Remove group delimiter parameter. Add env var for PermitUsers

2019-09-13 15:32:35 +02:00 · 2019-09-13 15:32:35 +02:00 · fb421109aa
commit fb421109aa
parent 28066aa729
4 changed files with 11 additions and 14 deletions
--- a/main.go
+++ b/main.go
@ -45,7 +45,6 @@ func main() {
 	flagSet.String("filter-groups", "", "exclude groups that do not contain this value in its 'displayName' (Azure only)")
 	flagSet.Var(&permittedGroups, "permit-groups", "restrict logins to members of this group (may be given multiple times; Azure).")
 	flagSet.Var(&permittedUsers, "permit-users", "let users in unconditionally")
-	flagSet.String("groups-delimiter", "|", "delimiter between group names if more than one found. By default it is '|' symbol")
 	flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
 	flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
 	flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
--- a/oauthproxy.go
+++ b/oauthproxy.go
@ -88,7 +88,6 @@ type OAuthProxy struct {
 	SetXAuthRequest     bool
 	PassBasicAuth       bool
 	PassGroups          bool
-	GroupsDelimiter     string
 	FilterGroups        string
 	SkipProviderButton  bool
 	PassUserHeaders     bool
@ -284,7 +283,6 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
 		SetXAuthRequest:     opts.SetXAuthRequest,
 		PassBasicAuth:       opts.PassBasicAuth,
 		PassGroups:          opts.PassGroups,
-		GroupsDelimiter:     opts.GroupsDelimiter,
 		FilterGroups:        opts.FilterGroups,
 		PassUserHeaders:     opts.PassUserHeaders,
 		BasicAuthPassword:   opts.BasicAuthPassword,
@ -848,7 +846,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
 			req.Header.Del("X-Forwarded-Email")
 		}
 		if p.PassGroups && len(session.Groups) != 0 {
-			req.Header["X-Forwarded-Groups"] = []string{strings.Join(session.Groups, p.GroupsDelimiter)}
+			req.Header["X-Forwarded-Groups"] = []string{strings.Join(session.Groups, ",")}
 		}
 	}

@ -877,7 +875,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
 			}
 		}
 		if p.PassGroups && len(session.Groups) != 0 {
-			rw.Header().Set("X-Auth-Request-Groups", strings.Join(session.Groups, p.GroupsDelimiter))
+			rw.Header().Set("X-Auth-Request-Groups", strings.Join(session.Groups, ","))
 		}
 	}

--- a/options.go
+++ b/options.go
@ -72,8 +72,7 @@ type Options struct {
 	PassGroups                    bool          `flag:"pass-groups" cfg:"pass_groups" env:"OAUTH2_PROXY_PASS_GROUPS"`
 	FilterGroups                  string        `flag:"filter-groups" cfg:"filter_groups" env:"OAUTH2_PROXY_FILTER_GROUPS"`
 	PermitGroups                  []string      `flag:"permit-groups" cfg:"permit_groups" env:"OAUTH2_PROXY_PERMIT_GROUPS"`
-	GroupsDelimiter               string        `flag:"groups-delimiter" cfg:"groups_delimiter" env:"OAUTH2_PROXY_GROUPS_DELIMITER"`
-	PermitUsers                   []string      `flag:"permit-users" cfg:"permit_users"`
+	PermitUsers                   []string      `flag:"permit-users" cfg:"permit_users" env:"OAUTH2_PROXY_PERMIT_USERS"`
 	BasicAuthPassword             string        `flag:"basic-auth-password" cfg:"basic_auth_password" env:"OAUTH2_PROXY_BASIC_AUTH_PASSWORD"`
 	PassAccessToken               bool          `flag:"pass-access-token" cfg:"pass_access_token" env:"OAUTH2_PROXY_PASS_ACCESS_TOKEN"`
 	PassHostHeader                bool          `flag:"pass-host-header" cfg:"pass_host_header" env:"OAUTH2_PROXY_PASS_HOST_HEADER"`
@ -166,7 +165,6 @@ func NewOptions() *Options {
 		PassUserHeaders:                  true,
 		PassGroups:                       false,
 		FilterGroups:                     "",
-		GroupsDelimiter:                  "|",
 		PermitGroups:                     []string{},
 		PermitUsers:                      []string{},
 		PassAccessToken:                  false,
--- a/providers/azure.go
+++ b/providers/azure.go
@ -199,6 +199,7 @@ func (p *AzureProvider) GetLoginURL(redirectURI, state string) string {

 	return a.String()
 }
+
 // Get list of groups (optionally with Group IDs) that ONLY allowed for user
 // That means even if user has wider group membership, only membership in those groups will be forwarded
 func (p *AzureProvider) SetGroupRestriction(groups []string) {
@ -217,6 +218,7 @@ func (p *AzureProvider) SetGroupRestriction(groups []string) {
 		}
 	}
 }
+
 // Get list of users (optionally with User IDs) that could still be allowed to login
 // when group membership calls fail (e.g. insufficient permissions)
 func (p *AzureProvider) SetGroupsExemption(exemptions []string) {
@ -226,19 +228,19 @@ func (p *AzureProvider) SetGroupsExemption(exemptions []string) {
 	}

 	var userName string
-	var userId string
+	var userID string
 	for _, pRecord := range exemptions {
 		splittedRecord := strings.Split(pRecord, ":")

 		if len(splittedRecord) == 1 {
-			userName, userId = splittedRecord[0], ""
+			userName, userID = splittedRecord[0], ""
 		} else if len(splittedRecord) == 2 {
-			userName, userId = splittedRecord[0], splittedRecord[1]
+			userName, userID = splittedRecord[0], splittedRecord[1]
 		} else {
 			userName = splittedRecord[0] + ":" + splittedRecord[1]
-			userId = splittedRecord[2]
+			userID = splittedRecord[2]
 		}
-		p.ExemptedUsers[userName] = userId
+		p.ExemptedUsers[userName] = userID
 	}
 }

@ -248,7 +250,7 @@ func (p *AzureProvider) ValidateGroupWithSession(s *sessions.SessionState) bool
 		return true
 	}
 	// return true if user listed in exemptions
-	for userName, _ := range p.ExemptedUsers {
+	for userName := range p.ExemptedUsers {
 		if s.Email == userName {
 			return true
 		}