mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2025-04-23 12:18:50 +02:00
25371ea4af
* implementation draft * add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options * refactor configs, added logging and add additional claim verification * simplify logic by just having one configuration similar to oidc-email-claim * added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers * refactored verification to reduce complexity * refactored verification to reduce complexity * added docs * adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options * extend unit tests and ensure that audience is set with the value of aud claim configuration * revert filemodes and update docs * update docs * remove unneccesary logging, refactor audience existence check and added additional unit tests * fix linting issues after rebase on origin/main * cleanup: use new imports for migrated libraries after rebase on origin/main * adapt mock in keycloak_oidc_test.go * allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation * fixed formatting issue * do not pass the whole options struct to minimize complexity and dependency to the configuration structure * added changelog entry * update docs Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com> Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
716 lines
26 KiB
Go
716 lines
26 KiB
Go
package options
|
|
|
|
import (
|
|
"fmt"
|
|
"net/url"
|
|
"strconv"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/providers"
|
|
"github.com/spf13/pflag"
|
|
)
|
|
|
|
type LegacyOptions struct {
|
|
// Legacy options related to upstream servers
|
|
LegacyUpstreams LegacyUpstreams `cfg:",squash"`
|
|
|
|
// Legacy options for injecting request/response headers
|
|
LegacyHeaders LegacyHeaders `cfg:",squash"`
|
|
|
|
// Legacy options for the server address and TLS
|
|
LegacyServer LegacyServer `cfg:",squash"`
|
|
|
|
// Legacy options for single provider
|
|
LegacyProvider LegacyProvider `cfg:",squash"`
|
|
|
|
Options Options `cfg:",squash"`
|
|
}
|
|
|
|
func NewLegacyOptions() *LegacyOptions {
|
|
return &LegacyOptions{
|
|
LegacyUpstreams: LegacyUpstreams{
|
|
PassHostHeader: true,
|
|
ProxyWebSockets: true,
|
|
FlushInterval: DefaultUpstreamFlushInterval,
|
|
},
|
|
|
|
LegacyHeaders: LegacyHeaders{
|
|
PassBasicAuth: true,
|
|
PassUserHeaders: true,
|
|
SkipAuthStripHeaders: true,
|
|
},
|
|
|
|
LegacyServer: LegacyServer{
|
|
HTTPAddress: "127.0.0.1:4180",
|
|
HTTPSAddress: ":443",
|
|
},
|
|
|
|
LegacyProvider: LegacyProvider{
|
|
ProviderType: "google",
|
|
AzureTenant: "common",
|
|
ApprovalPrompt: "force",
|
|
UserIDClaim: "email",
|
|
OIDCEmailClaim: "email",
|
|
OIDCGroupsClaim: "groups",
|
|
OIDCAudienceClaims: []string{"aud"},
|
|
OIDCExtraAudiences: []string{},
|
|
InsecureOIDCSkipNonce: true,
|
|
},
|
|
|
|
Options: *NewOptions(),
|
|
}
|
|
}
|
|
|
|
func NewLegacyFlagSet() *pflag.FlagSet {
|
|
flagSet := NewFlagSet()
|
|
|
|
flagSet.AddFlagSet(legacyUpstreamsFlagSet())
|
|
flagSet.AddFlagSet(legacyHeadersFlagSet())
|
|
flagSet.AddFlagSet(legacyServerFlagset())
|
|
flagSet.AddFlagSet(legacyProviderFlagSet())
|
|
|
|
return flagSet
|
|
}
|
|
|
|
func (l *LegacyOptions) ToOptions() (*Options, error) {
|
|
upstreams, err := l.LegacyUpstreams.convert()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error converting upstreams: %v", err)
|
|
}
|
|
l.Options.UpstreamServers = upstreams
|
|
|
|
