oauth2-proxy/main.go

package main

import (
	"fmt"
	"math/rand"
	"net"
	"os"
	"os/signal"
	"runtime"
	"syscall"
	"time"

	"github.com/justinas/alice"
	"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options"
	"github.com/oauth2-proxy/oauth2-proxy/pkg/logger"
	"github.com/oauth2-proxy/oauth2-proxy/pkg/middleware"
	"github.com/oauth2-proxy/oauth2-proxy/pkg/validation"
)

func main() {
	logger.SetFlags(logger.Lshortfile)
	flagSet := options.NewFlagSet()

	config := flagSet.String("config", "", "path to config file")
	showVersion := flagSet.Bool("version", false, "print version string")

	err := flagSet.Parse(os.Args[1:])
	if err != nil {
		logger.Printf("ERROR: Failed to parse flags: %v", err)
		os.Exit(1)
	}

	if *showVersion {
		fmt.Printf("oauth2-proxy %s (built with %s)\n", VERSION, runtime.Version())
		return
	}

	legacyOpts := options.NewLegacyOptions()
	err = options.Load(*config, flagSet, legacyOpts)
	if err != nil {
		logger.Errorf("ERROR: Failed to load config: %v", err)
		os.Exit(1)
	}

	opts, err := legacyOpts.ToOptions()
	if err != nil {
		logger.Errorf("ERROR: Failed to convert config: %v", err)
		os.Exit(1)
	}

	err = validation.Validate(opts)
	if err != nil {
		logger.Printf("%s", err)
		os.Exit(1)
	}

	validator := NewValidator(opts.EmailDomains, opts.AuthenticatedEmailsFile)
	oauthproxy, err := NewOAuthProxy(opts, validator)
	if err != nil {
		logger.Errorf("ERROR: Failed to initialise OAuth2 Proxy: %v", err)
		os.Exit(1)
	}

	rand.Seed(time.Now().UnixNano())

	chain := alice.New()

	if opts.ForceHTTPS {
		_, httpsPort, err := net.SplitHostPort(opts.HTTPSAddress)
		if err != nil {
			logger.Fatalf("FATAL: invalid HTTPS address %q: %v", opts.HTTPAddress, err)
		}
		chain = chain.Append(middleware.NewRedirectToHTTPS(httpsPort))
	}

	healthCheckPaths := []string{opts.PingPath}
	healthCheckUserAgents := []string{opts.PingUserAgent}
	if opts.GCPHealthChecks {
		healthCheckPaths = append(healthCheckPaths, "/liveness_check", "/readiness_check")
		healthCheckUserAgents = append(healthCheckUserAgents, "GoogleHC/1.0")
	}

	// To silence logging of health checks, register the health check handler before
	// the logging handler
	if opts.Logging.SilencePing {
		chain = chain.Append(middleware.NewHealthCheck(healthCheckPaths, healthCheckUserAgents), LoggingHandler)
	} else {
		chain = chain.Append(LoggingHandler, middleware.NewHealthCheck(healthCheckPaths, healthCheckUserAgents))
	}

	s := &Server{
		Handler: chain.Then(oauthproxy),
		Opts:    opts,
		stop:    make(chan struct{}, 1),
	}
	// Observe signals in background goroutine.
	go func() {
		sigint := make(chan os.Signal, 1)
		signal.Notify(sigint, os.Interrupt, syscall.SIGTERM)
		<-sigint
		s.stop <- struct{}{} // notify having caught signal
	}()
	s.ListenAndServe()
}
initial code import 2012-12-11 04:59:23 +03:00			`package main`

