mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2024-11-28 09:08:44 +02:00
Merge pull request #110 from timothy-spencer/gcphealthcheck
added an option to enable GCP healthcheck endpoints
This commit is contained in:
commit
e9d4f6e0a1
@ -2,6 +2,7 @@
|
||||
|
||||
## Changes since v3.1.0
|
||||
|
||||
- [#110](https://github.com/pusher/oauth2_proxy/pull/110) Added GCP healthcheck option (@timothy-spencer)
|
||||
- [#112](https://github.com/pusher/oauth2_proxy/pull/112) Improve websocket support (@gyson)
|
||||
- [#63](https://github.com/pusher/oauth2_proxy/pull/63) Use encoding/json for SessionState serialization (@yaegashi)
|
||||
- Use JSON to encode session state to be stored in browser cookies
|
||||
|
@ -48,7 +48,7 @@ Valid providers are :
|
||||
- [GitHub](#github-auth-provider)
|
||||
- [GitLab](#gitlab-auth-provider)
|
||||
- [LinkedIn](#linkedin-auth-provider)
|
||||
- [login.gov](#login.gov-provider)
|
||||
- [login.gov](#logingov-provider)
|
||||
|
||||
The provider can be selected using the `provider` configuration value.
|
||||
|
||||
@ -272,6 +272,7 @@ Usage of oauth2_proxy:
|
||||
-email-domain value: authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email
|
||||
-flush-interval: period between flushing response buffers when streaming responses (default "1s")
|
||||
-footer string: custom footer string. Use "-" to disable default footer.
|
||||
-gcp-healthchecks: will enable /liveness_check, /readiness_check, and / (with the proper user-agent) endpoints that will make it work well with GCP App Engine and GKE Ingresses (default false)
|
||||
-github-org string: restrict logins to members of this organisation
|
||||
-github-team string: restrict logins to members of any of these teams (slug), separated by a comma
|
||||
-google-admin-email string: the google admin to impersonate for api calls
|
||||
|
39
http.go
39
http.go
@ -24,6 +24,45 @@ func (s *Server) ListenAndServe() {
|
||||
}
|
||||
}
|
||||
|
||||
// Used with gcpHealthcheck()
|
||||
const userAgentHeader = "User-Agent"
|
||||
const googleHealthCheckUserAgent = "GoogleHC/1.0"
|
||||
const rootPath = "/"
|
||||
|
||||
// gcpHealthcheck handles healthcheck queries from GCP.
|
||||
func gcpHealthcheck(h http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
// Check for liveness and readiness: used for Google App Engine
|
||||
if r.URL.EscapedPath() == "/liveness_check" {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
w.Write([]byte("OK"))
|
||||
return
|
||||
}
|
||||
if r.URL.EscapedPath() == "/readiness_check" {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
w.Write([]byte("OK"))
|
||||
return
|
||||
}
|
||||
|
||||
// Check for GKE ingress healthcheck: The ingress requires the root
|
||||
// path of the target to return a 200 (OK) to indicate the service's good health. This can be quite a challenging demand
|
||||
// depending on the application's path structure. This middleware filters out the requests from the health check by
|
||||
//
|
||||
// 1. checking that the request path is indeed the root path
|
||||
// 2. ensuring that the User-Agent is "GoogleHC/1.0", the health checker
|
||||
// 3. ensuring the request method is "GET"
|
||||
if r.URL.Path == rootPath &&
|
||||
r.Header.Get(userAgentHeader) == googleHealthCheckUserAgent &&
