Remove group delimiter parameter. Add env var for PermitUsers

This commit is contained in:
Lukasz Leszczuk 2019-09-13 15:32:35 +02:00
parent 28066aa729
commit fb421109aa
4 changed files with 11 additions and 14 deletions


@ -45,7 +45,6 @@ func main() {
flagSet.String("filter-groups", "", "exclude groups that do not contain this value in its 'displayName' (Azure only)")
flagSet.Var(&permittedGroups, "permit-groups", "restrict logins to members of this group (may be given multiple times; Azure).")
flagSet.Var(&permittedUsers, "permit-users", "let users in unconditionally")
flagSet.String("groups-delimiter", "|", "delimiter between group names if more than one found. By default it is '|' symbol")
flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
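Review bot: The `permit-users` help text on the surviving line still reads `let users in unconditionally` without saying what it bypasses or that it is provider-specific, while the neighbouring `permit-groups` text does say `(may be given multiple times; Azure)`. The exemption list is consumed by AzureProvider.SetGroupsExemption and checked in ValidateGroupWithSession, so `flagSet.Var(&permittedUsers, "permit-users", "allow these users to log in even if they fail the permit-groups check; entries are 'email' or 'email:id' (may be given multiple times; Azure)")` would make the bypass explicit to an operator. The 'email:id' form is inferred from the colon-splitting in SetGroupsExemption — confirm what the ID denotes before documenting it. main's body continues outside the hunk.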


@ -88,7 +88,6 @@ type OAuthProxy struct {
SetXAuthRequest bool
PassBasicAuth bool
PassGroups bool
GroupsDelimiter string
FilterGroups string
SkipProviderButton bool
PassUserHeaders bool
@ -284,7 +283,6 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
SetXAuthRequest: opts.SetXAuthRequest,
PassBasicAuth: opts.PassBasicAuth,
PassGroups: opts.PassGroups,
GroupsDelimiter: opts.GroupsDelimiter,
FilterGroups: opts.FilterGroups,
PassUserHeaders: opts.PassUserHeaders,
BasicAuthPassword: opts.BasicAuthPassword,
@ -848,7 +846,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
req.Header.Del("X-Forwarded-Email")
}
if p.PassGroups && len(session.Groups) != 0 {
req.Header["X-Forwarded-Groups"] = []string{strings.Join(session.Groups, p.GroupsDelimiter)}
req.Header["X-Forwarded-Groups"] = []string{strings.Join(session.Groups, ",")}
}
}
@ -877,7 +875,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
}
}
if p.PassGroups && len(session.Groups) != 0 {
rw.Header().Set("X-Auth-Request-Groups", strings.Join(session.Groups, p.GroupsDelimiter))
rw.Header().Set("X-Auth-Request-Groups", strings.Join(session.Groups, ","))
}
}
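Review bot: The join separator is now the hard-coded `","` for both the X-Forwarded-Groups request header and the X-Auth-Request-Groups response header, and nothing visible escapes group names that themselves contain a comma, so an upstream that splits the header on `,` would see such a group as two values. Whether Azure display names can contain commas is not shown here, but filter-groups matches on displayName, so the header likely carries free-form names. Either state the format at the call site, e.g. `// groups are joined with ","; names containing a comma are not escaped`, or reject/escape such names where session.Groups is populated. Both hunks sit inside addHeadersForProxying, whose body starts and ends outside them.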


@ -72,8 +72,7 @@ type Options struct {
PassGroups bool `flag:"pass-groups" cfg:"pass_groups" env:"OAUTH2_PROXY_PASS_GROUPS"`
FilterGroups string `flag:"filter-groups" cfg:"filter_groups" env:"OAUTH2_PROXY_FILTER_GROUPS"`
PermitGroups []string `flag:"permit-groups" cfg:"permit_groups" env:"OAUTH2_PROXY_PERMIT_GROUPS"`
GroupsDelimiter string `flag:"groups-delimiter" cfg:"groups_delimiter" env:"OAUTH2_PROXY_GROUPS_DELIMITER"`
PermitUsers []string `flag:"permit-users" cfg:"permit_users"`
PermitUsers []string `flag:"permit-users" cfg:"permit_users" env:"OAUTH2_PROXY_PERMIT_USERS"`
BasicAuthPassword string `flag:"basic-auth-password" cfg:"basic_auth_password" env:"OAUTH2_PROXY_BASIC_AUTH_PASSWORD"`
PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token" env:"OAUTH2_PROXY_PASS_ACCESS_TOKEN"`
PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header" env:"OAUTH2_PROXY_PASS_HOST_HEADER"`
@ -166,7 +165,6 @@ func NewOptions() *Options {
PassUserHeaders: true,
PassGroups: false,
FilterGroups: "",
GroupsDelimiter: "|",
PermitGroups: []string{},
PermitUsers: []string{},
PassAccessToken: false,
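Review bot: The new env tag makes PermitUsers settable from the environment, but nothing on the field says how a multi-valued OAUTH2_PROXY_PERMIT_USERS is split or what each entry looks like; since entries are later split on `:` by AzureProvider.SetGroupsExemption, an operator could easily guess the wrong separator. A field comment such as `// PermitUsers: entries are "email" or "email:id"; see AzureProvider.SetGroupsExemption` (with the env separator added once confirmed from the options loader, which is not visible here) would help. The Options struct and NewOptions both extend beyond the hunks.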


@ -199,6 +199,7 @@ func (p *AzureProvider) GetLoginURL(redirectURI, state string) string {
return a.String()
}
// Get list of groups (optionally with Group IDs) that ONLY allowed for user
// That means even if user has wider group membership, only membership in those groups will be forwarded
func (p *AzureProvider) SetGroupRestriction(groups []string) {
@ -217,6 +218,7 @@ func (p *AzureProvider) SetGroupRestriction(groups []string) {
}
}
}
// Get list of users (optionally with User IDs) that could still be allowed to login
// when group membership calls fail (e.g. insufficient permissions)
func (p *AzureProvider) SetGroupsExemption(exemptions []string) {
@ -226,19 +228,19 @@ func (p *AzureProvider) SetGroupsExemption(exemptions []string) {
}
var userName string
var userId string
var userID string
for _, pRecord := range exemptions {
splittedRecord := strings.Split(pRecord, ":")
if len(splittedRecord) == 1 {
userName, userId = splittedRecord[0], ""
userName, userID = splittedRecord[0], ""
} else if len(splittedRecord) == 2 {
userName, userId = splittedRecord[0], splittedRecord[1]
userName, userID = splittedRecord[0], splittedRecord[1]
} else {
userName = splittedRecord[0] + ":" + splittedRecord[1]
userId = splittedRecord[2]
userID = splittedRecord[2]
}
p.ExemptedUsers[userName] = userId
p.ExemptedUsers[userName] = userID
}
}
@ -248,7 +250,7 @@ func (p *AzureProvider) ValidateGroupWithSession(s *sessions.SessionState) bool
return true
}
// return true if user listed in exemptions
for userName, _ := range p.ExemptedUsers {
for userName := range p.ExemptedUsers {
if s.Email == userName {
return true
}
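Review bot: The comment above SetGroupsExemption describes exempted users as allowed `when group membership calls fail`, but the check in ValidateGroupWithSession returns true as soon as `s.Email == userName`, with no visible dependence on whether the group lookup failed, and the flag help text calls it unconditional. Since this is an authorization bypass of permit-groups, the comment should say so plainly, e.g. `// Users listed here are always allowed to log in, regardless of group membership (and even if group lookup fails).` Note also that the comparison is case-sensitive and the stored userID is never consulted in the visible check; if the email in the session can differ in case from the configured entry, `strings.EqualFold(s.Email, userName)` would be safer — confirm against how the provider fills s.Email. SetGroupsExemption and ValidateGroupWithSession both start outside their hunks.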