From 8027cc454e0fd571de69d496f1de13c51d2ab6e7 Mon Sep 17 00:00:00 2001 From: Joel Speed Date: Fri, 24 May 2019 16:55:12 +0100 Subject: [PATCH 01/10] Move api to pkg/requests --- api/api.go => pkg/requests/requests.go | 2 +- api/api_test.go => pkg/requests/requests_test.go | 2 +- providers/azure.go | 4 ++-- providers/facebook.go | 4 ++-- providers/gitlab.go | 4 ++-- providers/internal_util.go | 4 ++-- providers/linkedin.go | 4 ++-- 7 files changed, 12 insertions(+), 12 deletions(-) rename api/api.go => pkg/requests/requests.go (98%) rename api/api_test.go => pkg/requests/requests_test.go (99%) diff --git a/api/api.go b/pkg/requests/requests.go similarity index 98% rename from api/api.go rename to pkg/requests/requests.go index c5d5623e..aac22e47 100644 --- a/api/api.go +++ b/pkg/requests/requests.go @@ -1,4 +1,4 @@ -package api +package requests import ( "encoding/json" diff --git a/api/api_test.go b/pkg/requests/requests_test.go similarity index 99% rename from api/api_test.go rename to pkg/requests/requests_test.go index 7bdf1b7d..99a4c3b6 100644 --- a/api/api_test.go +++ b/pkg/requests/requests_test.go @@ -1,4 +1,4 @@ -package api +package requests import ( "io/ioutil" diff --git a/providers/azure.go b/providers/azure.go index a7961d20..31544328 100644 --- a/providers/azure.go +++ b/providers/azure.go @@ -7,9 +7,9 @@ import ( "net/url" "github.com/bitly/go-simplejson" - "github.com/pusher/oauth2_proxy/api" "github.com/pusher/oauth2_proxy/logger" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" + "github.com/pusher/oauth2_proxy/pkg/requests" ) // AzureProvider represents an Azure based Identity Provider @@ -102,7 +102,7 @@ func (p *AzureProvider) GetEmailAddress(s *sessions.SessionState) (string, error } req.Header = getAzureHeader(s.AccessToken) - json, err := api.Request(req) + json, err := requests.Request(req) if err != nil { return "", err diff --git a/providers/facebook.go b/providers/facebook.go index 9897a1b6..abd53828 100644 --- a/providers/facebook.go 
+++ b/providers/facebook.go @@ -6,8 +6,8 @@ import ( "net/http" "net/url" - "github.com/pusher/oauth2_proxy/api" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" + "github.com/pusher/oauth2_proxy/pkg/requests" ) // FacebookProvider represents an Facebook based Identity Provider @@ -69,7 +69,7 @@ func (p *FacebookProvider) GetEmailAddress(s *sessions.SessionState) (string, er Email string } var r result - err = api.RequestJSON(req, &r) + err = requests.RequestJSON(req, &r) if err != nil { return "", err } diff --git a/providers/gitlab.go b/providers/gitlab.go index af956c4c..c9a4a1fc 100644 --- a/providers/gitlab.go +++ b/providers/gitlab.go @@ -4,9 +4,9 @@ import ( "net/http" "net/url" - "github.com/pusher/oauth2_proxy/api" "github.com/pusher/oauth2_proxy/logger" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" + "github.com/pusher/oauth2_proxy/pkg/requests" ) // GitLabProvider represents an GitLab based Identity Provider @@ -53,7 +53,7 @@ func (p *GitLabProvider) GetEmailAddress(s *sessions.SessionState) (string, erro logger.Printf("failed building request %s", err) return "", err } - json, err := api.Request(req) + json, err := requests.Request(req) if err != nil { logger.Printf("failed making request %s", err) return "", err diff --git a/providers/internal_util.go b/providers/internal_util.go index 7144dee0..bb5f4f54 100644 --- a/providers/internal_util.go +++ b/providers/internal_util.go @@ -5,8 +5,8 @@ import ( "net/http" "net/url" - "github.com/pusher/oauth2_proxy/api" "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/requests" ) // stripToken is a helper function to obfuscate "access_token" 
@@ -55,7 +55,7 @@ func validateToken(p Provider, accessToken string, header http.Header) bool { params := url.Values{"access_token": {accessToken}} endpoint = endpoint + "?" + params.Encode() } - resp, err := api.RequestUnparsedResponse(endpoint, header) + resp, err := requests.RequestUnparsedResponse(endpoint, header) if err != nil { logger.Printf("GET %s", stripToken(endpoint)) logger.Printf("token validation request failed: %s", err) diff --git a/providers/linkedin.go b/providers/linkedin.go index a31b4a11..bca29360 100644 --- a/providers/linkedin.go +++ b/providers/linkedin.go @@ -6,8 +6,8 @@ import ( "net/http" "net/url" - "github.com/pusher/oauth2_proxy/api" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" + "github.com/pusher/oauth2_proxy/pkg/requests" ) // LinkedInProvider represents an LinkedIn based Identity Provider @@ -61,7 +61,7 @@ func (p *LinkedInProvider) GetEmailAddress(s *sessions.SessionState) (string, er } req.Header = getLinkedInHeader(s.AccessToken) - json, err := api.Request(req) + json, err := requests.Request(req) if err != nil { return "", err } From d1ef14becc300ee2ad65c07a032daf51dac2ca01 Mon Sep 17 00:00:00 2001 
From: Joel Speed Date: Fri, 24 May 2019 17:06:48 +0100 Subject: [PATCH 02/10] Move cookie to pkg/encryption --- oauthproxy.go | 4 ++-- options.go | 6 +++--- pkg/apis/options/sessions.go | 6 ++---- pkg/apis/sessions/session_state.go | 8 ++++---- pkg/apis/sessions/session_state_test.go | 14 +++++++------- cookie/cookies.go => pkg/encryption/cipher.go | 2 +- .../encryption/cipher_test.go | 2 +- {cookie => pkg/encryption}/nonce.go | 2 +- pkg/sessions/cookie/session_store.go | 8 ++++---- pkg/sessions/redis/redis_store.go | 12 ++++++------ pkg/sessions/session_store_test.go | 6 +++--- pkg/sessions/utils/utils.go | 6 +++--- providers/provider_default.go | 6 +++--- providers/providers.go | 6 +++--- 14 files changed, 43 insertions(+), 45 deletions(-) rename cookie/cookies.go => pkg/encryption/cipher.go (99%) rename cookie/cookies_test.go => pkg/encryption/cipher_test.go (98%) rename {cookie => pkg/encryption}/nonce.go (93%) diff --git a/oauthproxy.go b/oauthproxy.go index 389b2a99..62d1a18a 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -14,9 +14,9 @@ import ( "time" "github.com/mbland/hmacauth" - "github.com/pusher/oauth2_proxy/cookie" "github.com/pusher/oauth2_proxy/logger" sessionsapi "github.com/pusher/oauth2_proxy/pkg/apis/sessions" + "github.com/pusher/oauth2_proxy/pkg/encryption" "github.com/pusher/oauth2_proxy/providers" "github.com/yhat/wsutil" ) @@ -555,7 +555,7 @@ func (p *OAuthProxy) SignOut(rw http.ResponseWriter, req *http.Request) { // OAuthStart starts the OAuth2 authentication flow func (p *OAuthProxy) OAuthStart(rw http.ResponseWriter, req *http.Request) { - nonce, err := cookie.Nonce() + nonce, err := encryption.Nonce() if err != nil { logger.Printf("Error obtaining nonce: %s", err.Error()) p.ErrorPage(rw, 500, "Internal Error", err.Error()) diff --git a/options.go b/options.go index 0460bce2..2b506e34 100644 --- a/options.go +++ b/options.go 
@@ -17,10 +17,10 @@ import ( oidc "github.com/coreos/go-oidc" "github.com/dgrijalva/jwt-go" "github.com/mbland/hmacauth" - "github.com/pusher/oauth2_proxy/cookie" "github.com/pusher/oauth2_proxy/logger" "github.com/pusher/oauth2_proxy/pkg/apis/options" sessionsapi "github.com/pusher/oauth2_proxy/pkg/apis/sessions" + "github.com/pusher/oauth2_proxy/pkg/encryption" "github.com/pusher/oauth2_proxy/pkg/sessions" "github.com/pusher/oauth2_proxy/providers" "gopkg.in/natefinch/lumberjack.v2" @@ -268,7 +268,7 @@ func (o *Options) Validate() error { } msgs = parseProviderInfo(o, msgs) - var cipher *cookie.Cipher + var cipher *encryption.Cipher if o.PassAccessToken || o.SetAuthorization || o.PassAuthorization || (o.CookieRefresh != time.Duration(0)) { validCookieSecretSize := false for _, i := range []int{16, 24, 32} { @@ -293,7 +293,7 @@ func (o *Options) Validate() error { len(secretBytes(o.CookieSecret)), suffix)) } else { var err error - cipher, err = cookie.NewCipher(secretBytes(o.CookieSecret)) + cipher, err = encryption.NewCipher(secretBytes(o.CookieSecret)) if err != nil { msgs = append(msgs, fmt.Sprintf("cookie-secret error: %v", err)) } diff --git a/pkg/apis/options/sessions.go b/pkg/apis/options/sessions.go index c72da3dd..c96d490c 100644 --- a/pkg/apis/options/sessions.go +++ b/pkg/apis/options/sessions.go @@ -1,13 +1,11 @@ package options -import ( - "github.com/pusher/oauth2_proxy/cookie" -) +import "github.com/pusher/oauth2_proxy/pkg/encryption" // SessionOptions contains configuration options for the SessionStore providers. type SessionOptions struct { Type string `flag:"session-store-type" cfg:"session_store_type" env:"OAUTH2_PROXY_SESSION_STORE_TYPE"` - Cipher *cookie.Cipher + Cipher *encryption.Cipher CookieStoreOptions RedisStoreOptions } diff --git a/pkg/apis/sessions/session_state.go b/pkg/apis/sessions/session_state.go index 01789ff6..84c0dc90 100644 --- a/pkg/apis/sessions/session_state.go +++ b/pkg/apis/sessions/session_state.go 
@@ -7,7 +7,7 @@ import ( "strings" "time" - "github.com/pusher/oauth2_proxy/cookie" + "github.com/pusher/oauth2_proxy/pkg/encryption" ) // SessionState is used to store information about the currently authenticated user session @@ -66,7 +66,7 @@ func (s *SessionState) String() string { } // EncodeSessionState returns string representation of the current session -func (s *SessionState) EncodeSessionState(c *cookie.Cipher) (string, error) { +func (s *SessionState) EncodeSessionState(c *encryption.Cipher) (string, error) { var ss SessionState if c == nil { // Store only Email and User when cipher is unavailable @@ -133,7 +133,7 @@ func legacyDecodeSessionStatePlain(v string) (*SessionState, error) { // legacyDecodeSessionState attempts to decode the session state string // generated by v3.1.0 or older -func legacyDecodeSessionState(v string, c *cookie.Cipher) (*SessionState, error) { +func legacyDecodeSessionState(v string, c *encryption.Cipher) (*SessionState, error) { chunks := strings.Split(v, "|") if c == nil { @@ -176,7 +176,7 @@ func legacyDecodeSessionState(v string, c *cookie.Cipher) (*SessionState, error) } // DecodeSessionState decodes the session cookie string into a SessionState -func DecodeSessionState(v string, c *cookie.Cipher) (*SessionState, error) { +func DecodeSessionState(v string, c *encryption.Cipher) (*SessionState, error) { var ssj SessionStateJSON var ss *SessionState err := json.Unmarshal([]byte(v), &ssj) diff --git a/pkg/apis/sessions/session_state_test.go b/pkg/apis/sessions/session_state_test.go index a48344e8..c8ccff10 100644 --- a/pkg/apis/sessions/session_state_test.go +++ b/pkg/apis/sessions/session_state_test.go @@ -5,8 +5,8 @@ import ( "testing" "time" - "github.com/pusher/oauth2_proxy/cookie" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" + "github.com/pusher/oauth2_proxy/pkg/encryption" "github.com/stretchr/testify/assert" ) 
@@ -14,9 +14,9 @@ const secret = "0123456789abcdefghijklmnopqrstuv" const altSecret = "0000000000abcdefghijklmnopqrstuv" func TestSessionStateSerialization(t *testing.T) { - c, err := cookie.NewCipher([]byte(secret)) + c, err := encryption.NewCipher([]byte(secret)) assert.Equal(t, nil, err) - c2, err := cookie.NewCipher([]byte(altSecret)) + c2, err := encryption.NewCipher([]byte(altSecret)) assert.Equal(t, nil, err) s := &sessions.SessionState{ Email: "user@domain.com", @@ -54,9 +54,9 @@ func TestSessionStateSerialization(t *testing.T) { } func TestSessionStateSerializationWithUser(t *testing.T) { - c, err := cookie.NewCipher([]byte(secret)) + c, err := encryption.NewCipher([]byte(secret)) assert.Equal(t, nil, err) - c2, err := cookie.NewCipher([]byte(altSecret)) + c2, err := encryption.NewCipher([]byte(altSecret)) assert.Equal(t, nil, err) s := &sessions.SessionState{ User: "just-user", @@ -146,7 +146,7 @@ func TestExpired(t *testing.T) { type testCase struct { sessions.SessionState Encoded string - Cipher *cookie.Cipher + Cipher *encryption.Cipher Error bool } @@ -203,7 +203,7 @@ func TestDecodeSessionState(t *testing.T) { eString := string(eJSON) eUnix := e.Unix() - c, err := cookie.NewCipher([]byte(secret)) + c, err := encryption.NewCipher([]byte(secret)) assert.NoError(t, err) testCases := []testCase{ diff --git a/cookie/cookies.go b/pkg/encryption/cipher.go similarity index 99% rename from cookie/cookies.go rename to pkg/encryption/cipher.go index 0d354e15..c308330f 100644 --- a/cookie/cookies.go +++ b/pkg/encryption/cipher.go @@ -1,4 +1,4 @@ -package cookie +package encryption import ( "crypto/aes" diff --git a/cookie/cookies_test.go b/pkg/encryption/cipher_test.go similarity index 98% rename from cookie/cookies_test.go rename to pkg/encryption/cipher_test.go index 500550e6..fb6a4aa7 100644 --- a/cookie/cookies_test.go +++ b/pkg/encryption/cipher_test.go @@ -1,4 +1,4 @@ -package cookie +package encryption import ( "encoding/base64" 
diff --git a/cookie/nonce.go b/pkg/encryption/nonce.go similarity index 93% rename from cookie/nonce.go rename to pkg/encryption/nonce.go index 6def1488..69850c4e 100644 --- a/cookie/nonce.go +++ b/pkg/encryption/nonce.go @@ -1,4 +1,4 @@ -package cookie +package encryption import ( "crypto/rand" diff --git a/pkg/sessions/cookie/session_store.go b/pkg/sessions/cookie/session_store.go index c40dd233..960be905 100644 --- a/pkg/sessions/cookie/session_store.go +++ b/pkg/sessions/cookie/session_store.go @@ -8,10 +8,10 @@ import ( "strings" "time" - "github.com/pusher/oauth2_proxy/cookie" "github.com/pusher/oauth2_proxy/pkg/apis/options" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" "github.com/pusher/oauth2_proxy/pkg/cookies" + "github.com/pusher/oauth2_proxy/pkg/encryption" "github.com/pusher/oauth2_proxy/pkg/sessions/utils" ) @@ -28,7 +28,7 @@ var _ sessions.SessionStore = &SessionStore{} // interface that stores sessions in client side cookies type SessionStore struct { CookieOptions *options.CookieOptions - CookieCipher *cookie.Cipher + CookieCipher *encryption.Cipher } // Save takes a sessions.SessionState and stores the information from it @@ -53,7 +53,7 @@ func (s *SessionStore) Load(req *http.Request) (*sessions.SessionState, error) { // always http.ErrNoCookie return nil, fmt.Errorf("Cookie %q not present", s.CookieOptions.CookieName) } - val, _, ok := cookie.Validate(c, s.CookieOptions.CookieSecret, s.CookieOptions.CookieExpire) + val, _, ok := encryption.Validate(c, s.CookieOptions.CookieSecret, s.CookieOptions.CookieExpire) if !ok { return nil, errors.New("Cookie Signature not valid") } 
@@ -96,7 +96,7 @@ func (s *SessionStore) setSessionCookie(rw http.ResponseWriter, req *http.Reques // authentication details func (s *SessionStore) makeSessionCookie(req *http.Request, value string, now time.Time) []*http.Cookie { if value != "" { - value = cookie.SignedValue(s.CookieOptions.CookieSecret, s.CookieOptions.CookieName, value, now) + value = encryption.SignedValue(s.CookieOptions.CookieSecret, s.CookieOptions.CookieName, value, now) } c := s.makeCookie(req, s.CookieOptions.CookieName, value, s.CookieOptions.CookieExpire, now) if len(c.Value) > 4096-len(s.CookieOptions.CookieName) { diff --git a/pkg/sessions/redis/redis_store.go b/pkg/sessions/redis/redis_store.go index 82e941e7..ed33d72d 100644 --- a/pkg/sessions/redis/redis_store.go +++ b/pkg/sessions/redis/redis_store.go @@ -13,10 +13,10 @@ import ( "time" "github.com/go-redis/redis" - "github.com/pusher/oauth2_proxy/cookie" "github.com/pusher/oauth2_proxy/pkg/apis/options" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" "github.com/pusher/oauth2_proxy/pkg/cookies" + "github.com/pusher/oauth2_proxy/pkg/encryption" ) // TicketData is a structure representing the ticket used in server session storage @@ -28,7 +28,7 @@ type TicketData struct { // SessionStore is an implementation of the sessions.SessionStore // interface that stores sessions in redis type SessionStore struct { - CookieCipher *cookie.Cipher + CookieCipher *encryption.Cipher CookieOptions *options.CookieOptions Client *redis.Client } @@ -106,7 +106,7 @@ func (store *SessionStore) Load(req *http.Request) (*sessions.SessionState, erro return nil, fmt.Errorf("error loading session: %s", err) } - val, _, ok := cookie.Validate(requestCookie, store.CookieOptions.CookieSecret, store.CookieOptions.CookieExpire) + val, _, ok := encryption.Validate(requestCookie, store.CookieOptions.CookieSecret, store.CookieOptions.CookieExpire) if !ok { return nil, fmt.Errorf("Cookie Signature not valid") } 
@@ -166,7 +166,7 @@ func (store *SessionStore) Clear(rw http.ResponseWriter, req *http.Request) erro return fmt.Errorf("error retrieving cookie: %v", err) } - val, _, ok := cookie.Validate(requestCookie, store.CookieOptions.CookieSecret, store.CookieOptions.CookieExpire) + val, _, ok := encryption.Validate(requestCookie, store.CookieOptions.CookieSecret, store.CookieOptions.CookieExpire) if !ok { return fmt.Errorf("Cookie Signature not valid") } @@ -186,7 +186,7 @@ func (store *SessionStore) Clear(rw http.ResponseWriter, req *http.Request) erro // makeCookie makes a cookie, signing the value if present func (store *SessionStore) makeCookie(req *http.Request, value string, expires time.Duration, now time.Time) *http.Cookie { if value != "" { - value = cookie.SignedValue(store.CookieOptions.CookieSecret, store.CookieOptions.CookieName, value, now) + value = encryption.SignedValue(store.CookieOptions.CookieSecret, store.CookieOptions.CookieName, value, now) } return cookies.MakeCookieFromOptions( req, @@ -230,7 +230,7 @@ func (store *SessionStore) getTicket(requestCookie *http.Cookie) (*TicketData, e } // An existing cookie exists, try to retrieve the ticket - val, _, ok := cookie.Validate(requestCookie, store.CookieOptions.CookieSecret, store.CookieOptions.CookieExpire) + val, _, ok := encryption.Validate(requestCookie, store.CookieOptions.CookieSecret, store.CookieOptions.CookieExpire) if !ok { // Cookie is invalid, create a new ticket return newTicket() diff --git a/pkg/sessions/session_store_test.go b/pkg/sessions/session_store_test.go index 47ad4b76..fd0b0e58 100644 --- a/pkg/sessions/session_store_test.go +++ b/pkg/sessions/session_store_test.go 
@@ -13,10 +13,10 @@ import ( "github.com/alicebob/miniredis" . "github.com/onsi/ginkgo" . "github.com/onsi/gomega" - "github.com/pusher/oauth2_proxy/cookie" "github.com/pusher/oauth2_proxy/pkg/apis/options" sessionsapi "github.com/pusher/oauth2_proxy/pkg/apis/sessions" "github.com/pusher/oauth2_proxy/pkg/cookies" + "github.com/pusher/oauth2_proxy/pkg/encryption" "github.com/pusher/oauth2_proxy/pkg/sessions" sessionscookie "github.com/pusher/oauth2_proxy/pkg/sessions/cookie" "github.com/pusher/oauth2_proxy/pkg/sessions/redis" @@ -158,7 +158,7 @@ var _ = Describe("NewSessionStore", func() { BeforeEach(func() { By("Using a valid cookie with a different providers session encoding") broken := "BrokenSessionFromADifferentSessionImplementation" - value := cookie.SignedValue(cookieOpts.CookieSecret, cookieOpts.CookieName, broken, time.Now()) + value := encryption.SignedValue(cookieOpts.CookieSecret, cookieOpts.CookieName, broken, time.Now()) cookie := cookies.MakeCookieFromOptions(request, cookieOpts.CookieName, value, cookieOpts, cookieOpts.CookieExpire, time.Now()) request.AddCookie(cookie) @@ -354,7 +354,7 @@ var _ = Describe("NewSessionStore", func() { _, err := rand.Read(secret) Expect(err).ToNot(HaveOccurred()) cookieOpts.CookieSecret = base64.URLEncoding.EncodeToString(secret) - cipher, err := cookie.NewCipher(utils.SecretBytes(cookieOpts.CookieSecret)) + cipher, err := encryption.NewCipher(utils.SecretBytes(cookieOpts.CookieSecret)) Expect(err).ToNot(HaveOccurred()) Expect(cipher).ToNot(BeNil()) opts.Cipher = cipher diff --git a/pkg/sessions/utils/utils.go b/pkg/sessions/utils/utils.go index 051e9cc6..1fb27f4d 100644 --- a/pkg/sessions/utils/utils.go +++ b/pkg/sessions/utils/utils.go 
@@ -3,17 +3,17 @@ package utils import ( "encoding/base64" - "github.com/pusher/oauth2_proxy/cookie" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" + "github.com/pusher/oauth2_proxy/pkg/encryption" ) // CookieForSession serializes a session state for storage in a cookie -func CookieForSession(s *sessions.SessionState, c *cookie.Cipher) (string, error) { +func CookieForSession(s *sessions.SessionState, c *encryption.Cipher) (string, error) { return s.EncodeSessionState(c) } // SessionFromCookie deserializes a session from a cookie value -func SessionFromCookie(v string, c *cookie.Cipher) (s *sessions.SessionState, err error) { +func SessionFromCookie(v string, c *encryption.Cipher) (s *sessions.SessionState, err error) { return sessions.DecodeSessionState(v, c) } diff --git a/providers/provider_default.go b/providers/provider_default.go index 47160148..d87b939c 100644 --- a/providers/provider_default.go +++ b/providers/provider_default.go @@ -10,8 +10,8 @@ import ( "net/url" "time" - "github.com/pusher/oauth2_proxy/cookie" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" + "github.com/pusher/oauth2_proxy/pkg/encryption" ) // Redeem provides a default implementation of the OAuth2 token redemption process @@ -96,12 +96,12 @@ func (p *ProviderData) GetLoginURL(redirectURI, state string) string { } // CookieForSession serializes a session state for storage in a cookie -func (p *ProviderData) CookieForSession(s *sessions.SessionState, c *cookie.Cipher) (string, error) { +func (p *ProviderData) CookieForSession(s *sessions.SessionState, c *encryption.Cipher) (string, error) { return s.EncodeSessionState(c) } // SessionFromCookie deserializes a session from a cookie value -func (p *ProviderData) SessionFromCookie(v string, c *cookie.Cipher) (s *sessions.SessionState, err error) { +func (p *ProviderData) SessionFromCookie(v string, c *encryption.Cipher) (s *sessions.SessionState, err error) { return sessions.DecodeSessionState(v, c) } 
diff --git a/providers/providers.go b/providers/providers.go index 57ace415..baf723d9 100644 --- a/providers/providers.go +++ b/providers/providers.go @@ -1,8 +1,8 @@ package providers import ( - "github.com/pusher/oauth2_proxy/cookie" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" + "github.com/pusher/oauth2_proxy/pkg/encryption" ) // Provider represents an upstream identity provider implementation @@ -15,8 +15,8 @@ type Provider interface { ValidateSessionState(*sessions.SessionState) bool GetLoginURL(redirectURI, finalRedirect string) string RefreshSessionIfNeeded(*sessions.SessionState) (bool, error) - SessionFromCookie(string, *cookie.Cipher) (*sessions.SessionState, error) - CookieForSession(*sessions.SessionState, *cookie.Cipher) (string, error) + SessionFromCookie(string, *encryption.Cipher) (*sessions.SessionState, error) + CookieForSession(*sessions.SessionState, *encryption.Cipher) (string, error) } // New provides a new Provider based on the configured provider string From fb9616160e7406c804e60f08bd73223ce5d1e40f Mon Sep 17 00:00:00 2001 From: Joel Speed Date: Fri, 24 May 2019 17:08:48 +0100 Subject: [PATCH 03/10] Move logger to pkg/logger --- htpasswd.go | 2 +- http.go | 2 +- logging_handler.go | 2 +- logging_handler_test.go | 2 +- main.go | 2 +- oauthproxy.go | 2 +- oauthproxy_test.go | 2 +- options.go | 2 +- pkg/cookies/cookies.go | 2 +- {logger => pkg/logger}/logger.go | 0 pkg/requests/requests.go | 2 +- providers/azure.go | 2 +- providers/github.go | 2 +- providers/gitlab.go | 2 +- providers/google.go | 2 +- providers/internal_util.go | 2 +- templates.go | 2 +- validator.go | 2 +- watcher.go | 2 +- watcher_unsupported.go | 2 +- 20 files changed, 19 insertions(+), 19 deletions(-) rename {logger => pkg/logger}/logger.go (100%) diff --git a/htpasswd.go b/htpasswd.go index 0166e08e..b7c8d579 100644 --- a/htpasswd.go +++ b/htpasswd.go 
@@ -7,7 +7,7 @@ import ( "io" "os" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" "golang.org/x/crypto/bcrypt" ) diff --git a/http.go b/http.go index 8ccc6f63..2cee227b 100644 --- a/http.go +++ b/http.go @@ -7,7 +7,7 @@ import ( "strings" "time" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" ) // Server represents an HTTP server diff --git a/logging_handler.go b/logging_handler.go index 77c2fca1..b4f829d8 100644 --- a/logging_handler.go +++ b/logging_handler.go @@ -10,7 +10,7 @@ import ( "net/http" "time" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" ) // responseLogger is wrapper of http.ResponseWriter that keeps track of its HTTP status diff --git a/logging_handler_test.go b/logging_handler_test.go index f92c7e0d..fd77e0f5 100644 --- a/logging_handler_test.go +++ b/logging_handler_test.go @@ -9,7 +9,7 @@ import ( "testing" "time" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" ) func TestLoggingHandler_ServeHTTP(t *testing.T) { diff --git a/main.go b/main.go index a66c4fce..8af64614 100644 --- a/main.go +++ b/main.go @@ -12,7 +12,7 @@ import ( "github.com/BurntSushi/toml" options "github.com/mreiferson/go-options" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" ) func main() { diff --git a/oauthproxy.go b/oauthproxy.go index 62d1a18a..fc4bb43d 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -14,7 +14,7 @@ import ( "time" "github.com/mbland/hmacauth" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" sessionsapi "github.com/pusher/oauth2_proxy/pkg/apis/sessions" "github.com/pusher/oauth2_proxy/pkg/encryption" "github.com/pusher/oauth2_proxy/providers" diff --git a/oauthproxy_test.go b/oauthproxy_test.go index 1d09bbb9..2fa3e009 100644 --- a/oauthproxy_test.go +++ b/oauthproxy_test.go 
@@ -15,7 +15,7 @@ import ( "time" "github.com/mbland/hmacauth" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" "github.com/pusher/oauth2_proxy/pkg/sessions/cookie" "github.com/pusher/oauth2_proxy/providers" diff --git a/options.go b/options.go index 2b506e34..5053e943 100644 --- a/options.go +++ b/options.go @@ -17,7 +17,7 @@ import ( oidc "github.com/coreos/go-oidc" "github.com/dgrijalva/jwt-go" "github.com/mbland/hmacauth" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" "github.com/pusher/oauth2_proxy/pkg/apis/options" sessionsapi "github.com/pusher/oauth2_proxy/pkg/apis/sessions" "github.com/pusher/oauth2_proxy/pkg/encryption" diff --git a/pkg/cookies/cookies.go b/pkg/cookies/cookies.go index 08e6a9bf..5a7343b6 100644 --- a/pkg/cookies/cookies.go +++ b/pkg/cookies/cookies.go @@ -6,7 +6,7 @@ import ( "strings" "time" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" "github.com/pusher/oauth2_proxy/pkg/apis/options" ) diff --git a/logger/logger.go b/pkg/logger/logger.go similarity index 100% rename from logger/logger.go rename to pkg/logger/logger.go diff --git a/pkg/requests/requests.go b/pkg/requests/requests.go index aac22e47..82d1176a 100644 --- a/pkg/requests/requests.go +++ b/pkg/requests/requests.go @@ -7,7 +7,7 @@ import ( "net/http" "github.com/bitly/go-simplejson" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" ) // Request parses the request body into a simplejson.Json object diff --git a/providers/azure.go b/providers/azure.go index 31544328..12e23207 100644 --- a/providers/azure.go +++ b/providers/azure.go 
@@ -7,7 +7,7 @@ import ( "net/url" "github.com/bitly/go-simplejson" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" "github.com/pusher/oauth2_proxy/pkg/requests" ) diff --git a/providers/github.go b/providers/github.go index b60ffe1a..e1a7ed84 100644 --- a/providers/github.go +++ b/providers/github.go @@ -10,7 +10,7 @@ import ( "strconv" "strings" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" ) diff --git a/providers/gitlab.go b/providers/gitlab.go index c9a4a1fc..f8e6739e 100644 --- a/providers/gitlab.go +++ b/providers/gitlab.go @@ -4,7 +4,7 @@ import ( "net/http" "net/url" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" "github.com/pusher/oauth2_proxy/pkg/requests" ) diff --git a/providers/google.go b/providers/google.go index 6f29c2c5..e7821e24 100644 --- a/providers/google.go +++ b/providers/google.go @@ -13,7 +13,7 @@ import ( "strings" "time" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" "github.com/pusher/oauth2_proxy/pkg/apis/sessions" "golang.org/x/oauth2" "golang.org/x/oauth2/google" diff --git a/providers/internal_util.go b/providers/internal_util.go index bb5f4f54..0cf2a122 100644 --- a/providers/internal_util.go +++ b/providers/internal_util.go @@ -5,7 +5,7 @@ import ( "net/http" "net/url" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" "github.com/pusher/oauth2_proxy/pkg/requests" ) diff --git a/templates.go b/templates.go index ec1ba873..99637ed3 100644 --- a/templates.go +++ b/templates.go @@ -4,7 +4,7 @@ import ( "html/template" "path" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" ) func loadTemplates(dir string) *template.Template { 
diff --git a/validator.go b/validator.go index 1a5c465b..a0dc5850 100644 --- a/validator.go +++ b/validator.go @@ -8,7 +8,7 @@ import ( "sync/atomic" "unsafe" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" ) // UserMap holds information from the authenticated emails file diff --git a/watcher.go b/watcher.go index 34e98d76..ed2bc0ed 100644 --- a/watcher.go +++ b/watcher.go @@ -7,7 +7,7 @@ import ( "path/filepath" "time" - "github.com/pusher/oauth2_proxy/logger" + "github.com/pusher/oauth2_proxy/pkg/logger" fsnotify "gopkg.in/fsnotify/fsnotify.v1" ) diff --git a/watcher_unsupported.go b/watcher_unsupported.go index 1f6e3fc6..ff708b72 100644 --- a/watcher_unsupported.go +++ b/watcher_unsupported.go @@ -2,7 +2,7 @@ package main -import "github.com/pusher/oauth2_proxy/logger" +import "github.com/pusher/oauth2_proxy/pkg/logger" func WatchForUpdates(filename string, done <-chan bool, action func()) { logger.Printf("file watching not implemented on this platform") From 417fde190cf719999cd8cf9d3aa6cb06a7c1ba30 Mon Sep 17 00:00:00 2001 From: Joel Speed Date: Sat, 15 Jun 2019 11:22:41 +0200 Subject: [PATCH 04/10] Update changelog --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f3fc3d8..634cbd0b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -14,6 +14,7 @@ ## Changes since v3.2.0 +- [#187](https://github.com/pusher/oauth2_proxy/pull/187) Move root packages to pkg folder (@JoelSpeed) - [#175](https://github.com/pusher/outh2_proxy/pull/175) Bump go-oidc to v2.0.0 (@aeijdenberg). - Includes fix for potential signature checking issue when OIDC discovery is skipped. - [#155](https://github.com/pusher/outh2_proxy/pull/155) Add RedisSessionStore implementation (@brianv0, @JoelSpeed) 
@@ -24,7 +25,7 @@ - `-redis-sentinel-master-name` Sets the Sentinel master name, if sentinel is enabled - `-redis-sentinel-connection-urls` Defines the Redis Sentinel Connection URLs, if sentinel is enabled - Introduces the concept of a session ticket. Tickets are composed of the cookie name, a session ID, and a secret. - - Redis Sessions are stored encrypted with a per-session secret + - Redis Sessions are stored encrypted with a per-session secret - Added tests for server based session stores - [#168](https://github.com/pusher/outh2_proxy/pull/168) Drop Go 1.11 support in Travis (@JoelSpeed) - [#169](https://github.com/pusher/outh2_proxy/pull/169) Update Alpine to 3.9 (@kskewes) From 636669092744c0362dbec14471b8b7f59b88509c Mon Sep 17 00:00:00 2001 From: Joel Speed Date: Sat, 15 Jun 2019 11:33:29 +0200 Subject: [PATCH 05/10] Fix gofmt for changed files --- oauthproxy.go | 2 +- oauthproxy_test.go | 2 +- options.go | 2 +- pkg/cookies/cookies.go | 2 +- providers/azure.go | 2 +- providers/github.go | 2 +- providers/gitlab.go | 2 +- providers/google.go | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/oauthproxy.go b/oauthproxy.go index fc4bb43d..b431d67f 100644 --- a/oauthproxy.go +++ b/oauthproxy.go @@ -14,9 +14,9 @@ import ( "time" "github.com/mbland/hmacauth" - "github.com/pusher/oauth2_proxy/pkg/logger" sessionsapi "github.com/pusher/oauth2_proxy/pkg/apis/sessions" "github.com/pusher/oauth2_proxy/pkg/encryption" + "github.com/pusher/oauth2_proxy/pkg/logger" "github.com/pusher/oauth2_proxy/providers" "github.com/yhat/wsutil" ) diff --git a/oauthproxy_test.go b/oauthproxy_test.go index 2fa3e009..b278fd49 100644 --- a/oauthproxy_test.go +++ b/oauthproxy_test.go 
@@ -15,8 +15,8 @@ import (
 	"time"
 
 	"github.com/mbland/hmacauth"
-	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
+	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"github.com/pusher/oauth2_proxy/pkg/sessions/cookie"
 	"github.com/pusher/oauth2_proxy/providers"
 	"github.com/stretchr/testify/assert"
diff --git a/options.go b/options.go
index 5053e943..c7d5d520 100644
--- a/options.go
+++ b/options.go
@@ -17,10 +17,10 @@ import (
 	oidc "github.com/coreos/go-oidc"
 	"github.com/dgrijalva/jwt-go"
 	"github.com/mbland/hmacauth"
-	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"github.com/pusher/oauth2_proxy/pkg/apis/options"
 	sessionsapi "github.com/pusher/oauth2_proxy/pkg/apis/sessions"
 	"github.com/pusher/oauth2_proxy/pkg/encryption"
+	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"github.com/pusher/oauth2_proxy/pkg/sessions"
 	"github.com/pusher/oauth2_proxy/providers"
 	"gopkg.in/natefinch/lumberjack.v2"
diff --git a/pkg/cookies/cookies.go b/pkg/cookies/cookies.go
index 5a7343b6..75b93e4d 100644
--- a/pkg/cookies/cookies.go
+++ b/pkg/cookies/cookies.go
@@ -6,8 +6,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"github.com/pusher/oauth2_proxy/pkg/apis/options"
+	"github.com/pusher/oauth2_proxy/pkg/logger"
 )
 
 // MakeCookie constructs a cookie from the given parameters,
diff --git a/providers/azure.go b/providers/azure.go
index 12e23207..653090b0 100644
--- a/providers/azure.go
+++ b/providers/azure.go
@@ -7,8 +7,8 @@ import (
 	"net/url"
 
 	"github.com/bitly/go-simplejson"
-	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
+	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"github.com/pusher/oauth2_proxy/pkg/requests"
 )
 
diff --git a/providers/github.go b/providers/github.go
index e1a7ed84..ba58bb1e 100644
--- a/providers/github.go
+++ b/providers/github.go
@@ -10,8 +10,8 @@ import (
 	"strconv"
 	"strings"
 
-	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
+	"github.com/pusher/oauth2_proxy/pkg/logger"
 )
 
 // GitHubProvider represents an GitHub based Identity Provider
diff --git a/providers/gitlab.go b/providers/gitlab.go
index f8e6739e..663ebd45 100644
--- a/providers/gitlab.go
+++ b/providers/gitlab.go
@@ -4,8 +4,8 @@ import (
 	"net/http"
 	"net/url"
 
-	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
+	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"github.com/pusher/oauth2_proxy/pkg/requests"
 )
 
diff --git a/providers/google.go b/providers/google.go
index e7821e24..6f53887a 100644
--- a/providers/google.go
+++ b/providers/google.go
@@ -13,8 +13,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"github.com/pusher/oauth2_proxy/pkg/apis/sessions"
+	"github.com/pusher/oauth2_proxy/pkg/logger"
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 	admin "google.golang.org/api/admin/directory/v1"
From 27bdb194b1ce7ad7e79ae47343d5c7d2794cfb31 Mon Sep 17 00:00:00 2001
From: Henry Jenkins
Date: Sat, 13 Jul 2019 22:14:05 +0100
Subject: [PATCH 06/10] Update to Alpine 3.10
---
 Dockerfile | 2 +-
 Dockerfile.arm64 | 2 +-
 Dockerfile.armv6 | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 757a1f5f..53fca885 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,7 +21,7 @@ RUN dep ensure --vendor-only
 RUN ./configure && make build && touch jwt_signing_key.pem
 
 # Copy binary to alpine
-FROM alpine:3.9
+FROM alpine:3.10
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /go/src/github.com/pusher/oauth2_proxy/oauth2_proxy /bin/oauth2_proxy
 COPY --from=builder /go/src/github.com/pusher/oauth2_proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem
diff --git a/Dockerfile.arm64 b/Dockerfile.arm64
index f4bf495a..1db90501 100644
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@@ -21,7 +21,7 @@ RUN dep ensure --vendor-only
 RUN ./configure && GOARCH=arm64 make build && touch jwt_signing_key.pem
 
 # Copy binary to alpine
-FROM arm64v8/alpine:3.9
+FROM arm64v8/alpine:3.10
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /go/src/github.com/pusher/oauth2_proxy/oauth2_proxy /bin/oauth2_proxy
 COPY --from=builder /go/src/github.com/pusher/oauth2_proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem
diff --git a/Dockerfile.armv6 b/Dockerfile.armv6
index 32bb1242..40cc5f5d 100644
--- a/Dockerfile.armv6
+++ b/Dockerfile.armv6
@@ -21,7 +21,7 @@ RUN dep ensure --vendor-only
 RUN ./configure && GOARCH=arm GOARM=6 make build && touch jwt_signing_key.pem
 
 # Copy binary to alpine
-FROM arm32v6/alpine:3.9
+FROM arm32v6/alpine:3.10
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /go/src/github.com/pusher/oauth2_proxy/oauth2_proxy /bin/oauth2_proxy
 COPY --from=builder /go/src/github.com/pusher/oauth2_proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem
From e92e2f0cb45ad34fd1c81bc84adec76c0c61ac18 Mon Sep 17 00:00:00 2001
From: Henry Jenkins
Date: Sun, 14 Jul 2019 13:32:37 +0100
Subject: [PATCH 07/10] Update CHANGELOG
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ed9d4dfc..839a7207 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -65,6 +65,7 @@ - [#195](https://github.com/pusher/outh2_proxy/pull/195) Add `-banner` flag for overriding the banner line that is displayed (@steakunderscore) - [#198](https://github.com/pusher/outh2_proxy/pull/198) Switch from gometalinter to golangci-lint (@steakunderscore) - [#159](https://github.com/pusher/oauth2_proxy/pull/159) Add option to skip the OIDC provider verified email check: `--insecure-oidc-allow-unverified-email` +- [#210](https://github.com/pusher/oauth2_proxy/pull/210) Update base image from Alpine 3.9 to 3.10 (@steakunderscore) # v3.2.0
From f0d006259ea302cf1d03d6fe1239a92181ba8511 Mon Sep 17 00:00:00 2001
From: Joel Speed
Date: Sun, 9 Jun 2019 23:47:18 +0200
Subject: [PATCH 08/10] Ensure all options use a consistent format for flag vs cfg vs env
---
 options.go | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/options.go b/options.go
index 09416837..f1874f36 100644
--- a/options.go
+++ b/options.go
@@ -29,7 +29,7 @@ import (
 // Options holds Configuration Options that can be set by Command Line Flag,
 // or Config File
 type Options struct {
-	ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy-prefix" env:"OAUTH2_PROXY_PROXY_PREFIX"`
+	ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy_prefix" env:"OAUTH2_PROXY_PROXY_PREFIX"`
 	ProxyWebSockets bool `flag:"proxy-websockets" cfg:"proxy_websockets" env:"OAUTH2_PROXY_PROXY_WEBSOCKETS"`
 	HTTPAddress string `flag:"http-address" cfg:"http_address" env:"OAUTH2_PROXY_HTTP_ADDRESS"`
 	HTTPSAddress string `flag:"https-address" cfg:"https_address" env:"OAUTH2_PROXY_HTTPS_ADDRESS"`
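Review bot: The `cfg` key on ProxyPrefix changes from `proxy-prefix` to `proxy_prefix` with no alias for the old spelling, so a config file that still says `proxy-prefix` will, if the loader ignores unknown keys, silently fall back to the default prefix and change which request paths the proxy handles itself. The env renames in the next hunk have the same shape: a deployment still exporting `OAUTH2_SKIP_OIDC_DISCOVERY` or `OAUTH2_OIDC_JWKS_URL` presumably gets discovery re-enabled and its JWKS URL discarded with no message. Consider having the options loader, outside this hunk, warn or fail at startup when one of these legacy keys or variables is present, or at least annotate the field with `// cfg key was "proxy-prefix" before #186; no alias is accepted` so the break is visible next to the tag. The Options struct continues past the end of this hunk.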
@@ -82,8 +82,8 @@ type Options struct {
 	Provider string `flag:"provider" cfg:"provider" env:"OAUTH2_PROXY_PROVIDER"`
 	OIDCIssuerURL string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url" env:"OAUTH2_PROXY_OIDC_ISSUER_URL"`
 	InsecureOIDCAllowUnverifiedEmail bool `flag:"insecure-oidc-allow-unverified-email" cfg:"insecure_oidc_allow_unverified_email" env:"OAUTH2_PROXY_INSECURE_OIDC_ALLOW_UNVERIFIED_EMAIL"`
-	SkipOIDCDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery" env:"OAUTH2_SKIP_OIDC_DISCOVERY"`
-	OIDCJwksURL string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url" env:"OAUTH2_OIDC_JWKS_URL"`
+	SkipOIDCDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery" env:"OAUTH2_PROXY_SKIP_OIDC_DISCOVERY"`
+	OIDCJwksURL string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url" env:"OAUTH2_PROXY_OIDC_JWKS_URL"`
 	LoginURL string `flag:"login-url" cfg:"login_url" env:"OAUTH2_PROXY_LOGIN_URL"`
 	RedeemURL string `flag:"redeem-url" cfg:"redeem_url" env:"OAUTH2_PROXY_REDEEM_URL"`
 	ProfileURL string `flag:"profile-url" cfg:"profile_url" env:"OAUTH2_PROXY_PROFILE_URL"`
@@ -93,18 +93,18 @@ type Options struct {
 	ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt" env:"OAUTH2_PROXY_APPROVAL_PROMPT"`
 
 	// Configuration values for logging
-	LoggingFilename string `flag:"logging-filename" cfg:"logging_filename" env:"OAUTH2_LOGGING_FILENAME"`
-	LoggingMaxSize int `flag:"logging-max-size" cfg:"logging_max_size" env:"OAUTH2_LOGGING_MAX_SIZE"`
-	LoggingMaxAge int `flag:"logging-max-age" cfg:"logging_max_age" env:"OAUTH2_LOGGING_MAX_AGE"`
-	LoggingMaxBackups int `flag:"logging-max-backups" cfg:"logging_max_backups" env:"OAUTH2_LOGGING_MAX_BACKUPS"`
-	LoggingLocalTime bool `flag:"logging-local-time" cfg:"logging_local_time" env:"OAUTH2_LOGGING_LOCAL_TIME"`
-	LoggingCompress bool `flag:"logging-compress" cfg:"logging_compress" env:"OAUTH2_LOGGING_COMPRESS"`
-	StandardLogging bool `flag:"standard-logging" cfg:"standard_logging" env:"OAUTH2_STANDARD_LOGGING"`
-	StandardLoggingFormat string `flag:"standard-logging-format" cfg:"standard_logging_format" env:"OAUTH2_STANDARD_LOGGING_FORMAT"`
-	RequestLogging bool `flag:"request-logging" cfg:"request_logging" env:"OAUTH2_REQUEST_LOGGING"`
-	RequestLoggingFormat string `flag:"request-logging-format" cfg:"request_logging_format" env:"OAUTH2_REQUEST_LOGGING_FORMAT"`
-	AuthLogging bool `flag:"auth-logging" cfg:"auth_logging" env:"OAUTH2_LOGGING_AUTH_LOGGING"`
-	AuthLoggingFormat string `flag:"auth-logging-format" cfg:"auth_logging_format" env:"OAUTH2_AUTH_LOGGING_FORMAT"`
+	LoggingFilename string `flag:"logging-filename" cfg:"logging_filename" env:"OAUTH2_PROXY_LOGGING_FILENAME"`
+	LoggingMaxSize int `flag:"logging-max-size" cfg:"logging_max_size" env:"OAUTH2_PROXY_LOGGING_MAX_SIZE"`
+	LoggingMaxAge int `flag:"logging-max-age" cfg:"logging_max_age" env:"OAUTH2_PROXY_LOGGING_MAX_AGE"`
+	LoggingMaxBackups int `flag:"logging-max-backups" cfg:"logging_max_backups" env:"OAUTH2_PROXY_LOGGING_MAX_BACKUPS"`
+	LoggingLocalTime bool `flag:"logging-local-time" cfg:"logging_local_time" env:"OAUTH2_PROXY_LOGGING_LOCAL_TIME"`
+	LoggingCompress bool `flag:"logging-compress" cfg:"logging_compress" env:"OAUTH2_PROXY_LOGGING_COMPRESS"`
+	StandardLogging bool `flag:"standard-logging" cfg:"standard_logging" env:"OAUTH2_PROXY_STANDARD_LOGGING"`
+	StandardLoggingFormat string `flag:"standard-logging-format" cfg:"standard_logging_format" env:"OAUTH2_PROXY_STANDARD_LOGGING_FORMAT"`
+	RequestLogging bool `flag:"request-logging" cfg:"request_logging" env:"OAUTH2_PROXY_REQUEST_LOGGING"`
+	RequestLoggingFormat string `flag:"request-logging-format" cfg:"request_logging_format" env:"OAUTH2_PROXY_REQUEST_LOGGING_FORMAT"`
+	AuthLogging bool `flag:"auth-logging" cfg:"auth_logging" env:"OAUTH2_PROXY_LOGGING_AUTH_LOGGING"`
+	AuthLoggingFormat string `flag:"auth-logging-format" cfg:"auth_logging_format" env:"OAUTH2_PROXY_AUTH_LOGGING_FORMAT"`
 
 	SignatureKey string `flag:"signature-key" cfg:"signature_key" env:"OAUTH2_PROXY_SIGNATURE_KEY"`
 	AcrValues string `flag:"acr-values" cfg:"acr_values" env:"OAUTH2_PROXY_ACR_VALUES"`
From bdcdfb74f97fe2341956315bc75951b03e387669 Mon Sep 17 00:00:00 2001
From: Joel Speed
Date: Sat, 15 Jun 2019 11:12:21 +0200
Subject: [PATCH 09/10] Update docs and changelog
---
 CHANGELOG.md | 17 +++++++++++++++--
 docs/configuration/configuration.md | 17 +++++++----------
 2 files changed, 22 insertions(+), 12 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 5c1bb1f7..27c20a9b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
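Review bot: The new `env` tag on AuthLogging, `OAUTH2_PROXY_LOGGING_AUTH_LOGGING`, does not follow the rule this commit applies to every other field in the hunk (flag name upper-cased, hyphens to underscores, `OAUTH2_PROXY_` prefix), which would give `OAUTH2_PROXY_AUTH_LOGGING`; the stray `LOGGING_` segment from the old `OAUTH2_LOGGING_AUTH_LOGGING` was carried over. The documentation added in patch 09/10 states that derivation rule as universal, so an operator who follows it will export a variable that is never read and get the default for authentication logging with no error, which is a quiet way to lose the audit trail for sign-ins. Change the tag to `env:"OAUTH2_PROXY_AUTH_LOGGING"` and, if the old spelling must keep working for existing deployments, have the options loader read it as a fallback. The Options struct continues outside this hunk.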
@@ -2,6 +2,18 @@ ## Breaking Changes +- [#186](https://github.com/pusher/oauth2_proxy/pull/186) Make config consistent + - This PR changes configuration options so that all flags have a config counterpart + of the same name but with underscores (`_`) in place of hyphens (`-`). + This change affects the following existing configuration options: + - The `proxy-prefix` option is now `proxy_prefix`. + - This PR changes environment variables so that all flags have an environment + counterpart of the same name but capitalised, with underscores (`_`) in place + of hyphens (`-`) and with the prefix `OAUTH2_PROXY_`. + This change affects the following existing environment variables: + - The `OAUTH2_SKIP_OIDC_DISCOVERY` environment variable is now `OAUTH2_PROXY_SKIP_OIDC_DISCOVERY`. + - The `OAUTH2_OIDC_JWKS_URL` environment variable is now `OAUTH2_PROXY_OIDC_JWKS_URL`. + - [#146](https://github.com/pusher/oauth2_proxy/pull/146) Use full email address as `User` if the auth response did not contain a `User` field (@gargath) - This change modifies the contents of the `X-Forwarded-User` header supplied by the proxy for users where the auth response from the IdP did not contain a username. 
@@ -14,10 +26,11 @@ ## Changes since v3.2.0 +- [#186](https://github.com/pusher/oauth2_proxy/pull/186) Make config consistent (@JoelSpeed) - [#187](https://github.com/pusher/oauth2_proxy/pull/187) Move root packages to pkg folder (@JoelSpeed) - [#65](https://github.com/pusher/oauth2_proxy/pull/65) Improvements to authenticate requests with a JWT bearer token in the `Authorization` header via - the `-skip-jwt-bearer-token` options. - - Additional verifiers can be configured via the `-extra-jwt-issuers` flag if the JWT issuers is either an OpenID provider or has a JWKS URL + the `-skip-jwt-bearer-token` options. + - Additional verifiers can be configured via the `-extra-jwt-issuers` flag if the JWT issuers is either an OpenID provider or has a JWKS URL (e.g. `https://example.com/.well-known/jwks.json`). - [#180](https://github.com/pusher/outh2_proxy/pull/180) Minor refactor of core proxying path (@aeijdenberg). - [#175](https://github.com/pusher/outh2_proxy/pull/175) Bump go-oidc to v2.0.0 (@aeijdenberg).
diff --git a/docs/configuration/configuration.md b/docs/configuration/configuration.md
index 016fe3a9..dad9ea10 100644
--- a/docs/configuration/configuration.md
+++ b/docs/configuration/configuration.md
@@ -120,17 +120,14 @@ Multiple upstreams can either be configured by supplying a comma separated list ### Environment variables -The following environment variables can be used in place of the corresponding command-line arguments: +Every command line argument can be specified as an environment variable by +prefixing it with `OAUTH2_PROXY_`, capitalising it, and replacing hypens (`-`) +with underscores (`_`). This is particularly useful for storing secrets outside +of a configuration file or the command line. + +For example, the `--cookie-secret` flag becomes `OAUTH2_PROXY_COOKIE_SECRET` and +the `--set-authorization-header` flag becomes `OAUTH2_PROXY_SET_AUTHORIZATION_HEADER`. -- `OAUTH2_PROXY_CLIENT_ID` -- `OAUTH2_PROXY_CLIENT_SECRET` -- `OAUTH2_PROXY_COOKIE_NAME` -- `OAUTH2_PROXY_COOKIE_SECRET` -- `OAUTH2_PROXY_COOKIE_DOMAIN` -- `OAUTH2_PROXY_COOKIE_PATH` -- `OAUTH2_PROXY_COOKIE_EXPIRE` -- `OAUTH2_PROXY_COOKIE_REFRESH` -- `OAUTH2_PROXY_SIGNATURE_KEY` ## Logging Configuration
From 874c147e04210662f80c533fe09e22cea47498ad Mon Sep 17 00:00:00 2001
From: Joel Speed
Date: Fri, 21 Jun 2019 15:44:06 +0100
Subject: [PATCH 10/10] Fix tls-key-file and tls-cert-file consistency
---
 CHANGELOG.md | 7 ++++++-
 options.go | 4 ++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 27c20a9b..e3e458d6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,9 +5,14 @@ - [#186](https://github.com/pusher/oauth2_proxy/pull/186) Make config consistent - This PR changes configuration options so that all flags have a config counterpart of the same name but with underscores (`_`) in place of hyphens (`-`). + This change affects the following flags: + - The `--tls-key` flag is now `--tls-key-file` to be consistent with existing + file flags and the existing config and environment settings + - The `--tls-cert` flag is now `--tls-cert-file` to be consistent with existing + file flags and the existing config and environment settings This change affects the following existing configuration options: - The `proxy-prefix` option is now `proxy_prefix`. - - This PR changes environment variables so that all flags have an environment + This PR changes environment variables so that all flags have an environment counterpart of the same name but capitalised, with underscores (`_`) in place of hyphens (`-`) and with the prefix `OAUTH2_PROXY_`. This change affects the following existing environment variables:
diff --git a/options.go b/options.go
index f1874f36..f1ca55d2 100644
--- a/options.go
+++ b/options.go
@@ -36,8 +36,8 @@ type Options struct {
 	RedirectURL string `flag:"redirect-url" cfg:"redirect_url" env:"OAUTH2_PROXY_REDIRECT_URL"`
 	ClientID string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"`
 	ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`
-	TLSCertFile string `flag:"tls-cert" cfg:"tls_cert_file" env:"OAUTH2_PROXY_TLS_CERT_FILE"`
-	TLSKeyFile string `flag:"tls-key" cfg:"tls_key_file" env:"OAUTH2_PROXY_TLS_KEY_FILE"`
+	TLSCertFile string `flag:"tls-cert-file" cfg:"tls_cert_file" env:"OAUTH2_PROXY_TLS_CERT_FILE"`
+	TLSKeyFile string `flag:"tls-key-file" cfg:"tls_key_file" env:"OAUTH2_PROXY_TLS_KEY_FILE"`
 	AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file" env:"OAUTH2_PROXY_AUTHENTICATED_EMAILS_FILE"`
 	AzureTenant string `flag:"azure-tenant" cfg:"azure_tenant" env:"OAUTH2_PROXY_AZURE_TENANT"`