1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-11-28 09:08:44 +02:00
Commit Graph

379 Commits

Author SHA1 Message Date
Joel Speed
e8e2af73df
Wrap templates and page rendering in PageWriter interface 2021-02-14 10:20:26 +00:00
Joel Speed
dba6989054
Move SignIn page rendering to app pkg 2021-02-13 11:35:38 +00:00
Joel Speed
6ecbc7bc4e
Allow users to choose detailed error messages on error pages 2021-02-12 21:12:28 +00:00
Joel Speed
a63ed0225c
Use ErrorPage to render proxy error page 2021-02-12 21:12:27 +00:00
Joel Speed
ef457b1765
Move Error page rendering to app package 2021-02-12 21:12:05 +00:00
Joel Speed
0151ca11f6
Move template loading to app package 2021-02-12 16:55:52 +00:00
Joel Speed
84f76c6060
Move template options to their own struct 2021-02-12 16:55:51 +00:00
Joel Speed
b6cca79cb9
Ensure errors in tests are logged to the GinkgoWriter 2021-02-10 19:50:04 +00:00
Nick Meves
c3f31b4dd5
Flatten array-based response headers 2021-02-03 16:48:26 -08:00
Lida Li
b541805dc1
Use comma separated multiple values for header (#799)
* Use comma separated value for multiple claims

* Fix lint error

* Fix more tests

* Fix one more test

* Always flatten the headers

* Ensure we test the real multi-groups

* Only update map when necessary

* Update CHANGELOG

* Move to the right location of change log

* Fix blank line
2021-01-22 08:48:34 +00:00
Joel Speed
5c64e236fb
Generate reference page in configuration 2021-01-18 09:57:44 +00:00
Nick Meves
f054682fb7
Make HTTPS Redirect middleware Reverse Proxy aware 2021-01-16 13:55:48 -08:00
Nick Meves
6fb3274ca3
Refactor organization of scope aware request utils
Reorganized the structure of the Request Utils due to their widespread use
resulting in circular imports issues (mostly because of middleware & logger).
2021-01-16 13:55:48 -08:00
Nick Meves
b625de9490
Track the ReverseProxy option in the request Scope
This allows for proper handling of reverse proxy based headers throughout
the lifecycle of a request.
2021-01-16 13:55:48 -08:00
Ilia Pertsev
597ffeb121
Fix joined cookie name for those containing underline in the suffix (#970)
* properly handle splitted cookies with names ending with _

* test update

* provide cookieName into joinCookies instead of processing the suffix

* changelog update

* test update
2021-01-04 17:21:17 -08:00
İlteriş Eroğlu
1d74a51cd7
Use X-Forwarded-{Proto,Host,Uri} on redirect as last resort (#957) 2021-01-01 15:23:11 -08:00
Nick Meves
3369799853
Migrate Keycloak to EnrichSession & support multiple groups 2020-12-24 14:04:19 -08:00
Nick Meves
d2ffef2c7e
Use global OIDC fields for Gitlab 2020-12-21 16:54:12 -08:00
Nick Meves
eb56f24d6d
Deprecate UserIDClaim in config and docs 2020-12-21 16:52:17 -08:00
Nick Meves
74ac4274c6
Move generic OIDC functionality to be available to all providers 2020-12-21 16:52:04 -08:00
Nick Meves
a1877434b2
Refactor OIDC to EnrichSession 2020-12-21 16:51:52 -08:00
TAGAMI Yukihiro
a5466bb96d
Fix typo and missing InjectResponseHeaders validation (#952) 2020-12-12 10:05:01 -08:00
Mathieu Lecarme
d67d6e3152
Add authorization support for Gitlab projects (#630)
* Add support for gitlab projets

* Add group membership in state

* Use prefixed allowed groups everywhere

* Fix: remove unused function

* Fix: rename func that add data to session

* Simplify projects and groups session funcs

* Add project access level for gitlab projects

* Fix: default access level

* Add per project access level

* Add user email when missing access level

* Fix: harmonize errors

* Update docs and flags description for gitlab project

* Add test with both projects and groups

* Fix: log error message

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Fix: make doc a markdown link

* Add notes about read_api scope for projects

* Fix: Verifier override in Gitlab Provider

This commit fixes a bug caused by an override of the Verifier value from *ProviderData inside GitlabProvider struct

