mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-06-15 00:15:00 +02:00
Commit Graph

45 Commits

Author SHA1 Message Date
d43b372ca9 Use bool pointers for upstream options that default to true 2020-07-19 14:01:36 +01:00
71dc70222b Break legacy upstream options into LegacyUpstreams struct 2020-07-19 14:01:36 +01:00
e932381ba7 Add LegacyOptions and conversion to new Options
This will be temporary until we switch to structured config; then we can remove the LegacyOptions and conversions
2020-07-19 08:17:53 +01:00
abeb0236d8 Strip X-Forwarded auth headers from whitelisted paths (#624)
* Strip X-Forwarded auth headers from whitelisted paths

For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injection
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with the --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).

Only X-Forwarded headers are stripped; the Authorization header is left
untouched.

* Strip authorization header if it would be set

* Improve TestStripAuthHeaders test table

* Improve --skip-auth-strip-headers flag documentation
2020-07-14 23:46:44 +01:00
bb5977095f Add option to remove tokens from cookie sessions (#673)
* Add option to remove tokens from cookie sessions

* Move Minimal to be an option on CookieSession

* Add sessionOptionsDefaults helper
2020-07-14 23:02:10 +01:00
64ae31b5a0 Implements --trusted-ip option (#552)
* Implements --ip-whitelist option

* Included IPWhitelist option to allow one-or-more selected CIDR ranges
  to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.

* Renamed IPWhitelist ipCIDRSet

* Fixed unnecessary pointer usage in ipCIDRSet

* Update CHANGELOG.md

* Update CHANGELOG.md

* Updated to not use err.Error() in printf statements

* Improved language for --ip-whitelist descriptions.

* Improve IP whitelist options error messages

* Clarify options single-host normalization

* Wrote a book about ipCIDRSet

* Added comment to IsWhitelistedIP in oauthproxy.go

* Rewrite oauthproxy test case as table driven

* oops

* Support whitelisting by low-level remote address

* Added more test-cases, improved descriptions

* Move ip_cidr_set.go to pkg/ip/net_set.go

* Add more whitelist test use cases.

* Oops

* Use subtests for TestIPWhitelist

* Add minimal tests for ip.NetSet

* Use switch statement

* Renamed ip-whitelist to whitelist-ip

* Update documentation with a warning.

* Update pkg/apis/options/options.go

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix fmt

* Move ParseIPNet into abstraction

* Add warning in case of --reverse-proxy

* Update pkg/validation/options_test.go

* Rename --whitelist-ip to --trusted-ip

* Update oauthproxy.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-11 11:10:58 +01:00
b6b5194190 Add Upstreams options struct with validation 2020-07-05 10:21:05 +01:00
211fd3a010 Rename CookieOptions to Cookie 2020-07-05 09:18:21 +01:00
b3ba2594c6 Create Cookie FlagSet and Defaults 2020-07-05 09:17:28 +01:00
b0375e85fa Fix #635: Support specifying alternative provider TLS trust source(s) (#645)
* Fix #635: Support specifying alternative provider TLS trust source(s)

* Update pkg/apis/options/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/validation/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address review comments

* upd CHANGELOG.md

* refactor test to assert textual subjects + add openssl gen cmd

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-03 16:09:17 +01:00
5ce9e75c21 Initialise Session Storage in NewOAuthProxy instead of validation 2020-06-28 12:32:06 +01:00
c8dbf1cf60 Move Cipher initialisation to session store initialisation 2020-06-28 12:03:03 +01:00
1b6c54cae1 Change how gitlab-group is parsed on options (#639)
* Changed how gitlab-group is parsed, from string to []string

See #637

* Point out that gitlab-group can be a list

See #637

* Reflect to the []string change on pkg/apis/options/options.go

See #637

* Move cfg option gitlab_group to gitlab_groups

See #637

* Renamed Group to Groups

See #637

* Reflect the change on gitlab.go as well

See #637

* Added #639

* Added the author of #639 to the CHANGELOG

* Add the gitlab_groups env change to CHANGELOG.md

See #639

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-26 23:26:07 +01:00
e43c65cc76 Fix SessionOptions struct spacing 2020-06-12 14:37:00 -07:00
f7cca1d0b3 Refactor encryption.Cipher to be an Encrypt/Decrypt Interface
All Encrypt/Decrypt Cipher implementations will now take
and return []byte to set up usage in future binary-compatible
encoding schemes, to fix issues with bloat when encrypting to strings
(which requires base64 encoding, adding 33% to the size)
2020-06-12 14:36:58 -07:00
2c851fcd4f Allow a health/ping request to be identified by User-Agent (#567)
* Add an option to allow health checks based on User-Agent.

* Formatting fix

* Rename field and avoid unnecessary interface.

