diff --git a/pkg/apis/options/cookie.go b/pkg/apis/options/cookie.go
index e3e18e0e..6a9b1ca6 100644
--- a/pkg/apis/options/cookie.go
+++ b/pkg/apis/options/cookie.go
@@ -1,6 +1,10 @@
 package options
 
-import "time"
+import (
+	"time"
+
+	"github.com/spf13/pflag"
+)
 
 // CookieOptions contains configuration options relating to Cookie configuration
 type CookieOptions struct {
@@ -14,3 +18,34 @@ type CookieOptions struct {
 	HTTPOnly bool `flag:"cookie-httponly" cfg:"cookie_httponly"`
 	SameSite string `flag:"cookie-samesite" cfg:"cookie_samesite"`
 }
+
+func cookieFlagSet() *pflag.FlagSet {
+	flagSet := pflag.NewFlagSet("cookie", pflag.ExitOnError)
+
+	flagSet.String("cookie-name", "_oauth2_proxy", "the name of the cookie that the oauth_proxy creates")
+	flagSet.String("cookie-secret", "", "the seed string for secure cookies (optionally base64 encoded)")
+	flagSet.StringSlice("cookie-domain", []string{}, "Optional cookie domains to force cookies to (ie: `.yourcompany.com`). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match).")
+	flagSet.String("cookie-path", "/", "an optional cookie path to force cookies to (ie: /poc/)*")
+	flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
+	flagSet.Duration("cookie-refresh", time.Duration(0), "refresh the cookie after this duration; 0 to disable")
+	flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
+	flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")
+	flagSet.String("cookie-samesite", "", "set SameSite cookie attribute (ie: \"lax\", \"strict\", \"none\", or \"\"). ")
+
+	return flagSet
+}
+
+// defaultCookieOptions creates a CookieOptions populating each field with its default value
+func defaultCookieOptions() CookieOptions {
+	return CookieOptions{
+		Name: "_oauth2_proxy",
+		Secret: "",
+		Domains: nil,
+		Path: "/",
+		Expire: time.Duration(168) * time.Hour,
+		Refresh: time.Duration(0),
+		Secure: true,
+		HTTPOnly: true,
+		SameSite: "",
+	}
+}
diff --git a/pkg/apis/options/options.go b/pkg/apis/options/options.go
index 1f113757..e933ca16 100644
--- a/pkg/apis/options/options.go
+++ b/pkg/apis/options/options.go
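Review bot: The cookie defaults now live in two places in this hunk — as literals in `cookieFlagSet` and again in `defaultCookieOptions` ("_oauth2_proxy", "/", 168h, Secure/HTTPOnly true) — so the flag help and the struct default can drift apart; lifting them into one `const`/`var` block in cookie.go that both functions read would keep them in step. They already disagree on Domains: the flag default is `[]string{}` while the struct default is `nil`, harmless for `len` checks but worth making identical. `cookieFlagSet` also lacks the doc comment its sibling has; suggest `// cookieFlagSet returns a pflag.FlagSet holding every cookie-* flag together with its default value.` Minor nit carried over unchanged from options.go: the `cookie-samesite` help string ends in `"). "` with a trailing space.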
@@ -153,14 +153,7 @@ func NewOptions() *Options {
 		RealClientIPHeader: "X-Real-IP",
 		ForceHTTPS: false,
 		DisplayHtpasswdForm: true,
-		Cookie: CookieOptions{
-			Name: "_oauth2_proxy",
-			Secure: true,
-			HTTPOnly: true,
-			Expire: time.Duration(168) * time.Hour,
-			Refresh: time.Duration(0),
-			Path: "/",
-		},
+		Cookie: defaultCookieOptions(),
 		Session: SessionOptions{
 			Type: "cookie",
 		},
@@ -245,17 +238,6 @@ func NewFlagSet() *pflag.FlagSet {
 	flagSet.String("ping-path", "/ping", "the ping endpoint that can be used for basic health checks")
 	flagSet.String("ping-user-agent", "", "special User-Agent that will be used for basic health checks")
 	flagSet.Bool("proxy-websockets", true, "enables WebSocket proxying")
-
-	flagSet.String("cookie-name", "_oauth2_proxy", "the name of the cookie that the oauth_proxy creates")
-	flagSet.String("cookie-secret", "", "the seed string for secure cookies (optionally base64 encoded)")
-	flagSet.StringSlice("cookie-domain", []string{}, "Optional cookie domains to force cookies to (ie: `.yourcompany.com`). The longest domain matching the request's host will be used (or the shortest cookie domain if there is no match).")
-	flagSet.String("cookie-path", "/", "an optional cookie path to force cookies to (ie: /poc/)*")
-	flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
-	flagSet.Duration("cookie-refresh", time.Duration(0), "refresh the cookie after this duration; 0 to disable")
-	flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
-	flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")
-	flagSet.String("cookie-samesite", "", "set SameSite cookie attribute (ie: \"lax\", \"strict\", \"none\", or \"\"). ")
-
 	flagSet.String("session-store-type", "cookie", "the session storage provider to use")
 	flagSet.String("redis-connection-url", "", "URL of redis server for redis session storage (eg: redis://HOST[:PORT])")
 	flagSet.Bool("redis-use-sentinel", false, "Connect to redis via sentinels. Must set --redis-sentinel-master-name and --redis-sentinel-connection-urls to use this feature")
@@ -292,6 +274,7 @@ func NewFlagSet() *pflag.FlagSet {
 
 	flagSet.String("user-id-claim", "email", "which claim contains the user ID")
 
+	flagSet.AddFlagSet(cookieFlagSet())
 	flagSet.AddFlagSet(loggingFlagSet())
 
 	return flagSet