* Fix: ensure data in session before using it

* Update providers/gitlab.go

Co-authored-by: Nick Meves <nick.meves@greenhouse.io>

* Rename gitlab project initializer

* Improve return value readbility

* Use splitN

* Handle space delimiters in set project scope

* Reword comment for AddProjects

* Fix: typo

* Rework error handling in addProjectsToSession

* Reduce branching complexity in addProjectsToSession

* Fix: line returns

* Better comment for addProjectsToSession

* Fix: enrich session comment

* Fix: email domains is handled before provider mechanism

* Add archived project unit test

* Fix: emails handling in gitlab provider

Co-authored-by: Wilfried OLLIVIER <wollivier@bearstech.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
2020-12-05 10:57:33 -08:00
Joel Speed
b201dbb2d3
Add convert-config-to-alpha flag to convert existing configuration to alpha structure 2020-12-01 08:56:51 +00:00
Joel Speed
f36dfbb494
Introduce alpha configuration loading 2020-12-01 08:56:49 +00:00
Joel Speed
5b003a5657
SecretSource.Value should be plain text in memory 2020-12-01 08:56:46 +00:00
Nick Meves
5f8f856260
Remove failed bearer tokens from logs 2020-11-28 10:25:12 -08:00
Nick Meves
22f60e9b63
Generalize and extend default CreateSessionFromToken 2020-11-28 10:25:12 -08:00
Nick Meves
44fa8316a1
Aggregate error logging on JWT chain failures 2020-11-28 10:25:12 -08:00
Nick Meves
3e9717d489
Decouple TokenToSession from OIDC & add a generic VerifyFunc 2020-11-28 10:25:11 -08:00
Joel Speed
482cd32a17
Fix basic auth legacy header conversion 2020-11-19 20:07:59 +00:00
Joel Speed
aed43a54da
Add DefaultUpstreamFlushInterval to replace magic time.Second value 2020-11-19 10:39:21 +00:00
Joel Speed
d353d94631
Add AlphaOptions struct and ensure that all children have valid JSON tags 2020-11-19 10:35:31 +00:00
Joel Speed
b6d6f31ac1
Introduce Duration so that marshalling works for duration strings 2020-11-19 10:35:29 +00:00
Joel Speed
3a4660414a
Fix log calldepth 2020-11-15 18:52:59 +00:00
Nick Meves
b92fd4b0bb
Streamline Google to use default Authorize 2020-11-12 11:18:58 -08:00
Nick Meves
eb58ea2ed9
Move AllowedGroups to DefaultProvider for default Authorize usage 2020-11-12 11:18:15 -08:00
Arcadiy Ivanov
45ae87e4b7
Logs provider name on startup
If invalid provider is specified, stop and error out

fixes #895
2020-11-12 10:39:35 -05:00
Nick Meves
2b15ba0bcf
Remove v5 JSON session support 2020-11-08 08:52:55 -08:00
Nick Meves
7d6ff03d13
Fix X-Auth-Request-Preferred-Username in response headers 2020-11-07 12:47:42 -08:00
Nick Meves
1c26539ef0
Align tests to SkipAuthStripHeaders default 2020-11-07 12:33:37 -08:00
Nick Meves
14fd934b32
Flip --skip-auth-strip-headers to true by default 2020-11-07 11:43:45 -08:00
Joel Speed
92d09343d2
Add tests for legacy header conversion 2020-11-07 17:17:10 +00:00
Joel Speed
8d1bbf33b1
Add tests for headers validation 2020-11-07 17:17:06 +00:00
Joel Speed
1dac1419b3
Add tests for SecretSource validation 2020-11-07 17:17:02 +00:00
Joel Speed
8059a812cd
Integrate new header injectors with OAuth2 Proxy 2020-11-07 17:16:58 +00:00
Joel Speed
d26c65ba8d
Add validation for Headers struct 2020-11-07 17:16:54 +00:00
Joel Speed
2dc0d1e7ee
Create LegacyHeaders struct and conversion to new Headers 2020-11-07 17:16:49 +00:00
Nick Meves
4a54c9421c
Remove EmailDomain verification from GitLab provider
This is handled globally
2020-10-20 10:01:53 -07:00
Joel Speed
70990327d1
Make claims list of strings 2020-10-07 18:25:00 +01:00
Joel Speed
6743e3991d
Add header injector middlewares 2020-10-07 18:24:58 +01:00
Joel Speed
fc2ff19a19
Add header Injector 2020-10-07 18:24:57 +01:00
Joel Speed
eec7565c52
Add Header option structure 2020-10-07 18:24:56 +01:00
Nick Meves
b7b7ade7c4
Improve AllowedRoute test table formatting 2020-10-07 10:13:41 -07:00
Nick Meves
fa4ba5e7ea
Convert allowlist validation test to Ginkgo 2020-10-07 10:13:41 -07:00
Nick Meves
183cb124a4
Support HTTP method based allowlists 2020-10-07 10:13:40 -07:00
Mitsuo Heijo
fcb83c48f4
Update go-redis/redis to v8 (#801)
* update go-redis/redis to v8

testify, ginko and gomega have also been updated.

* update changelog

* Update pkg/sessions/redis/redis_store_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-10-07 11:49:27 +01:00
Mitsuo Heijo
3fa42edb73
Fix import path for v7 (#800)
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
Nick Meves
6db1aeb9c6
Validate Redis session store health on startup 2020-09-24 10:41:43 -07:00
Nick Meves
56f199a24f
Stop accepting legacy SHA1 signed cookies 2020-09-24 10:31:34 -07:00
Stefan Sedich
9d59519a96
Add support to ensure user belongs in required groups when using the OIDC provider 2020-09-21 10:43:54 -07:00
Lennart Jern
e14d6ab791 Document bcrypt encryption for htpasswd
Remove mention of (insecure) SHA option for encryption.
2020-09-11 13:32:00 +03:00
Joel Speed
bd619ab63e
Fix conversion of file upstreams 2020-08-31 16:54:13 +01:00
Joel Speed
b40517bbe3
Fix conversion of static responses in upstreams 2020-08-31 16:54:01 +01:00
Nick Meves
29b24793e3
Use X-Forwarded-Host consistently 2020-08-31 08:31:45 -07:00
Joel Speed
105d5acb7b
Only log no cookie match if cookie domains specified 2020-08-27 14:48:00 +01:00
Joel Speed
16a30002df
Ensure session times are not nil before printing them 2020-08-16 19:53:52 +01:00
Nick Meves
51a9062044
Support Password & SentinelPassword in Redis session store 2020-08-11 12:22:05 -07:00
Nick Meves
b6e78efc1e
Add x-oauth-basic nosec annotation & address gosec unhandled errors 2020-08-10 15:15:16 -07:00
Phil Taprogge
d69fd6af22
Allow Logging to stdout with separate Error Log Channel (#718)
* Add dedicated error logging writer

