Merge remote-tracking branch 'origin/master' into enhanced_logging

2019-02-15 10:14:18 -08:00 · 2019-02-15 10:14:18 -08:00 · 8a2dc3c51d
commit 8a2dc3c51d
parent b8da1dec4a ec4444fa3b
3 changed files with 57 additions and 19 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,28 @@
 # Vx.x.x (Pre-release)

+## Changes since v3.1.0
+
+# v3.1.0
+
+## Release highlights
+
+- Introduction of ARM releases and and general improvements to Docker builds
+- Improvements to OIDC provider allowing pass-through of ID Tokens
+- Multiple redirect domains can now be whitelisted
+- Streamed responses are now flushed periodically
+
+## Important notes
+
+- If you have been using [#bitly/621](https://github.com/bitly/oauth2_proxy/pull/621)
+  and have cookies larger than the 4kb limit,
+  the cookie splitting pattern has changed and now uses `_` in place of `-` when
+  indexing cookies.
+  This will force users to reauthenticate the first time they use `v3.1.0`.
+- Streamed responses will now be flushed every 1 second by default.
+  Previously streamed responses were flushed only when the buffer was full.
+  To retain the old behaviour set `--flush-interval=0`.
+  See [#23](https://github.com/pusher/oauth2_proxy/pull/23) for further details.
+
 ## Changes since v3.0.0

 - [#14](https://github.com/pusher/oauth2_proxy/pull/14) OIDC ID Token, Authorization Headers, Refreshing and Verification (@joelspeed)
@ -7,12 +30,12 @@
  - Implement token refreshing in OIDC provider
  - Split cookies larger than 4k limit into multiple cookies
  - Implement token validation in OIDC provider
- [#15](https://github.com/pusher/oauth2_proxy/pull/21) WhitelistDomains (@joelspeed)
+- [#15](https://github.com/pusher/oauth2_proxy/pull/15) WhitelistDomains (@joelspeed)
  - Add `--whitelist-domain` flag to allow redirection to approved domains after OAuth flow
 - [#21](https://github.com/pusher/oauth2_proxy/pull/21) Docker Improvement (@yaegashi)
  - Move Docker base image from debian to alpine
  - Install ca-certificates in docker image
- [#23](https://github.com/pusher/oauth2_proxy/pull/21) Flushed streaming responses
+- [#23](https://github.com/pusher/oauth2_proxy/pull/23) Flushed streaming responses
  - Long-running upstream responses will get flushed every <timeperiod> (1 second by default)
 - [#24](https://github.com/pusher/oauth2_proxy/pull/24) Redirect fix (@agentgonzo)
  - After a successful login, you will be redirected to your original URL rather than /
--- a/32
+++ b/32
@ -1,6 +1,6 @@
 include .env
 BINARY := oauth2_proxy
-VERSION := $(shell git describe --always --long --dirty --tags 2>/dev/null || echo "undefined")
+VERSION := $(shell git describe --always --dirty --tags 2>/dev/null || echo "undefined")
 .NOTPARALLEL:

 .PHONY: all
@ -47,17 +47,31 @@ $(BINARY):

 .PHONY: docker
 docker:
-	docker build -f Dockerfile -t pusher/oauth2_proxy:latest .
+	docker build -f Dockerfile -t quay.io/pusher/oauth2_proxy:latest .

