ca91b5eddd
This change extracts the UserMap class from NewValidator() so that its LoadAuthenticatedEmailsFile() method can be called concurrently. This method is called by a goroutine containing a fsnotify.Watcher watching the authenticated emails file. Watching isn't forever aborted when the authenticated emails file disappears. The goroutine will call os.Stat() up to twenty times a second if the file is persistently missing, but that's the pathological case, not the common one. The common case is that some editors (including Vim) will perform a rename-and-replace when updating a file, triggering fsnotify.Rename events, and the file will temporarily disappear. This watcher goroutine handles that case. Also, on some platforms (notably Arch Linux), a remove will be preceded by a fsnotify.Chmod, causing a race between the upcoming fsnotify.Remove and the call to UserMap.LoadAuthenticatedEmailsFile(). Hence, we treat fsnotify.Chmod the same as fsnotify.Remove and fsnotify.Rename. There's no significant penalty to re-adding a file to the watcher. Also contains the following small changes from the summary of commits below: - Minor optimization of email domain search - Fixed api_test.go on Windows - Add deferred File.Close() calls where needed - Log error and return if emails file doesn't parse These are the original commits from #89 squashed into this one: 0c6f2b6 Refactor validator_test to prepare for more tests e0c792b Add more test cases to validator_test a9a9d93 Minor optimization of email domain search b763ea5 Extract LoadAuthenticatedEmailsFile() 8cdaf7f Introduce synchronized UserMap type 1b84eef Add UserMap methods, locking af15dcf Reload authenticated-emails-file upon update 6d95548 Make UserMap operations lock-free Per: - http://stackoverflow.com/questions/21447463/is-assigning-a-pointer-atomic-in-golang - https://groups.google.com/forum/#!msg/golang-nuts/ueSvaEKgyLY/ZW_74IC4PekJ 75755d5 Fix tests on Windows d0eab2e Ignore email file watcher Chmod events 0b9798b Fix watcher on Ubuntu 12.04 3a8251a WaitForReplacement() to retry emails file watch a57fd29 Add deferred File.Close() calls where needed Because correctness: Don't leak file handles anywhere, and prepare for future panics and early returns. 52ed3fd Log error and return if emails file doesn't parse 40100d4 Add gopkg.in/fsnotify.v1 dependency to Godeps file 17dfbbc Avoid a race when Remove is preceded by Chmod |
||
---|---|---|
api | ||
contrib | ||
providers | ||
.gitignore | ||
.travis.yml | ||
cookies_test.go | ||
cookies.go | ||
dist.sh | ||
env_options_test.go | ||
env_options.go | ||
Godeps | ||
htpasswd_test.go | ||
htpasswd.go | ||
LICENSE | ||
logging_handler.go | ||
main.go | ||
oauthproxy_test.go | ||
oauthproxy.go | ||
options_test.go | ||
options.go | ||
README.md | ||
string_array.go | ||
templates_test.go | ||
templates.go | ||
test.sh | ||
validator_test.go | ||
validator_watcher_copy_test.go | ||
validator_watcher_test.go | ||
validator.go | ||
version.go | ||
watcher_unsupported.go | ||
watcher.go |
google_auth_proxy
A reverse proxy that provides authentication using Google and other OAuth2 providers to validate individual accounts, or a whole google apps domain.
Architecture
_______ ___________________ __________
|Nginx| ----> |google_auth_proxy| ----> |upstream|
------- ------------------- ----------
||
\/
[google oauth2 api]
Installation
- Download Prebuilt Binary or build from
master
with$ go get github.com/bitly/google_auth_proxy
which should put the binary in$GOROOT/bin
- Register an OAuth Application with Google
- Configure Google Auth Proxy using config file, command line options, or environment variables
- Deploy behind a SSL endpoint (example provided for Nginx)
OAuth Configuration
You will need to register an OAuth application with Google (or another
provider), and configure it with Redirect URI(s) for the domain
you intend to run google_auth_proxy
on.
For Google, the registration steps are:
- Create a new project: https://console.developers.google.com/project
- Under "APIs & Auth", choose "Credentials"
- Now, choose "Create new Client ID"
- The Application Type should be Web application
- Enter your domain in the Authorized Javascript Origins
https://internal.yourcompany.com
- Enter the correct Authorized Redirect URL
https://internal.yourcompany.com/oauth2/callback
- NOTE:
google_auth_proxy
will only callback on the path/oauth2/callback
- NOTE:
- Under "APIs & Auth" choose "Consent Screen"
- Fill in the necessary fields and Save (this is required)
- Take note of the Client ID and Client Secret
For LinkedIn, the registration steps are:
- Create a new project: https://www.linkedin.com/secure/developer
- In the OAuth User Agreement section:
- In default scope, select r_basicprofile and r_emailaddress.