* Document new errors to stdout flag

* Update changelog

* Thread-safe the log buffer

* Address feedback

* Remove duplication by adding log level

* Clean up error formatting

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-08-10 11:44:08 +01:00
Nick Meves
a1358d2070
Panic on any logger errors
Any template errors instead of IO
errors are caught in validation.
2020-08-09 07:55:41 -07:00
Nick Meves
45222395e0
Attempt to log still on template errors 2020-08-09 07:55:40 -07:00
Nick Meves
ad52587ae6
Document GoSec nosec skip comments 2020-08-09 07:55:40 -07:00
Nick Meves
1c8c5b08d7
Handle cookie signing errors 2020-08-09 07:55:40 -07:00
Nick Meves
65c228394f
Address gosec findings
Mostly handling unhandled errors appropriately.
If logging to STDERR fails, we panic. Added #nosec
comments to findings we are OK with.
2020-08-09 07:55:39 -07:00
Nick Meves
19836f85ac
Align persistence ginkgo tests to conventions 2020-07-21 22:13:17 -07:00
Nick Meves
9643a0b10c
Centralize Ticket management of persistent stores (#682)
* Centralize Ticket management of persistent stores

persistence package with Manager & Ticket will handle
all the details about keys, secrets, ticket into cookies,
etc. Persistent stores just need to pass Save, Load &
Clear function handles to the persistent manager now.

* Shift to persistence.Manager wrapping a persistence.Store

* Break up the Redis client builder logic

* Move error messages to Store from Manager

* Convert ticket to private for Manager use only

* Add persistence Manager & ticket tests

* Make a custom MockStore that handles time FastForwards
2020-07-19 21:25:13 +01:00
Joel Speed
034f057b60
Add session loader from session storage 2020-07-19 17:21:42 +01:00
Joel Speed
7d6f2a3f45
Add Basic Auth session loader middleware 2020-07-19 17:21:42 +01:00
Joel Speed
c81a7ed197
Add JWT session loader middleware 2020-07-19 17:21:42 +01:00
Joel Speed
2768321929
Add request scope middleware 2020-07-19 17:21:42 +01:00
Joel Speed
d43b372ca9
Use bool pointers for upstream options that default to true 2020-07-19 14:01:36 +01:00
Joel Speed
71dc70222b
Break legacy upstream options into LegacyUpstreams struct 2020-07-19 14:01:36 +01:00
Joel Speed
e932381ba7
Add LegacyOptions and conversion to new Options
This will be temporary until we switch to structured config, then we can remove the LegacyOptions and conversions
2020-07-19 08:17:53 +01:00
Joel Speed
7d8ee61254
Add HTPasswdValidator to basic authentication package 2020-07-18 11:01:49 +01:00
Nick Meves
abeb0236d8
Strip X-Forwarded auth headers from whitelisted paths (#624)
* Strip X-Forwarded auth headers from whitelisted paths

For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).

Only x-Forwarded headers stripped, left the Authorization header
untouched.

* Strip authorization header if it would be set

* Improve TestStripAuthHeaders test table

* Improve --skip-auth-strip-headers flag documentation
2020-07-14 23:46:44 +01:00
Nick Meves
bb5977095f
Add option to remove tokens from cookie sessions (#673)
* Add option to remove tokens from cookie sessions

* Move Minimal to be an option on CookieSession

* Add sessionOptionsDefaults helper
2020-07-14 23:02:10 +01:00
Nick Meves
a09eecc6a2
Reduce SessionState size better with MessagePack + LZ4 (#632)
* Encode sessions with MsgPack + LZ4

Assumes ciphers are now mandatory per #414. Cookie & Redis sessions
can fallback to V5 style JSON in error cases. TODO: session_state.go
unit tests & new unit tests for Legacy fallback scenarios.

* Only compress encoded sessions with Cookie Store

* Cleanup msgpack + lz4 error handling

* Change NewBase64Cipher to take in an existing Cipher

* Add msgpack & lz4 session state tests

* Add required options for oauthproxy tests

More aggressively assert.NoError on all
validation.Validate(opts) calls to enforce legal
options in all our tests.
Add additional NoError checks wherever error return
values were ignored.

* Remove support for uncompressed session state fields

* Improve error verbosity & add session state tests

* Ensure all marshalled sessions are valid

Invalid CFB decryptions can result in garbage data
that 1/100 times might cause message pack unmarshal
to not fail and instead return an empty session.
This adds more rigor to make sure legacy sessions
cause appropriate errors.

* Add tests for legacy V5 session decoding

Refactor common legacy JSON test cases to a
legacy helpers area under session store tests.

