1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-28 09:08:44 +02:00
oauth2-proxy/main.go

123 lines
5.5 KiB
Go
Raw Normal View History

2012-12-11 04:59:23 +03:00
package main
import (
"flag"
2012-12-17 21:38:33 +03:00
"fmt"
2012-12-11 04:59:23 +03:00
"log"
2014-08-07 23:16:39 +03:00
"os"
2015-03-20 05:03:00 +02:00
"runtime"
2012-12-11 04:59:23 +03:00
"strings"
"time"
2012-12-11 04:59:23 +03:00
2014-11-09 21:51:10 +02:00
"github.com/BurntSushi/toml"
"github.com/mreiferson/go-options"
2012-12-11 04:59:23 +03:00
)
func main() {
2015-05-21 05:23:48 +02:00
log.SetFlags(log.Ldate | log.Ltime | log.Lshortfile)
2015-05-21 08:50:21 +02:00
flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError)
2014-11-09 21:51:10 +02:00
emailDomains := StringArray{}
2014-11-09 21:51:10 +02:00
upstreams := StringArray{}
skipAuthRegex := StringArray{}
googleGroups := StringArray{}
2014-11-09 21:51:10 +02:00
config := flagSet.String("config", "", "path to config file")
showVersion := flagSet.Bool("version", false, "print version string")
flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")
2015-06-08 03:51:47 +02:00
flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients")
flagSet.String("tls-cert", "", "path to certificate file")
flagSet.String("tls-key", "", "path to private key file")
2014-11-09 21:51:10 +02:00
flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint. If multiple, routing is based on path")
flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
2015-03-17 21:15:15 +02:00
flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")
2014-11-09 21:51:10 +02:00
flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
2015-05-21 05:23:48 +02:00
flagSet.String("github-org", "", "restrict logins to members of this organisation")
flagSet.String("github-team", "", "restrict logins to members of this team")
flagSet.Var(&googleGroups, "google-group", "restrict logins to members of this google group (may be given multiple times).")
flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls")
flagSet.String("google-service-account-json", "", "the path to the service account json credentials")
2015-05-21 08:50:21 +02:00
flagSet.String("client-id", "", "the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")
2014-11-09 21:51:10 +02:00
flagSet.String("client-secret", "", "the OAuth Client Secret")
flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption")
flagSet.Bool("display-htpasswd-form", true, "display username / password login form if an htpasswd file is provided")
2015-03-18 00:06:06 +02:00
flagSet.String("custom-templates-dir", "", "path to custom html templates")
flagSet.String("proxy-prefix", "/oauth2", "the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)")
flagSet.String("cookie-name", "_oauth2_proxy", "the name of the cookie that the oauth_proxy creates")
2014-11-09 21:51:10 +02:00
flagSet.String("cookie-secret", "", "the seed string for secure cookies")
2014-11-10 04:07:02 +02:00
flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
2014-11-09 21:51:10 +02:00
flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
2015-06-23 20:01:05 +02:00
flagSet.Duration("cookie-refresh", time.Duration(0), "refresh the cookie after this duration; 0 to disable")
2015-03-18 05:13:45 +02:00
flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")
2014-11-09 21:51:10 +02:00
flagSet.Bool("request-logging", true, "Log requests to stdout")
2015-06-08 03:51:47 +02:00
flagSet.String("provider", "google", "OAuth provider")
flagSet.String("login-url", "", "Authentication endpoint")
flagSet.String("redeem-url", "", "Token redemption endpoint")
flagSet.String("profile-url", "", "Profile access endpoint")
2015-05-08 23:13:35 +02:00
flagSet.String("validate-url", "", "Access token validation endpoint")
flagSet.String("scope", "", "Oauth scope specification")
flagSet.String("approval-prompt", "force", "Oauth approval_prompt")
2014-11-09 21:51:10 +02:00
flagSet.Parse(os.Args[1:])
2014-11-10 04:07:02 +02:00
if *showVersion {
2015-05-21 08:50:21 +02:00
fmt.Printf("oauth2_proxy v%s (built with %s)\n", VERSION, runtime.Version())
2014-11-10 04:07:02 +02:00
return
}
2014-11-09 21:51:10 +02:00
opts := NewOptions()
2014-11-15 06:06:07 +02:00
cfg := make(EnvOptions)
2014-11-09 21:51:10 +02:00
if *config != "" {
_, err := toml.DecodeFile(*config, &cfg)
if err != nil {
log.Fatalf("ERROR: failed to load config file %s - %s", *config, err)
}
}
2014-11-15 06:06:07 +02:00
cfg.LoadEnvForStruct(opts)
2014-11-09 21:51:10 +02:00
options.Resolve(opts, flagSet, cfg)
2012-12-11 04:59:23 +03:00
2014-11-09 21:51:10 +02:00
err := opts.Validate()
2012-12-11 04:59:23 +03:00
if err != nil {
2014-11-09 21:51:10 +02:00
log.Printf("%s", err)
os.Exit(1)
2012-12-11 04:59:23 +03:00
}
validator := NewValidator(opts.EmailDomains, opts.AuthenticatedEmailsFile)
2014-11-09 21:51:10 +02:00
oauthproxy := NewOauthProxy(opts, validator)
if len(opts.EmailDomains) != 0 && opts.AuthenticatedEmailsFile == "" {
if len(opts.EmailDomains) > 1 {
oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using one of the following domains: %v", strings.Join(opts.EmailDomains, ", "))
} else if opts.EmailDomains[0] != "*" {
oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using %v", opts.EmailDomains[0])
2014-11-09 07:26:52 +02:00
}
2012-12-11 04:59:23 +03:00
}
2014-11-09 21:51:10 +02:00
if opts.HtpasswdFile != "" {
2014-11-10 04:07:02 +02:00
log.Printf("using htpasswd file %s", opts.HtpasswdFile)
2014-11-09 21:51:10 +02:00
oauthproxy.HtpasswdFile, err = NewHtpasswdFromFile(opts.HtpasswdFile)
oauthproxy.DisplayHtpasswdForm = opts.DisplayHtpasswdForm
2012-12-17 21:38:33 +03:00
if err != nil {
2014-11-09 21:51:10 +02:00
log.Fatalf("FATAL: unable to open %s %s", opts.HtpasswdFile, err)
2012-12-17 21:38:33 +03:00
}
2012-12-11 04:59:23 +03:00
}
2014-11-09 21:51:10 +02:00
2015-06-08 03:51:47 +02:00
s := &Server{
Handler: LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging),
Opts: opts,
}
2015-06-08 03:51:47 +02:00
s.ListenAndServe()
2012-12-11 04:59:23 +03:00
}