 .PHONY: docker-all
 docker-all: docker
-	docker build -f Dockerfile -t pusher/oauth2_proxy:latest-amd64 .
-	docker build -f Dockerfile -t pusher/oauth2_proxy:${VERSION} .
-	docker build -f Dockerfile -t pusher/oauth2_proxy:${VERSION}-amd64 .
-	docker build -f Dockerfile.arm64 -t pusher/oauth2_proxy:latest-arm64 .
-	docker build -f Dockerfile.arm64 -t pusher/oauth2_proxy:${VERSION}-arm64 .
-	docker build -f Dockerfile.armv6 -t pusher/oauth2_proxy:latest-armv6 .
-	docker build -f Dockerfile.armv6 -t pusher/oauth2_proxy:${VERSION}-armv6 .
+	docker build -f Dockerfile -t quay.io/pusher/oauth2_proxy:latest-amd64 .
+	docker build -f Dockerfile -t quay.io/pusher/oauth2_proxy:${VERSION} .
+	docker build -f Dockerfile -t quay.io/pusher/oauth2_proxy:${VERSION}-amd64 .
+	docker build -f Dockerfile.arm64 -t quay.io/pusher/oauth2_proxy:latest-arm64 .
+	docker build -f Dockerfile.arm64 -t quay.io/pusher/oauth2_proxy:${VERSION}-arm64 .
+	docker build -f Dockerfile.armv6 -t quay.io/pusher/oauth2_proxy:latest-armv6 .
+	docker build -f Dockerfile.armv6 -t quay.io/pusher/oauth2_proxy:${VERSION}-armv6 .
+
+.PHONY: docker-push
+docker-push:
+	docker push quay.io/pusher/oauth2_proxy:latest
+
+.PHONY: docker-push-all
+docker-push-all: docker-push
+	docker push quay.io/pusher/oauth2_proxy:latest-amd64
+	docker push quay.io/pusher/oauth2_proxy:${VERSION}
+	docker push quay.io/pusher/oauth2_proxy:${VERSION}-amd64
+	docker push quay.io/pusher/oauth2_proxy:latest-arm64
+	docker push quay.io/pusher/oauth2_proxy:${VERSION}-arm64
+	docker push quay.io/pusher/oauth2_proxy:latest-armv6
+	docker push quay.io/pusher/oauth2_proxy:${VERSION}-armv6

 .PHONY: test
 test: dep lint
--- a/README.md
+++ b/README.md
@ -19,17 +19,17 @@ A list of changes can be seen in the [CHANGELOG](CHANGELOG.md).

 1.  Choose how to deploy:

-    a. Download [Prebuilt Binary](https://github.com/pusher/oauth2_proxy/releases) (current release is `v3.0.0`)
+    a. Download [Prebuilt Binary](https://github.com/pusher/oauth2_proxy/releases) (current release is `v3.1.0`)

    b. Build with `$ go get github.com/pusher/oauth2_proxy` which will put the binary in `$GOROOT/bin`

-    c. Using the prebuilt docker image [quay.io/pusher/oauth2_proxy](https://quay.io/pusher/oauth2_proxy)
+    c. Using the prebuilt docker image [quay.io/pusher/oauth2_proxy](https://quay.io/pusher/oauth2_proxy) (AMD64, ARMv6 and ARM64 tags available)

 Prebuilt binaries can be validated by extracting the file and verifying it against the `sha256sum.txt` checksum file provided for each release starting with version `v3.0.0`.

 ```
 sha256sum -c sha256sum.txt 2>&1 | grep OK
-oauth2_proxy-3.0.0.linux-amd64: OK
+oauth2_proxy-3.1.0.linux-amd64: OK
 ```

 2.  Select a Provider and Register an OAuth Application with a Provider
@ -203,6 +203,7 @@ Usage of oauth2_proxy:
  -custom-templates-dir string: path to custom html templates
  -display-htpasswd-form: display username / password login form if an htpasswd file is provided (default true)
  -email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
+  -flush-interval: period between flushing response buffers when streaming responses (default "1s")
  -footer string: custom footer string. Use "-" to disable default footer.
  -github-org string: restrict logins to members of this organisation
  -github-team string: restrict logins to members of any of these teams (slug), separated by a comma
@ -481,19 +482,19 @@ server {
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

-    # When using the --set-authorization flag, some provider's cookies can exceed the 4kb 
-    # limit and so the OAuth2 Proxy splits these into multiple parts. 
+    # When using the --set-authorization flag, some provider's cookies can exceed the 4kb
+    # limit and so the OAuth2 Proxy splits these into multiple parts.
    # Nginx normally only copies the first `Set-Cookie` header from the auth_request to the response,
    # so if your cookies are larger than 4kb, you will need to extract additional cookies manually.
    auth_request_set $auth_cookie_name_upstream_1 $upstream_cookie_auth_cookie_name_1;
-      
+
    # Extract the Cookie attributes from the first Set-Cookie header and append them
    # to the second part ($upstream_cookie_* variables only contain the raw cookie content)
    if ($auth_cookie ~* "(; .*)") {
-        set $auth_cookie_name_0 $auth_cookie; 
+        set $auth_cookie_name_0 $auth_cookie;
        set $auth_cookie_name_1 "auth_cookie_name_1=$auth_cookie_name_upstream_1$1";
    }
-    
+
    # Send both Set-Cookie headers now if there was a second part
    if ($auth_cookie_name_upstream_1) {
        add_header Set-Cookie $auth_cookie_name_0;