* Make ValidateSession a struct method & add CHANGELOG entry

* Improve SessionState error & comments verbosity

* Move legacy session test helpers to sessions pkg

Placing these helpers under the sessions pkg removed
all the circular import uses in housing it under the
session store area.

* Improve SignatureAuthenticator test helper formatting

* Make redis.legacyV5DecodeSession internal

* Make LegacyV5TestCase test table public for linter
2020-07-13 20:56:05 +01:00
Isabelle COWAN-BERGMAN
64ae31b5a0
Implements --trusted-ip option (#552)
* Implements --ip-whitelist option

* Included IPWhitelist option to allow one-or-more selected CIDR ranges
  to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.

* Renamed IPWhitelist ipCIDRSet

* Fixed unessesary pointer usage in ipCIDRSet

* Update CHANGELOG.md

* Update CHANGELOG.md

* Updated to not use err.Error() in printf statements

* Imrpoved language for --ip-whitelist descriptions.

* Improve IP whitelist options error messages

* Clarify options single-host normalization

* Wrote a book about ipCIDRSet

* Added comment to IsWhitelistedIP in oauthproxy.go

* Rewrite oauthproxy test case as table driven

* oops

* Support whitelisting by low-level remote address

* Added more test-cases, improved descriptions

* Move ip_cidr_set.go to pkg/ip/net_set.go

* Add more whitelist test use cases.

* Oops

* Use subtests for TestIPWhitelist

* Add minimal tests for ip.NetSet

* Use switch statment

* Renamed ip-whitelist to whitelist-ip

* Update documentation with a warning.

* Update pkg/apis/options/options.go

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix fmt

* Move ParseIPNet into abstraction

* Add warning in case of --reverse-proxy

* Update pkg/validation/options_test.go

* Rename --whitelist-ip to --trusted-ip

* Update oauthproxy.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-11 11:10:58 +01:00
Mariano Vallés
a999270cf3
Add req.host to targetURL when redirecting to https (#668)
* Add req.host to targetURL when redirecting to https

The req.URL.Host might not be present when redirecting to https if the
given req.URL is something like "/". In such scenario, the req.Host is
still present and valid.

This commit adds the original req.Host to the targetURL before returning
the 308 status, to avoid having a `Location: https:///` in the response.

* Bring back empty line

* Wrap the setting of targetURL.Host in a condition

* Add a comment to the test explaining why the redirectURL includes example.com

* Add changelog entry
2020-07-07 09:55:38 +01:00
Joel Speed
de9e65a63a
Migrate all requests to result pattern 2020-07-06 20:38:00 +01:00
Joel Speed
d0b6c04960
Add tests for request result 2020-07-06 20:37:36 +01:00
Joel Speed
fbf4063245
Switch Builder.Do() to return a Result 2020-07-06 18:31:31 +01:00
Joel Speed
028a0ed62e
Remove old requests code 2020-07-06 18:31:11 +01:00
Joel Speed
53142455b6
Migrate all requests to new builder pattern 2020-07-06 18:31:09 +01:00
Joel Speed
21ef86b594
Add tests for the request builder 2020-07-06 18:29:58 +01:00
Joel Speed
0bc0feb4bb
Add request builder to simplify request handling 2020-07-06 18:29:57 +01:00
Jordan Crawford
6346dafc1e (#649) Remove blank helthcheck user agents and paths when setting up the healthcheck middleware
A blank user agent is considered == to an empty string. When no -ping-user-agent option is specified, this is considered to be an empty string.

This reveals two problems:
- When no ping-user-agent is specified, main.go sets up a health check user agent of ""
- When no user agent is specified, the empty string is still checked against the health check user agents.

Now the health check middleware ignores blank user agents and paths in order to sanitise it's input to avoid this issue.

Additional tests have been added to verify these situations.
2020-07-06 14:07:38 +12:00
Joel Speed
5b95ed3033
Add tests for upstream package 2020-07-05 10:21:05 +01:00
Joel Speed
fa8e1ee033
Allow file server to handle windows filesystems 2020-07-05 10:21:05 +01:00
Joel Speed
e1c3e938cc
Add upstream package with Proxy server implementation 2020-07-05 10:21:05 +01:00
Joel Speed
b6b5194190
Add Upstreams options struct with validation 2020-07-05 10:21:05 +01:00
Joel Speed
3e13f3197f
Ensure that cookie names over 256 characters are rejected by validation 2020-07-05 09:18:48 +01:00
Joel Speed
211fd3a010
Rename CookieOptions to Cookie 2020-07-05 09:18:21 +01:00
Joel Speed
285c65a2d4
Add tests for cookie validation
This also removes the check for the decoded from the valid secret size
check. The code was unreachable because encryption.SecretBytes will only
return the decoded secret if it was the right length after decoding.
2020-07-05 09:17:28 +01:00
Joel Speed
900061b88a
Move CookieOptions validation to it's own file 2020-07-05 09:17:28 +01:00
Joel Speed
b3ba2594c6
Create Cookie FlagSet and Defaults 2020-07-05 09:17:28 +01:00
Nick Meves
48a2aaadc1
Count complete cookie content in byte splitting 2020-07-03 23:41:08 -07:00
Nick Meves
c6f1daba2f
Split cookies more precisely at 4096 bytes 2020-07-03 20:38:04 -07:00
Joel Speed
1c1106721e
Move RedirectToHTTPS to middleware package
Moves the logic for redirecting to HTTPs to a middleware package and adds tests for this logic.
Also makes the functionality more useful, previously it always redirected to the HTTPS address of the proxy, which may not have been intended, now it will redirect based on if a port is provided in the URL (assume public facing 80 to 443 or 4180 to 8443 for example)
2020-07-03 17:19:09 +01:00
Joel Speed
5c8a66bcc9
Close client connections after each redis test 2020-07-03 16:24:47 +01:00
k-wall
b0375e85fa
Fix #635: Support specifying alternative provider TLS trust source(s) (#645)
* Fix #635: Support specifying alternative provider TLS trust source(s)

