Introduce validate-url
flag/config
parent
8e2d83600c
commit
72857018ee
1
main.go
1
main.go
@ -56,6 +56,7 @@ func main() {
|
|||||||
flagSet.String("login-url", "", "Authentication endpoint")
|
flagSet.String("login-url", "", "Authentication endpoint")
|
||||||
flagSet.String("redeem-url", "", "Token redemption endpoint")
|
flagSet.String("redeem-url", "", "Token redemption endpoint")
|
||||||
flagSet.String("profile-url", "", "Profile access endpoint")
|
flagSet.String("profile-url", "", "Profile access endpoint")
|
||||||
|
flagSet.String("validate-url", "", "Access token validation endpoint")
|
||||||
flagSet.String("scope", "", "Oauth scope specification")
|
flagSet.String("scope", "", "Oauth scope specification")
|
||||||
|
|
||||||
flagSet.Parse(os.Args[1:])
|
flagSet.Parse(os.Args[1:])
|
||||||
|
@ -40,6 +40,7 @@ type OauthProxy struct {
|
|||||||
provider providers.Provider
|
provider providers.Provider
|
||||||
oauthRedemptionUrl *url.URL // endpoint to redeem the code
|
oauthRedemptionUrl *url.URL // endpoint to redeem the code
|
||||||
oauthLoginUrl *url.URL // to redirect the user to
|
oauthLoginUrl *url.URL // to redirect the user to
|
||||||
|
oauthValidateUrl *url.URL // to validate the access token
|
||||||
oauthScope string
|
oauthScope string
|
||||||
clientID string
|
clientID string
|
||||||
clientSecret string
|
clientSecret string
|
||||||
@ -146,6 +147,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
|
|||||||
provider: opts.provider,
|
provider: opts.provider,
|
||||||
oauthRedemptionUrl: opts.provider.Data().RedeemUrl,
|
oauthRedemptionUrl: opts.provider.Data().RedeemUrl,
|
||||||
oauthLoginUrl: opts.provider.Data().LoginUrl,
|
oauthLoginUrl: opts.provider.Data().LoginUrl,
|
||||||
|
oauthValidateUrl: opts.provider.Data().ValidateUrl,
|
||||||
serveMux: serveMux,
|
serveMux: serveMux,
|
||||||
redirectUrl: redirectUrl,
|
redirectUrl: redirectUrl,
|
||||||
skipAuthRegex: opts.SkipAuthRegex,
|
skipAuthRegex: opts.SkipAuthRegex,
|
||||||
|
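Review bot: The new `oauthValidateUrl` field is copied from `opts.provider.Data().ValidateUrl` in NewOauthProxy, but none of the visible hunks reads it, so the meaning of an empty value is left undefined. A provider that sets no default would presumably leave an empty URL here, and later code must not treat "no validation endpoint" as "token is valid". I would spell that out in the field comment, e.g. `oauthValidateUrl *url.URL // access-token validation endpoint; empty means the provider offers none, never treat as validated`. Both the struct and NewOauthProxy continue outside the hunks shown.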
12
options.go
12
options.go
@ -39,11 +39,12 @@ type Options struct {
|
|||||||
|
|
||||||
// These options allow for other providers besides Google, with
|
// These options allow for other providers besides Google, with
|
||||||
// potential overrides.
|
// potential overrides.
|
||||||
Provider string `flag:"provider" cfg:"provider"`
|
Provider string `flag:"provider" cfg:"provider"`
|
||||||
LoginUrl string `flag:"login-url" cfg:"login_url"`
|
LoginUrl string `flag:"login-url" cfg:"login_url"`
|
||||||
RedeemUrl string `flag:"redeem-url" cfg:"redeem_url"`
|
RedeemUrl string `flag:"redeem-url" cfg:"redeem_url"`
|
||||||
ProfileUrl string `flag:"profile-url" cfg:"profile_url"`
|
ProfileUrl string `flag:"profile-url" cfg:"profile_url"`
|
||||||
Scope string `flag:"scope" cfg:"scope"`
|
ValidateUrl string `flag:"validate-url" cfg:"validate_url"`
|
||||||
|
Scope string `flag:"scope" cfg:"scope"`
|
||||||
|
|
||||||
RequestLogging bool `flag:"request-logging" cfg:"request_logging"`
|
RequestLogging bool `flag:"request-logging" cfg:"request_logging"`
|
||||||
|
|
||||||
@ -148,6 +149,7 @@ func parseProviderInfo(o *Options, msgs []string) []string {
|
|||||||
p.LoginUrl, msgs = parseUrl(o.LoginUrl, "login", msgs)
|
p.LoginUrl, msgs = parseUrl(o.LoginUrl, "login", msgs)
|
||||||
p.RedeemUrl, msgs = parseUrl(o.RedeemUrl, "redeem", msgs)
|
p.RedeemUrl, msgs = parseUrl(o.RedeemUrl, "redeem", msgs)
|
||||||
p.ProfileUrl, msgs = parseUrl(o.ProfileUrl, "profile", msgs)
|
p.ProfileUrl, msgs = parseUrl(o.ProfileUrl, "profile", msgs)
|
||||||
|
p.ValidateUrl, msgs = parseUrl(o.ValidateUrl, "validate", msgs)
|
||||||
o.provider = providers.New(o.Provider, p)
|
o.provider = providers.New(o.Provider, p)
|
||||||
return msgs
|
return msgs
|
||||||
}
|
}
|
||||||
|
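Review bot: `p.ValidateUrl, msgs = parseUrl(o.ValidateUrl, "validate", msgs)` in parseProviderInfo takes the operator-supplied value with no visible scheme check. The body of parseUrl is outside this hunk, so this may already be handled there. By the flag's own description this endpoint receives access tokens, so an `http://` value would put them on the wire in cleartext. If parseUrl does not already reject that, add a line after the parse such as `if p.ValidateUrl != nil && p.ValidateUrl.Scheme == "http" { msgs = append(msgs, "validate-url should use https") }`, or at least log a warning at startup. The same applies to the neighbouring login, redeem and profile URLs, which this commit does not touch.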
@ -24,6 +24,11 @@ func NewGoogleProvider(p *ProviderData) *GoogleProvider {
|
|||||||
Host: "accounts.google.com",
|
Host: "accounts.google.com",
|
||||||
Path: "/o/oauth2/token"}
|
Path: "/o/oauth2/token"}
|
||||||
}
|
}
|
||||||
|
if p.ValidateUrl.String() == "" {
|
||||||
|
p.ValidateUrl = &url.URL{Scheme: "https",
|
||||||
|
Host: "www.googleapis.com",
|
||||||
|
Path: "/oauth2/v1/tokeninfo"}
|
||||||
|
}
|
||||||
if p.Scope == "" {
|
if p.Scope == "" {
|
||||||
p.Scope = "profile email"
|
p.Scope = "profile email"
|
||||||
}
|
}
|
||||||
|
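Review bot: `if p.ValidateUrl.String() == ""` in NewGoogleProvider calls a method on `p.ValidateUrl` without checking the pointer, so any caller that builds a `ProviderData` without the new field will panic with a nil dereference. The test helpers in this commit had to add `ValidateUrl: &url.URL{}` for exactly that reason, and existing callers outside this diff would not have it. Guarding the pointer keeps the default path safe: `if p.ValidateUrl == nil || p.ValidateUrl.String() == "" {`. The same line appears in the NewMyUsaProvider hunk and needs the same guard. A test that passes a `ProviderData` with a nil `ValidateUrl` would pin this. Both constructors begin outside their hunks, so the earlier URL fields may share the pattern.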
@ -15,6 +15,7 @@ func newGoogleProvider() *GoogleProvider {
|
|||||||
LoginUrl: &url.URL{},
|
LoginUrl: &url.URL{},
|
||||||
RedeemUrl: &url.URL{},
|
RedeemUrl: &url.URL{},
|
||||||
ProfileUrl: &url.URL{},
|
ProfileUrl: &url.URL{},
|
||||||
|
ValidateUrl: &url.URL{},
|
||||||
Scope: ""})
|
Scope: ""})
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -26,6 +27,8 @@ func TestGoogleProviderDefaults(t *testing.T) {
|
|||||||
p.Data().LoginUrl.String())
|
p.Data().LoginUrl.String())
|
||||||
assert.Equal(t, "https://accounts.google.com/o/oauth2/token",
|
assert.Equal(t, "https://accounts.google.com/o/oauth2/token",
|
||||||
p.Data().RedeemUrl.String())
|
p.Data().RedeemUrl.String())
|
||||||
|
assert.Equal(t, "https://www.googleapis.com/oauth2/v1/tokeninfo",
|
||||||
|
p.Data().ValidateUrl.String())
|
||||||
assert.Equal(t, "", p.Data().ProfileUrl.String())
|
assert.Equal(t, "", p.Data().ProfileUrl.String())
|
||||||
assert.Equal(t, "profile email", p.Data().Scope)
|
assert.Equal(t, "profile email", p.Data().Scope)
|
||||||
}
|
}
|
||||||
@ -45,6 +48,10 @@ func TestGoogleProviderOverrides(t *testing.T) {
|
|||||||
Scheme: "https",
|
Scheme: "https",
|
||||||
Host: "example.com",
|
Host: "example.com",
|
||||||
Path: "/oauth/profile"},
|
Path: "/oauth/profile"},
|
||||||
|
ValidateUrl: &url.URL{
|
||||||
|
Scheme: "https",
|
||||||
|
Host: "example.com",
|
||||||
|
Path: "/oauth/tokeninfo"},
|
||||||
Scope: "profile"})
|
Scope: "profile"})
|
||||||
assert.NotEqual(t, nil, p)
|
assert.NotEqual(t, nil, p)
|
||||||
assert.Equal(t, "Google", p.Data().ProviderName)
|
assert.Equal(t, "Google", p.Data().ProviderName)
|
||||||
@ -54,6 +61,8 @@ func TestGoogleProviderOverrides(t *testing.T) {
|
|||||||
p.Data().RedeemUrl.String())
|
p.Data().RedeemUrl.String())
|
||||||
assert.Equal(t, "https://example.com/oauth/profile",
|
assert.Equal(t, "https://example.com/oauth/profile",
|
||||||
p.Data().ProfileUrl.String())
|
p.Data().ProfileUrl.String())
|
||||||
|
assert.Equal(t, "https://example.com/oauth/tokeninfo",
|
||||||
|
p.Data().ValidateUrl.String())
|
||||||
assert.Equal(t, "profile", p.Data().Scope)
|
assert.Equal(t, "profile", p.Data().Scope)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -32,6 +32,11 @@ func NewMyUsaProvider(p *ProviderData) *MyUsaProvider {
|
|||||||
Host: myUsaHost,
|
Host: myUsaHost,
|
||||||
Path: "/api/v1/profile"}
|
Path: "/api/v1/profile"}
|
||||||
}
|
}
|
||||||
|
if p.ValidateUrl.String() == "" {
|
||||||
|
p.ValidateUrl = &url.URL{Scheme: "https",
|
||||||
|
Host: myUsaHost,
|
||||||
|
Path: "/api/v1/tokeninfo"}
|
||||||
|
}
|
||||||
if p.Scope == "" {
|
if p.Scope == "" {
|
||||||
p.Scope = "profile.email"
|
p.Scope = "profile.email"
|
||||||
}
|
}
|
||||||
|
@ -21,11 +21,13 @@ func testMyUsaProvider(hostname string) *MyUsaProvider {
|
|||||||
LoginUrl: &url.URL{},
|
LoginUrl: &url.URL{},
|
||||||
RedeemUrl: &url.URL{},
|
RedeemUrl: &url.URL{},
|
||||||
ProfileUrl: &url.URL{},
|
ProfileUrl: &url.URL{},
|
||||||
|
ValidateUrl: &url.URL{},
|
||||||
Scope: ""})
|
Scope: ""})
|
||||||
if hostname != "" {
|
if hostname != "" {
|
||||||
updateUrl(p.Data().LoginUrl, hostname)
|
updateUrl(p.Data().LoginUrl, hostname)
|
||||||
updateUrl(p.Data().RedeemUrl, hostname)
|
updateUrl(p.Data().RedeemUrl, hostname)
|
||||||
updateUrl(p.Data().ProfileUrl, hostname)
|
updateUrl(p.Data().ProfileUrl, hostname)
|
||||||
|
updateUrl(p.Data().ValidateUrl, hostname)
|
||||||
}
|
}
|
||||||
return p
|
return p
|
||||||
}
|
}
|
||||||
@ -56,6 +58,8 @@ func TestMyUsaProviderDefaults(t *testing.T) {
|
|||||||
p.Data().RedeemUrl.String())
|
p.Data().RedeemUrl.String())
|
||||||
assert.Equal(t, "https://alpha.my.usa.gov/api/v1/profile",
|
assert.Equal(t, "https://alpha.my.usa.gov/api/v1/profile",
|
||||||
p.Data().ProfileUrl.String())
|
p.Data().ProfileUrl.String())
|
||||||
|
assert.Equal(t, "https://alpha.my.usa.gov/api/v1/tokeninfo",
|
||||||
|
p.Data().ValidateUrl.String())
|
||||||
assert.Equal(t, "profile.email", p.Data().Scope)
|
assert.Equal(t, "profile.email", p.Data().Scope)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -74,6 +78,10 @@ func TestMyUsaProviderOverrides(t *testing.T) {
|
|||||||
Scheme: "https",
|
Scheme: "https",
|
||||||
Host: "example.com",
|
Host: "example.com",
|
||||||
Path: "/oauth/profile"},
|
Path: "/oauth/profile"},
|
||||||
|
ValidateUrl: &url.URL{
|
||||||
|
Scheme: "https",
|
||||||
|
Host: "example.com",
|
||||||
|
Path: "/oauth/tokeninfo"},
|
||||||
Scope: "profile"})
|
Scope: "profile"})
|
||||||
assert.NotEqual(t, nil, p)
|
assert.NotEqual(t, nil, p)
|
||||||
assert.Equal(t, "MyUSA", p.Data().ProviderName)
|
assert.Equal(t, "MyUSA", p.Data().ProviderName)
|
||||||
@ -83,6 +91,8 @@ func TestMyUsaProviderOverrides(t *testing.T) {
|
|||||||
p.Data().RedeemUrl.String())
|
p.Data().RedeemUrl.String())
|
||||||
assert.Equal(t, "https://example.com/oauth/profile",
|
assert.Equal(t, "https://example.com/oauth/profile",
|
||||||
p.Data().ProfileUrl.String())
|
p.Data().ProfileUrl.String())
|
||||||
|
assert.Equal(t, "https://example.com/oauth/tokeninfo",
|
||||||
|
p.Data().ValidateUrl.String())
|
||||||
assert.Equal(t, "profile", p.Data().Scope)
|
assert.Equal(t, "profile", p.Data().Scope)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -9,6 +9,7 @@ type ProviderData struct {
|
|||||||
LoginUrl *url.URL
|
LoginUrl *url.URL
|
||||||
RedeemUrl *url.URL
|
RedeemUrl *url.URL
|
||||||
ProfileUrl *url.URL
|
ProfileUrl *url.URL
|
||||||
|
ValidateUrl *url.URL
|
||||||
Scope string
|
Scope string
|
||||||
}
|
}
|
||||||
|
|
||||||
|