Merge pull request #71 from jehiah/cookie_secure_flag_71

Rename flag to set secure (https) cookies
This commit is contained in:
Jehiah Czebotar 2015-03-19 14:49:11 -04:00
commit d5169f92f7
5 changed files with 35 additions and 25 deletions


@ -64,9 +64,11 @@ Usage of google_auth_proxy:
-config="": path to config file -config="": path to config file
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)* -cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
-cookie-expire=168h0m0s: expire timeframe for cookie -cookie-expire=168h0m0s: expire timeframe for cookie
-cookie-httponly=true: set HttpOnly cookie -cookie-httponly=true: set HttpOnly cookie flag
-cookie-https-only=true: set HTTPS only cookie -cookie-https-only=true: set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)
-cookie-secret="": the seed string for secure cookies -cookie-secret="": the seed string for secure cookies
-cookie-secure=true: set secure (HTTPS) cookie flag
-custom-templates-dir="": path to custom html templates
-display-htpasswd-form=true: display username / password login form if an htpasswd file is provided -display-htpasswd-form=true: display username / password login form if an htpasswd file is provided
-google-apps-domain=: authenticate against the given Google apps domain (may be given multiple times) -google-apps-domain=: authenticate against the given Google apps domain (may be given multiple times)
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption -htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
@ -75,7 +77,6 @@ Usage of google_auth_proxy:
-pass-host-header=true: pass the request Host Header to upstream -pass-host-header=true: pass the request Host Header to upstream
-redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback" -redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
-skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times) -skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
-custom templates-dir="": path to custom html templates
-upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path -upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path
-version=false: print version string -version=false: print version string
``` ```
@ -120,7 +121,7 @@ The command line to run `google_auth_proxy` would look like this:
--google-apps-domain="yourcompany.com" \ --google-apps-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \ --upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \ --cookie-secret=... \
--cookie-https-only=true \ --cookie-secure=true \
--client-id=... \ --client-id=... \
--client-secret=... --client-secret=...
``` ```


@ -49,5 +49,5 @@
# cookie_secret = "" # cookie_secret = ""
# cookie_domain = "" # cookie_domain = ""
# cookie_expire = "168h" # cookie_expire = "168h"
# cookie_https_only = true # cookie_secure = true
# cookie_httponly = true # cookie_httponly = true


@ -43,8 +43,9 @@ func main() {
flagSet.String("cookie-secret", "", "the seed string for secure cookies") flagSet.String("cookie-secret", "", "the seed string for secure cookies")
flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*") flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie") flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
flagSet.Bool("cookie-https-only", true, "set HTTPS only cookie") flagSet.Bool("cookie-https-only", true, "set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)")
flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie") flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")
flagSet.Parse(os.Args[1:]) flagSet.Parse(os.Args[1:])
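Review bot: The help text for the new `cookie-secure` flag ("set secure (HTTPS) cookie flag") understates what it controls: in oauthproxy.go's GetRedirectUrl the same setting also picks http vs https for a `--redirect-url` given without a scheme, so turning it off downgrades the OAuth callback URL as well as the cookie. Suggest `flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag (also selects https for a scheme-less --redirect-url)")`. The deprecated flag's help could likewise say that setting it to false overrides `--cookie-secure`, since that is what NewOauthProxy does. The enclosing main() starts and ends outside this hunk.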


@ -24,13 +24,13 @@ const oauthStartPath = "/oauth2/start"
const oauthCallbackPath = "/oauth2/callback" const oauthCallbackPath = "/oauth2/callback"
type OauthProxy struct { type OauthProxy struct {
CookieSeed string CookieSeed string
CookieKey string CookieKey string
CookieDomain string CookieDomain string
CookieHttpsOnly bool CookieSecure bool
CookieHttpOnly bool CookieHttpOnly bool
CookieExpire time.Duration CookieExpire time.Duration
Validator func(string) bool Validator func(string) bool
redirectUrl *url.URL // the url to receive requests at redirectUrl *url.URL // the url to receive requests at
oauthRedemptionUrl *url.URL // endpoint to redeem the code oauthRedemptionUrl *url.URL // endpoint to redeem the code
@ -98,15 +98,21 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
if domain == "" { if domain == "" {
domain = "<default>" domain = "<default>"
} }
log.Printf("Cookie settings: https_only (SSL required): %v httponly: %v expiry: %s domain:%s", opts.CookieHttpsOnly, opts.CookieHttpOnly, opts.CookieExpire, domain) if !opts.CookieHttpsOnly {
log.Printf("Warning: cookie-https-only setting is deprecated and will be removed in a future version. use cookie-secure")
opts.CookieSecure = opts.CookieHttpsOnly
}
log.Printf("Cookie settings: secure (https):%v httponly:%v expiry:%s domain:%s", opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain)
return &OauthProxy{ return &OauthProxy{
CookieKey: "_oauthproxy", CookieKey: "_oauthproxy",
CookieSeed: opts.CookieSecret, CookieSeed: opts.CookieSecret,
CookieDomain: opts.CookieDomain, CookieDomain: opts.CookieDomain,
CookieHttpsOnly: opts.CookieHttpsOnly, CookieSecure: opts.CookieSecure,
CookieHttpOnly: opts.CookieHttpOnly, CookieHttpOnly: opts.CookieHttpOnly,
CookieExpire: opts.CookieExpire, CookieExpire: opts.CookieExpire,
Validator: validator, Validator: validator,
clientID: opts.ClientID, clientID: opts.ClientID,
clientSecret: opts.ClientSecret, clientSecret: opts.ClientSecret,
@ -130,7 +136,7 @@ func (p *OauthProxy) GetRedirectUrl(host string) string {
var u url.URL var u url.URL
u = *p.redirectUrl u = *p.redirectUrl
if u.Scheme == "" { if u.Scheme == "" {
if p.CookieHttpsOnly { if p.CookieSecure {
u.Scheme = "https" u.Scheme = "https"
} else { } else {
u.Scheme = "http" u.Scheme = "http"
@ -265,7 +271,7 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
Path: "/", Path: "/",
Domain: domain, Domain: domain,
HttpOnly: p.CookieHttpOnly, HttpOnly: p.CookieHttpOnly,
Secure: p.CookieHttpsOnly, Secure: p.CookieSecure,
Expires: time.Now().Add(p.CookieExpire), Expires: time.Now().Add(p.CookieExpire),
} }
http.SetCookie(rw, cookie) http.SetCookie(rw, cookie)
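Review bot: The compatibility shim added at the top of NewOauthProxy lets the deprecated flag silently override the new one: both default to true, so `--cookie-https-only=false` forces CookieSecure to false even when the operator has explicitly passed `--cookie-secure=true`, and the warning does not say that it did so. Since the flag package cannot tell an explicit true from the default, the shim cannot be made symmetric, but the warning should at least name the override and the effective value, e.g. `log.Printf("Warning: cookie-https-only is deprecated and will be removed in a future version; it overrides cookie-secure (secure=%v). use cookie-secure", opts.CookieHttpsOnly)`. The GetRedirectUrl hunk also deserves a comment, because CookieSecure now doubles as the scheme selector for a scheme-less redirect URL: `// CookieSecure also selects the callback scheme; false sends the OAuth code over plain HTTP`. NewOauthProxy begins before this hunk and continues after it.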


@ -24,7 +24,8 @@ type Options struct {
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"` CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"GOOGLE_AUTH_PROXY_COOKIE_SECRET"`
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"` CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"GOOGLE_AUTH_PROXY_COOKIE_DOMAIN"`
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"` CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"GOOGLE_AUTH_PROXY_COOKIE_EXPIRE"`
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // set secure cookie flag CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"` CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
Upstreams []string `flag:"upstream" cfg:"upstreams"` Upstreams []string `flag:"upstream" cfg:"upstreams"`
@ -43,6 +44,7 @@ func NewOptions() *Options {
HttpAddress: "127.0.0.1:4180", HttpAddress: "127.0.0.1:4180",
DisplayHtpasswdForm: true, DisplayHtpasswdForm: true,
CookieHttpsOnly: true, CookieHttpsOnly: true,
CookieSecure: true,
CookieHttpOnly: true, CookieHttpOnly: true,
CookieExpire: time.Duration(168) * time.Hour, CookieExpire: time.Duration(168) * time.Hour,
PassBasicAuth: true, PassBasicAuth: true,
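Review bot: The trailing comment on CookieHttpsOnly (`// deprecated use cookie-secure`) is not in the form Go tooling recognises; put a doc comment on the line above the field: `// Deprecated: use CookieSecure (--cookie-secure) instead. When false it overrides CookieSecure.` Separately, CookieSecure has no `env:` tag while CookieSecret, CookieDomain and CookieExpire do; if cookie settings are meant to be configurable from the environment it probably wants `env:"GOOGLE_AUTH_PROXY_COOKIE_SECURE"`, though the old flag had none either, so this may be deliberate. The Options struct and NewOptions both extend beyond the visible hunks.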