* Update pkg/apis/options/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/validation/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address review comments

* upd CHANGELOG.md

* refactor test to assert textual subjects + add openssl gen cmd

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-03 16:09:17 +01:00
Joel Speed
34137f7305
Move SessionStore tests to independent package 2020-07-01 06:41:35 +01:00
Joel Speed
6e1b3b9660
Switch to in session store initialisation 2020-06-28 12:50:55 +01:00
Joel Speed
5ce9e75c21
Initialise Session Storage in NewOAuthProxy instead of validation 2020-06-28 12:32:06 +01:00
Joel Speed
c8dbf1cf60
Move Cipher intialisation to session store initialisation 2020-06-28 12:03:03 +01:00
İlteriş Eroğlu
1b6c54cae1
Change how gitlab-group is parsed on options (#639)
* Changed how gitlab-group is parsed, from string to []string

See #637

* Point out that gitlab-group can be a list

See #637

* Reflect to the []string change on pkg/apis/options/options.go

See #637

* Move cfg option gitlab_group to gitlab_groups

See #637

* Renamed Group to Groups

See #637

* Reflect the change on gitlab.go as well

See #637

* Added #639

* Added the author of #639 to the CHANGELOG

* Add the gitlab_groups env change to CHANGELOG.md

See #639

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-26 23:26:07 +01:00
Nick Meves
788d8ecc1b
Verify main v extra JWT bearers differently
When using the configured provider JWT Verifier, it makes
sense to use the provider `CreateSessionStateFromBearerToken`
method. For any extra JWT Issuers, they should use a generic
default verifier.
2020-06-19 11:47:36 -07:00
Joel Speed
9bbd6adce9
Integrate HealthCheck middleware 2020-06-14 21:05:17 +01:00
Joel Speed
ca416a2ebb
Add HealthCheck middleware 2020-06-14 21:05:17 +01:00
Nick Meves
1979627534
Move Encrypt/Decrypt Into helper to session_state.go
This helper method is only applicable for Base64 wrapped
encryption since it operated on string -> string primarily.
It wouldn't be used for pure CFB/GCM ciphers. After a messagePack
session refactor, this method would further only be used for
legacy session compatibility - making its placement in cipher.go
not ideal.
2020-06-12 14:46:35 -07:00
Nick Meves
014fa682be
Add EncryptInto/DecryptInto Unit Tests 2020-06-12 14:42:42 -07:00
Nick Meves
e43c65cc76
Fix SessionOptions struct spacing 2020-06-12 14:37:00 -07:00
Nick Meves
c6939a40c5
Move nested Encrypt/Decrypt test to helper function 2020-06-12 14:36:59 -07:00
Nick Meves
9382293b0b
Ensure Cipher.Encrypt doesn't mangle input data []byte 2020-06-12 14:36:59 -07:00
Nick Meves
7bb5fc0a81
Ensure Cipher.Decrypt doesn't mangle input ciphertext []byte 2020-06-12 14:36:59 -07:00
Nick Meves
e823d874b0
Improve cipher_test.go organization with subtests 2020-06-12 14:36:59 -07:00
Nick Meves
559152a10f
Add subtests inside of encryption unit test loops 2020-06-12 14:36:59 -07:00
Nick Meves
f60e24d9c3
Split non-cipher code to utils.go out of ciphers.go 2020-06-12 14:36:58 -07:00
Nick Meves
ce2e92bc57
Improve design of Base64Cipher wrapping other ciphers.
Have it take in a cipher init function as an argument.
Remove the confusing `newCipher` method that matched legacy behavior
and returns a Base64Cipher(CFBCipher) -- instead explicitly ask for
that in the uses.
2020-06-12 14:36:58 -07:00
Nick Meves
b6931aa4ea
Add GCM Cipher support
During the upcoming encoded session refactor, AES GCM is ideal
to use as the Redis (and other DB like stores) encryption wrapper
around the session because each session is encrypted with a
distinct secret that is passed by the session ticket.
2020-06-12 14:36:58 -07:00
Nick Meves
f7cca1d0b3
Refactor encryption.Cipher to be an Encrypt/Decrypt Interface
All Encrypt/Decrypt Cipher implementations will now take
and return []byte to set up usage in future binary compatible
encoding schemes to fix issues with bloat encrypting to strings
(which requires base64ing adding 33% size)
2020-06-12 14:36:58 -07:00
Nick Meves
b4530b9292
Allow binary values in signed cookies
Make signedValue & Validate operate on []byte
by default and not assume/cast string. Any casting
will be done from callers.
2020-06-12 14:36:58 -07:00
Nick Meves
f9025a8f8f
Add binary native AES CFB encryption helpers.
These will take in []byte and not automatically
Base64 encode/decode.
2020-06-12 14:36:56 -07:00
Joel Speed
808084b744
Ensure decrypted user/email are valid UTF8 2020-06-12 15:36:55 +01:00
Christopher Kohnert
2c851fcd4f
Allow a health/ping request to be identified by User-Agent (#567)
* Add an option to allow health checks based on User-Agent.

