mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-21 00:29:44 +02:00

Fixup main

Joel Speed
2021-10-06 17:12:03 +01:00
parent c2acf47199
commit 8356d29fcd
5 changed files with 31 additions and 22 deletions


@ -6,7 +6,7 @@ import (
) )
var ( var (
infoLogger = klog.V(logger.CoreInfo) infoLogger = func() klog.Verbose { return klog.V(logger.CoreInfo) }
debugLogger = klog.V(logger.CoreDebug) debugLogger = func() klog.Verbose { return klog.V(logger.CoreDebug) }
traceLogger = klog.V(logger.CoreTrace) traceLogger = func() klog.Verbose { return klog.V(logger.CoreTrace) }
) )
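Review bot: The var block gives no reason why `infoLogger`, `debugLogger` and `traceLogger` are now functions rather than `klog.Verbose` values, so a later maintainer could easily fold them back into plain values. `klog.V` decides whether a level is enabled at the moment it is called, so the old package-level values were presumably fixed before the verbosity had been configured. I would add above the block: `// klog.V checks the verbosity level when called, so these are functions that must be invoked at each log site, after klog has been configured.`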

13
main.go

@ -52,12 +52,12 @@ func main() {
// When running with trace logging, start by logging the observed config. // When running with trace logging, start by logging the observed config.
// This will help users to determine if they have configured the proxy correctly. // This will help users to determine if they have configured the proxy correctly.
// NOTE: This data is not scrubbed and may contain secrets! // NOTE: This data is not scrubbed and may contain secrets!
if traceLogger.Enabled() { if traceLogger().Enabled() {
config, err := json.Marshal(opts) config, err := json.Marshal(opts)
if err != nil { if err != nil {
klog.Fatalf("ERROR: %v", err) klog.Fatalf("ERROR: %v", err)
} }
traceLogger.Infof("Observed configuration: %s", string(config)) traceLogger().Infof("Observed configuration: %s", string(config))
} }
if *convertConfig { if *convertConfig {
@ -199,4 +199,13 @@ func configureKlog(logLevel int) {
} }
klog.SetOutput(logger.StdKlogErrorLogger) klog.SetOutput(logger.StdKlogErrorLogger)
klog.SetOutputBySeverity("INFO", logger.StdKlogInfoLogger) klog.SetOutputBySeverity("INFO", logger.StdKlogInfoLogger)
klog.V(1).Infof("Klog level 1")
klog.V(2).Infof("Klog level 2")
klog.V(3).Infof("Klog level 3")
klog.V(4).Infof("Klog level 4")
klog.V(5).Infof("Klog level 5")
klog.V(6).Infof("Klog level 6")
klog.V(7).Infof("Klog level 7")
klog.V(8).Infof("Klog level 8")
} }
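Review bot: In the first hunk, `traceLogger().Enabled()` is now evaluated when main() runs, so the branch that marshals `opts` and logs it unscrubbed can presumably be reached whenever trace verbosity is set, which the old package-level value may never have allowed. The existing NOTE says this output may contain secrets, so the dump would land in whatever sink collects the proxy's logs. Prefer marshalling a copy of the options with the secret-bearing fields cleared (their names are outside this hunk); at minimum add `klog.Warning("trace logging is enabled: the observed configuration is logged unscrubbed and may contain secrets")` before the Infof call. main() begins and continues outside the hunk.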


@ -106,7 +106,7 @@ func NewOAuthProxy(opts *options.Options, validator func(string) bool) (*OAuthPr
var basicAuthValidator basic.Validator var basicAuthValidator basic.Validator
if opts.HtpasswdFile != "" { if opts.HtpasswdFile != "" {
infoLogger.Infof("using htpasswd file: %s", opts.HtpasswdFile) infoLogger().Infof("using htpasswd file: %s", opts.HtpasswdFile)
var err error var err error
basicAuthValidator, err = basic.NewHTPasswdValidator(opts.HtpasswdFile) basicAuthValidator, err = basic.NewHTPasswdValidator(opts.HtpasswdFile)
if err != nil { if err != nil {
@ -135,9 +135,9 @@ func NewOAuthProxy(opts *options.Options, validator func(string) bool) (*OAuthPr
} }
if opts.SkipJwtBearerTokens { if opts.SkipJwtBearerTokens {
infoLogger.Infof("Skipping JWT tokens from configured OIDC issuer: %q", opts.Providers[0].OIDCConfig.IssuerURL) infoLogger().Infof("Skipping JWT tokens from configured OIDC issuer: %q", opts.Providers[0].OIDCConfig.IssuerURL)
for _, issuer := range opts.ExtraJwtIssuers { for _, issuer := range opts.ExtraJwtIssuers {
infoLogger.Infof("Skipping JWT tokens from extra JWT issuer: %q", issuer) infoLogger().Infof("Skipping JWT tokens from extra JWT issuer: %q", issuer)
} }
} }
redirectURL := opts.GetRedirectURL() redirectURL := opts.GetRedirectURL()
@ -145,13 +145,13 @@ func NewOAuthProxy(opts *options.Options, validator func(string) bool) (*OAuthPr
redirectURL.Path = fmt.Sprintf("%s/callback", opts.ProxyPrefix) redirectURL.Path = fmt.Sprintf("%s/callback", opts.ProxyPrefix)
} }
infoLogger.Infof("OAuthProxy configured for %s Client ID: %s", opts.GetProvider().Data().ProviderName, opts.Providers[0].ClientID) infoLogger().Infof("OAuthProxy configured for %s Client ID: %s", opts.GetProvider().Data().ProviderName, opts.Providers[0].ClientID)
refresh := "disabled" refresh := "disabled"
if opts.Cookie.Refresh != time.Duration(0) { if opts.Cookie.Refresh != time.Duration(0) {
refresh = fmt.Sprintf("after %s", opts.Cookie.Refresh) refresh = fmt.Sprintf("after %s", opts.Cookie.Refresh)
} }
infoLogger.Infof("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domains:%s path:%s samesite:%s refresh:%s", opts.Cookie.Name, opts.Cookie.Secure, opts.Cookie.HTTPOnly, opts.Cookie.Expire, strings.Join(opts.Cookie.Domains, ","), opts.Cookie.Path, opts.Cookie.SameSite, refresh) infoLogger().Infof("Cookie settings: name:%s secure(https):%v httponly:%v expiry:%s domains:%s path:%s samesite:%s refresh:%s", opts.Cookie.Name, opts.Cookie.Secure, opts.Cookie.HTTPOnly, opts.Cookie.Expire, strings.Join(opts.Cookie.Domains, ","), opts.Cookie.Path, opts.Cookie.SameSite, refresh)
trustedIPs := ip.NewNetSet() trustedIPs := ip.NewNetSet()
for _, ipStr := range opts.TrustedIPs { for _, ipStr := range opts.TrustedIPs {
@ -425,7 +425,7 @@ func buildRoutesAllowlist(opts *options.Options) ([]allowedRoute, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
infoLogger.Infof("Skipping auth - Method: ALL | Path: %s", path) infoLogger().Infof("Skipping auth - Method: ALL | Path: %s", path)
routes = append(routes, allowedRoute{ routes = append(routes, allowedRoute{
method: "", method: "",
pathRegex: compiledRegex, pathRegex: compiledRegex,
@ -451,7 +451,7 @@ func buildRoutesAllowlist(opts *options.Options) ([]allowedRoute, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
infoLogger.Infof("Skipping auth - Method: %s | Path: %s", method, path) infoLogger().Infof("Skipping auth - Method: %s | Path: %s", method, path)
routes = append(routes, allowedRoute{ routes = append(routes, allowedRoute{
method: method, method: method,
pathRegex: compiledRegex, pathRegex: compiledRegex,
@ -491,7 +491,7 @@ func (p *OAuthProxy) ErrorPage(rw http.ResponseWriter, req *http.Request, code i
redirectURL = "/" redirectURL = "/"
} }
debugLogger.Infof("Rendering error page (status %d) for application error: %v", code, appError) debugLogger().Infof("Rendering error page (status %d) for application error: %v", code, appError)
scope := middlewareapi.GetRequestScope(req) scope := middlewareapi.GetRequestScope(req)
p.pageWriter.WriteErrorPage(rw, pagewriter.ErrorPageOpts{ p.pageWriter.WriteErrorPage(rw, pagewriter.ErrorPageOpts{
@ -507,7 +507,7 @@ func (p *OAuthProxy) ErrorPage(rw http.ResponseWriter, req *http.Request, code i
func (p *OAuthProxy) IsAllowedRequest(req *http.Request) bool { func (p *OAuthProxy) IsAllowedRequest(req *http.Request) bool {
isPreflightRequestAllowed := p.skipAuthPreflight && req.Method == "OPTIONS" isPreflightRequestAllowed := p.skipAuthPreflight && req.Method == "OPTIONS"
if isPreflightRequestAllowed { if isPreflightRequestAllowed {
traceLogger.Infof("Request %s: Allowed as preflight request", middlewareapi.GetRequestScope(req).RequestID) traceLogger().Infof("Request %s: Allowed as preflight request", middlewareapi.GetRequestScope(req).RequestID)
} }
return isPreflightRequestAllowed || p.isAllowedRoute(req) || p.isTrustedIP(req) return isPreflightRequestAllowed || p.isAllowedRoute(req) || p.isTrustedIP(req)
} }
@ -516,7 +516,7 @@ func (p *OAuthProxy) IsAllowedRequest(req *http.Request) bool {
func (p *OAuthProxy) isAllowedRoute(req *http.Request) bool { func (p *OAuthProxy) isAllowedRoute(req *http.Request) bool {
for _, route := range p.allowedRoutes { for _, route := range p.allowedRoutes {
if (route.method == "" || req.Method == route.method) && route.pathRegex.MatchString(req.URL.Path) { if (route.method == "" || req.Method == route.method) && route.pathRegex.MatchString(req.URL.Path) {
traceLogger.Infof("Request %s: Allowed by route match", middlewareapi.GetRequestScope(req).RequestID) traceLogger().Infof("Request %s: Allowed by route match", middlewareapi.GetRequestScope(req).RequestID)
return true return true
} }
} }
@ -541,7 +541,7 @@ func (p *OAuthProxy) isTrustedIP(req *http.Request) bool {
} }
if p.trustedIPs.Has(remoteAddr) { if p.trustedIPs.Has(remoteAddr) {
traceLogger.Infof("Request %s: allowed by trusted IP", middlewareapi.GetRequestScope(req).RequestID) traceLogger().Infof("Request %s: allowed by trusted IP", middlewareapi.GetRequestScope(req).RequestID)
return true return true
} }
return false return false
@ -767,7 +767,7 @@ func (p *OAuthProxy) OAuthCallback(rw http.ResponseWriter, req *http.Request) {
p.provider.ValidateSession(req.Context(), session) p.provider.ValidateSession(req.Context(), session)
if !p.redirectValidator.IsValidRedirect(appRedirect) { if !p.redirectValidator.IsValidRedirect(appRedirect) {
debugLogger.Infof("Request %s: Rejected invalid redirect: %s", middlewareapi.GetRequestScope(req).RequestID, appRedirect) debugLogger().Infof("Request %s: Rejected invalid redirect: %s", middlewareapi.GetRequestScope(req).RequestID, appRedirect)
appRedirect = "/" appRedirect = "/"
} }
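Review bot: The last hunk's `debugLogger().Infof("Request %s: Rejected invalid redirect: %s", ...)` in OAuthCallback formats `appRedirect` with `%s`, and that value appears to come from the request, so a redirect value containing line breaks could split or forge log entries once debug logging is on. The issuer log lines earlier in this file already use `%q`; the same verb here keeps the value quoted and escaped: `debugLogger().Infof("Request %s: Rejected invalid redirect: %q", middlewareapi.GetRequestScope(req).RequestID, appRedirect)`. OAuthCallback starts and ends outside the hunk, so where `appRedirect` is derived is not visible here.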


@ -25,7 +25,7 @@ func NewUserMap(usersFile string, done <-chan bool, onUpdate func()) *UserMap {
m := make(map[string]bool) m := make(map[string]bool)
atomic.StorePointer(&um.m, unsafe.Pointer(&m)) // #nosec G103 atomic.StorePointer(&um.m, unsafe.Pointer(&m)) // #nosec G103
if usersFile != "" { if usersFile != "" {
infoLogger.Infof("Using authenticated emails file %s", usersFile) infoLogger().Infof("Using authenticated emails file %s", usersFile)
WatchForUpdates(usersFile, done, func() { WatchForUpdates(usersFile, done, func() {
um.LoadAuthenticatedEmailsFile() um.LoadAuthenticatedEmailsFile()
onUpdate() onUpdate()


@ -26,7 +26,7 @@ func WaitForReplacement(filename string, op fsnotify.Op,
for { for {
if _, err := os.Stat(filename); err == nil { if _, err := os.Stat(filename); err == nil {
if err := watcher.Add(filename); err == nil { if err := watcher.Add(filename); err == nil {
infoLogger.Infof("watching resumed for %s", filename) infoLogger().Infof("watching resumed for %s", filename)
return return
} }
} }
@ -51,7 +51,7 @@ func WatchForUpdates(filename string, done <-chan bool, action func()) {
for { for {
select { select {
case <-done: case <-done:
infoLogger.Infof("Shutting down watcher for: %s", filename) infoLogger().Infof("Shutting down watcher for: %s", filename)
return return
case event := <-watcher.Events: case event := <-watcher.Events:
// On Arch Linux, it appears Chmod events precede Remove events, // On Arch Linux, it appears Chmod events precede Remove events,
@ -60,7 +60,7 @@ func WatchForUpdates(filename string, done <-chan bool, action func()) {
// UserMap.LoadAuthenticatedEmailsFile()) crashes when the file // UserMap.LoadAuthenticatedEmailsFile()) crashes when the file
// can't be opened. // can't be opened.
if event.Op&(fsnotify.Remove|fsnotify.Rename|fsnotify.Chmod) != 0 { if event.Op&(fsnotify.Remove|fsnotify.Rename|fsnotify.Chmod) != 0 {
infoLogger.Infof("Watching interrupted on event: %s", event) infoLogger().Infof("Watching interrupted on event: %s", event)
err = watcher.Remove(filename) err = watcher.Remove(filename)
if err != nil { if err != nil {
klog.Errorf("error removing watcher on %s: %v", filename, err) klog.Errorf("error removing watcher on %s: %v", filename, err)
@ -77,5 +77,5 @@ func WatchForUpdates(filename string, done <-chan bool, action func()) {
if err = watcher.Add(filename); err != nil { if err = watcher.Add(filename); err != nil {
klog.Fatalf("Failed to add %s to watcher: %v", filename, err) klog.Fatalf("Failed to add %s to watcher: %v", filename, err)
} }
infoLogger.Infof("Watching %s for updates", filename) infoLogger().Infof("Watching %s for updates", filename)
} }