1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2024-12-02 09:21:48 +02:00
Commit Graph

36 Commits

Author SHA1 Message Date
Nick Meves
b7b7ade7c4
Improve AllowedRoute test table formatting 2020-10-07 10:13:41 -07:00
Nick Meves
fa4ba5e7ea
Convert allowlist validation test to Ginkgo 2020-10-07 10:13:41 -07:00
Nick Meves
183cb124a4
Support HTTP method based allowlists 2020-10-07 10:13:40 -07:00
Mitsuo Heijo
fcb83c48f4
Update go-redis/redis to v8 (#801)
* update go-redis/redis to v8

testify, ginko and gomega have also been updated.

* update changelog

* Update pkg/sessions/redis/redis_store_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-10-07 11:49:27 +01:00
Mitsuo Heijo
3fa42edb73
Fix import path for v7 (#800)
* fix import path for v7

find ./ -name "*.go" | xargs sed -i -e 's|"github.com/oauth2-proxy/oauth2-proxy|"github.com/oauth2-proxy/oauth2-proxy/v7|'

* fix module path

* go mod tidy

* fix installation docs

* update CHANGELOG

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-09-29 17:44:42 +01:00
Nick Meves
6db1aeb9c6
Validate Redis session store health on startup 2020-09-24 10:41:43 -07:00
Stefan Sedich
9d59519a96
Add support to ensure user belongs in required groups when using the OIDC provider 2020-09-21 10:43:54 -07:00
Phil Taprogge
d69fd6af22
Allow Logging to stdout with separate Error Log Channel (#718)
* Add dedicated error logging writer

* Document new errors to stdout flag

* Update changelog

* Thread-safe the log buffer

* Address feedback

* Remove duplication by adding log level

* Clean up error formatting

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-08-10 11:44:08 +01:00
Nick Meves
ad52587ae6
Document GoSec nosec skip comments 2020-08-09 07:55:40 -07:00
Nick Meves
65c228394f
Address gosec findings
Mostly handling unhandled errors appropriately.
If logging to STDERR fails, we panic. Added #nosec
comments to findings we are OK with.
2020-08-09 07:55:39 -07:00
Joel Speed
d43b372ca9
Use bool pointers for upstream options that default to true 2020-07-19 14:01:36 +01:00
Joel Speed
e932381ba7
Add LegacyOptions and conversion to new Options
This will be temporary until we switch to structured config, then we can remove the LegacyOptions and conversions
2020-07-19 08:17:53 +01:00
Nick Meves
bb5977095f
Add option to remove tokens from cookie sessions (#673)
* Add option to remove tokens from cookie sessions

* Move Minimal to be an option on CookieSession

* Add sessionOptionsDefaults helper
2020-07-14 23:02:10 +01:00
Isabelle COWAN-BERGMAN
64ae31b5a0
Implements --trusted-ip option (#552)
* Implements --ip-whitelist option

* Included IPWhitelist option to allow one-or-more selected CIDR ranges
  to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.

* Renamed IPWhitelist ipCIDRSet

* Fixed unessesary pointer usage in ipCIDRSet

* Update CHANGELOG.md

* Update CHANGELOG.md

* Updated to not use err.Error() in printf statements

* Imrpoved language for --ip-whitelist descriptions.

* Improve IP whitelist options error messages

* Clarify options single-host normalization

* Wrote a book about ipCIDRSet

* Added comment to IsWhitelistedIP in oauthproxy.go

* Rewrite oauthproxy test case as table driven

* oops

* Support whitelisting by low-level remote address

* Added more test-cases, improved descriptions

* Move ip_cidr_set.go to pkg/ip/net_set.go

* Add more whitelist test use cases.

* Oops

* Use subtests for TestIPWhitelist

* Add minimal tests for ip.NetSet

* Use switch statment

* Renamed ip-whitelist to whitelist-ip

* Update documentation with a warning.

