go/oauth2-proxy
1
0
Fork 0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-05-27 23:08:10 +02:00
Code Issues Releases Activity

Convert legacy request authorization to structured

Browse Source
This commit is contained in:
Joel Speed 2022-04-24 18:44:13 +01:00
parent f403c696de
commit 96d5daaf4f
No known key found for this signature in database
GPG Key ID: 6E80578D6751DEFB
4 changed files with 96 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
pkg/apis/options/legacy_authorization.go Normal file
View File

@ -0,0 +1,83 @@
package options
import (
"strings"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
"github.com/spf13/pflag"
)
type LegacyAuthorization struct {
SkipAuthRegex []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
SkipAuthRoutes []string `flag:"skip-auth-route" cfg:"skip_auth_routes"`
SkipAuthPreflight bool `flag:"skip-auth-preflight" cfg:"skip_auth_preflight"`
TrustedIPs []string `flag:"trusted-ip" cfg:"trusted_ips"`
}
func legacyAuthorizationFlagSet() *pflag.FlagSet {
flagSet := pflag.NewFlagSet("authorization", pflag.ExitOnError)
return flagSet
}
func (l *LegacyAuthorization) convert() Authorization {
auth := Authorization{}
if l.SkipAuthPreflight {
auth.RequestRules = append(auth.RequestRules, AuthorizationRule{
ID: "skip-auth-preflight",
Methods: []string{"OPTIONS"},
})
}
auth.RequestRules = append(auth.RequestRules, convertSkipAuthRegex(l.SkipAuthRegex)...)
auth.RequestRules = append(auth.RequestRules, convertSkipAuthRoutes(l.SkipAuthRoutes)...)
if len(l.TrustedIPs) > 0 {
auth.RequestRules = append(auth.RequestRules, AuthorizationRule{
ID: "trusted-ips",
Policy: AllowPolicy,
IPs: l.TrustedIPs,
})
}
return auth
}
func convertSkipAuthRegex(regexes []string) []AuthorizationRule {
rules := []AuthorizationRule{}
for _, regex := range regexes {
logger.Printf("Skipping auth - Method: ALL | Path: %s", regex)
rules = append(rules, AuthorizationRule{
ID: regex,
Path: regex,
})
}
return rules
}
func convertSkipAuthRoutes(routes []string) []AuthorizationRule {
rules := []AuthorizationRule{}
for _, route := range routes {
method, path := splitMethodPath(route)
logger.Printf("Skipping auth - Method: %s | Path: %s", method, path)
rules = append(rules, AuthorizationRule{
ID: route,
Path: path,
Methods: []string{method},
})
}
return rules
}
func splitMethodPath(methodPath string) (string, string) {
parts := strings.SplitN(methodPath, "=", 2)
if len(parts) == 1 {
return "", parts[0]
}
return strings.ToUpper(parts[0]), parts[1]
}

6
pkg/apis/options/legacy_options.go
View File

@ -12,6 +12,9 @@ import (
)
type LegacyOptions struct {
// LegacyAuthorization options related to authorization
LegacyAuthorization LegacyAuthorization `cfg:",squash"`
// Legacy options related to upstream servers
LegacyUpstreams LegacyUpstreams `cfg:",squash"`
@ -65,6 +68,7 @@ func NewLegacyOptions() *LegacyOptions {
func NewLegacyFlagSet() *pflag.FlagSet {
flagSet := NewFlagSet()
flagSet.AddFlagSet(legacyAuthorizationFlagSet())
flagSet.AddFlagSet(legacyUpstreamsFlagSet())
flagSet.AddFlagSet(legacyHeadersFlagSet())
flagSet.AddFlagSet(legacyServerFlagset())
@ -74,6 +78,8 @@ func NewLegacyFlagSet() *pflag.FlagSet {
}
func (l *LegacyOptions) ToOptions() (*Options, error) {
l.Options.Authorization = l.LegacyAuthorization.convert()
upstreams, err := l.LegacyUpstreams.convert()
if err != nil {
return nil, fmt.Errorf("error converting upstreams: %v", err)

1
pkg/apis/options/load_test.go
View File

@ -54,7 +54,6 @@ var _ = Describe("Load", func() {
Cookie: cookieDefaults(),
Session: sessionOptionsDefaults(),
Templates: templatesDefaults(),
SkipAuthPreflight: false,
Logging: loggingDefaults(),
},
}

19
pkg/apis/options/options.go
View File

@ -18,14 +18,13 @@ type SignatureData struct {
// Options holds Configuration Options that can be set by Command Line Flag,
// or Config File
type Options struct {
ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy_prefix"`
PingPath string `flag:"ping-path" cfg:"ping_path"`
PingUserAgent string `flag:"ping-user-agent" cfg:"ping_user_agent"`
ReverseProxy bool `flag:"reverse-proxy" cfg:"reverse_proxy"`
RealClientIPHeader string `flag:"real-client-ip-header" cfg:"real_client_ip_header"`
TrustedIPs []string `flag:"trusted-ip" cfg:"trusted_ips"`
ForceHTTPS bool `flag:"force-https" cfg:"force_https"`
RawRedirectURL string `flag:"redirect-url" cfg:"redirect_url"`
ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy_prefix"`
PingPath string `flag:"ping-path" cfg:"ping_path"`
PingUserAgent string `flag:"ping-user-agent" cfg:"ping_user_agent"`
ReverseProxy bool `flag:"reverse-proxy" cfg:"reverse_proxy"`
RealClientIPHeader string `flag:"real-client-ip-header" cfg:"real_client_ip_header"`
ForceHTTPS bool `flag:"force-https" cfg:"force_https"`
RawRedirectURL string `flag:"redirect-url" cfg:"redirect_url"`
AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
EmailDomains []string `flag:"email-domain" cfg:"email_domains"`
@ -51,13 +50,10 @@ type Options struct {
Authorization Authorization `cfg:",internal"`
Providers Providers `cfg:",internal"`
SkipAuthRegex []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
SkipAuthRoutes []string `flag:"skip-auth-route" cfg:"skip_auth_routes"`
SkipJwtBearerTokens bool `flag:"skip-jwt-bearer-tokens" cfg:"skip_jwt_bearer_tokens"`
ExtraJwtIssuers []string `flag:"extra-jwt-issuers" cfg:"extra_jwt_issuers"`
SkipProviderButton bool `flag:"skip-provider-button" cfg:"skip_provider_button"`
SSLInsecureSkipVerify bool `flag:"ssl-insecure-skip-verify" cfg:"ssl_insecure_skip_verify"`
SkipAuthPreflight bool `flag:"skip-auth-preflight" cfg:"skip_auth_preflight"`
ForceJSONErrors bool `flag:"force-json-errors" cfg:"force_json_errors"`
SignatureKey string `flag:"signature-key" cfg:"signature_key"`
@ -101,7 +97,6 @@ func NewOptions() *Options {
Cookie: cookieDefaults(),
Session: sessionOptionsDefaults(),
Templates: templatesDefaults(),
SkipAuthPreflight: false,
Logging: loggingDefaults(),
}
}