			`import (`
testing 2012-12-17 21:38:33 +03:00			`"fmt"`
add login.gov provider (#55) * first stab at login.gov provider * fixing bugs now that I think I understand things better * fixing up dependencies * remove some debug stuff * Fixing all dependencies to point at my fork * forgot to hit save on the github rehome here * adding options for setting keys and so on, use JWT workflow instead of PKCE * forgot comma * was too aggressive with search/replace * need JWTKey to be byte array * removed custom refresh stuff * do our own custom jwt claim and store it in the normal session store * golang json types are strange * I have much to learn about golang * fix time and signing key * add http lib * fixed claims up since we don't need custom claims * add libs * forgot ioutil * forgot ioutil * moved back to pusher location * changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov * update dependencies * do JWTs properly * finished oidc flow, fixed up tests to work better * updated comments, added test that we set expiresOn properly * got confused with header and post vs get * clean up debug and test dir * add login.gov to README, remove references to my repo * forgot to remove un-needed code * can use sample_key* instead of generating your own * updated changelog * apparently golint wants comments like this * linter wants non-standard libs in a separate grouping * Update options.go Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov> * Update options.go Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov> * remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback * github doesn't seem to do gofmt when merging. :-) * update CODEOWNERS * check the nonce * validate the JWT fully * forgot to add pubjwk-url to README * unexport the struct * fix up the err masking that travis found * update nonce comment by request of @JoelSpeed * argh. Thought I'd formatted the merge properly, but apparently not. * fixed test to not fail if the query time was greater than zero 2019-03-20 15:44:51 +02:00			`"math/rand"`
Move RedirectToHTTPS to middleware package Moves the logic for redirecting to HTTPs to a middleware package and adds tests for this logic. Also makes the functionality more useful, previously it always redirected to the HTTPS address of the proxy, which may not have been intended, now it will redirect based on if a port is provided in the URL (assume public facing 80 to 443 or 4180 to 8443 for example) 2020-06-12 19:18:41 +02:00			`"net"`
update to new scopes 2014-08-07 23:16:39 +03:00			`"os"`
Implement graceful shutdown and propagate request context (#468) * feature: Implement graceful shutdown Propagate the request context to the Redis client. It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client. The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently. Added handling of Unix signals to http server. Upgrade go-redis/redis to v7. * Update dependencies - Upgrade golang/x/* and google-api-go - Migrate fsnotify import from gopkg.in to github.com - Replace bmizerany/assert with stretchr/testify/assert * add doc for wrapper interface * Update CHANGELOG.md * fix: upgrade fsnotify to v1.4.9 * fix: remove unnessary logging * fix: wait until all connections have been closed * refactor: move chan to main for testing * add assert to check if stop chan is empty * add an idiomatic for sync.WaitGroup with timeout 2020-04-04 17:12:38 +02:00			`"os/signal"`
show Go version 2015-03-20 05:03:00 +02:00			`"runtime"`
Implement graceful shutdown and propagate request context (#468) * feature: Implement graceful shutdown Propagate the request context to the Redis client. It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client. The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently. Added handling of Unix signals to http server. Upgrade go-redis/redis to v7. * Update dependencies - Upgrade golang/x/* and google-api-go - Migrate fsnotify import from gopkg.in to github.com - Replace bmizerany/assert with stretchr/testify/assert * add doc for wrapper interface * Update CHANGELOG.md * fix: upgrade fsnotify to v1.4.9 * fix: remove unnessary logging * fix: wait until all connections have been closed * refactor: move chan to main for testing * add assert to check if stop chan is empty * add an idiomatic for sync.WaitGroup with timeout 2020-04-04 17:12:38 +02:00			`"syscall"`
always set httponly (there is no good reason not to); simplify httponly and expire flags 2014-11-08 20:26:55 +02:00			`"time"`
initial code import 2012-12-11 04:59:23 +03:00
Integrate HealthCheck middleware 2020-06-14 21:58:44 +02:00			`"github.com/justinas/alice"`
Replace options loading with viper 2020-04-13 12:34:25 +02:00			`"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/options"`
Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:54:36 +02:00			`"github.com/oauth2-proxy/oauth2-proxy/pkg/logger"`
Integrate HealthCheck middleware 2020-06-14 21:58:44 +02:00			`"github.com/oauth2-proxy/oauth2-proxy/pkg/middleware"`
Move Options and Validation to package 2020-04-13 14:50:34 +02:00			`"github.com/oauth2-proxy/oauth2-proxy/pkg/validation"`
initial code import 2012-12-11 04:59:23 +03:00			`)`