|
||||
r.Method == http.MethodGet {
|
||||
|
||||
w.WriteHeader(http.StatusOK)
|
||||
return
|
||||
}
|
||||
|
||||
h.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
|
||||
// ServeHTTP constructs a net.Listener and starts handling HTTP requests
|
||||
func (s *Server) ServeHTTP() {
|
||||
HTTPAddress := s.Opts.HTTPAddress
|
||||
|
105
http_test.go
Normal file
105
http_test.go
Normal file
@ -0,0 +1,105 @@
|
||||
package main
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"testing"
|
||||
|
||||
"github.com/stretchr/testify/assert"
|
||||
)
|
||||
|
||||
func TestGCPHealthcheckLiveness(t *testing.T) {
|
||||
handler := func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("test"))
|
||||
}
|
||||
|
||||
h := gcpHealthcheck(http.HandlerFunc(handler))
|
||||
rw := httptest.NewRecorder()
|
||||
r, _ := http.NewRequest("GET", "/liveness_check", nil)
|
||||
r.RemoteAddr = "127.0.0.1"
|
||||
r.Host = "test-server"
|
||||
h.ServeHTTP(rw, r)
|
||||
|
||||
assert.Equal(t, 200, rw.Code)
|
||||
assert.Equal(t, "OK", rw.Body.String())
|
||||
}
|
||||
|
||||
func TestGCPHealthcheckReadiness(t *testing.T) {
|
||||
handler := func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("test"))
|
||||
}
|
||||
|
||||
h := gcpHealthcheck(http.HandlerFunc(handler))
|
||||
rw := httptest.NewRecorder()
|
||||
r, _ := http.NewRequest("GET", "/readiness_check", nil)
|
||||
r.RemoteAddr = "127.0.0.1"
|
||||
r.Host = "test-server"
|
||||
h.ServeHTTP(rw, r)
|
||||
|
||||
assert.Equal(t, 200, rw.Code)
|
||||
assert.Equal(t, "OK", rw.Body.String())
|
||||
}
|
||||
|
||||
func TestGCPHealthcheckNotHealthcheck(t *testing.T) {
|
||||
handler := func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("test"))
|
||||
}
|
||||
|
||||
h := gcpHealthcheck(http.HandlerFunc(handler))
|
||||
rw := httptest.NewRecorder()
|
||||
r, _ := http.NewRequest("GET", "/not_any_check", nil)
|
||||
r.RemoteAddr = "127.0.0.1"
|
||||
r.Host = "test-server"
|
||||
h.ServeHTTP(rw, r)
|
||||
|
||||
assert.Equal(t, "test", rw.Body.String())
|
||||
}
|
||||
|
||||
func TestGCPHealthcheckIngress(t *testing.T) {
|
||||
handler := func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("test"))
|
||||
}
|
||||
|
||||
h := gcpHealthcheck(http.HandlerFunc(handler))
|
||||
rw := httptest.NewRecorder()
|
||||
r, _ := http.NewRequest("GET", "/", nil)
|
||||
r.RemoteAddr = "127.0.0.1"
|
||||
r.Host = "test-server"
|
||||
r.Header.Set(userAgentHeader, googleHealthCheckUserAgent)
|
||||
h.ServeHTTP(rw, r)
|
||||
|
||||
assert.Equal(t, 200, rw.Code)
|
||||
assert.Equal(t, "", rw.Body.String())
|
||||
}
|
||||
|
||||
func TestGCPHealthcheckNotIngress(t *testing.T) {
|
||||
handler := func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("test"))
|
||||
}
|
||||
|
||||
h := gcpHealthcheck(http.HandlerFunc(handler))
|
||||
rw := httptest.NewRecorder()
|
||||
r, _ := http.NewRequest("GET", "/foo", nil)
|
||||
r.RemoteAddr = "127.0.0.1"
|
||||
r.Host = "test-server"
|
||||
r.Header.Set(userAgentHeader, googleHealthCheckUserAgent)
|
||||
h.ServeHTTP(rw, r)
|
||||
|
||||
assert.Equal(t, "test", rw.Body.String())
|
||||
}
|
||||
|
||||
func TestGCPHealthcheckNotIngressPut(t *testing.T) {
|
||||
handler := func(w http.ResponseWriter, req *http.Request) {