l.Options.InjectRequestHeaders, l.Options.InjectResponseHeaders = l.LegacyHeaders.convert()
|
|
|
|
l.Options.Server, l.Options.MetricsServer = l.LegacyServer.convert()
|
|
|
|
l.Options.LegacyPreferEmailToUser = l.LegacyHeaders.PreferEmailToUser
|
|
|
|
providers, err := l.LegacyProvider.convert()
|
|
if err != nil {
|
|
return nil, fmt.Errorf("error converting provider: %v", err)
|
|
}
|
|
l.Options.Providers = providers
|
|
|
|
return &l.Options, nil
|
|
}
|
|
|
|
type LegacyUpstreams struct {
|
|
FlushInterval time.Duration `flag:"flush-interval" cfg:"flush_interval"`
|
|
PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header"`
|
|
ProxyWebSockets bool `flag:"proxy-websockets" cfg:"proxy_websockets"`
|
|
SSLUpstreamInsecureSkipVerify bool `flag:"ssl-upstream-insecure-skip-verify" cfg:"ssl_upstream_insecure_skip_verify"`
|
|
Upstreams []string `flag:"upstream" cfg:"upstreams"`
|
|
}
|
|
|
|
func legacyUpstreamsFlagSet() *pflag.FlagSet {
|
|
flagSet := pflag.NewFlagSet("upstreams", pflag.ExitOnError)
|
|
|
|
flagSet.Duration("flush-interval", DefaultUpstreamFlushInterval, "period between response flushing when streaming responses")
|
|
flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
|
|
flagSet.Bool("proxy-websockets", true, "enables WebSocket proxying")
|
|
flagSet.Bool("ssl-upstream-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS upstreams")
|
|
flagSet.StringSlice("upstream", []string{}, "the http url(s) of the upstream endpoint, file:// paths for static files or static://<status_code> for static response. Routing is based on the path")
|
|
|
|
return flagSet
|
|
}
|
|
|
|
func (l *LegacyUpstreams) convert() (UpstreamConfig, error) {
|
|
upstreams := UpstreamConfig{}
|
|
|
|
for _, upstreamString := range l.Upstreams {
|
|
u, err := url.Parse(upstreamString)
|
|
if err != nil {
|
|
return UpstreamConfig{}, fmt.Errorf("could not parse upstream %q: %v", upstreamString, err)
|
|
}
|
|
|
|
if u.Path == "" {
|
|
u.Path = "/"
|
|
}
|
|
|
|
flushInterval := Duration(l.FlushInterval)
|
|
upstream := Upstream{
|
|
ID: u.Path,
|
|
Path: u.Path,
|
|
URI: upstreamString,
|
|
InsecureSkipTLSVerify: l.SSLUpstreamInsecureSkipVerify,
|
|
PassHostHeader: &l.PassHostHeader,
|
|
ProxyWebSockets: &l.ProxyWebSockets,
|
|
FlushInterval: &flushInterval,
|
|
}
|
|
|
|
switch u.Scheme {
|
|
case "file":
|
|
if u.Fragment != "" {
|
|
upstream.ID = u.Fragment
|
|
upstream.Path = u.Fragment
|
|
// Trim the fragment from the end of the URI
|
|
upstream.URI = strings.SplitN(upstreamString, "#", 2)[0]
|
|
}
|
|
case "static":
|
|
responseCode, err := strconv.Atoi(u.Host)
|
|
if err != nil {
|
|
logger.Errorf("unable to convert %q to int, use default \"200\"", u.Host)
|
|
responseCode = 200
|
|
}
|
|
upstream.Static = true
|
|
upstream.StaticCode = &responseCode
|
|
|
|
// This is not allowed to be empty and must be unique
|
|
upstream.ID = upstreamString
|
|
|
|
// We only support the root path in the legacy config
|
|
upstream.Path = "/"
|
|
|
|
// Force defaults compatible with static responses
|
|
upstream.URI = ""
|
|
upstream.InsecureSkipTLSVerify = false
|
|
upstream.PassHostHeader = nil
|
|
upstream.ProxyWebSockets = nil
|
|
upstream.FlushInterval = nil
|
|
}
|
|
|
|
upstreams.Upstreams = append(upstreams.Upstreams, upstream)
|
|
}
|
|
|
|
return upstreams, nil
|
|
}
|
|
|
|
type LegacyHeaders struct {
|
|
PassBasicAuth bool `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
|
|
PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token"`
