From fb421109aae5030153f09f2720ae13fda00ef3ef Mon Sep 17 00:00:00 2001
From: Lukasz Leszczuk
Date: Fri, 13 Sep 2019 15:32:35 +0200
Subject: [PATCH] Remove group delimiter parameter. Add env var for PermitUsers

---
 main.go | 1 -
 oauthproxy.go | 6 ++----
 options.go | 4 +---
 providers/azure.go | 14 ++++++++------
 4 files changed, 11 insertions(+), 14 deletions(-)

diff --git a/main.go b/main.go
index 540eda5..bdd9ea6 100644
--- a/main.go
+++ b/main.go
@@ -45,7 +45,6 @@ func main() {
 	flagSet.String("filter-groups", "", "exclude groups that do not contain this value in its 'displayName' (Azure only)")
 	flagSet.Var(&permittedGroups, "permit-groups", "restrict logins to members of this group (may be given multiple times; Azure).")
 	flagSet.Var(&permittedUsers, "permit-users", "let users in unconditionally")
-	flagSet.String("groups-delimiter", "|", "delimiter between group names if more than one found. By default it is '|' symbol")
 	flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
 	flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
 	flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
diff --git a/oauthproxy.go b/oauthproxy.go
index 03427a3..af322be 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -88,7 +88,6 @@ type OAuthProxy struct {
 	SetXAuthRequest bool
 	PassBasicAuth bool
 	PassGroups bool
-	GroupsDelimiter string
 	FilterGroups string
 	SkipProviderButton bool
 	PassUserHeaders bool
@@ -284,7 +283,6 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
 		SetXAuthRequest: opts.SetXAuthRequest,
 		PassBasicAuth: opts.PassBasicAuth,
 		PassGroups: opts.PassGroups,
-		GroupsDelimiter: opts.GroupsDelimiter,
 		FilterGroups: opts.FilterGroups,
 		PassUserHeaders: opts.PassUserHeaders,
 		BasicAuthPassword: opts.BasicAuthPassword,
@@ -848,7 +846,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
 			req.Header.Del("X-Forwarded-Email")
 		}
 		if p.PassGroups && len(session.Groups) != 0 {
-			req.Header["X-Forwarded-Groups"] = []string{strings.Join(session.Groups, p.GroupsDelimiter)}
+			req.Header["X-Forwarded-Groups"] = []string{strings.Join(session.Groups, ",")}
 		}
 	}
 
@@ -877,7 +875,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
 		}
 	}
 	if p.PassGroups && len(session.Groups) != 0 {
-		rw.Header().Set("X-Auth-Request-Groups", strings.Join(session.Groups, p.GroupsDelimiter))
+		rw.Header().Set("X-Auth-Request-Groups", strings.Join(session.Groups, ","))
 	}
 }
 
diff --git a/options.go b/options.go
index 0236c60..7ec1bad 100644
--- a/options.go
+++ b/options.go
@@ -72,8 +72,7 @@ type Options struct {
 	PassGroups bool `flag:"pass-groups" cfg:"pass_groups" env:"OAUTH2_PROXY_PASS_GROUPS"`
 	FilterGroups string `flag:"filter-groups" cfg:"filter_groups" env:"OAUTH2_PROXY_FILTER_GROUPS"`
 	PermitGroups []string `flag:"permit-groups" cfg:"permit_groups" env:"OAUTH2_PROXY_PERMIT_GROUPS"`
-	GroupsDelimiter string `flag:"groups-delimiter" cfg:"groups_delimiter" env:"OAUTH2_PROXY_GROUPS_DELIMITER"`
-	PermitUsers []string `flag:"permit-users" cfg:"permit_users"`
+	PermitUsers []string `flag:"permit-users" cfg:"permit_users" env:"OAUTH2_PROXY_PERMIT_USERS"`
 	BasicAuthPassword string `flag:"basic-auth-password" cfg:"basic_auth_password" env:"OAUTH2_PROXY_BASIC_AUTH_PASSWORD"`
 	PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token" env:"OAUTH2_PROXY_PASS_ACCESS_TOKEN"`
 	PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header" env:"OAUTH2_PROXY_PASS_HOST_HEADER"`
@@ -166,7 +165,6 @@ func NewOptions() *Options {
 		PassUserHeaders: true,
 		PassGroups: false,
 		FilterGroups: "",
-		GroupsDelimiter: "|",
 		PermitGroups: []string{},
 		PermitUsers: []string{},
 		PassAccessToken: false,
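Review bot: The group list is now joined with a hard-coded "," on the X-Forwarded-Groups line of this hunk and again on the X-Auth-Request-Groups line of the @@ -877 hunk, but nothing guards against a group name that itself contains a comma, so an upstream that splits either header on "," can no longer tell where one group ends and the next begins; the removed configurable delimiter at least let an operator choose a separator that does not occur in their group names. Because upstreams may base authorization on these headers, I would factor the separator into one package-level `const groupsDelimiter = ","` used by both call sites and, before joining, drop (or log and refuse) any entry for which `strings.Contains(group, groupsDelimiter)` holds, so the forwarded value stays unambiguous. A short comment at the first join stating the fixed format would also help readers of the upstream side, e.g. `// Groups are joined with groupsDelimiter; upstreams must split on that exact string.` addHeadersForProxying starts before and continues past this hunk.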
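Review bot: The PermitUsers field in the options.go @@ -72 hunk gains an env binding but, like its neighbours, has no doc comment, and the two descriptions of it elsewhere in this patch disagree: the main.go flag help says these users are let in "unconditionally", while the comment above SetGroupsExemption in providers/azure.go says they are only admitted when the group-membership call fails. Whichever is correct should be stated on the field, e.g. `// PermitUsers lists "name[:id]" entries exempted from the group check; see AzureProvider.SetGroupsExemption for the exact semantics.` The entry format is itself "name[:id]" (the azure.go parser splits on ":"), so how several entries are separated in OAUTH2_PROXY_PERMIT_USERS is worth documenting too; I cannot see the env parser from here, so I assume it reuses whatever PermitGroups already does.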
diff --git a/providers/azure.go b/providers/azure.go index 3a63d4b..71184e5 100644 --- a/providers/azure.go +++ b/providers/azure.go @@ -199,6 +199,7 @@ func (p *AzureProvider) GetLoginURL(redirectURI, state string) string { return a.String() } + // Get list of groups (optionally with Group IDs) that ONLY allowed for user // That means even if user has wider group membership, only membership in those groups will be forwarded func (p *AzureProvider) SetGroupRestriction(groups []string) { @@ -217,6 +218,7 @@ func (p *AzureProvider) SetGroupRestriction(groups []string) { } } } + // Get list of users (optionally with User IDs) that could still be allowed to login // when group membership calls fail (e.g. insufficient permissions) func (p *AzureProvider) SetGroupsExemption(exemptions []string) { @@ -226,19 +228,19 @@ func (p *AzureProvider) SetGroupsExemption(exemptions []string) { } var userName string - var userId string + var userID string for _, pRecord := range exemptions { splittedRecord := strings.Split(pRecord, ":") if len(splittedRecord) == 1 { - userName, userId = splittedRecord[0], "" + userName, userID = splittedRecord[0], "" } else if len(splittedRecord) == 2 { - userName, userId = splittedRecord[0], splittedRecord[1] + userName, userID = splittedRecord[0], splittedRecord[1] } else { userName = splittedRecord[0] + ":" + splittedRecord[1] - userId = splittedRecord[2] + userID = splittedRecord[2] } - p.ExemptedUsers[userName] = userId + p.ExemptedUsers[userName] = userID } } @@ -248,7 +250,7 @@ func (p *AzureProvider) ValidateGroupWithSession(s *sessions.SessionState) bool return true } // return true if user listed in exemptions - for userName, _ := range p.ExemptedUsers { + for userName := range p.ExemptedUsers { if s.Email == userName { return true }
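Review bot: The record parser in the @@ -226 hunk silently accepts malformed exemption entries: a record with more than three ":"-separated parts has everything after splittedRecord[2] discarded, and an empty record (strings.Split returns a single empty element) registers an exemption keyed "", which the comparison in ValidateGroupWithSession (the @@ -248 hunk) would then match against any session whose Email is empty. Since these entries widen who may log in, I would reject rather than truncate: at the top of the loop body add `if pRecord == "" || len(splittedRecord) > 3 { continue }` (before the if/else chain) and, if the package has a logger in scope, report the skipped record so a misconfiguration is visible rather than silently ignored. SetGroupsExemption starts before this hunk.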
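Review bot: In the @@ -248 hunk the range over p.ExemptedUsers compares s.Email with every key only to test membership, which is a linear scan of a map that already supports a direct lookup; the loop and its if can be replaced by `if _, ok := p.ExemptedUsers[s.Email]; ok { return true }`. The comparison is byte-exact, so an entry whose case differs from the email returned by the provider will not match; whether that is intended is not visible here and is worth a one-line comment such as `// exemption names are matched case-sensitively against the session email`. ValidateGroupWithSession starts before and continues past this hunk.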