* Formatting fix

* Rename field and avoid unnecessary interface.

* Skip the redirect fix so it can be put into a different PR.

* Add CHANGELOG entry

* Adding a couple tests for the PingUserAgent option.
2020-06-12 14:56:31 +01:00
Yoshiki Nakagawa
d8d43bb51b
Support new option "github-user" (#421)
* feat(github): support new option "github-user"

* feat(github): rename github-user to github-users

* feat(github): update docs for github-users option

* feat(github): remove unneeded code

* feat(github): remove logging

* feat(github-user): use github-user as flagset options

* feat(github-user): remove optionns.go

* feat(github-user): add github-user flagset

* feat(github): improve readability in the docs

* feat(github-user): refactored SetUsers method

* Update flag description

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-01 20:02:07 +01:00
Joel Speed
94e31f8b65
Ensure exclude-logging-paths is consistent with other options 2020-05-31 14:09:28 +01:00
Joel Speed
bbc4eee17e
Create Logging FlagSet and Default 2020-05-31 14:08:00 +01:00
Joel Speed
3cbac6122d
Move configuration of logger to separate file 2020-05-31 14:08:00 +01:00
Joel Speed
3afcadae76
Move logging options to a struct 2020-05-31 14:08:00 +01:00
Joel Speed
f7b28cb1d3
Improvements to Session State code (#536)
* Drop SessionStateJSON wrapper
* Use EncrpytInto/DecryptInto to reduce sessionstate

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-30 08:53:38 +01:00
Amnay
6a88da7f7a
Parse Redis cluster and sentinel urls (#573)
* Parse Redis cluster and sentinel urls

* Add changelog entry for #573

* Add unit tests for redis session store

* Use %v for error fmt

Co-authored-by: Amnay Mokhtari <amnay.mokhtari@adevinta.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-05-27 18:40:50 +01:00
Timo Beckers
276d1c6f19
Always encrypt sessions regardless of configuration 2020-05-24 21:23:04 +01:00
Joel Speed
810a9e9967
Rename cookie-domain config to cookie-domains (#559)
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-24 20:19:56 +01:00
Joel Speed
cce2c680d8
Move RealClientIP code to IP packages 2020-05-23 15:17:41 +01:00
Joel Speed
c3f9cbeb3d
Remove Env tags from Cookie and Session Options 2020-05-21 22:43:42 +01:00
Joel Speed
189ed4de8f
Move FlagSet to Options package 2020-05-21 22:43:42 +01:00
Joel Speed
1fd4ebe546
Remove Env tags from Options 2020-05-21 22:43:42 +01:00
Joel Speed
44b27e0208
Move Options and Validation to package 2020-05-21 22:43:42 +01:00
Nick Meves
7e5c8bb579
Fix secretBytes adding unintended padding (#556)
* Fix secretBytes adding unintended padding

* Add more SecretBytes test scenarios

* Add CHANGELOG entry about breaking secret padding change

* Add SecretBytes tests explanation comments
2020-05-21 19:29:45 +01:00
Nick Meves
d228d5a928
Refactor the utils package to other areas (#538)
* Refactor the utils package to other areas

Move cookieSession functions to cookie session store
& align the double implementation of SecretBytes to be
united and housed under encryption

* Remove unused Provider SessionFromCookie/CookieForSession

These implementations aren't used, these are handled in the cookie store.

* Add changelog entry for session/utils refactor
2020-05-14 10:16:35 +01:00
Isabelle COWAN-BERGMAN
111d17efde
Implements --real-client-ip-header option. (#503)
* Implements -real-client-ip-header option.

* The -real-client-ip-header determines what HTTP header is used for
  determining the "real client IP" of the remote client.
* The -real-client-ip-header option supports the following headers:
  X-Forwarded-For X-ProxyUser-IP and X-Real-IP (default).
* Introduces new realClientIPParser interface to allow for multiple
  polymorphic classes to decide how to determine the real client IP.
* TODO: implement the more standard, but more complex `Forwarded` HTTP
  header.

* Corrected order of expected/actual in test cases

* Improved error message in getRemoteIP

* Add tests for getRemoteIP and getClientString

* Add comment explaining splitting of header

* Update documentation on -real-client-ip-header w/o -reverse-proxy

* Add PR number in changelog.

* Fix typo repeated word: "it"

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update extended configuration language

* Simplify the language around dependance on -reverse-proxy

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Added completions

* Reorder real client IP header options

* Update CHANGELOG.md

* Apply suggestions from code review

Co-authored-by: Isabelle COWAN-BERGMAN <Izzette@users.noreply.github.com>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-12 18:41:25 +01:00
Joel Speed
4e3dd09cf2
Drop fallback to email when user is empty (#537) 2020-05-12 16:04:51 +01:00
Mitsuo Heijo
e642daef4e Support context in providers (#519)
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-10 13:34:59 +01:00
Joel Speed
de280824de
Drop support for pre v3.1 cookies (#535)
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-10 10:09:53 +01:00
Nick Meves
9d626265e8 Migrate cookie signing to SHA256 from SHA1 (#524)
Also, cleanup the code & make the specific
hashing algorithm chosen a function variable.

Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-09 16:14:19 +01:00
Joel Speed
00fed1a31f
Return an error when unknown options are found in the config file 2020-04-29 20:00:16 +01:00
Joel Speed
c5be09ca48
Replace options loading with viper 2020-04-29 19:51:24 +01:00
Joel Speed
8749cbb424
Add Viper based config loader 2020-04-29 19:51:24 +01:00
Joel Speed
e49f8542bc
Rename Session Options to improve structure 2020-04-29 19:51:24 +01:00
Joel Speed
458710149c
Rename Cookie Options to remove extra 'Cookie' 2020-04-29 19:51:24 +01:00
Mitsuo Heijo
dd05e7ff0b
Add new linters (#486)
* add new linters and fix issues

* fix deprecated warnings

* simplify return

* update CHANGELOG

* fix staticcheck issues

* remove a deprecated linter, minor fixes of variable initialization
2020-04-14 09:36:44 +01:00
Joel Speed
fcd52e042e
Warn users when session cookies are split 2020-04-12 12:01:38 +01:00
Eric Dahlseng
a659b9558e
Allow multiple cookie domains to be specified (#412)
* Allow multiple cookie domains to be specified

* Use X-Forwarded-Host, if it exists, when selecting cookie domain

* Perform cookie domain sorting in config validation phase

* Extract get domain cookies to a single function

* Update pkg/cookies/cookies.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 12:00:44 +01:00
Mitsuo Heijo
c7bfbdecef
Implement graceful shutdown and propagate request context (#468)
* feature: Implement graceful shutdown

Propagate the request context to the Redis client.
It is possible to propagate a context cancel to Redis client if the connection is closed by the HTTP client.
The redis.Cmdable cannot use WithContext, so added the Client interface to handle redis.Client and redis.ClusterClient transparently.

Added handling of Unix signals to http server.

Upgrade go-redis/redis to v7.

* Update dependencies

- Upgrade golang/x/* and google-api-go
- Migrate fsnotify import from gopkg.in to github.com
- Replace bmizerany/assert with stretchr/testify/assert

* add doc for  wrapper interface

* Update CHANGELOG.md

* fix: upgrade fsnotify to v1.4.9

* fix: remove unnessary logging

* fix: wait until  all connections have been closed

* refactor: move chan to main for testing

* add assert to check if stop chan is empty

* add an idiomatic for sync.WaitGroup with timeout
2020-04-04 16:12:38 +01:00
Joel Speed
802754caad
Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:40:10 +01:00
Mitsuo Heijo
362cdf7713
Fix http.Cookie SameSite is not copied. (#450)
* fix: http.Cookie SameSite is not copied.

* Update CHANGELOG.md
2020-03-17 18:48:52 +00:00
Mitsuo Heijo
81b9a63e51
Support Go 1.14 (#419)
* Upgrade base image tags and golangci-lint

* Upgrade golang and golangci-lint in travis-ci

* fix:  tests, pointed out by golangci-lint and format files

* Upgrade dependencies

* update changelog

* fix: tests related to https://github.com/pusher/oauth2_proxy/pull/418

* Separate tests using go version build tags

* Update CHANGELOG

* Revert "Separate tests using go version build tags"

This reverts commit 9b7e65eb90cae954dc7b6316345d3207205d488a.

* fix test to support go1.14 and go1.13

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-03-14 10:14:15 +00:00
Felix Fontein
d934309b44
Add preferred_username support (OIDC provider) (#420)
* Add support for preferred username.

* Add missing TOC entries.

* Add note about preferred_username support.

* Adjust tests.

* Check on not implemented error for GetPreferredUsername() call.

Co-authored-by: Felix Fontein <felix@fontein.de>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-03-01 15:02:51 +00:00
Yan Yao
18d20364a8
Extension of Redis Session Store to Support Redis Cluster (#363)
* Extend the redis session store to support redis cluster

* rename function newRedisClient to newRedisCmdable

* update docs about redis cluster as session store

* update autocomplete script with redis cluster options

* add check about conflict between option redis-use-sentinel and redis-use-cluster

* update change log

* Update docs/configuration/sessions.md

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/sessions/redis/redis_store.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* add the dropped option back

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-06 17:59:12 +00:00
Martin Campbell
d9362d3bb9 Add reverse proxy setting (#331)
* Add reverse proxy setting (#321)
2020-01-24 17:54:13 +00:00
Paul Groudas
5d0827a028 Add configuration for cookie 'SameSite' value.
Values of 'lax' and 'strict' can improve and mitigate
some categories of cross-site traffic tampering.

Given that the nature of this proxy is often to proxy
private tools, this is useful to take advantage of.