- In "OAuth 2.0 Redirect URLs", enter
https://internal.yourcompany.com/oauth2/callback
- Fill in the remaining required fields and Save.
- Take note of the Consumer Key / API Key and Consumer Secret / Secret Key
Configuration
google_auth_proxy
can be configured via config file, command line options or environment variables.
Config File
An example google_auth_proxy.cfg config file is in the contrib directory. It can be used by specifying -config=/etc/google_auth_proxy.cfg
Command Line Options
Usage of google_auth_proxy:
-authenticated-emails-file="": authenticate against emails via file (one per line)
-client-id="": the Google OAuth Client ID: ie: "123456.apps.googleusercontent.com"
-client-secret="": the OAuth Client Secret
-config="": path to config file
-cookie-domain="": an optional cookie domain to force cookies to (ie: .yourcompany.com)*
-cookie-expire=168h0m0s: expire timeframe for cookie
-cookie-httponly=true: set HttpOnly cookie flag
-cookie-https-only=true: set secure (HTTPS) cookies (deprecated. use --cookie-secure setting)
-cookie-secret="": the seed string for secure cookies
-cookie-secure=true: set secure (HTTPS) cookie flag
-custom-templates-dir="": path to custom html templates
-display-htpasswd-form=true: display username / password login form if an htpasswd file is provided
-google-apps-domain=: authenticate against the given Google apps domain (may be given multiple times)
-htpasswd-file="": additionally authenticate against a htpasswd file. Entries must be created with "htpasswd -s" for SHA encryption
-http-address="127.0.0.1:4180": [http://]<addr>:<port> or unix://<path> to listen on for HTTP clients
-login-url="": Authentication endpoint
-pass-access-token=false: pass OAuth access_token to upstream via X-Forwarded-Access-Token header
-pass-basic-auth=true: pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream
-pass-host-header=true: pass the request Host Header to upstream
-profile-url="": Profile access endpoint
-provider="": Oauth provider (defaults to Google)
-redeem-url="": Token redemption endpoint
-redirect-url="": the OAuth Redirect URL. ie: "https://internalapp.yourcompany.com/oauth2/callback"
-request-logging=true: Log requests to stdout
-scope="": Oauth scope specification
-skip-auth-regex=: bypass authentication for requests path's that match (may be given multiple times)
-upstream=: the http url(s) of the upstream endpoint. If multiple, routing is based on path
-version=false: print version string
Environment variables
The environment variables GOOGLE_AUTH_PROXY_CLIENT_ID
, GOOGLE_AUTH_PROXY_CLIENT_SECRET
, GOOGLE_AUTH_PROXY_COOKIE_SECRET
, GOOGLE_AUTH_PROXY_COOKIE_DOMAIN
and GOOGLE_AUTH_PROXY_COOKIE_EXPIRE
can be used in place of the corresponding command-line arguments.
Example Nginx Configuration
This example has a Nginx SSL endpoint proxying to google_auth_proxy
on port 4180
.
google_auth_proxy
then authenticates requests for an upstream application running on port 8080
. The external
endpoint for this example would be https://internal.yourcompany.com/
.
An example Nginx config follows. Note the use of Strict-Transport-Security
header to pin requests to SSL
via HSTS:
server {
listen 443 default ssl;
server_name internal.yourcompany.com;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/cert.key;
add_header Strict-Transport-Security max-age=1209600;
location / {
proxy_pass http://127.0.0.1:4180;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 1;
proxy_send_timeout 30;
proxy_read_timeout 30;
}
}
The command line to run google_auth_proxy
would look like this:
./google_auth_proxy \
--google-apps-domain="yourcompany.com" \
--upstream=http://127.0.0.1:8080/ \
--cookie-secret=... \
--cookie-secure=true \
--client-id=... \
--client-secret=...
Endpoint Documentation
Google Auth Proxy responds directly to the following endpoints. All other endpoints will be proxied upstream when authenticated.
- /ping - returns an 200 OK response
- /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
- /oauth2/start - a URL that will redirect to start the OAuth cycle
- /oauth2/callback - the URL used at the end of the OAuth cycle. The oauth app will be configured with this ass the callback url.
Logging Format
Google Auth Proxy logs requests to stdout in a format similar to Apache Combined Log.
<REMOTE_ADDRESS> - <user@domain.com> [19/Mar/2015:17:20:19 -0400] <HOST_HEADER> GET <UPSTREAM_HOST> "/path/" HTTP/1.1 "<USER_AGENT>" <RESPONSE_CODE> <RESPONSE_BYTES> <REQUEST_DURATION>
Providers other than Google
Other providers besides Google can be specified by the providers
flag/config
directive. Right now this includes:
Adding a new Provider
Follow the examples in the providers
package to define a new
Provider
instance. Add a new case
to
providers.New()
to allow the auth proxy to use the
new Provider
.