1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-15 00:15:00 +02:00
Commit Graph

143 Commits

Author SHA1 Message Date
8d2fc409d8 Integrate new server implementation into main OAuth2 Proxy 2021-03-07 11:49:11 +00:00
a7c8a233ba Add Prometheus metrics endpoint
Add the Prometheus http.Handler to serve metrics at MetricsPath ("/metrics"
by default). This allows Prometheus to scrape metrics from OAuth2 Proxy.

Add a new middleware NewRequestMetrics and attach it to the preAuth
chain. This will collect metrics on all requests made to OAuth2 Proxy

Collapse some calls to Prinf() and os.Exit(1) to Fatalf as they are
equivalent. main() has a strict 50 lines limit so brevity in these
calls appreciated
2021-02-15 13:45:26 +00:00
ae17e38403 Ensure config flags get parsed correctly when other flags preceed them 2021-02-06 15:25:08 +00:00
b201dbb2d3 Add convert-config-to-alpha flag to convert existing configuration to alpha structure 2020-12-01 08:56:51 +00:00
f36dfbb494 Introduce alpha configuration loading 2020-12-01 08:56:49 +00:00
8059a812cd Integrate new header injectors with OAuth2 Proxy 2020-11-07 17:16:58 +00:00
3fa42edb73 Fix import path for v7 (#800)
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
d69fd6af22 Allow Logging to stdout with separate Error Log Channel (#718)
* Add dedicated error logging writer

* Document new errors to stdout flag

* Update changelog

* Thread-safe the log buffer

* Address feedback

* Remove duplication by adding log level

* Clean up error formatting

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-08-10 11:44:08 +01:00
e88d29f16a Refactor SignInMessage out of main 2020-08-09 07:55:41 -07:00
65c228394f Address gosec findings
Mostly handling unhandled errors appropriately.
If logging to STDERR fails, we panic. Added #nosec
comments to findings we are OK with.
2020-08-09 07:55:39 -07:00
5dbcd73722 Configure OAuth2 Proxy to use new upstreams package and LegacyConfig 2020-07-19 08:17:53 +01:00
2981a5ed1a Integrate HTPasswdValidator into OAuth2 Proxy 2020-07-18 11:01:49 +01:00
1c1106721e Move RedirectToHTTPS to middleware package
Moves the logic for redirecting to HTTPs to a middleware package and adds tests for this logic.
Also makes the functionality more useful, previously it always redirected to the HTTPS address of the proxy, which may not have been intended, now it will redirect based on if a port is provided in the URL (assume public facing 80 to 443 or 4180 to 8443 for example)
2020-07-03 17:19:09 +01:00
5ce9e75c21 Initialise Session Storage in NewOAuthProxy instead of validation 2020-06-28 12:32:06 +01:00
9bbd6adce9 Integrate HealthCheck middleware 2020-06-14 21:05:17 +01:00
189ed4de8f Move FlagSet to Options package 2020-05-21 22:43:42 +01:00
44b27e0208 Move Options and Validation to package 2020-05-21 22:43:42 +01:00
111d17efde Implements --real-client-ip-header option. (#503)
* Implements -real-client-ip-header option.

* The -real-client-ip-header determines what HTTP header is used for
  determining the "real client IP" of the remote client.
* The -real-client-ip-header option supports the following headers:
  X-Forwarded-For X-ProxyUser-IP and X-Real-IP (default).
* Introduces new realClientIPParser interface to allow for multiple
  polymorphic classes to decide how to determine the real client IP.
* TODO: implement the more standard, but more complex `Forwarded` HTTP
  header.

* Corrected order of expected/actual in test cases

* Improved error message in getRemoteIP

* Add tests for getRemoteIP and getClientString

* Add comment explaining splitting of header

* Update documentation on -real-client-ip-header w/o -reverse-proxy

* Add PR number in changelog.

