meutel/oauth2_proxy
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove group delimiter parameter. Add env var for PermitUsers

Browse Source
This commit is contained in:
Lukasz Leszczuk 2019-09-13 15:32:35 +02:00
parent 28066aa729
commit fb421109aa
4 changed files with 11 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
main.go
View File

@ -45,7 +45,6 @@ func main() {
flagSet.String("filter-groups", "", "exclude groups that do not contain this value in its 'displayName' (Azure only)") flagSet.String("filter-groups", "", "exclude groups that do not contain this value in its 'displayName' (Azure only)")
flagSet.Var(&permittedGroups, "permit-groups", "restrict logins to members of this group (may be given multiple times; Azure).") flagSet.Var(&permittedGroups, "permit-groups", "restrict logins to members of this group (may be given multiple times; Azure).")
flagSet.Var(&permittedUsers, "permit-users", "let users in unconditionally") flagSet.Var(&permittedUsers, "permit-users", "let users in unconditionally")
flagSet.String("groups-delimiter", "|", "delimiter between group names if more than one found. By default it is '|' symbol")
flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header") flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header") flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream") flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")

6
oauthproxy.go
View File

@ -88,7 +88,6 @@ type OAuthProxy struct {
SetXAuthRequest bool SetXAuthRequest bool
PassBasicAuth bool PassBasicAuth bool
PassGroups bool PassGroups bool
GroupsDelimiter string
FilterGroups string FilterGroups string
SkipProviderButton bool SkipProviderButton bool
PassUserHeaders bool PassUserHeaders bool
@ -284,7 +283,6 @@ func NewOAuthProxy(opts *Options, validator func(string) bool) *OAuthProxy {
SetXAuthRequest: opts.SetXAuthRequest, SetXAuthRequest: opts.SetXAuthRequest,
PassBasicAuth: opts.PassBasicAuth, PassBasicAuth: opts.PassBasicAuth,
PassGroups: opts.PassGroups, PassGroups: opts.PassGroups,
GroupsDelimiter: opts.GroupsDelimiter,
FilterGroups: opts.FilterGroups, FilterGroups: opts.FilterGroups,
PassUserHeaders: opts.PassUserHeaders, PassUserHeaders: opts.PassUserHeaders,
BasicAuthPassword: opts.BasicAuthPassword, BasicAuthPassword: opts.BasicAuthPassword,
@ -848,7 +846,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
req.Header.Del("X-Forwarded-Email") req.Header.Del("X-Forwarded-Email")
} }
if p.PassGroups && len(session.Groups) != 0 { if p.PassGroups && len(session.Groups) != 0 {
req.Header["X-Forwarded-Groups"] = []string{strings.Join(session.Groups, p.GroupsDelimiter)} req.Header["X-Forwarded-Groups"] = []string{strings.Join(session.Groups, ",")}
} }
} }
@ -877,7 +875,7 @@ func (p *OAuthProxy) addHeadersForProxying(rw http.ResponseWriter, req *http.Req
} }
} }
if p.PassGroups && len(session.Groups) != 0 { if p.PassGroups && len(session.Groups) != 0 {
rw.Header().Set("X-Auth-Request-Groups", strings.Join(session.Groups, p.GroupsDelimiter)) rw.Header().Set("X-Auth-Request-Groups", strings.Join(session.Groups, ","))
} }
} }