			`func main() {`
Auth and standard logging with file rolling 2019-02-10 18:37:45 +02:00			`logger.SetFlags(logger.Lshortfile)`
Move FlagSet to Options package 2020-04-13 15:20:04 +02:00			`flagSet := options.NewFlagSet()`
Add config file support 2014-11-09 21:51:10 +02:00
			`config := flagSet.String("config", "", "path to config file")`
			`showVersion := flagSet.Bool("version", false, "print version string")`

Address gosec findings Mostly handling unhandled errors appropriately. If logging to STDERR fails, we panic. Added #nosec comments to findings we are OK with. 2020-07-20 07:24:18 +02:00			`err := flagSet.Parse(os.Args[1:])`
			`if err != nil {`
			`logger.Printf("ERROR: Failed to parse flags: %v", err)`
			`os.Exit(1)`
			`}`
Add config file support 2014-11-09 21:51:10 +02:00
better environment parsing 2014-11-10 04:07:02 +02:00			`if *showVersion {`
Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:54:36 +02:00			`fmt.Printf("oauth2-proxy %s (built with %s)\n", VERSION, runtime.Version())`
better environment parsing 2014-11-10 04:07:02 +02:00			`return`
			`}`

Configure OAuth2 Proxy to use new upstreams package and LegacyConfig 2020-05-26 21:06:27 +02:00			`legacyOpts := options.NewLegacyOptions()`
Address gosec findings Mostly handling unhandled errors appropriately. If logging to STDERR fails, we panic. Added #nosec comments to findings we are OK with. 2020-07-20 07:24:18 +02:00			`err = options.Load(*config, flagSet, legacyOpts)`
Replace options loading with viper 2020-04-13 12:34:25 +02:00			`if err != nil {`
Allow Logging to stdout with separate Error Log Channel (#718) * Add dedicated error logging writer * Document new errors to stdout flag * Update changelog * Thread-safe the log buffer * Address feedback * Remove duplication by adding log level * Clean up error formatting * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-08-10 12:44:08 +02:00			`logger.Errorf("ERROR: Failed to load config: %v", err)`
Replace options loading with viper 2020-04-13 12:34:25 +02:00			`os.Exit(1)`
Add config file support 2014-11-09 21:51:10 +02:00			`}`
initial code import 2012-12-11 04:59:23 +03:00
Configure OAuth2 Proxy to use new upstreams package and LegacyConfig 2020-05-26 21:06:27 +02:00			`opts, err := legacyOpts.ToOptions()`
			`if err != nil {`
Allow Logging to stdout with separate Error Log Channel (#718) * Add dedicated error logging writer * Document new errors to stdout flag * Update changelog * Thread-safe the log buffer * Address feedback * Remove duplication by adding log level * Clean up error formatting * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-08-10 12:44:08 +02:00			`logger.Errorf("ERROR: Failed to convert config: %v", err)`
Configure OAuth2 Proxy to use new upstreams package and LegacyConfig 2020-05-26 21:06:27 +02:00			`os.Exit(1)`
			`}`