|
|
PassUserHeaders bool `flag:"pass-user-headers" cfg:"pass_user_headers"`
|
|
PassAuthorization bool `flag:"pass-authorization-header" cfg:"pass_authorization_header"`
|
|
|
|
SetBasicAuth bool `flag:"set-basic-auth" cfg:"set_basic_auth"`
|
|
SetXAuthRequest bool `flag:"set-xauthrequest" cfg:"set_xauthrequest"`
|
|
SetAuthorization bool `flag:"set-authorization-header" cfg:"set_authorization_header"`
|
|
|
|
PreferEmailToUser bool `flag:"prefer-email-to-user" cfg:"prefer_email_to_user"`
|
|
BasicAuthPassword string `flag:"basic-auth-password" cfg:"basic_auth_password"`
|
|
SkipAuthStripHeaders bool `flag:"skip-auth-strip-headers" cfg:"skip_auth_strip_headers"`
|
|
}
|
|
|
|
func legacyHeadersFlagSet() *pflag.FlagSet {
|
|
flagSet := pflag.NewFlagSet("headers", pflag.ExitOnError)
|
|
|
|
flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
|
|
flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
|
|
flagSet.Bool("pass-user-headers", true, "pass X-Forwarded-User and X-Forwarded-Email information to upstream")
|
|
flagSet.Bool("pass-authorization-header", false, "pass the Authorization Header to upstream")
|
|
|
|
flagSet.Bool("set-basic-auth", false, "set HTTP Basic Auth information in response (useful in Nginx auth_request mode)")
|
|
flagSet.Bool("set-xauthrequest", false, "set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)")
|
|
flagSet.Bool("set-authorization-header", false, "set Authorization response headers (useful in Nginx auth_request mode)")
|
|
|
|
flagSet.Bool("prefer-email-to-user", false, "Prefer to use the Email address as the Username when passing information to upstream. Will only use Username if Email is unavailable, eg. htaccess authentication. Used in conjunction with -pass-basic-auth and -pass-user-headers")
|
|
flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
|
|
flagSet.Bool("skip-auth-strip-headers", true, "strips X-Forwarded-* style authentication headers & Authorization header if they would be set by oauth2-proxy")
|
|
|
|
return flagSet
|
|
}
|
|
|
|
// convert takes the legacy request/response headers and converts them to
|
|
// the new format for InjectRequestHeaders and InjectResponseHeaders
|
|
func (l *LegacyHeaders) convert() ([]Header, []Header) {
|
|
return l.getRequestHeaders(), l.getResponseHeaders()
|
|
}
|
|
|
|
func (l *LegacyHeaders) getRequestHeaders() []Header {
|
|
requestHeaders := []Header{}
|
|
|
|
if l.PassBasicAuth && l.BasicAuthPassword != "" {
|
|
requestHeaders = append(requestHeaders, getBasicAuthHeader(l.PreferEmailToUser, l.BasicAuthPassword))
|
|
}
|
|
|
|
// In the old implementation, PassUserHeaders is a subset of PassBasicAuth
|
|
if l.PassBasicAuth || l.PassUserHeaders {
|
|
requestHeaders = append(requestHeaders, getPassUserHeaders(l.PreferEmailToUser)...)
|
|
requestHeaders = append(requestHeaders, getPreferredUsernameHeader())
|
|
}
|
|
|
|
if l.PassAccessToken {
|
|
requestHeaders = append(requestHeaders, getPassAccessTokenHeader())
|
|
}
|
|
|
|
if l.PassAuthorization {
|
|
requestHeaders = append(requestHeaders, getAuthorizationHeader())
|
|
}
|
|
|
|
for i := range requestHeaders {
|
|
requestHeaders[i].PreserveRequestValue = !l.SkipAuthStripHeaders
|
|
}
|
|
|
|
return requestHeaders
|
|
}
|
|
|
|
func (l *LegacyHeaders) getResponseHeaders() []Header {
|
|
responseHeaders := []Header{}
|
|
|
|
if l.SetXAuthRequest {
|
|
responseHeaders = append(responseHeaders, getXAuthRequestHeaders()...)