* Update pkg/apis/options/options.go

* Update CHANGELOG.md

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/ip/net_set_test.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Apply suggestions from code review

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix fmt

* Move ParseIPNet into abstraction

* Add warning in case of --reverse-proxy

* Update pkg/validation/options_test.go

* Rename --whitelist-ip to --trusted-ip

* Update oauthproxy.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* fix

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-11 11:10:58 +01:00
Joel Speed
de9e65a63a
Migrate all requests to result pattern 2020-07-06 20:38:00 +01:00
Joel Speed
53142455b6
Migrate all requests to new builder pattern 2020-07-06 18:31:09 +01:00
Joel Speed
b6b5194190
Add Upstreams options struct with validation 2020-07-05 10:21:05 +01:00
Joel Speed
3e13f3197f
Ensure that cookie names over 256 characters are rejected by validation 2020-07-05 09:18:48 +01:00
Joel Speed
211fd3a010
Rename CookieOptions to Cookie 2020-07-05 09:18:21 +01:00
Joel Speed
285c65a2d4
Add tests for cookie validation
This also removes the check for the decoded from the valid secret size
check. The code was unreachable because encryption.SecretBytes will only
return the decoded secret if it was the right length after decoding.
2020-07-05 09:17:28 +01:00
Joel Speed
900061b88a
Move CookieOptions validation to it's own file 2020-07-05 09:17:28 +01:00
k-wall
b0375e85fa
Fix #635: Support specifying alternative provider TLS trust source(s) (#645)
* Fix #635: Support specifying alternative provider TLS trust source(s)

* Update pkg/apis/options/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Update pkg/validation/options.go

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

* Address review comments

* upd CHANGELOG.md

* refactor test to assert textual subjects + add openssl gen cmd

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-07-03 16:09:17 +01:00
Joel Speed
5ce9e75c21
Initialise Session Storage in NewOAuthProxy instead of validation 2020-06-28 12:32:06 +01:00
Joel Speed
c8dbf1cf60
Move Cipher intialisation to session store initialisation 2020-06-28 12:03:03 +01:00
İlteriş Eroğlu
1b6c54cae1
Change how gitlab-group is parsed on options (#639)
* Changed how gitlab-group is parsed, from string to []string

See #637

* Point out that gitlab-group can be a list

See #637

* Reflect to the []string change on pkg/apis/options/options.go

See #637

* Move cfg option gitlab_group to gitlab_groups

See #637

* Renamed Group to Groups

See #637

* Reflect the change on gitlab.go as well

See #637

* Added #639

* Added the author of #639 to the CHANGELOG

* Add the gitlab_groups env change to CHANGELOG.md

See #639

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-26 23:26:07 +01:00
Nick Meves
788d8ecc1b
Verify main v extra JWT bearers differently
When using the configured provider JWT Verifier, it makes
sense to use the provider `CreateSessionStateFromBearerToken`
method. For any extra JWT Issuers, they should use a generic
default verifier.
2020-06-19 11:47:36 -07:00
Joel Speed
9bbd6adce9
Integrate HealthCheck middleware 2020-06-14 21:05:17 +01:00
Nick Meves
ce2e92bc57
Improve design of Base64Cipher wrapping other ciphers.
Have it take in a cipher init function as an argument.
Remove the confusing `newCipher` method that matched legacy behavior
and returns a Base64Cipher(CFBCipher) -- instead explicitly ask for
that in the uses.
2020-06-12 14:36:58 -07:00
Nick Meves
f7cca1d0b3
Refactor encryption.Cipher to be an Encrypt/Decrypt Interface
All Encrypt/Decrypt Cipher implementations will now take
and return []byte to set up usage in future binary compatible
encoding schemes to fix issues with bloat encrypting to strings
(which requires base64ing adding 33% size)
2020-06-12 14:36:58 -07:00
Yoshiki Nakagawa
d8d43bb51b
Support new option "github-user" (#421)
* feat(github): support new option "github-user"

* feat(github): rename github-user to github-users

* feat(github): update docs for github-users option

* feat(github): remove unneeded code

* feat(github): remove logging

* feat(github-user): use github-user as flagset options

* feat(github-user): remove optionns.go

* feat(github-user): add github-user flagset

* feat(github): improve readability in the docs

* feat(github-user): refactored SetUsers method

* Update flag description

Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
2020-06-01 20:02:07 +01:00
Joel Speed
94e31f8b65
Ensure exclude-logging-paths is consistent with other options 2020-05-31 14:09:28 +01:00
Joel Speed
3cbac6122d
Move configuration of logger to separate file 2020-05-31 14:08:00 +01:00
Joel Speed
3afcadae76
Move logging options to a struct 2020-05-31 14:08:00 +01:00
Timo Beckers
276d1c6f19
Always encrypt sessions regardless of configuration 2020-05-24 21:23:04 +01:00
Joel Speed
cce2c680d8
Move RealClientIP code to IP packages 2020-05-23 15:17:41 +01:00
Joel Speed
44b27e0208
Move Options and Validation to package 2020-05-21 22:43:42 +01:00