.SetFlags(log.Ldate | log.Ltime | log.Lshortfile)
flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError)
googleAppsDomains := StringArray{}
emailDomains := StringArray{}
upstreams := StringArray{}
skipAuthRegex := StringArray{}
@ -35,7 +35,7 @@ func main() {
flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")
flagSet.Var(&googleAppsDomains, "google-apps-domain", "authenticate against the given Google apps domain (may be given multiple times)")
flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
flagSet.String("github-org", "", "restrict logins to members of this organisation")
flagSet.String("github-team", "", "restrict logins to members of this team")
flagSet.String("client-id", "", "the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")
@ -89,14 +89,14 @@ func main() {
os.Exit(1)
}
validator := NewValidator(opts.GoogleAppsDomains, opts.AuthenticatedEmailsFile)
validator := NewValidator(opts.EmailDomains, opts.AuthenticatedEmailsFile)
oauthproxy := NewOauthProxy(opts, validator)
if len(opts.GoogleAppsDomains) != 0 && opts.AuthenticatedEmailsFile == "" {
if len(opts.GoogleAppsDomains) > 1 {
oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using one of the following domains: %v", strings.Join(opts.GoogleAppsDomains, ", "))
} else {
oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using %v", opts.GoogleAppsDomains[0])
if len(opts.EmailDomains) != 0 && opts.AuthenticatedEmailsFile == "" {
if len(opts.EmailDomains) > 1 {
oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using one of the following domains: %v", strings.Join(opts.EmailDomains, ", "))
} else if opts.EmailDomains[0] != "*" {
oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using %v", opts.EmailDomains[0])
}
}

View File

@ -450,7 +450,7 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
value, err := buildCookieValue(
email, p.AesCipher, access_token)
if err != nil {
log.Printf(err.Error())
log.Printf("%s", err)
}
p.SetCookie(rw, req, value)
http.Redirect(rw, req, redirect, 302)

View File

@ -19,7 +19,7 @@ type Options struct {
ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`
AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
GoogleAppsDomains []string `flag:"google-apps-domain" cfg:"google_apps_domains"`
EmailDomains []string `flag:"email-domain" cfg:"email_domains"`
GitHubOrg string `flag:"github-org" cfg:"github_org"`
GitHubTeam string `flag:"github-team" cfg:"github_team"`
HtpasswdFile string `flag:"htpasswd-file" cfg:"htpasswd_file"`

View File

@ -62,7 +62,12 @@ func newValidatorImpl(domains []string, usersFile string,
done <-chan bool, onUpdate func()) func(string) bool {
validUsers := NewUserMap(usersFile, done, onUpdate)
var allowAll bool
for i, domain := range domains {
if domain == "*" {
allowAll = true
continue
}
domains[i] = fmt.Sprintf("@%s", strings.ToLower(domain))
}
@ -75,6 +80,9 @@ func newValidatorImpl(domains []string, usersFile string,
if !valid {
valid = validUsers.IsValid(email)
}
if allowAll {
valid = true
}
log.Printf("validating: is %s valid? %v", email, valid)
return valid
}