|
|
if l.PassAccessToken {
|
|
responseHeaders = append(responseHeaders, getXAuthRequestAccessTokenHeader())
|
|
}
|
|
}
|
|
|
|
if l.SetBasicAuth {
|
|
responseHeaders = append(responseHeaders, getBasicAuthHeader(l.PreferEmailToUser, l.BasicAuthPassword))
|
|
}
|
|
|
|
if l.SetAuthorization {
|
|
responseHeaders = append(responseHeaders, getAuthorizationHeader())
|
|
}
|
|
|
|
return responseHeaders
|
|
}
|
|
|
|
func getBasicAuthHeader(preferEmailToUser bool, basicAuthPassword string) Header {
|
|
claim := "user"
|
|
if preferEmailToUser {
|
|
claim = "email"
|
|
}
|
|
|
|
return Header{
|
|
Name: "Authorization",
|
|
Values: []HeaderValue{
|
|
{
|
|
ClaimSource: &ClaimSource{
|
|
Claim: claim,
|
|
Prefix: "Basic ",
|
|
BasicAuthPassword: &SecretSource{
|
|
Value: []byte(basicAuthPassword),
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func getPassUserHeaders(preferEmailToUser bool) []Header {
|
|
headers := []Header{
|
|
{
|
|
Name: "X-Forwarded-Groups",
|
|
Values: []HeaderValue{
|
|
{
|
|
ClaimSource: &ClaimSource{
|
|
Claim: "groups",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
if preferEmailToUser {
|
|
return append(headers,
|
|
Header{
|
|
Name: "X-Forwarded-User",
|
|
Values: []HeaderValue{
|
|
{
|
|
ClaimSource: &ClaimSource{
|
|
Claim: "email",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
)
|
|
}
|
|
|
|
return append(headers,
|
|
Header{
|
|
Name: "X-Forwarded-User",
|
|
Values: []HeaderValue{
|
|
{
|
|
ClaimSource: &ClaimSource{
|
|
Claim: "user",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
Header{
|
|
Name: "X-Forwarded-Email",
|
|
Values: []HeaderValue{
|
|
{
|
|
ClaimSource: &ClaimSource{
|
|
Claim: "email",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
)
|
|
}
|
|
|
|
func getPassAccessTokenHeader() Header {
|
|
return Header{
|
|
Name: "X-Forwarded-Access-Token",
|
|
Values: []HeaderValue{
|
|
{
|
|
ClaimSource: &ClaimSource{
|
|
Claim: "access_token",
|
|
},
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func getAuthorizationHeader() Header {
|
|
return Header{
|
|
Name: "Authorization",
|
|
Values: []HeaderValue{
|
|
{
|
|
ClaimSource: &ClaimSource{
|
|
Claim: "id_token",
|
|
Prefix: "Bearer ",
|
|
},
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func getPreferredUsernameHeader() Header {
|
|
return Header{
|
|
Name: "X-Forwarded-Preferred-Username",
|
|
Values: []HeaderValue{
|
|
{
|
|
ClaimSource: &ClaimSource{
|
|
Claim: "preferred_username",
|
|
},
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
func getXAuthRequestHeaders() []Header {
|
|
headers := []Header{
|
|
{
|
|
Name: "X-Auth-Request-User",
|
|
Values: []HeaderValue{
|
|
{
|
|
ClaimSource: &ClaimSource{
|
|
Claim: "user",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: "X-Auth-Request-Email",
|
|
Values: []HeaderValue{
|
|
{
|
|
ClaimSource: &ClaimSource{
|
|
Claim: "email",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: "X-Auth-Request-Preferred-Username",
|
|
Values: []HeaderValue{
|
|
{
|
|
ClaimSource: &ClaimSource{
|
|
Claim: "preferred_username",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
{
|
|
Name: "X-Auth-Request-Groups",
|
|
Values: []HeaderValue{
|
|
{
|
|
ClaimSource: &ClaimSource{
|
|
Claim: "groups",
|
|
},
|
|
},
|
|
},
|
|
},
|
|
}
|
|
|
|