* Skip the redirect fix so it can be put into a different PR.

* Add CHANGELOG entry

* Adding a couple tests for the PingUserAgent option.
2020-06-12 14:56:31 +01:00
d8d43bb51b Support new option "github-user" (#421)
* feat(github): support new option "github-user"

* feat(github): rename github-user to github-users

* feat(github): update docs for github-users option

* feat(github): remove unneeded code

* feat(github): remove logging

* feat(github-user): use github-user as flagset options

* feat(github-user): remove optionns.go

* feat(github-user): add github-user flagset

* feat(github): improve readability in the docs

* feat(github-user): refactored SetUsers method

* Update flag description

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-01 20:02:07 +01:00
94e31f8b65 Ensure exclude-logging-paths is consistent with other options 2020-05-31 14:09:28 +01:00
bbc4eee17e Create Logging FlagSet and Default 2020-05-31 14:08:00 +01:00
3afcadae76 Move logging options to a struct 2020-05-31 14:08:00 +01:00
810a9e9967 Rename cookie-domain config to cookie-domains (#559)
Co-authored-by: Henry Jenkins <henry@henryjenkins.name>
2020-05-24 20:19:56 +01:00
cce2c680d8 Move RealClientIP code to IP packages 2020-05-23 15:17:41 +01:00
c3f9cbeb3d Remove Env tags from Cookie and Session Options 2020-05-21 22:43:42 +01:00
189ed4de8f Move FlagSet to Options package 2020-05-21 22:43:42 +01:00
1fd4ebe546 Remove Env tags from Options 2020-05-21 22:43:42 +01:00
44b27e0208 Move Options and Validation to package 2020-05-21 22:43:42 +01:00
00fed1a31f Return an error when unknown options are found in the config file 2020-04-29 20:00:16 +01:00
c5be09ca48 Replace options loading with viper 2020-04-29 19:51:24 +01:00
8749cbb424 Add Viper based config loader 2020-04-29 19:51:24 +01:00
e49f8542bc Rename Session Options to improve structure 2020-04-29 19:51:24 +01:00
458710149c Rename Cookie Options to remove extra 'Cookie' 2020-04-29 19:51:24 +01:00
a659b9558e Allow multiple cookie domains to be specified (#412)
* Allow multiple cookie domains to be specified

* Use X-Forwarded-Host, if it exists, when selecting cookie domain

* Perform cookie domain sorting in config validation phase

* Extract get domain cookies to a single function

* Update pkg/cookies/cookies.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update changelog

Co-authored-by: Marcos Lilljedahl <marcosnils@gmail.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-04-12 12:00:44 +01:00
802754caad Migrate to oauth2-proxy/oauth2-proxy 2020-03-29 15:40:10 +01:00
18d20364a8 Extension of Redis Session Store to Support Redis Cluster (#363)
* Extend the redis session store to support redis cluster

* rename function newRedisClient to newRedisCmdable

* update docs about redis cluster as session store

* update autocomplete script with redis cluster options

* add check about conflict between option redis-use-sentinel and redis-use-cluster

* update change log

* Update docs/configuration/sessions.md

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/sessions/redis/redis_store.go

Co-Authored-By: Joel Speed <Joel.speed@hotmail.co.uk>

* add the dropped option back

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-02-06 17:59:12 +00:00
5d0827a028 Add configuration for cookie 'SameSite' value.
Values of 'lax' and 'strict' can improve and mitigate
some categories of cross-site traffic tampering.

Given that the nature of this proxy is often to proxy
private tools, this is useful to take advantage of.

See: https://www.owasp.org/index.php/SameSite
2020-01-06 12:21:52 -05:00
06a283e581 Fix settings naming 2019-11-12 16:11:27 +01:00
3f7ed36e46 Add support for Redis with custom CA. 2019-11-08 10:47:18 +01:00
d1ef14becc Move cookie to pkg/encryption 2019-06-15 11:33:57 +02:00
518c1d3e8e Add Redis sentinel compatibility
(cherry picked from commit ff36b61f8cee4ecf0b91a90b5e1b651b526bb6b6)
2019-06-05 00:11:42 -07:00
130d03758d Fix comments on Redis options 2019-06-05 00:10:51 -07:00
b1bd3280db Add support for a redis session store 2019-06-05 00:10:51 -07:00
093f9da881 Move cipher creation to options and away from oauth2_proxy.go 2019-05-20 11:26:13 +02:00
fbee5eae16 Initialise SessionStore in Options 2019-05-20 11:26:04 +02:00
6d162a1d78 Define session options and cookie session store types 2019-05-18 13:10:01 +02:00
fd6655411b Move cookie configuration to separate package 2019-05-18 13:09:59 +02:00