Remove group delimiter parameter. Add env var for PermitUsers
parent
28066aa729
commit
fb421109aa
1
main.go
1
main.go
@ -45,7 +45,6 @@ func main() {
|
||||
flagSet.String("filter-groups", "", "exclude groups that do not contain this value in its 'displayName' (Azure only)")
|
||||
flagSet.Var(&permittedGroups, "permit-groups", "restrict logins to members of this group (may be given multiple times; Azure).")
|
||||
flagSet.Var(&permittedUsers, "permit-users", "let users in unconditionally")
|
||||
flagSet.String("groups-delimiter", "|", "delimiter between group names if more than one found. By default it is '|' symbol")
|
||||
flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
|
||||
flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
|
||||
flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
|
||||
|
@ -88,7 +88,6 @@ type OAuthProxy struct {
|
||||
SetXAuthRequest bool
|
||||
PassBasicAuth bool
|
||||
PassGroups bool
|
||||
GroupsDelimiter string
|
||||
FilterGroups string
|
||||
SkipProviderButton bool
|
||||
PassUserHeaders bool
|
||||
@ -284,7 +283,6 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
|
||||
SetXAuthRequest: opts.SetXAuthRequest,
|
||||
PassBasicAuth: opts.PassBasicAuth,
|
||||
PassGroups: opts.PassGroups,
|
||||
GroupsDelimiter: opts.GroupsDelimiter,
|
||||
FilterGroups: opts.FilterGroups,
|
||||
PassUserHeaders: opts.PassUserHeaders,
|
||||
BasicAuthPassword: opts.BasicAuthPassword,
|
||||
@ -848,7 +846,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
|
||||
req.Header.Del("X-Forwarded-Email")
|
||||
}
|
||||
if p.PassGroups && len(session.Groups) != 0 {
|
||||
req.Header["X-Forwarded-Groups"] = []string{strings.Join(session.Groups, p.GroupsDelimiter)}
|
||||
req.Header["X-Forwarded-Groups"] = []string{strings.Join(session.Groups, ",")}
|
||||
}
|
||||
}
|
||||
|
||||
@ -877,7 +875,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
|
||||
}
|
||||
}
|
||||
if p.PassGroups && len(session.Groups) != 0 {
|
||||
rw.Header().Set("X-Auth-Request-Groups", strings.Join(session.Groups, p.GroupsDelimiter))
|
||||
rw.Header().Set("X-Auth-Request-Groups", strings.Join(session.Groups, ","))
|
||||
}
|
||||
}
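Review bot: Joining `session.Groups` with a hard-coded `,` in the two new `strings.Join` lines makes the forwarded header ambiguous for any group whose name itself contains a comma: an upstream that splits `X-Forwarded-Groups` or `X-Auth-Request-Groups` on `,` would see extra, fabricated group names and could base an authorization decision on them. Whether Azure `displayName` values can contain commas is not visible here, but the `filter-groups` help text in this same section suggests display names rather than IDs are what gets forwarded, so the risk is plausible. I would either reject or escape names containing the separator where `session.Groups` is populated (not visible here), or at minimum document the separator and the caveat next to the join, e.g. `// groups are joined with ","; names containing "," are not escaped`. Both `addHeadersForProxying` hunks start and end outside the visible lines.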
|
||||
|
||||
|
@ -72,8 +72,7 @@ type Options struct {
|
||||
PassGroups bool `flag:"pass-groups" cfg:"pass_groups" env:"OAUTH2_PROXY_PASS_GROUPS"`
|
||||
FilterGroups string `flag:"filter-groups" cfg:"filter_groups" env:"OAUTH2_PROXY_FILTER_GROUPS"`
|
||||
PermitGroups []string `flag:"permit-groups" cfg:"permit_groups" env:"OAUTH2_PROXY_PERMIT_GROUPS"`
|
||||
GroupsDelimiter string `flag:"groups-delimiter" cfg:"groups_delimiter" env:"OAUTH2_PROXY_GROUPS_DELIMITER"`
|
||||
PermitUsers []string `flag:"permit-users" cfg:"permit_users"`
|
||||
PermitUsers []string `flag:"permit-users" cfg:"permit_users" env:"OAUTH2_PROXY_PERMIT_USERS"`
|
||||
BasicAuthPassword string `flag:"basic-auth-password" cfg:"basic_auth_password" env:"OAUTH2_PROXY_BASIC_AUTH_PASSWORD"`
|
||||
PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token" env:"OAUTH2_PROXY_PASS_ACCESS_TOKEN"`
|
||||
PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header" env:"OAUTH2_PROXY_PASS_HOST_HEADER"`
|
||||
@ -166,7 +165,6 @@ func NewOptions() *Options {
|
||||
PassUserHeaders: true,
|
||||
PassGroups: false,
|
||||
FilterGroups: "",
|
||||
GroupsDelimiter: "|",
|
||||
PermitGroups: []string{},
|
||||
PermitUsers: []string{},
|
||||
PassAccessToken: false,
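Review bot: The new `env:"OAUTH2_PROXY_PERMIT_USERS"` tag on `PermitUsers` gives the list an environment source, but nothing visible says how a list-valued env var is split or that each entry may take the `name:id` form the Azure provider parses in `SetGroupsExemption`; an operator setting it from the environment has to guess the format. Since every entry on this list is returned as allowed by the exemption check regardless of group membership, the field deserves a line comment, e.g. `// PermitUsers bypass the permit-groups check; entries are "email" or "email:id" (see AzureProvider.SetGroupsExemption).` The `Options` struct and `NewOptions` both continue outside the hunk.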
|
||||
|
@ -199,6 +199,7 @@ func (p *AzureProvider) GetLoginURL(redirectURI, state string) string {
|
||||
|
||||
return a.String()
|
||||
}
|
||||
|
||||
// Get list of groups (optionally with Group IDs) that ONLY allowed for user
|
||||
// That means even if user has wider group membership, only membership in those groups will be forwarded
|
||||
func (p *AzureProvider) SetGroupRestriction(groups []string) {
|
||||
@ -217,6 +218,7 @@ func (p *AzureProvider) SetGroupRestriction(groups []string) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Get list of users (optionally with User IDs) that could still be allowed to login
|
||||
// when group membership calls fail (e.g. insufficient permissions)
|
||||
func (p *AzureProvider) SetGroupsExemption(exemptions []string) {
|
||||
@ -226,19 +228,19 @@ func (p *AzureProvider) SetGroupsExemption(exemptions []string) {
|
||||
}
|
||||
|
||||
var userName string
|
||||
var userId string
|
||||
var userID string
|
||||
for _, pRecord := range exemptions {
|
||||
splittedRecord := strings.Split(pRecord, ":")
|
||||
|
||||
if len(splittedRecord) == 1 {
|
||||
userName, userId = splittedRecord[0], ""
|
||||
userName, userID = splittedRecord[0], ""
|
||||
} else if len(splittedRecord) == 2 {
|
||||
userName, userId = splittedRecord[0], splittedRecord[1]
|
||||
userName, userID = splittedRecord[0], splittedRecord[1]
|
||||
} else {
|
||||
userName = splittedRecord[0] + ":" + splittedRecord[1]
|
||||
userId = splittedRecord[2]
|
||||
userID = splittedRecord[2]
|
||||
}
|
||||
p.ExemptedUsers[userName] = userId
|
||||
p.ExemptedUsers[userName] = userID
|
||||
}
|
||||
}
|
||||
|
||||
@ -248,7 +250,7 @@ func (p *AzureProvider) ValidateGroupWithSession(s *sessions.SessionState) bool
|
||||
return true
|
||||
}
|
||||
// return true if user listed in exemptions
|
||||
for userName, _ := range p.ExemptedUsers {
|
||||
for userName := range p.ExemptedUsers {
|
||||
if s.Email == userName {
|
||||
return true
|
||||
}
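Review bot: The exemption check in `ValidateGroupWithSession` compares `s.Email` only against the map key, so the `userID` that `SetGroupsExemption` parses out of `name:id` entries is stored but never consulted in the visible code; if the ID half is meant to pin an exemption to one account, the check should compare it too, otherwise the `name:id` syntax gives a false sense of precision. Iterating the whole map to test one key is also needless: `if _, ok := p.ExemptedUsers[s.Email]; ok { return true }` does the same in a single lookup. The match is an exact, case-sensitive string comparison, which is worth a comment if Azure may return the address in a different case than the operator configured (not verifiable here). `ValidateGroupWithSession` starts and ends outside the hunk.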
|
||||
|