Move Options and Validation to package 2020-04-13 14:50:34 +02:00			`err = validation.Validate(opts)`
initial code import 2012-12-11 04:59:23 +03:00			`if err != nil {`
Auth and standard logging with file rolling 2019-02-10 18:37:45 +02:00			`logger.Printf("%s", err)`
Add config file support 2014-11-09 21:51:10 +02:00			`os.Exit(1)`
initial code import 2012-12-11 04:59:23 +03:00			`}`
Auth and standard logging with file rolling 2019-02-10 18:37:45 +02:00
disable email validation; rename email-domain argument This adds a "*" option to --email-domain to disable email validation, and this renames `--google-apps-domain` to `--email-domain` for clarity across providers 2015-06-06 20:37:54 +02:00			`validator := NewValidator(opts.EmailDomains, opts.AuthenticatedEmailsFile)`
Initialise Session Storage in NewOAuthProxy instead of validation 2020-05-25 15:00:49 +02:00			`oauthproxy, err := NewOAuthProxy(opts, validator)`
			`if err != nil {`
Allow Logging to stdout with separate Error Log Channel (#718) * Add dedicated error logging writer * Document new errors to stdout flag * Update changelog * Thread-safe the log buffer * Address feedback * Remove duplication by adding log level * Clean up error formatting * Apply suggestions from code review Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> 2020-08-10 12:44:08 +02:00			`logger.Errorf("ERROR: Failed to initialise OAuth2 Proxy: %v", err)`
Initialise Session Storage in NewOAuthProxy instead of validation 2020-05-25 15:00:49 +02:00			`os.Exit(1)`
			`}`
Add config file support 2014-11-09 21:51:10 +02:00
add login.gov provider (#55) * first stab at login.gov provider * fixing bugs now that I think I understand things better * fixing up dependencies * remove some debug stuff * Fixing all dependencies to point at my fork * forgot to hit save on the github rehome here * adding options for setting keys and so on, use JWT workflow instead of PKCE * forgot comma * was too aggressive with search/replace * need JWTKey to be byte array * removed custom refresh stuff * do our own custom jwt claim and store it in the normal session store * golang json types are strange * I have much to learn about golang * fix time and signing key * add http lib * fixed claims up since we don't need custom claims * add libs * forgot ioutil * forgot ioutil * moved back to pusher location * changed proxy github location back so that it builds externally, fixed up []byte stuff, removed client_secret if we are using login.gov * update dependencies * do JWTs properly * finished oidc flow, fixed up tests to work better * updated comments, added test that we set expiresOn properly * got confused with header and post vs get * clean up debug and test dir * add login.gov to README, remove references to my repo * forgot to remove un-needed code * can use sample_key* instead of generating your own * updated changelog * apparently golint wants comments like this * linter wants non-standard libs in a separate grouping * Update options.go Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov> * Update options.go Co-Authored-By: timothy-spencer <timothy.spencer@gsa.gov> * remove sample_key, improve comments related to client-secret, fix changelog related to PR feedback * github doesn't seem to do gofmt when merging. :-) * update CODEOWNERS * check the nonce * validate the JWT fully * forgot to add pubjwk-url to README * unexport the struct * fix up the err masking that travis found * update nonce comment by request of @JoelSpeed * argh. Thought I'd formatted the merge properly, but apparently not. * fixed test to not fail if the query time was greater than zero 2019-03-20 15:44:51 +02:00			`rand.Seed(time.Now().UnixNano())`

Integrate HealthCheck middleware 2020-06-14 21:58:44 +02:00			`chain := alice.New()`

			`if opts.ForceHTTPS {`
Move RedirectToHTTPS to middleware package Moves the logic for redirecting to HTTPs to a middleware package and adds tests for this logic. Also makes the functionality more useful, previously it always redirected to the HTTPS address of the proxy, which may not have been intended, now it will redirect based on if a port is provided in the URL (assume public facing 80 to 443 or 4180 to 8443 for example) 2020-06-12 19:18:41 +02:00			`_, httpsPort, err := net.SplitHostPort(opts.HTTPSAddress)`
			`if err != nil {`
			`logger.Fatalf("FATAL: invalid HTTPS address %q: %v", opts.HTTPAddress, err)`
			`}`
			`chain = chain.Append(middleware.NewRedirectToHTTPS(httpsPort))`
Integrate HealthCheck middleware 2020-06-14 21:58:44 +02:00			`}`

