v2.0 & cleanup changes
* bump version to 2.0 * remove --cookie-https-only option * add windows build to dist.sh * rename --cookie-key to --cookie-name
parent
1946739e98
commit
d78aa13464
@ -3,10 +3,11 @@ go:
|
|||||||
- 1.3.3
|
- 1.3.3
|
||||||
- 1.4.2
|
- 1.4.2
|
||||||
script:
|
script:
|
||||||
- curl -s https://raw.githubusercontent.com/pote/gpm/v1.3.1/bin/gpm > gpm
|
- curl -s https://raw.githubusercontent.com/pote/gpm/v1.3.2/bin/gpm > gpm
|
||||||
- chmod +x gpm
|
- chmod +x gpm
|
||||||
- ./gpm install
|
- ./gpm install
|
||||||
- ./test.sh
|
- ./test.sh
|
||||||
|
sudo: false
|
||||||
notifications:
|
notifications:
|
||||||
email: false
|
email: false
|
||||||
|
|
||||||
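Review bot: The `gpm` bootstrap in the `script:` block still fetches `bin/gpm` from raw.githubusercontent.com and runs it via `chmod +x gpm` / `./gpm install` with no integrity check, so the build trusts whatever that URL serves at build time. Pinning the path to the v1.3.2 tag narrows the window but a tag is mutable; record the expected digest and verify it before execution, e.g. `echo "<EXPECTED_SHA256>  gpm" | sha256sum -c -` between the curl and the chmod, or vendor the script into the repository.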
|
@ -17,7 +17,7 @@ to validate accounts by email, domain or group.
|
|||||||
|
|
||||||
## Installation
|
## Installation
|
||||||
|
|
||||||
1. Download [Prebuilt Binary](https://github.com/bitly/oauth2_proxy/releases) (current release is `v1.1.1`) or build with `$ go get github.com/bitly/oauth2_proxy` which will put the binary in `$GOROOT/bin`
|
1. Download [Prebuilt Binary](https://github.com/bitly/oauth2_proxy/releases) (current release is `v2.0`) or build with `$ go get github.com/bitly/oauth2_proxy` which will put the binary in `$GOROOT/bin`
|
||||||
2. Select a Provider and Register an OAuth Application with a Provider
|
2. Select a Provider and Register an OAuth Application with a Provider
|
||||||
3. Configure OAuth2 Proxy using config file, command line options, or environment variables
|
3. Configure OAuth2 Proxy using config file, command line options, or environment variables
|
||||||
4. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
|
4. Configure SSL or Deploy behind a SSL endpoint (example provided for Nginx)
|
||||||
@ -99,8 +99,7 @@ Usage of oauth2_proxy:
|
|||||||
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
|
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
|
||||||
-cookie-expire=168h0m0s: expire timeframe for cookie
|
-cookie-expire=168h0m0s: expire timeframe for cookie
|
||||||
-cookie-httponly=true: set HttpOnly cookie flag
|
-cookie-httponly=true: set HttpOnly cookie flag
|
||||||
-cookie-https-only=true: set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)
|
-cookie-key="_oauth2_proxy": the name of the cookie that the oauth_proxy creates
|
||||||
-cookie-key="_oauth2proxy": the name of the cookie that the oauth_proxy creates
|
|
||||||
-cookie-refresh=0: refresh the cookie when less than this much time remains before expiration; 0 to disable
|
-cookie-refresh=0: refresh the cookie when less than this much time remains before expiration; 0 to disable
|
||||||
-cookie-secret="": the seed string for secure cookies
|
-cookie-secret="": the seed string for secure cookies
|
||||||
-cookie-secure=true: set secure (HTTPS) cookie flag
|
-cookie-secure=true: set secure (HTTPS) cookie flag
|
||||||
|
@ -54,7 +54,7 @@
|
|||||||
# custom_templates_dir = ""
|
# custom_templates_dir = ""
|
||||||
|
|
||||||
## Cookie Settings
|
## Cookie Settings
|
||||||
## Key - the cookie name
|
## Name - the cookie name
|
||||||
## Secret - the seed string for secure cookies; should be 16, 24, or 32 bytes
|
## Secret - the seed string for secure cookies; should be 16, 24, or 32 bytes
|
||||||
## for use with an AES cipher when cookie_refresh or pass_access_token
|
## for use with an AES cipher when cookie_refresh or pass_access_token
|
||||||
## is set
|
## is set
|
||||||
@ -65,7 +65,7 @@
|
|||||||
## Refresh revalidated the OAuth token to ensure it is still valid. ie: 24h
|
## Refresh revalidated the OAuth token to ensure it is still valid. ie: 24h
|
||||||
## Secure - secure cookies are only sent by the browser of a HTTPS connection (recommended)
|
## Secure - secure cookies are only sent by the browser of a HTTPS connection (recommended)
|
||||||
## HttpOnly - httponly cookies are not readable by javascript (recommended)
|
## HttpOnly - httponly cookies are not readable by javascript (recommended)
|
||||||
# cookie_key = "_oauth2proxy"
|
# cookie_name = "_oauth2_proxy"
|
||||||
# cookie_secret = ""
|
# cookie_secret = ""
|
||||||
# cookie_domain = ""
|
# cookie_domain = ""
|
||||||
# cookie_expire = "168h"
|
# cookie_expire = "168h"
|
||||||
|
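--- a/dist.sh
+++ b/dist.sh
@@ -18,7 +18,7 @@ goversion=$(go version | awk '{print $3}')
 echo "... running tests"
 ./test.sh || exit 1
 
-for os in linux darwin; do
+for os in windows linux darwin; do
 echo "... building v$version for $os/$arch"
 BUILD=$(mktemp -d -t oauth2_proxy)
 TARGET="oauth2_proxy-$version.$os-$arch.$goversion"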
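Review bot: Adding `windows` to the `for os in windows linux darwin` loop builds a target whose executable conventionally carries a `.exe` suffix, and nothing in the visible lines adds one. The build and packaging commands are further down the loop body, outside this hunk, so confirm the Windows binary is named accordingly, e.g. `ext=""; [ "$os" = windows ] && ext=".exe"` applied when naming the output. The `TARGET` string shown here is unaffected.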
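--- a/main.go
+++ b/main.go
@@ -46,12 +46,11 @@ func main() {
 flagSet.String("custom-templates-dir", "", "path to custom html templates")
 flagSet.String("proxy-prefix", "/oauth2", "the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)")
 
-flagSet.String("cookie-key", "_oauth2proxy", "the name of the cookie that the oauth_proxy creates")
+flagSet.String("cookie-name", "_oauth2_proxy", "the name of the cookie that the oauth_proxy creates")
 flagSet.String("cookie-secret", "", "the seed string for secure cookies")
 flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
 flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
-flagSet.Duration("cookie-refresh", time.Duration(0)*time.Hour, "refresh the cookie when less than this much time remains before expiration; 0 to disable")
-flagSet.Bool("cookie-https-only", true, "set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)")
+flagSet.Duration("cookie-refresh", time.Duration(0), "refresh the cookie when less than this much time remains before expiration; 0 to disable")
 flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
 flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")
 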
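Review bot: The README usage listing changed in this same commit still documents `-cookie-key="_oauth2_proxy"` while the flag registered here is `cookie-name`, so the documented spelling no longer parses; update that README line to `-cookie-name="_oauth2_proxy": the name of the cookie that the oauth_proxy creates`. Dropping the `cookie-https-only` registration with no alias means a deployment still passing that flag fails at flag parsing rather than silently running with a different Secure setting, which is the right direction, but it goes from deprecation warning to hard failure in one release and belongs in the release notes. `main` begins and ends outside this hunk.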
@ -21,7 +21,7 @@ import (
|
|||||||
|
|
||||||
type OauthProxy struct {
|
type OauthProxy struct {
|
||||||
CookieSeed string
|
CookieSeed string
|
||||||
CookieKey string
|
CookieName string
|
||||||
CookieDomain string
|
CookieDomain string
|
||||||
CookieSecure bool
|
CookieSecure bool
|
||||||
CookieHttpOnly bool
|
CookieHttpOnly bool
|
||||||
@ -109,12 +109,8 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
|
|||||||
if domain == "" {
|
if domain == "" {
|
||||||
domain = "<default>"
|
domain = "<default>"
|
||||||
}
|
}
|
||||||
if !opts.CookieHttpsOnly {
|
|
||||||
log.Printf("Warning: cookie-https-only setting is deprecated and will be removed in a future version. use cookie-secure")
|
|
||||||
opts.CookieSecure = opts.CookieHttpsOnly
|
|
||||||
}
|
|
||||||
|
|
||||||
log.Printf("Cookie settings: name:%s secure (https):%v httponly:%v expiry:%s domain:%s", opts.CookieKey, opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain)
|
log.Printf("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domain:%s", opts.CookieName, opts.CookieSecure, opts.CookieHttpOnly, opts.CookieExpire, domain)
|
||||||
|
|
||||||
var aes_cipher cipher.Block
|
var aes_cipher cipher.Block
|
||||||
if opts.PassAccessToken || (opts.CookieRefresh != time.Duration(0)) {
|
if opts.PassAccessToken || (opts.CookieRefresh != time.Duration(0)) {
|
||||||
@ -127,7 +123,7 @@ func NewOauthProxy(opts *Options, validator func(string) bool) *OauthProxy {
|
|||||||
}
|
}
|
||||||
|
|
||||||
return &OauthProxy{
|
return &OauthProxy{
|
||||||
CookieKey: opts.CookieKey,
|
CookieName: opts.CookieName,
|
||||||
CookieSeed: opts.CookieSecret,
|
CookieSeed: opts.CookieSecret,
|
||||||
CookieDomain: opts.CookieDomain,
|
CookieDomain: opts.CookieDomain,
|
||||||
CookieSecure: opts.CookieSecure,
|
CookieSecure: opts.CookieSecure,
|
||||||
@ -208,11 +204,11 @@ func (p *OauthProxy) MakeCookie(req *http.Request, value string, expiration time
|
|||||||
}
|
}
|
||||||
|
|
||||||
if value != "" {
|
if value != "" {
|
||||||
value = signedCookieValue(p.CookieSeed, p.CookieKey, value)
|
value = signedCookieValue(p.CookieSeed, p.CookieName, value)
|
||||||
}
|
}
|
||||||
|
|
||||||
return &http.Cookie{
|
return &http.Cookie{
|
||||||
Name: p.CookieKey,
|
Name: p.CookieName,
|
||||||
Value: value,
|
Value: value,
|
||||||
Path: "/",
|
Path: "/",
|
||||||
Domain: domain,
|
Domain: domain,
|
||||||
@ -233,7 +229,7 @@ func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val st
|
|||||||
func (p *OauthProxy) ProcessCookie(rw http.ResponseWriter, req *http.Request) (email, user, access_token string, ok bool) {
|
func (p *OauthProxy) ProcessCookie(rw http.ResponseWriter, req *http.Request) (email, user, access_token string, ok bool) {
|
||||||
var value string
|
var value string
|
||||||
var timestamp time.Time
|
var timestamp time.Time
|
||||||
cookie, err := req.Cookie(p.CookieKey)
|
cookie, err := req.Cookie(p.CookieName)
|
||||||
if err == nil {
|
if err == nil {
|
||||||
value, timestamp, ok = validateCookie(cookie, p.CookieSeed)
|
value, timestamp, ok = validateCookie(cookie, p.CookieSeed)
|
||||||
if ok {
|
if ok {
|
||||||
|
@ -193,9 +193,9 @@ func (pat_test *PassAccessTokenTest) getCallbackEndpoint() (http_code int,
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (pat_test *PassAccessTokenTest) getRootEndpoint(cookie string) (http_code int, access_token string) {
|
func (pat_test *PassAccessTokenTest) getRootEndpoint(cookie string) (http_code int, access_token string) {
|
||||||
cookie_key := pat_test.proxy.CookieKey
|
cookieName := pat_test.proxy.CookieName
|
||||||
var value string
|
var value string
|
||||||
key_prefix := cookie_key + "="
|
key_prefix := cookieName + "="
|
||||||
|
|
||||||
for _, field := range strings.Split(cookie, "; ") {
|
for _, field := range strings.Split(cookie, "; ") {
|
||||||
value = strings.TrimPrefix(field, key_prefix)
|
value = strings.TrimPrefix(field, key_prefix)
|
||||||
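Review bot: `key_prefix` on the line `key_prefix := cookieName + "="` keeps its snake_case spelling while the variable it is built from was just renamed to the MixedCaps `cookieName`, leaving two adjacent locals in different styles. Since the rename already touches this function, rename it at its declaration and its use in the `strings.TrimPrefix` call: `keyPrefix := cookieName + "="` and `value = strings.TrimPrefix(field, keyPrefix)`. `getRootEndpoint` continues past the end of this hunk.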
@ -214,7 +214,7 @@ func (pat_test *PassAccessTokenTest) getRootEndpoint(cookie string) (http_code i
|
|||||||
return 0, ""
|
return 0, ""
|
||||||
}
|
}
|
||||||
req.AddCookie(&http.Cookie{
|
req.AddCookie(&http.Cookie{
|
||||||
Name: cookie_key,
|
Name: cookieName,
|
||||||
Value: value,
|
Value: value,
|
||||||
Path: "/",
|
Path: "/",
|
||||||
Expires: time.Now().Add(time.Duration(24)),
|
Expires: time.Now().Add(time.Duration(24)),
|
||||||
|
@ -29,12 +29,11 @@ type Options struct {
|
|||||||
DisplayHtpasswdForm bool `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
|
DisplayHtpasswdForm bool `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
|
||||||
CustomTemplatesDir string `flag:"custom-templates-dir" cfg:"custom_templates_dir"`
|
CustomTemplatesDir string `flag:"custom-templates-dir" cfg:"custom_templates_dir"`
|
||||||
|
|
||||||
CookieKey string `flag:"cookie-key" cfg:"cookie_key" env:"OAUTH2_PROXY_COOKIE_KEY"`
|
CookieName string `flag:"cookie-name" cfg:"cookie_name" env:"OAUTH2_PROXY_COOKIE_NAME"`
|
||||||
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"OAUTH2_PROXY_COOKIE_SECRET"`
|
CookieSecret string `flag:"cookie-secret" cfg:"cookie_secret" env:"OAUTH2_PROXY_COOKIE_SECRET"`
|
||||||
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"OAUTH2_PROXY_COOKIE_DOMAIN"`
|
CookieDomain string `flag:"cookie-domain" cfg:"cookie_domain" env:"OAUTH2_PROXY_COOKIE_DOMAIN"`
|
||||||
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"OAUTH2_PROXY_COOKIE_EXPIRE"`
|
CookieExpire time.Duration `flag:"cookie-expire" cfg:"cookie_expire" env:"OAUTH2_PROXY_COOKIE_EXPIRE"`
|
||||||
CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"OAUTH2_PROXY_COOKIE_REFRESH"`
|
CookieRefresh time.Duration `flag:"cookie-refresh" cfg:"cookie_refresh" env:"OAUTH2_PROXY_COOKIE_REFRESH"`
|
||||||
CookieHttpsOnly bool `flag:"cookie-https-only" cfg:"cookie_https_only"` // deprecated use cookie-secure
|
|
||||||
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
|
CookieSecure bool `flag:"cookie-secure" cfg:"cookie_secure"`
|
||||||
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
|
CookieHttpOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
|
||||||
|
|
||||||
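Review bot: The env var and config keys are renamed from `OAUTH2_PROXY_COOKIE_KEY`/`cookie_key` to `OAUTH2_PROXY_COOKIE_NAME`/`cookie_name` with no alias, and the `cookie_https_only` field is removed outright. How unknown env vars and config keys are treated is not visible here; if they are ignored, an operator still setting the old names silently gets the default cookie name, and a config carrying `cookie_https_only = false` now runs with `CookieSecure` at its default of true — the fail-safe direction, but an unannounced one. Consider rejecting or at least logging the retired names for one release so the change is noticed, and record the history on the field, e.g. `// renamed from cookie-key / cookie_key / OAUTH2_PROXY_COOKIE_KEY in v2.0`. The `Options` struct begins and ends outside this hunk.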
@ -68,8 +67,7 @@ func NewOptions() *Options {
|
|||||||
HttpAddress: "127.0.0.1:4180",
|
HttpAddress: "127.0.0.1:4180",
|
||||||
HttpsAddress: ":443",
|
HttpsAddress: ":443",
|
||||||
DisplayHtpasswdForm: true,
|
DisplayHtpasswdForm: true,
|
||||||
CookieKey: "_oauthproxy",
|
CookieName: "_oauth2_proxy",
|
||||||
CookieHttpsOnly: true,
|
|
||||||
CookieSecure: true,
|
CookieSecure: true,
|
||||||
CookieHttpOnly: true,
|
CookieHttpOnly: true,
|
||||||
CookieExpire: time.Duration(168) * time.Hour,
|
CookieExpire: time.Duration(168) * time.Hour,
|
||||||
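Review bot: The default cookie name set here changes from `_oauthproxy` to `_oauth2_proxy`, and the flag default in main.go changes from `_oauth2proxy` to the same value; before this commit the two defaults disagreed, so unifying them is right, but the literal is now duplicated across two files and can drift again. Hoist it into one shared constant, e.g. `const defaultCookieName = "_oauth2_proxy"`, and use it both here and in the `flagSet.String("cookie-name", ...)` call. Because `ProcessCookie` reads `req.Cookie(p.CookieName)`, a deployment running on either old default loses every existing session at upgrade and users are sent back through sign-in; that deserves a line in the release notes. `NewOptions` begins and ends outside this hunk.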
|
@ -1,3 +1,3 @@
|
|||||||
package main
|
package main
|
||||||
|
|
||||||
const VERSION = "1.1.1"
|
const VERSION = "2.0"
|
||||||
|