Convert legacy request authorization to structured

pkg/apis/options/legacy_authorization.go

@@ -0,0 +1,83 @@
+package options
+
+import (
+	"strings"
+
+	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
+	"github.com/spf13/pflag"
+)
+
+type LegacyAuthorization struct {
+	SkipAuthRegex     []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
+	SkipAuthRoutes    []string `flag:"skip-auth-route" cfg:"skip_auth_routes"`
+	SkipAuthPreflight bool     `flag:"skip-auth-preflight" cfg:"skip_auth_preflight"`
+	TrustedIPs        []string `flag:"trusted-ip" cfg:"trusted_ips"`
+}
+
+func legacyAuthorizationFlagSet() *pflag.FlagSet {
+	flagSet := pflag.NewFlagSet("authorization", pflag.ExitOnError)
+
+	return flagSet
+}
+
+func (l *LegacyAuthorization) convert() Authorization {
+	auth := Authorization{}
+
+	if l.SkipAuthPreflight {
+		auth.RequestRules = append(auth.RequestRules, AuthorizationRule{
+			ID:      "skip-auth-preflight",
+			Methods: []string{"OPTIONS"},
+		})
+	}
+
+	auth.RequestRules = append(auth.RequestRules, convertSkipAuthRegex(l.SkipAuthRegex)...)
+	auth.RequestRules = append(auth.RequestRules, convertSkipAuthRoutes(l.SkipAuthRoutes)...)
+
+	if len(l.TrustedIPs) > 0 {
+		auth.RequestRules = append(auth.RequestRules, AuthorizationRule{
+			ID:     "trusted-ips",
+			Policy: AllowPolicy,
+			IPs:    l.TrustedIPs,
+		})
+	}
+
+	return auth
+}
+
+func convertSkipAuthRegex(regexes []string) []AuthorizationRule {
+	rules := []AuthorizationRule{}
+
+	for _, regex := range regexes {
+		logger.Printf("Skipping auth - Method: ALL | Path: %s", regex)
+		rules = append(rules, AuthorizationRule{
+			ID:   regex,
+			Path: regex,
+		})
+	}
+
+	return rules
+}
+
+func convertSkipAuthRoutes(routes []string) []AuthorizationRule {
+	rules := []AuthorizationRule{}
+
+	for _, route := range routes {
+		method, path := splitMethodPath(route)
+		logger.Printf("Skipping auth - Method: %s | Path: %s", method, path)
+		rules = append(rules, AuthorizationRule{
+			ID:      route,
+			Path:    path,
+			Methods: []string{method},
+		})
+	}
+
+	return rules
+}
+
+func splitMethodPath(methodPath string) (string, string) {
+	parts := strings.SplitN(methodPath, "=", 2)
+	if len(parts) == 1 {
+		return "", parts[0]
+	}
+	return strings.ToUpper(parts[0]), parts[1]
+}

pkg/apis/options/legacy_options.go

@@ -12,6 +12,9 @@ import (
 )
 
 type LegacyOptions struct {
+	// LegacyAuthorization options related to authorization
+	LegacyAuthorization LegacyAuthorization `cfg:",squash"`
+
 	// Legacy options related to upstream servers
 	LegacyUpstreams LegacyUpstreams `cfg:",squash"`
 
@@ -65,6 +68,7 @@ func NewLegacyOptions() *LegacyOptions {
 func NewLegacyFlagSet() *pflag.FlagSet {
 	flagSet := NewFlagSet()
 