			`healthCheckPaths := []string{opts.PingPath}`
			`healthCheckUserAgents := []string{opts.PingUserAgent}`
added an option to enable GCP healthcheck endpoints 2019-03-20 23:29:44 +02:00			`if opts.GCPHealthChecks {`
Integrate HealthCheck middleware 2020-06-14 21:58:44 +02:00			`healthCheckPaths = append(healthCheckPaths, "/liveness_check", "/readiness_check")`
			`healthCheckUserAgents = append(healthCheckUserAgents, "GoogleHC/1.0")`
			`}`

			`// To silence logging of health checks, register the health check handler before`
			`// the logging handler`
			`if opts.Logging.SilencePing {`
			`chain = chain.Append(middleware.NewHealthCheck(healthCheckPaths, healthCheckUserAgents), LoggingHandler)`
added an option to enable GCP healthcheck endpoints 2019-03-20 23:29:44 +02:00			`} else {`
Integrate HealthCheck middleware 2020-06-14 21:58:44 +02:00			`chain = chain.Append(LoggingHandler, middleware.NewHealthCheck(healthCheckPaths, healthCheckUserAgents))`
added an option to enable GCP healthcheck endpoints 2019-03-20 23:29:44 +02:00			`}`
Integrate HealthCheck middleware 2020-06-14 21:58:44 +02:00
support TLS directly 2015-06-08 03:51:47 +02:00			`s := &Server{`
Integrate HealthCheck middleware 2020-06-14 21:58:44 +02:00			`Handler: chain.Then(oauthproxy),`
support TLS directly 2015-06-08 03:51:47 +02:00			`Opts: opts,`
Implement graceful shutdown and propagate request context (#468) * feature: Implement graceful shutdown Propagate the request context to the Redis client. It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client. The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently. Added handling of Unix signals to http server. Upgrade go-redis/redis to v7. * Update dependencies - Upgrade golang/x/* and google-api-go - Migrate fsnotify import from gopkg.in to github.com - Replace bmizerany/assert with stretchr/testify/assert * add doc for wrapper interface * Update CHANGELOG.md * fix: upgrade fsnotify to v1.4.9 * fix: remove unnessary logging * fix: wait until all connections have been closed * refactor: move chan to main for testing * add assert to check if stop chan is empty * add an idiomatic for sync.WaitGroup with timeout 2020-04-04 17:12:38 +02:00			`stop: make(chan struct{}, 1),`
Added scheme parsing to http-address param Can now listen for HTTP clients on unix sockets (and any other Go-supported stream oriented network - see golang.org/pkg/net/#Listen). Default behaviour is unchanged, any http-address without a scheme is given the default of tcp. Amended the README so that the usage output is up to date. 2015-02-11 03:07:40 +02:00			`}`
Implement graceful shutdown and propagate request context (#468) * feature: Implement graceful shutdown Propagate the request context to the Redis client. It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client. The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently. Added handling of Unix signals to http server. Upgrade go-redis/redis to v7. * Update dependencies - Upgrade golang/x/* and google-api-go - Migrate fsnotify import from gopkg.in to github.com - Replace bmizerany/assert with stretchr/testify/assert * add doc for wrapper interface * Update CHANGELOG.md * fix: upgrade fsnotify to v1.4.9 * fix: remove unnessary logging * fix: wait until all connections have been closed * refactor: move chan to main for testing * add assert to check if stop chan is empty * add an idiomatic for sync.WaitGroup with timeout 2020-04-04 17:12:38 +02:00			`// Observe signals in background goroutine.`
			`go func() {`
			`sigint := make(chan os.Signal, 1)`
			`signal.Notify(sigint, os.Interrupt, syscall.SIGTERM)`
			`<-sigint`
			`s.stop <- struct{}{} // notify having caught signal`
			`}()`
support TLS directly 2015-06-08 03:51:47 +02:00			`s.ListenAndServe()`
initial code import 2012-12-11 04:59:23 +03:00			`}`