|
||||
w.Write([]byte("test"))
|
||||
}
|
||||
|
||||
h := gcpHealthcheck(http.HandlerFunc(handler))
|
||||
rw := httptest.NewRecorder()
|
||||
r, _ := http.NewRequest("PUT", "/", nil)
|
||||
r.RemoteAddr = "127.0.0.1"
|
||||
r.Host = "test-server"
|
||||
r.Header.Set(userAgentHeader, googleHealthCheckUserAgent)
|
||||
h.ServeHTTP(rw, r)
|
||||
|
||||
assert.Equal(t, "test", rw.Body.String())
|
||||
}
|
10
main.go
10
main.go
@ -5,6 +5,7 @@ import (
|
||||
"fmt"
|
||||
"log"
|
||||
"math/rand"
|
||||
"net/http"
|
||||
"os"
|
||||
"runtime"
|
||||
"strings"
|
||||
@ -92,6 +93,7 @@ func main() {
|
||||
flagSet.String("acr-values", "http://idmanagement.gov/ns/assurance/loa/1", "acr values string: optional, used by login.gov")
|
||||
flagSet.String("jwt-key", "", "private key used to sign JWT: required by login.gov")
|
||||
flagSet.String("pubjwk-url", "", "JWK pubkey access endpoint: required by login.gov")
|
||||
flagSet.Bool("gcp-healthchecks", false, "Enable GCP/GKE healthcheck endpoints")
|
||||
|
||||
flagSet.Parse(os.Args[1:])
|
||||
|
||||
@ -139,8 +141,14 @@ func main() {
|
||||
|
||||
rand.Seed(time.Now().UnixNano())
|
||||
|
||||
var handler http.Handler
|
||||
if opts.GCPHealthChecks {
|
||||
handler = gcpHealthcheck(LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging, opts.RequestLoggingFormat))
|
||||
} else {
|
||||
handler = LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging, opts.RequestLoggingFormat)
|
||||
}
|
||||
s := &Server{
|
||||
Handler: LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging, opts.RequestLoggingFormat),
|
||||
Handler: handler,
|
||||
Opts: opts,
|
||||
}
|
||||
s.ListenAndServe()
|
||||
|
@ -86,10 +86,11 @@ type Options struct {
|
||||
RequestLogging bool `flag:"request-logging" cfg:"request_logging" env:"OAUTH2_PROXY_REQUEST_LOGGING"`
|
||||
RequestLoggingFormat string `flag:"request-logging-format" cfg:"request_logging_format" env:"OAUTH2_PROXY_REQUEST_LOGGING_FORMAT"`
|
||||
|
||||
SignatureKey string `flag:"signature-key" cfg:"signature_key" env:"OAUTH2_PROXY_SIGNATURE_KEY"`
|
||||
AcrValues string `flag:"acr-values" cfg:"acr_values" env:"OAUTH2_PROXY_ACR_VALUES"`
|
||||
JWTKey string `flag:"jwt-key" cfg:"jwt_key" env:"OAUTH2_PROXY_JWT_KEY"`
|
||||
PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url" env:"OAUTH2_PROXY_PUBJWK_URL"`
|
||||
SignatureKey string `flag:"signature-key" cfg:"signature_key" env:"OAUTH2_PROXY_SIGNATURE_KEY"`
|
||||
AcrValues string `flag:"acr-values" cfg:"acr_values" env:"OAUTH2_PROXY_ACR_VALUES"`
|
||||
JWTKey string `flag:"jwt-key" cfg:"jwt_key" env:"OAUTH2_PROXY_JWT_KEY"`
|
||||
PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url" env:"OAUTH2_PROXY_PUBJWK_URL"`
|
||||
GCPHealthChecks bool `flag:"gcp-healthchecks" cfg:"gcp_healthchecks" env:"OAUTH2_PROXY_GCP_HEALTHCHECKS"`
|
||||
|
||||
// internal values that are set after config validation
|
||||
redirectURL *url.URL
|
||||
|
@ -268,3 +268,9 @@ func TestSkipOIDCDiscovery(t *testing.T) {
|
||||
|
||||
assert.Equal(t, nil, o.Validate())
|
||||
}
|
||||
|
||||
func TestGCPHealthcheck(t *testing.T) {
|
||||
o := testOptions()
|
||||
o.GCPHealthChecks = true
|
||||
assert.Equal(t, nil, o.Validate())
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user