Add the Prometheus http.Handler to serve metrics at MetricsPath ("/metrics"
by default). This allows Prometheus to scrape metrics from OAuth2 Proxy.
Add a new middleware NewRequestMetrics and attach it to the preAuth
chain. This will collect metrics on all requests made to OAuth2 Proxy
Collapse some calls to Prinf() and os.Exit(1) to Fatalf as they are
equivalent. main() has a strict 50 lines limit so brevity in these
calls appreciated
* Add support for gitlab projets
* Add group membership in state
* Use prefixed allowed groups everywhere
* Fix: remove unused function
* Fix: rename func that add data to session
* Simplify projects and groups session funcs
* Add project access level for gitlab projects
* Fix: default access level
* Add per project access level
* Add user email when missing access level
* Fix: harmonize errors
* Update docs and flags description for gitlab project
* Add test with both projects and groups
* Fix: log error message
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Fix: make doc a markdown link
* Add notes about read_api scope for projects
* Fix: Verifier override in Gitlab Provider
This commit fixes a bug caused by an override of the Verifier value from *ProviderData inside GitlabProvider struct
* Fix: ensure data in session before using it
* Update providers/gitlab.go
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Rename gitlab project initializer
* Improve return value readbility
* Use splitN
* Handle space delimiters in set project scope
* Reword comment for AddProjects
* Fix: typo
* Rework error handling in addProjectsToSession
* Reduce branching complexity in addProjectsToSession
* Fix: line returns
* Better comment for addProjectsToSession
* Fix: enrich session comment
* Fix: email domains is handled before provider mechanism
* Add archived project unit test
* Fix: emails handling in gitlab provider
Co-authored-by: Wilfried OLLIVIER <wollivier@bearstech.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Strip X-Forwarded auth headers from whitelisted paths
For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).
Only x-Forwarded headers stripped, left the Authorization header
untouched.
* Strip authorization header if it would be set
* Improve TestStripAuthHeaders test table
* Improve --skip-auth-strip-headers flag documentation
* Implements --ip-whitelist option
* Included IPWhitelist option to allow one-or-more selected CIDR ranges
to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.
* Renamed IPWhitelist ipCIDRSet
* Fixed unessesary pointer usage in ipCIDRSet
* Update CHANGELOG.md
* Update CHANGELOG.md
* Updated to not use err.Error() in printf statements
* Imrpoved language for --ip-whitelist descriptions.
* Improve IP whitelist options error messages
* Clarify options single-host normalization
* Wrote a book about ipCIDRSet
* Added comment to IsWhitelistedIP in oauthproxy.go
* Rewrite oauthproxy test case as table driven
* oops
* Support whitelisting by low-level remote address
* Added more test-cases, improved descriptions
* Move ip_cidr_set.go to pkg/ip/net_set.go
* Add more whitelist test use cases.
* Oops
* Use subtests for TestIPWhitelist
* Add minimal tests for ip.NetSet
* Use switch statment
* Renamed ip-whitelist to whitelist-ip
* Update documentation with a warning.
* Update pkg/apis/options/options.go
* Update CHANGELOG.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Apply suggestions from code review
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* fix fmt
* Move ParseIPNet into abstraction
* Add warning in case of --reverse-proxy
* Update pkg/validation/options_test.go
* Rename --whitelist-ip to --trusted-ip
* Update oauthproxy.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* fix
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Changed how gitlab-group is parsed, from string to []string
See #637
* Point out that gitlab-group can be a list
See #637
* Reflect to the []string change on pkg/apis/options/options.go
See #637
* Move cfg option gitlab_group to gitlab_groups
See #637
* Renamed Group to Groups
See #637
* Reflect the change on gitlab.go as well
See #637
* Added #639
* Added the author of #639 to the CHANGELOG
* Add the gitlab_groups env change to CHANGELOG.md
See #639
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
All Encrypt/Decrypt Cipher implementations will now take
and return []byte to set up usage in future binary compatible
encoding schemes to fix issues with bloat encrypting to strings
(which requires base64ing adding 33% size)
* Add an option to allow health checks based on User-Agent.
* Formatting fix
* Rename field and avoid unnecessary interface.
* Skip the redirect fix so it can be put into a different PR.
* Add CHANGELOG entry
* Adding a couple tests for the PingUserAgent option.