return headers
|
|
}
|
|
|
|
func getXAuthRequestAccessTokenHeader() Header {
|
|
return Header{
|
|
Name: "X-Auth-Request-Access-Token",
|
|
Values: []HeaderValue{
|
|
{
|
|
ClaimSource: &ClaimSource{
|
|
Claim: "access_token",
|
|
},
|
|
},
|
|
},
|
|
}
|
|
}
|
|
|
|
type LegacyServer struct {
|
|
MetricsAddress string `flag:"metrics-address" cfg:"metrics_address"`
|
|
MetricsSecureAddress string `flag:"metrics-secure-address" cfg:"metrics_secure_address"`
|
|
MetricsTLSCertFile string `flag:"metrics-tls-cert-file" cfg:"metrics_tls_cert_file"`
|
|
MetricsTLSKeyFile string `flag:"metrics-tls-key-file" cfg:"metrics_tls_key_file"`
|
|
HTTPAddress string `flag:"http-address" cfg:"http_address"`
|
|
HTTPSAddress string `flag:"https-address" cfg:"https_address"`
|
|
TLSCertFile string `flag:"tls-cert-file" cfg:"tls_cert_file"`
|
|
TLSKeyFile string `flag:"tls-key-file" cfg:"tls_key_file"`
|
|
TLSMinVersion string `flag:"tls-min-version" cfg:"tls_min_version"`
|
|
}
|
|
|
|
func legacyServerFlagset() *pflag.FlagSet {
|
|
flagSet := pflag.NewFlagSet("server", pflag.ExitOnError)
|
|
|
|
flagSet.String("metrics-address", "", "the address /metrics will be served on (e.g. \":9100\")")
|
|
flagSet.String("metrics-secure-address", "", "the address /metrics will be served on for HTTPS clients (e.g. \":9100\")")
|
|
flagSet.String("metrics-tls-cert-file", "", "path to certificate file for secure metrics server")
|
|
flagSet.String("metrics-tls-key-file", "", "path to private key file for secure metrics server")
|
|
flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")
|
|
flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients")
|
|
flagSet.String("tls-cert-file", "", "path to certificate file")
|
|
flagSet.String("tls-key-file", "", "path to private key file")
|
|
flagSet.String("tls-min-version", "", "minimal TLS version for HTTPS clients (either \"TLS1.2\" or \"TLS1.3\")")
|
|
|
|
return flagSet
|
|
}
|
|
|
|
type LegacyProvider struct {
|
|
ClientID string `flag:"client-id" cfg:"client_id"`
|
|
ClientSecret string `flag:"client-secret" cfg:"client_secret"`
|
|
ClientSecretFile string `flag:"client-secret-file" cfg:"client_secret_file"`
|
|
|
|
KeycloakGroups []string `flag:"keycloak-group" cfg:"keycloak_groups"`
|
|
AzureTenant string `flag:"azure-tenant" cfg:"azure_tenant"`
|
|
BitbucketTeam string `flag:"bitbucket-team" cfg:"bitbucket_team"`
|
|
BitbucketRepository string `flag:"bitbucket-repository" cfg:"bitbucket_repository"`
|
|
GitHubOrg string `flag:"github-org" cfg:"github_org"`
|
|
GitHubTeam string `flag:"github-team" cfg:"github_team"`
|
|
GitHubRepo string `flag:"github-repo" cfg:"github_repo"`
|
|
GitHubToken string `flag:"github-token" cfg:"github_token"`
|
|
GitHubUsers []string `flag:"github-user" cfg:"github_users"`
|
|
GitLabGroup []string `flag:"gitlab-group" cfg:"gitlab_groups"`
|
|
GitLabProjects []string `flag:"gitlab-project" cfg:"gitlab_projects"`
|
|
GoogleGroups []string `flag:"google-group" cfg:"google_group"`
|
|
GoogleAdminEmail string `flag:"google-admin-email" cfg:"google_admin_email"`
|
|
GoogleServiceAccountJSON string `flag:"google-service-account-json" cfg:"google_service_account_json"`
|
|
|
|
// These options allow for other providers besides Google, with
|
|
// potential overrides.