* Fix typo repeated word: "it"

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update extended configuration language

* Simplify the language around dependance on -reverse-proxy

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Added completions

* Reorder real client IP header options

* Update CHANGELOG.md

* Apply suggestions from code review

Co-authored-by: Isabelle COWAN-BERGMAN <Izzette@users.noreply.github.com>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-12 18:41:25 +01:00
7cf685140b Restrict access using Github collaborators (#497)
* Allow access based on Github repository
2020-05-11 18:02:40 +01:00
f7c050e7ba Switch flags to PFlag to remove StringArray (#487) 2020-05-03 16:55:20 +01:00
c5be09ca48 Replace options loading with viper 2020-04-29 19:51:24 +01:00
1961424561 Feature/configurable userid claim minimal (#499)
* Add -user-id-claim to support other claims than email

Fix #431 - This is a minimal change to allow the user to configure which claim is
the source of the "user ID".

- Add the option `user-id-claim` (defaults to email)
- OIDC extracts this claim into session.Email (to be renamed later)
- providers: add `CreateSessionStateFromBearerToken` with a default impl taken from
  `GetJwtSession` and overridden by oidc to respect `user-id-claim`

Once #466 is merged, I can continue to rename SessionState.Email to .UserID
and add HTTP headers with a corresponding name.

* Apply suggestions from code review

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Review feedback: Don't extract claims manually

Instead, parse them twice - it might be sligtly slower but less bug-prone as the code evolves.

* Fix indentation

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-28 07:46:46 +01:00
c6294c40a3 Allow the OIDC issuer verification to be skipped if desired. (#467)
* Allow the OIDC issuer verification to be skipped if desired.

* Remove stale warning

* Add CHANGELOG entry

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
Co-authored-by: Dan Bond <pm@danbond.io>
2020-04-19 12:19:21 +01:00
581475feec Set-Basic-Auth should default to false 2020-04-13 14:57:24 +01:00
a659b9558e Allow multiple cookie domains to be specified (#412)
* Allow multiple cookie domains to be specified

* Use X-Forwarded-Host, if it exists, when selecting cookie domain

* Perform cookie domain sorting in config validation phase

* Extract get domain cookies to a single function

* Update pkg/cookies/cookies.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 12:00:44 +01:00
b0b87563dc Add set basic auth param (#413)
* addint redirect capability to sign_out

* updating changelog

* Add a new param to set the Authorization header to up-stream systems as Basic user:password

* Resolving code review

* mutual exclusiv changes for Basic and Bearer Authorization header

* Fixed the merge mixup and comment error

* Updated changelog and fixed typo

* Adding the new entry in changelog

Co-authored-by: Costel Moraru <costel.moraru-germany@ibm.com>
2020-04-10 14:41:28 +01:00
c7bfbdecef Implement graceful shutdown and propagate request context (#468)
* feature: Implement graceful shutdown

Propagate the request context to the Redis client.
It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client.
The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently.

Added handling of Unix signals to http server.

Upgrade go-redis/redis to v7.

* Update dependencies

- Upgrade golang/x/* and google-api-go
- Migrate fsnotify import from gopkg.in to github.com
- Replace bmizerany/assert with stretchr/testify/assert

* add doc for  wrapper interface

* Update CHANGELOG.md

* fix: upgrade fsnotify to v1.4.9

* fix: remove unnessary logging

* fix: wait until  all connections have been closed

* refactor: move chan to main for testing

* add assert to check if stop chan is empty

* add an idiomatic for sync.WaitGroup with timeout
2020-04-04 16:12:38 +01:00
802754caad Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:40:10 +01:00
3108f765a5 Fix #381, expose acr_values to all providers (#445) 2020-03-17 17:57:33 +00:00
b1c81e2abe Support prompt in addition to auth-prompt (#444)
Fix #380
2020-03-14 09:53:43 +00:00
4cd43ef397 Support the PreferEmailToUser option on PassUserHeaders
Previously in #401, an option was added to support forwarding the email
address as the username to the upstream service when the PassBasicAuth
option is used.

The PassBasicAuth option is not appropriate for all users, with PassUserHeaders
allowing very similar functionality without specifying a basic auth headers.

The PreferEmailToUser option has been expanded to support the PassUserHeaders
option.
2020-03-04 11:47:13 +13:00
51f4d88028 Add option to prefer an Email address to a Username (#401)
With some providers the Username is an upstream Unique ID, like fex. in the
case of Google.

