Merge pull request #71 from jehiah/cookie_secure_flag_71

Rename flag to set secure (https) cookies
Jehiah Czebotar 2015-03-19 14:49:11 -04:00
commit d5169f92f7
5 changed files with 35 additions and 25 deletions


@ -64,9 +64,11 @@ Usage of google_auth_proxy:
-config="": path to config file
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
-cookie-expire=168h0m0s: expire timeframe for cookie
-cookie-httponly=true: set HttpOnly cookie
-cookie-https-only=true: set HTTPS only cookie
-cookie-httponly=true: set HttpOnly cookie flag
-cookie-https-only=true: set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)
-cookie-secret="": the seed string for secure cookies
-cookie-secure=true: set secure (HTTPS) cookie flag
-custom-templates-dir="": path to custom html templates
-display-htpasswd-form=true: display username / password login form if an htpasswd file is provided
-google-apps-domain=: authenticate against the given Google apps domain (may be given multiple times)
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
@ -75,7 +77,6 @@ Usage of google_auth_proxy:
-pass-host-header=true: pass the request Host Header to upstream
-redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
-skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
-custom templates-dir="": path to custom html templates
-upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path
-version=false: print version string
```
@ -120,7 +121,7 @@ The command line to run `google_auth_proxy` would look like this:
--google-apps-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \
--cookie-https-only=true \
--cookie-secure=true \
--client-id=... \
--client-secret=...
```


@ -49,5 +49,5 @@
# cookie_secret = ""
# cookie_domain = ""
# cookie_expire = "168h"
# cookie_https_only = true
# cookie_secure = true
# cookie_httponly = true


@ -43,8 +43,9 @@ func main() {
flagSet.String("cookie-secret", "", "the seed string for secure cookies")
flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
flagSet.Bool("cookie-https-only", true, "set HTTPS only cookie")
flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie")
flagSet.Bool("cookie-https-only", true, "set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)")
flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")
flagSet.Parse(os.Args[1:])


@ -24,13 +24,13 @@ const oauthStartPath = "/oauth2/start"
const oauthCallbackPath = "/oauth2/callback"
type OauthProxy struct {
CookieSeed string
CookieKey string
CookieDomain string
CookieHttpsOnly bool
CookieHttpOnly bool
CookieExpire time.Duration
Validator func(string) bool
CookieSeed string
CookieKey string
CookieDomain string
CookieSecure bool
CookieHttpOnly bool
CookieExpire time.Duration
Validator func(string) bool
redirectUrl *url.URL // the url to receive requests at
oauthRedemptionUrl *url.URL // endpoint to redeem the code
@ -98,15 +98,21 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
if domain == "" {
domain = "<default>"
}
log.Printf("Cookie settings: https_only (SSL required): %v httponly: %v expiry: %s domain:%s", opts.CookieHttpsOnly, opts.CookieHttpOnly, opts.CookieExpire, domain)
if !opts.CookieHttpsOnly {
log.Printf("Warning: cookie-https-only setting is deprecated and will be removed in a future version. use cookie-secure")
opts.CookieSecure = opts.CookieHttpsOnly
}
log.Printf("Cookie settings: secure (https):%v httponly:%v expiry:%s domain:%s", opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain)
return &OauthProxy{
CookieKey: "_oauthproxy",
CookieSeed: opts.CookieSecret,
CookieDomain: opts.CookieDomain,
CookieHttpsOnly: opts.CookieHttpsOnly,
CookieHttpOnly: opts.CookieHttpOnly,
CookieExpire: opts.CookieExpire,
Validator: validator,
CookieKey: "_oauthproxy",
CookieSeed: opts.CookieSecret,
CookieDomain: opts.CookieDomain,
CookieSecure: opts.CookieSecure,
CookieHttpOnly: opts.CookieHttpOnly,
CookieExpire: opts.CookieExpire,
Validator: validator,
clientID: opts.ClientID,
clientSecret: opts.ClientSecret,
@ -130,7 +136,7 @@ func (p *OauthProxy) GetRedirectUrl(host string) string {
var u url.URL
u = *p.redirectUrl
if u.Scheme == "" {
if p.CookieHttpsOnly {
if p.CookieSecure {
u.Scheme = "https"
} else {
u.Scheme = "http"
@ -265,7 +271,7 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
Path: "/",
Domain: domain,
HttpOnly: p.CookieHttpOnly,
Secure: p.CookieHttpsOnly,
Secure: p.CookieSecure,
Expires: time.Now().Add(p.CookieExpire),
}
http.SetCookie(rw, cookie)
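Review bot: The compatibility shim in NewOauthProxy (`if !opts.CookieHttpsOnly { ... opts.CookieSecure = opts.CookieHttpsOnly }`) can only ever clear the Secure flag, because both settings default to true in NewOptions and in main.go, so the deprecated setting silently wins over an explicit `--cookie-secure=true` with nothing more than a log line; an operator who switched to the new flag but still has `cookie_https_only = false` in an old config file ends up sending the session cookie without Secure. The effective value is at least visible in the log line that follows, which is good; I would make the warning say that it is overriding, e.g. `log.Printf("Warning: cookie-https-only is deprecated and will be removed in a future version; it is overriding cookie-secure=%v with false. use cookie-secure", opts.CookieSecure)`. The shim also writes back into the caller's `*Options`; a local `secure := opts.CookieSecure` set to false in the branch and used as `CookieSecure: secure` keeps the constructor free of that side effect. Deciding which setting was actually given belongs in the options/flag layer rather than here, since a plain bool cannot distinguish "explicitly true" from the default. NewOauthProxy begins and ends outside the hunk.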


@ -24,7 +24,8 @@ type Options struct {
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // set secure cookie flag
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
Upstreams []string `flag:"upstream" cfg:"upstreams"`
@ -43,6 +44,7 @@ func NewOptions() *Options {
HttpAddress: "127.0.0.1:4180",
DisplayHtpasswdForm: true,
CookieHttpsOnly: true,
CookieSecure: true,
CookieHttpOnly: true,
CookieExpire: time.Duration(168) * time.Hour,
PassBasicAuth: true,
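Review bot: The trailing comment on the retained field, `// deprecated use cookie-secure`, is not in the form Go tooling and readers recognise for deprecation, and it does not say that the old key is still honoured and can override the new one. I would move it to its own line above the field as `// Deprecated: use CookieSecure (flag cookie-secure, cfg cookie_secure) instead. When set to false it still overrides CookieSecure.` so that the downgrade path is documented where the field is declared. The same note applies to the flag help text in main.go, which could say that the deprecated flag overrides --cookie-secure when set to false. The Options struct and NewOptions both continue outside the hunks.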