|
|
ProviderType string `flag:"provider" cfg:"provider"`
|
|
ProviderName string `flag:"provider-display-name" cfg:"provider_display_name"`
|
|
ProviderCAFiles []string `flag:"provider-ca-file" cfg:"provider_ca_files"`
|
|
OIDCIssuerURL string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url"`
|
|
InsecureOIDCAllowUnverifiedEmail bool `flag:"insecure-oidc-allow-unverified-email" cfg:"insecure_oidc_allow_unverified_email"`
|
|
InsecureOIDCSkipIssuerVerification bool `flag:"insecure-oidc-skip-issuer-verification" cfg:"insecure_oidc_skip_issuer_verification"`
|
|
InsecureOIDCSkipNonce bool `flag:"insecure-oidc-skip-nonce" cfg:"insecure_oidc_skip_nonce"`
|
|
SkipOIDCDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery"`
|
|
OIDCJwksURL string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url"`
|
|
OIDCEmailClaim string `flag:"oidc-email-claim" cfg:"oidc_email_claim"`
|
|
OIDCGroupsClaim string `flag:"oidc-groups-claim" cfg:"oidc_groups_claim"`
|
|
OIDCAudienceClaims []string `flag:"oidc-audience-claim" cfg:"oidc_audience_claims"`
|
|
OIDCExtraAudiences []string `flag:"oidc-extra-audience" cfg:"oidc_extra_audiences"`
|
|
LoginURL string `flag:"login-url" cfg:"login_url"`
|
|
RedeemURL string `flag:"redeem-url" cfg:"redeem_url"`
|
|
ProfileURL string `flag:"profile-url" cfg:"profile_url"`
|
|
ProtectedResource string `flag:"resource" cfg:"resource"`
|
|
ValidateURL string `flag:"validate-url" cfg:"validate_url"`
|
|
Scope string `flag:"scope" cfg:"scope"`
|
|
Prompt string `flag:"prompt" cfg:"prompt"`
|
|
ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt"` // Deprecated by OIDC 1.0
|
|
UserIDClaim string `flag:"user-id-claim" cfg:"user_id_claim"`
|
|
AllowedGroups []string `flag:"allowed-group" cfg:"allowed_groups"`
|
|
AllowedRoles []string `flag:"allowed-role" cfg:"allowed_roles"`
|
|
|
|
AcrValues string `flag:"acr-values" cfg:"acr_values"`
|
|
JWTKey string `flag:"jwt-key" cfg:"jwt_key"`
|
|
JWTKeyFile string `flag:"jwt-key-file" cfg:"jwt_key_file"`
|
|
PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url"`
|
|
}
|
|
|
|
func legacyProviderFlagSet() *pflag.FlagSet {
|
|
flagSet := pflag.NewFlagSet("provider", pflag.ExitOnError)
|
|
|
|
flagSet.StringSlice("keycloak-group", []string{}, "restrict logins to members of these groups (may be given multiple times)")
|
|
flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
|
|
flagSet.String("bitbucket-team", "", "restrict logins to members of this team")
|
|
flagSet.String("bitbucket-repository", "", "restrict logins to user with access to this repository")
|
|
flagSet.String("github-org", "", "restrict logins to members of this organisation")
|
|
flagSet.String("github-team", "", "restrict logins to members of this team")
|
|
flagSet.String("github-repo", "", "restrict logins to collaborators of this repository")
|
|
flagSet.String("github-token", "", "the token to use when verifying repository collaborators (must have push access to the repository)")
|
|
flagSet.StringSlice("github-user", []string{}, "allow users with these usernames to login even if they do not belong to the specified org and team or collaborators (may be given multiple times)")
|
|
flagSet.StringSlice("gitlab-group", []string{}, "restrict logins to members of this group (may be given multiple times)")
|
|
flagSet.StringSlice("gitlab-project", []string{}, "restrict logins to members of this project (may be given multiple times) (eg `group/project=accesslevel`). Access level should be a value matching Gitlab access levels (see https://docs.gitlab.com/ee/api/members.html#valid-access-levels), defaulted to 20 if absent")
|
|
flagSet.StringSlice("google-group", []string{}, "restrict logins to members of this google group (may be given multiple times).")
|
|
flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls")
|
|
flagSet.String("google-service-account-json", "", "the path to the service account json credentials")
|
|
flagSet.String("client-id", "", "the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")
|
|
flagSet.String("client-secret", "", "the OAuth Client Secret")
|
|
flagSet.String("client-secret-file", "", "the file with OAuth Client Secret")
|
|
|
|
flagSet.String("provider", "google", "OAuth provider")
|
|
flagSet.String("provider-display-name", "", "Provider display name")
|
|
flagSet.StringSlice("provider-ca-file", []string{}, "One or more paths to CA certificates that should be used when connecting to the provider. If not specified, the default Go trust sources are used instead.")