4
options.go
View File

@ -72,8 +72,7 @@ type Options struct {
PassGroups bool `flag:"pass-groups" cfg:"pass_groups" env:"OAUTH2_PROXY_PASS_GROUPS"` PassGroups bool `flag:"pass-groups" cfg:"pass_groups" env:"OAUTH2_PROXY_PASS_GROUPS"`
FilterGroups string `flag:"filter-groups" cfg:"filter_groups" env:"OAUTH2_PROXY_FILTER_GROUPS"` FilterGroups string `flag:"filter-groups" cfg:"filter_groups" env:"OAUTH2_PROXY_FILTER_GROUPS"`
PermitGroups []string `flag:"permit-groups" cfg:"permit_groups" env:"OAUTH2_PROXY_PERMIT_GROUPS"` PermitGroups []string `flag:"permit-groups" cfg:"permit_groups" env:"OAUTH2_PROXY_PERMIT_GROUPS"`
GroupsDelimiter string `flag:"groups-delimiter" cfg:"groups_delimiter" env:"OAUTH2_PROXY_GROUPS_DELIMITER"` PermitUsers []string `flag:"permit-users" cfg:"permit_users" env:"OAUTH2_PROXY_PERMIT_USERS"`
PermitUsers []string `flag:"permit-users" cfg:"permit_users"`
BasicAuthPassword string `flag:"basic-auth-password" cfg:"basic_auth_password" env:"OAUTH2_PROXY_BASIC_AUTH_PASSWORD"` BasicAuthPassword string `flag:"basic-auth-password" cfg:"basic_auth_password" env:"OAUTH2_PROXY_BASIC_AUTH_PASSWORD"`
PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token" env:"OAUTH2_PROXY_PASS_ACCESS_TOKEN"` PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token" env:"OAUTH2_PROXY_PASS_ACCESS_TOKEN"`
PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header" env:"OAUTH2_PROXY_PASS_HOST_HEADER"` PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header" env:"OAUTH2_PROXY_PASS_HOST_HEADER"`
@ -166,7 +165,6 @@ func NewOptions() *Options {
PassUserHeaders: true, PassUserHeaders: true,
PassGroups: false, PassGroups: false,
FilterGroups: "", FilterGroups: "",
GroupsDelimiter: "|",
PermitGroups: []string{}, PermitGroups: []string{},
PermitUsers: []string{}, PermitUsers: []string{},
PassAccessToken: false, PassAccessToken: false,

14
providers/azure.go
View File

@ -199,6 +199,7 @@ func (p *AzureProvider) GetLoginURL(redirectURI, state string) string {
return a.String() return a.String()
} }
// Get list of groups (optionally with Group IDs) that ONLY allowed for user // Get list of groups (optionally with Group IDs) that ONLY allowed for user
// That means even if user has wider group membership, only membership in those groups will be forwarded // That means even if user has wider group membership, only membership in those groups will be forwarded
func (p *AzureProvider) SetGroupRestriction(groups []string) { func (p *AzureProvider) SetGroupRestriction(groups []string) {
@ -217,6 +218,7 @@ func (p *AzureProvider) SetGroupRestriction(groups []string) {
} }
} }
} }
// Get list of users (optionally with User IDs) that could still be allowed to login // Get list of users (optionally with User IDs) that could still be allowed to login
// when group membership calls fail (e.g. insufficient permissions) // when group membership calls fail (e.g. insufficient permissions)
func (p *AzureProvider) SetGroupsExemption(exemptions []string) { func (p *AzureProvider) SetGroupsExemption(exemptions []string) {
@ -226,19 +228,19 @@ func (p *AzureProvider) SetGroupsExemption(exemptions []string) {
} }
var userName string var userName string
var userId string var userID string
for _, pRecord := range exemptions { for _, pRecord := range exemptions {
splittedRecord := strings.Split(pRecord, ":") splittedRecord := strings.Split(pRecord, ":")
if len(splittedRecord) == 1 { if len(splittedRecord) == 1 {
userName, userId = splittedRecord[0], "" userName, userID = splittedRecord[0], ""
} else if len(splittedRecord) == 2 { } else if len(splittedRecord) == 2 {
userName, userId = splittedRecord[0], splittedRecord[1] userName, userID = splittedRecord[0], splittedRecord[1]
} else { } else {
userName = splittedRecord[0] + ":" + splittedRecord[1] userName = splittedRecord[0] + ":" + splittedRecord[1]
userId = splittedRecord[2] userID = splittedRecord[2]
} }
p.ExemptedUsers[userName] = userId p.ExemptedUsers[userName] = userID
} }
} }
@ -248,7 +250,7 @@ func (p *AzureProvider) ValidateGroupWithSession(s *sessions.SessionState) bool
return true return true
} }
// return true if user listed in exemptions // return true if user listed in exemptions
for userName, _ := range p.ExemptedUsers { for userName := range p.ExemptedUsers {
if s.Email == userName { if s.Email == userName {
return true return true
} }