+	flagSet.AddFlagSet(legacyAuthorizationFlagSet())
 	flagSet.AddFlagSet(legacyUpstreamsFlagSet())
 	flagSet.AddFlagSet(legacyHeadersFlagSet())
 	flagSet.AddFlagSet(legacyServerFlagset())
@@ -74,6 +78,8 @@ func NewLegacyFlagSet() *pflag.FlagSet {
 }
 
 func (l *LegacyOptions) ToOptions() (*Options, error) {
+	l.Options.Authorization = l.LegacyAuthorization.convert()
+
 	upstreams, err := l.LegacyUpstreams.convert()
 	if err != nil {
 		return nil, fmt.Errorf("error converting upstreams: %v", err)

pkg/apis/options/load_test.go

@@ -54,7 +54,6 @@ var _ = Describe("Load", func() {
 			Cookie:             cookieDefaults(),
 			Session:            sessionOptionsDefaults(),
 			Templates:          templatesDefaults(),
-			SkipAuthPreflight:  false,
 			Logging:            loggingDefaults(),
 		},
 	}

pkg/apis/options/options.go

@@ -18,14 +18,13 @@ type SignatureData struct {
 // Options holds Configuration Options that can be set by Command Line Flag,
 // or Config File
 type Options struct {
-	ProxyPrefix        string   `flag:"proxy-prefix" cfg:"proxy_prefix"`
+	ProxyPrefix        string `flag:"proxy-prefix" cfg:"proxy_prefix"`
-	PingPath           string   `flag:"ping-path" cfg:"ping_path"`
+	PingPath           string `flag:"ping-path" cfg:"ping_path"`
-	PingUserAgent      string   `flag:"ping-user-agent" cfg:"ping_user_agent"`
+	PingUserAgent      string `flag:"ping-user-agent" cfg:"ping_user_agent"`
-	ReverseProxy       bool     `flag:"reverse-proxy" cfg:"reverse_proxy"`
+	ReverseProxy       bool   `flag:"reverse-proxy" cfg:"reverse_proxy"`
-	RealClientIPHeader string   `flag:"real-client-ip-header" cfg:"real_client_ip_header"`
+	RealClientIPHeader string `flag:"real-client-ip-header" cfg:"real_client_ip_header"`
-	TrustedIPs         []string `flag:"trusted-ip" cfg:"trusted_ips"`
+	ForceHTTPS         bool   `flag:"force-https" cfg:"force_https"`
-	ForceHTTPS         bool     `flag:"force-https" cfg:"force_https"`
+	RawRedirectURL     string `flag:"redirect-url" cfg:"redirect_url"`
-	RawRedirectURL     string   `flag:"redirect-url" cfg:"redirect_url"`
 
 	AuthenticatedEmailsFile string   `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
 	EmailDomains            []string `flag:"email-domain" cfg:"email_domains"`
@@ -51,13 +50,10 @@ type Options struct {
 	Authorization Authorization `cfg:",internal"`
 	Providers     Providers     `cfg:",internal"`
 
-	SkipAuthRegex         []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
-	SkipAuthRoutes        []string `flag:"skip-auth-route" cfg:"skip_auth_routes"`
 	SkipJwtBearerTokens   bool     `flag:"skip-jwt-bearer-tokens" cfg:"skip_jwt_bearer_tokens"`
 	ExtraJwtIssuers       []string `flag:"extra-jwt-issuers" cfg:"extra_jwt_issuers"`
 	SkipProviderButton    bool     `flag:"skip-provider-button" cfg:"skip_provider_button"`
 	SSLInsecureSkipVerify bool     `flag:"ssl-insecure-skip-verify" cfg:"ssl_insecure_skip_verify"`
-	SkipAuthPreflight     bool     `flag:"skip-auth-preflight" cfg:"skip_auth_preflight"`
 	ForceJSONErrors       bool     `flag:"force-json-errors" cfg:"force_json_errors"`
 
 	SignatureKey    string `flag:"signature-key" cfg:"signature_key"`
@@ -101,7 +97,6 @@ func NewOptions() *Options {
 		Cookie:             cookieDefaults(),
 		Session:            sessionOptionsDefaults(),
 		Templates:          templatesDefaults(),
-		SkipAuthPreflight:  false,
 		Logging:            loggingDefaults(),
 	}
 }