|
|
flagSet.String("oidc-issuer-url", "", "OpenID Connect issuer URL (ie: https://accounts.google.com)")
|
|
flagSet.Bool("insecure-oidc-allow-unverified-email", false, "Don't fail if an email address in an id_token is not verified")
|
|
flagSet.Bool("insecure-oidc-skip-issuer-verification", false, "Do not verify if issuer matches OIDC discovery URL")
|
|
flagSet.Bool("insecure-oidc-skip-nonce", true, "skip verifying the OIDC ID Token's nonce claim")
|
|
flagSet.Bool("skip-oidc-discovery", false, "Skip OIDC discovery and use manually supplied Endpoints")
|
|
flagSet.String("oidc-jwks-url", "", "OpenID Connect JWKS URL (ie: https://www.googleapis.com/oauth2/v3/certs)")
|
|
flagSet.String("oidc-groups-claim", providers.OIDCGroupsClaim, "which OIDC claim contains the user groups")
|
|
flagSet.String("oidc-email-claim", providers.OIDCEmailClaim, "which OIDC claim contains the user's email")
|
|
flagSet.StringSlice("oidc-audience-claim", providers.OIDCAudienceClaims, "which OIDC claims are used as audience to verify against client id")
|
|
flagSet.StringSlice("oidc-extra-audience", []string{}, "additional audiences allowed to pass audience verification")
|
|
flagSet.String("login-url", "", "Authentication endpoint")
|
|
flagSet.String("redeem-url", "", "Token redemption endpoint")
|
|
flagSet.String("profile-url", "", "Profile access endpoint")
|
|
flagSet.String("resource", "", "The resource that is protected (Azure AD only)")
|
|
flagSet.String("validate-url", "", "Access token validation endpoint")
|
|
flagSet.String("scope", "", "OAuth scope specification")
|
|
flagSet.String("prompt", "", "OIDC prompt")
|
|
flagSet.String("approval-prompt", "force", "OAuth approval_prompt")
|
|
|
|
flagSet.String("acr-values", "", "acr values string: optional")
|
|
flagSet.String("jwt-key", "", "private key in PEM format used to sign JWT, so that you can say something like -jwt-key=\"${OAUTH2_PROXY_JWT_KEY}\": required by login.gov")
|
|
flagSet.String("jwt-key-file", "", "path to the private key file in PEM format used to sign the JWT so that you can say something like -jwt-key-file=/etc/ssl/private/jwt_signing_key.pem: required by login.gov")
|
|
flagSet.String("pubjwk-url", "", "JWK pubkey access endpoint: required by login.gov")
|
|
|
|
flagSet.String("user-id-claim", providers.OIDCEmailClaim, "(DEPRECATED for `oidc-email-claim`) which claim contains the user ID")
|
|
flagSet.StringSlice("allowed-group", []string{}, "restrict logins to members of this group (may be given multiple times)")
|
|
flagSet.StringSlice("allowed-role", []string{}, "(keycloak-oidc) restrict logins to members of these roles (may be given multiple times)")
|
|
|
|
return flagSet
|
|
}
|
|
|
|
func (l LegacyServer) convert() (Server, Server) {
|
|
appServer := Server{
|
|
BindAddress: l.HTTPAddress,
|
|
SecureBindAddress: l.HTTPSAddress,
|
|
}
|
|
if l.TLSKeyFile != "" || l.TLSCertFile != "" {
|
|
appServer.TLS = &TLS{
|
|
Key: &SecretSource{
|
|
FromFile: l.TLSKeyFile,
|
|
},
|
|
Cert: &SecretSource{
|
|
FromFile: l.TLSCertFile,
|
|
},
|
|
MinVersion: l.TLSMinVersion,
|
|
}
|
|
// Preserve backwards compatibility, only run one server
|
|
appServer.BindAddress = ""
|
|
} else {
|
|
// Disable the HTTPS server if there's no certificates.
|
|
// This preserves backwards compatibility.
