Add a new provider for Bitbucket,
can be configured from the options
specifying team and/or repository
that the user must be part/have access
to in order to grant login.
alone
Previously some headers that are normally set by the proxy (and may be
replied upstream for authorization decisiions) were not being set
depending on values in the users sesssion.
This change ensure that if a given header is sometimes set, it will
always be either set or removed.
It might be worth considerating always deleting these headers if we
didn't add them.
* New flag "-ssl-upstream-insecure-skip-validation" to skip SSL validation for upstreams with self generated / invalid SSL certificates.
* Fix tests for modified NewReverseProxy method.
* Added change to the changelog.
* Remove duplicate entries from changelog.
* Initial version of OIDC based GitLab provider
* Add support for email domain check to GitLab provider
* Add gitlab.com as default issuer for GitLab provider
* Update documentation for GitLab provider
* Update unit tests for new GitLab provider implementation
* Update CHANGELOG for GitLab provider
* Rename GitLab test access token as response to linter
* Check Google group membership with hasMember and get.
This PR is an enhancement built on
https://github.com/pusher/oauth2_proxy/pull/160. That PR reduces the
number of calls to the Google Admin API and simplifies the code by
using the hasMember method. It also supports checking membership in
nested groups.
However, the above message doesn't handle members who are not a part
of the domain. The hasMember API returns a 400 for that case. As a
fallback, when the API returns a 400, this change will try using the
`get` API which works as expected for members who aren't a part of the
domain. Supporting members who belong to the Google group but aren't
part of the domain is a requested feature from
https://github.com/pusher/oauth2_proxy/issues/95.
https://developers.google.com/admin-sdk/directory/v1/reference/members/get
Note that nested members who are not a part of the domain will not be
correctly detected with this change.
* Update CHANGELOG.
* Fix incorrect JSON and stop escaping strings.
* Add comments for each scenario.
Add ability to silence logging of requests to /ping endpoint, reducing
log clutter
Pros:
- Don't have to change all handlers to set/not set silent ping logging
- Don't have to duplicate `loggingHandler` (this could be preferable yet)
Cons:
- Leaking oauth2proxy logic into `package logger`
- Defining default pingPath in two locations
Alternative:
- Add generic exclude path to `logger.go` and pass in `/ping`.
This will let Docker cache the results of the vendor dependencies.
Making re-builds during testing faster.
Also clean-up spurious test & rm in ./configure
Fix an unsupported protocol scheme error when validating tokens by
ensuring that the ValidateURL generates a non-empty string. The Azure
provider doesn't define any ValidateURL and therefore uses the default
value of `url.Parse("")` which is not `nil`.
The following log summary shows the issue:
2019/06/14 12:26:04 oauthproxy.go:799: 10.244.1.3:34112 ("10.244.1.1") refreshing 16h26m29s old session cookie for Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true} (refresh after 1h0m0s)
2019/06/14 12:26:04 internal_util.go:60: GET ?access_token=eyJ0...
2019/06/14 12:26:04 internal_util.go:61: token validation request failed: Get ?access_token=eyJ0...: unsupported protocol scheme ""
2019/06/14 12:26:04 oauthproxy.go:822: 10.244.1.3:34112 ("10.244.1.1") removing session. error validating Session{email:jonas.fonseca@example.com user:jonas.fonseca token:true}