When matching this with downstream databases, it's sometimes preferred to use
the email address as the  known identifier.

However, when _mixing_ this with sometimes other sources, like htaccess, which
doesn't have a concept of an email address, it can turn difficult.

This change makes the headers _prefer_ to use the Email address, if such exists,
for the Username identifier when passing data to downstream services.

Defaults to Off.

Signed-off-by: D.S. Ljungmark <ljungmark@modio.se>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-29 17:38:32 +00:00
edd6ad6ae5 Add client-secret-file to main FlagSet (#399) 2020-02-17 14:21:04 +00:00
18d20364a8 Extension of Redis Session Store to Support Redis Cluster (#363)
* Extend the redis session store to support redis cluster

* rename function newRedisClient to newRedisCmdable

* update docs about redis cluster as session store

* update autocomplete script with redis cluster options

* add check about conflict between option redis-use-sentinel and redis-use-cluster

* update change log

* Update docs/configuration/sessions.md

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/sessions/redis/redis_store.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* add the dropped option back

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-06 17:59:12 +00:00
d9362d3bb9 Add reverse proxy setting (#331)
* Add reverse proxy setting (#321)
2020-01-24 17:54:13 +00:00
5d0827a028 Add configuration for cookie 'SameSite' value.
Values of 'lax' and 'strict' can improve and mitigate
some categories of cross-site traffic tampering.

Given that the nature of this proxy is often to proxy
private tools, this is useful to take advantage of.

See: https://www.owasp.org/index.php/SameSite
2020-01-06 12:21:52 -05:00
11205c7399 Allow to change provider's name (#296)
* Allow to change provider's name.

* Add changelog entry.

* Linting.

* provider-name -> provider-display-name.

* Add flag in main.go.

* Update CHANGELOG.md
2019-11-25 17:20:37 +00:00
6d74a42e57 Merge branch 'master' into feat/static-upstream 2019-11-19 12:23:42 +01:00
d7a51e4aab Update main.go
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
2019-11-12 11:34:14 +01:00
3f7ed36e46 Add support for Redis with custom CA. 2019-11-08 10:47:18 +01:00
9e4a7ee84e Merge branch 'master' into feat/static-upstream 2019-11-01 17:34:27 +01:00
fe9efba0c5 Documentation change
Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>
2019-10-22 14:19:39 +01:00
aae91b0ad6 Add new handler to redirect to HTTPS if flag is set
Signed-off-by: Josh Michielsen <github@mickey.dev>
2019-10-17 16:30:48 +01:00
e24e4ef880 Add force-https option and flag
Signed-off-by: Josh Michielsen <github@mickey.dev>
2019-10-17 16:30:18 +01:00
1295f87b33 Add static upstream 2019-10-10 10:14:00 +02:00
71dfd44149 Merge branch 'master' into keycloak-provider 2019-08-17 08:10:37 +01:00
fa6c4792a1 Add Bitbucket provider. (#201)
Add a new provider for Bitbucket,
can be configured from the options
specifying team and/or repository
that the user must be part/have access
to in order to grant login.
2019-08-16 14:53:22 +01:00
fb52bdb90c Fix some typos 2019-08-13 12:42:23 +02:00
7134d22bcc New flag "-ssl-upstream-insecure-skip-validation" (#234)
* New flag "-ssl-upstream-insecure-skip-validation" to skip SSL validation for upstreams with self generated / invalid SSL certificates.

* Fix tests for modified NewReverseProxy method.

* Added change to the changelog.

* Remove duplicate entries from changelog.
2019-08-07 17:48:53 +01:00
4de49983fb Rework GitLab provider (#231)
* Initial version of OIDC based GitLab provider

* Add support for email domain check to GitLab provider

* Add gitlab.com as default issuer for GitLab provider

* Update documentation for GitLab provider

* Update unit tests for new GitLab provider implementation

* Update CHANGELOG for GitLab provider

* Rename GitLab test access token as response to linter
2019-08-06 12:20:54 +01:00