|
|
appServer.SecureBindAddress = ""
|
|
}
|
|
|
|
metricsServer := Server{
|
|
BindAddress: l.MetricsAddress,
|
|
SecureBindAddress: l.MetricsSecureAddress,
|
|
}
|
|
if l.MetricsTLSKeyFile != "" || l.MetricsTLSCertFile != "" {
|
|
metricsServer.TLS = &TLS{
|
|
Key: &SecretSource{
|
|
FromFile: l.MetricsTLSKeyFile,
|
|
},
|
|
Cert: &SecretSource{
|
|
FromFile: l.MetricsTLSCertFile,
|
|
},
|
|
}
|
|
}
|
|
|
|
return appServer, metricsServer
|
|
}
|
|
|
|
func (l *LegacyProvider) convert() (Providers, error) {
|
|
providers := Providers{}
|
|
|
|
provider := Provider{
|
|
ClientID: l.ClientID,
|
|
ClientSecret: l.ClientSecret,
|
|
ClientSecretFile: l.ClientSecretFile,
|
|
Type: l.ProviderType,
|
|
CAFiles: l.ProviderCAFiles,
|
|
LoginURL: l.LoginURL,
|
|
RedeemURL: l.RedeemURL,
|
|
ProfileURL: l.ProfileURL,
|
|
ProtectedResource: l.ProtectedResource,
|
|
ValidateURL: l.ValidateURL,
|
|
Scope: l.Scope,
|
|
Prompt: l.Prompt,
|
|
ApprovalPrompt: l.ApprovalPrompt,
|
|
AllowedGroups: l.AllowedGroups,
|
|
AcrValues: l.AcrValues,
|
|
}
|
|
|
|
// This part is out of the switch section for all providers that support OIDC
|
|
provider.OIDCConfig = OIDCOptions{
|
|
IssuerURL: l.OIDCIssuerURL,
|
|
InsecureAllowUnverifiedEmail: l.InsecureOIDCAllowUnverifiedEmail,
|
|
InsecureSkipIssuerVerification: l.InsecureOIDCSkipIssuerVerification,
|
|
InsecureSkipNonce: l.InsecureOIDCSkipNonce,
|
|
SkipDiscovery: l.SkipOIDCDiscovery,
|
|
JwksURL: l.OIDCJwksURL,
|
|
UserIDClaim: l.UserIDClaim,
|
|
EmailClaim: l.OIDCEmailClaim,
|
|
GroupsClaim: l.OIDCGroupsClaim,
|
|
AudienceClaims: l.OIDCAudienceClaims,
|
|
ExtraAudiences: l.OIDCExtraAudiences,
|
|
}
|
|
|
|
// This part is out of the switch section because azure has a default tenant
|
|
// that needs to be added from legacy options
|
|
provider.AzureConfig = AzureOptions{
|
|
Tenant: l.AzureTenant,
|
|
}
|
|
|
|
switch provider.Type {
|
|
case "github":
|
|
provider.GitHubConfig = GitHubOptions{
|
|
Org: l.GitHubOrg,
|
|
Team: l.GitHubTeam,
|
|
Repo: l.GitHubRepo,
|
|
Token: l.GitHubToken,
|
|
Users: l.GitHubUsers,
|
|
}
|
|
case "keycloak-oidc":
|
|
provider.KeycloakConfig = KeycloakOptions{
|
|
Groups: l.KeycloakGroups,
|
|
Roles: l.AllowedRoles,
|
|
}
|
|
case "keycloak":
|
|
provider.KeycloakConfig = KeycloakOptions{
|
|
Groups: l.KeycloakGroups,
|
|
}
|
|
case "gitlab":
|
|
provider.GitLabConfig = GitLabOptions{
|
|
Group: l.GitLabGroup,
|
|
Projects: l.GitLabProjects,
|
|
}
|
|
case "login.gov":
|
|
provider.LoginGovConfig = LoginGovOptions{
|
|
JWTKey: l.JWTKey,
|
|
JWTKeyFile: l.JWTKeyFile,
|
|
PubJWKURL: l.PubJWKURL,
|
|
}
|
|
case "bitbucket":
|
|
provider.BitbucketConfig = BitbucketOptions{
|
|
Team: l.BitbucketTeam,
|
|
Repository: l.BitbucketRepository,
|
|
}
|
|
case "google":
|
|
provider.GoogleConfig = GoogleOptions{
|
|
Groups: l.GoogleGroups,
|
|
AdminEmail: l.GoogleAdminEmail,
|
|
ServiceAccountJSON: l.GoogleServiceAccountJSON,
|
|
}
|
|
}
|
|
|
|
if l.ProviderName != "" {
|
|
provider.ID = l.ProviderName
|
|
provider.Name = l.ProviderName
|
|
} else {
|
|
provider.ID = l.ProviderType + "=" + l.ClientID
|
|
}
|
|
|
|
providers = append(providers, provider)
|
|
|
|
return providers, nil
|
|
}
|