See: https://www.owasp.org/index.php/SameSite
2020-01-06 12:21:52 -05:00
Paul Groudas
90f8117fba Fix typos in doc strings. 2019-12-20 11:27:10 -05:00
Lukasz Leszczuk
06a283e581 Fix settings naming 2019-11-12 16:11:27 +01:00
Lukasz Leszczuk
befab0521a log message in case of failure during loading system cert pool 2019-11-12 11:42:49 +01:00
Lukasz Leszczuk
3c10aee62c Code formatting. Add missing CHANGELOG entry. 2019-11-09 13:57:40 +01:00
Lukasz Leszczuk
3f7ed36e46 Add support for Redis with custom CA. 2019-11-08 10:47:18 +01:00
Tom Deadman
35f2ae9a36 Improved request errors (#286)
* worked on wrapping errors in requests.go, added defer statements

* removed .idea (generated by goland)

* added another require.NoError

* Update pkg/requests/requests.go

Co-Authored-By: Dan Bond <pm@danbond.io>

* fixed out-of-order imports

* changelog entry added

* swapped error definitions to use fmt.Errorf rather than Wrap()

* formatting changes, added new defers to requests_test.go

* suppot for go1.12 pipeline removed from travis pipeline, .idea/ added to gitignore

* Reorder changelog entry
2019-10-23 09:55:34 -07:00
Kirill Motkov
e64e6fa514 Some code improvements
* Remove shadowing of predeclared identifier: new.
* strings.ReplaceAll instead of strings.Replace with -1.
* Change strings.ToLower comparison to strings.EqualFold.
* Rewrite if-else-if-else chain as a switch.
2019-10-09 15:44:26 +03:00
Karl Skewes
b57d7f77e1 Use ok naming convention for map presence check 2019-07-16 10:06:29 +12:00
Karl Skewes
289dfce28a logger.go ExcludedPaths changed to slice of paths.
- `logger.go` convert slice of paths to map for quicker lookup
- `options.go` combines csv paths and pingpath into slice
2019-07-16 10:04:09 +12:00
Karl Skewes
08021429ea formatting and extra test
Can probably slim down the `ExcludePath` tests.
2019-07-16 09:43:48 +12:00
Karl Skewes
c4f20fff3d Add exclude logging path option
Useful for excluding /ping endpoint to reduce log volume.
This is somewhat more verbose than a simple bool to disable logging of
the `/ping` endpoint.

Perhaps better to add `-silence-ping-logging` bool flag to `options.go` and
pass in the `/ping` endpoint as part of `logger` declaration in `options.go`.

Could be extended into a slice of paths similar to go-gin's `SkipPaths`:
https://github.com/gin-gonic/gin/blob/master/logger.go#L46
2019-07-16 09:43:47 +12:00
Karl Skewes
ec97000169 Add silence ping logging flag
Add ability to silence logging of requests to /ping endpoint, reducing
log clutter

Pros:
- Don't have to change all handlers to set/not set silent ping logging
- Don't have to duplicate `loggingHandler` (this could be preferable yet)

Cons:
- Leaking oauth2proxy logic into `package logger`
- Defining default pingPath in two locations

Alternative:
- Add generic exclude path to `logger.go` and pass in `/ping`.
2019-07-16 09:42:24 +12:00
Joel Speed
6366690927
Fix gofmt for changed files 2019-06-15 11:34:00 +02:00
Joel Speed
fb9616160e
Move logger to pkg/logger 2019-06-15 11:33:58 +02:00
Joel Speed
d1ef14becc
Move cookie to pkg/encryption 2019-06-15 11:33:57 +02:00
Joel Speed
8027cc454e
Move api to pkg/requests 2019-06-08 07:40:43 +01:00
Joel Speed
4721da02f2 Ensure SessionStores can handle recieving cookies for the wrong implementation
(cherry picked from commit 131206cf41697543583751ac2714287898c19ad0)
2019-06-05 00:11:42 -07:00
Joel Speed
c1ae0ca807 Make sure the cookie exists before we clear the session in redis
(cherry picked from commit 6d7f0ab57d554706425f76aed4df60717dd63ece)
2019-06-05 00:11:42 -07:00
Joel Speed
22199fa417 Fix ticket retrieval with an invalid ticket
(cherry picked from commit 66bbf146ec45d127bdd374120743aeef936894a7)
2019-06-05 00:11:42 -07:00
Joel Speed
3155ada287 Ensure sessions are refreshable in redis session store
(cherry picked from commit 48edce3003d187a3eadc4ea96236845271dd9360)
2019-06-05 00:11:42 -07:00
Joel Speed
2e2327af6c Check SaveSession works when an existing session is present
(cherry picked from commit 9dc1a96d817741632cb476456755a645b732db7d)
2019-06-05 00:11:42 -07:00
Joel Speed
518c1d3e8e Add Redis sentinel compatibility
(cherry picked from commit ff36b61f8cee4ecf0b91a90b5e1b651b526bb6b6)
2019-06-05 00:11:42 -07:00
Joel Speed
4f5dbace9f Refactor persistent tests with more Context 2019-06-05 00:10:51 -07:00
Joel Speed
7e7bfb5daf Stop miniredis after each test 2019-06-05 00:10:51 -07:00
Joel Speed
bc3d75a2ed Run persistent tests with multiple option groups 2019-06-05 00:10:51 -07:00
Joel Speed
42f14a41d9 Clean up persistent SessionStore tests 2019-06-05 00:10:51 -07:00
Joel Speed
a7693cc72a Tranfser all cookies in tests 2019-06-05 00:10:51 -07:00