From 65bb3f8e860ad3f50d9534de10ae491fc6fd40b9 Mon Sep 17 00:00:00 2001
From: Paco Guzman
Date: Tue, 29 Oct 2019 15:06:44 +0100
Subject: [PATCH 1/4] Setting created_by/updated_by via header

---
 pkg/config/env.go | 4 +++
 pkg/handler/jwt.go | 26 ----------------
 pkg/handler/subject.go | 32 ++++++++++++++++++++
 pkg/handler/{jwt_test.go => subject_test.go} | 18 ++++++++++-
 4 files changed, 53 insertions(+), 27 deletions(-)
 delete mode 100644 pkg/handler/jwt.go
 create mode 100644 pkg/handler/subject.go
 rename pkg/handler/{jwt_test.go => subject_test.go} (63%)
diff --git a/pkg/config/env.go b/pkg/config/env.go
index 913b4701..b24f6324 100644
--- a/pkg/config/env.go
+++ b/pkg/config/env.go
@@ -184,6 +184,10 @@ var Config = struct {
 // "HS256" and "RS256" supported
 JWTAuthSigningMethod string `env:"FLAGR_JWT_AUTH_SIGNING_METHOD" envDefault:"HS256"`
 
+ // auth proxy in front of flagr to identify user
+ AuthProxyEnabled bool `env:"FLAGR_AUTH_PROXY_ENABLED" envDefault:"false"`
+ AuthProxyHeader string `env:"FLAGR_AUTH_PROXY_HEADER" envDefault:"X-Email"`
+
 // WebPrefix - base path for web and API
 // e.g. FLAGR_WEB_PREFIX=/foo
 // UI path => localhost:18000/foo"
diff --git a/pkg/handler/jwt.go b/pkg/handler/jwt.go
deleted file mode 100644
index de5c35df..00000000
--- a/pkg/handler/jwt.go
+++ /dev/null
@@ -1,26 +0,0 @@
-package handler
-
-import (
- "net/http"
-
- "github.com/checkr/flagr/pkg/config"
- "github.com/checkr/flagr/pkg/util"
-
- jwt "github.com/dgrijalva/jwt-go"
-)
-
-func getSubjectFromRequest(r *http.Request) string {
- if r == nil {
- return ""
- }
-
- token, ok := r.Context().Value(config.Config.JWTAuthUserProperty).(*jwt.Token)
- if !ok {
- return ""
- }
-
- if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
- return util.SafeString(claims[config.Config.JWTAuthUserClaim])
- }
- return ""
-}
diff --git a/pkg/handler/subject.go b/pkg/handler/subject.go
new file mode 100644
index 00000000..954e35fa
--- /dev/null
+++ b/pkg/handler/subject.go
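Review bot: The comment above `AuthProxyEnabled`/`AuthProxyHeader` does not state the deployment precondition that makes this header trustworthy: the value is taken from the request as-is (see `r.Header.Get(config.Config.AuthProxyHeader)` in the pkg/handler/subject.go hunk of this patch), so any client that can reach flagr without passing through the proxy can supply its own `X-Email`. I would extend the comment to something like `// AuthProxyHeader is trusted verbatim; enable only when flagr is reachable solely through a proxy that strips and re-sets this header on every request.` The same wording applies to the renamed `HeaderAuthEnabled`/`HeaderAuthUserField` fields in patches 2 and 3, where the comment becomes `// Identify users through headers` and no longer mentions a proxy at all. The `Config` struct starts and ends outside the hunk.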
@@ -0,0 +1,32 @@
+package handler
+
+import (
+ "net/http"
+
+ "github.com/checkr/flagr/pkg/config"
+ "github.com/checkr/flagr/pkg/util"
+
+ jwt "github.com/dgrijalva/jwt-go"
+)
+
+func getSubjectFromRequest(r *http.Request) string {
+ if r == nil {
+ return ""
+ }
+
+ if config.Config.JWTAuthEnabled {
+ token, ok := r.Context().Value(config.Config.JWTAuthUserProperty).(*jwt.Token)
+ if !ok {
+ return ""
+ }
+
+ if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
+ return util.SafeString(claims[config.Config.JWTAuthUserClaim])
+ }
+
+ } else if config.Config.AuthProxyEnabled {
+ return r.Header.Get(config.Config.AuthProxyHeader)
+ }
+
+ return ""
+}
diff --git a/pkg/handler/jwt_test.go b/pkg/handler/subject_test.go
similarity index 63%
rename from pkg/handler/jwt_test.go
rename to pkg/handler/subject_test.go
index ef692f60..f151e782 100644
--- a/pkg/handler/jwt_test.go
+++ b/pkg/handler/subject_test.go
@@ -1,3 +1,4 @@
+
 package handler
 
 import (
@@ -10,9 +11,11 @@ import (
 "github.com/stretchr/testify/assert"
 )
 
-func TestGetSubjectFromRequest(t *testing.T) {
+func TestGetSubjectFromJWT(t *testing.T) {
 var ctx context.Context
 
+ config.Config.JWTAuthEnabled = true
+
 r, _ := http.NewRequest("GET", "", nil)
 assert.Equal(t, getSubjectFromRequest(r), "")
 
@@ -30,3 +33,16 @@ func TestGetSubjectFromRequest(t *testing.T) {
 })
 assert.Equal(t, getSubjectFromRequest(r.WithContext(ctx)), "foo@example.com")
 }
+
+func TestGetSubjectFromOauthProxy(t *testing.T) {
+ var ctx = context.Background()
+
+ config.Config.JWTAuthEnabled = false
+ config.Config.AuthProxyEnabled = true
+
+ r, _ := http.NewRequest("GET", "", nil)
+ assert.Equal(t, getSubjectFromRequest(r), "")
+
+ r.Header.Set("X-Email", "foo@example.com")
+ assert.Equal(t, getSubjectFromRequest(r.WithContext(ctx)), "foo@example.com")
+}
From 48b8721dba251f18cd73fb1e38313e02fc018013 Mon Sep 17 00:00:00 2001
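Review bot: `getSubjectFromRequest` in the new pkg/handler/subject.go has no doc comment, and the precedence it implements is only implied by the `else if`: when `JWTAuthEnabled` is set the proxy header is never read, even if the context carries no token or an invalid one, and the function returns `""`. That ordering is what keeps a request header from standing in for a JWT identity, so it is worth stating explicitly, e.g. `// getSubjectFromRequest returns the JWT user claim when JWT auth is enabled, otherwise the configured proxy header; the header is ignored whenever JWT auth is on.` The comment should also say that the header value is returned unverified, since going by the commit subject it is what ends up in created_by/updated_by.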
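Review bot: `TestGetSubjectFromOauthProxy` in pkg/handler/subject_test.go only exercises the header branch with `JWTAuthEnabled = false`; nothing asserts that the header is ignored when both `JWTAuthEnabled` and `AuthProxyEnabled` are true and the request context holds no token. A case that sets both flags, sets `X-Email` on the request and expects `getSubjectFromRequest(r)` to return `""` would pin the JWT-first precedence, so a later reshuffle of the `if`/`else if` in subject.go cannot silently let the header replace a missing JWT. The second flag would need to be restored afterwards, because `config.Config` is shared package state.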
From: Paco Guzman
Date: Thu, 31 Oct 2019 19:43:37 +0100
Subject: [PATCH 2/4] Improve name for header authentication mechanism

---
 pkg/config/env.go | 6 +++---
 pkg/handler/subject.go | 6 +++---
 pkg/handler/subject_test.go | 5 +++--
 3 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/pkg/config/env.go b/pkg/config/env.go
index b24f6324..cc7bfcfd 100644
--- a/pkg/config/env.go
+++ b/pkg/config/env.go
@@ -184,9 +184,9 @@ var Config = struct {
 // "HS256" and "RS256" supported
 JWTAuthSigningMethod string `env:"FLAGR_JWT_AUTH_SIGNING_METHOD" envDefault:"HS256"`
 
- // auth proxy in front of flagr to identify user
- AuthProxyEnabled bool `env:"FLAGR_AUTH_PROXY_ENABLED" envDefault:"false"`
- AuthProxyHeader string `env:"FLAGR_AUTH_PROXY_HEADER" envDefault:"X-Email"`
+ // Identify users through headers
+ HeaderAuthEnabled bool `env:"FLAGR_AUTH_PROXY_ENABLED" envDefault:"false"`
+ HeaderAuthUserField string `env:"FLAGR_AUTH_PROXY_HEADER" envDefault:"X-Email"`
 
 // WebPrefix - base path for web and API
 // e.g. FLAGR_WEB_PREFIX=/foo
diff --git a/pkg/handler/subject.go b/pkg/handler/subject.go
index 954e35fa..1ff85ab8 100644
--- a/pkg/handler/subject.go
+++ b/pkg/handler/subject.go
@@ -24,9 +24,9 @@ func getSubjectFromRequest(r *http.Request) string {
 return util.SafeString(claims[config.Config.JWTAuthUserClaim])
 }
 
- } else if config.Config.AuthProxyEnabled {
- return r.Header.Get(config.Config.AuthProxyHeader)
- }
+ } else if config.Config.HeaderAuthEnabled {
+ return r.Header.Get(config.Config.HeaderAuthUserField)
+ }
 
 return ""
 }
diff --git a/pkg/handler/subject_test.go b/pkg/handler/subject_test.go
index f151e782..99efc4c7 100644
--- a/pkg/handler/subject_test.go
+++ b/pkg/handler/subject_test.go
@@ -14,6 +14,7 @@ import (
 func TestGetSubjectFromJWT(t *testing.T) {
 var ctx context.Context
 
+ defer func() { config.Config.JWTAuthEnabled = false }()
 config.Config.JWTAuthEnabled = true
 
 r, _ := http.NewRequest("GET", "", nil)
@@ -37,8 +38,8 @@ func TestGetSubjectFromJWT(t *testing.T) {
 func TestGetSubjectFromOauthProxy(t *testing.T) {
 var ctx = context.Background()
 
- config.Config.JWTAuthEnabled = false
- config.Config.AuthProxyEnabled = true
+ defer func() { config.Config.HeaderAuthEnabled = false }()
+ config.Config.HeaderAuthEnabled = true
 
 r, _ := http.NewRequest("GET", "", nil)
 assert.Equal(t, getSubjectFromRequest(r), "")
From 942ba8eaf0ffaf635b834300abcb0c7991c2d221 Mon Sep 17 00:00:00 2001
From: Paco Guzman
Date: Fri, 1 Nov 2019 08:17:38 +0100
Subject: [PATCH 3/4] Amend header auth env var names

---
 pkg/config/env.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/config/env.go b/pkg/config/env.go
index cc7bfcfd..ba10dde1 100644
--- a/pkg/config/env.go
+++ b/pkg/config/env.go
@@ -185,8 +185,8 @@ var Config = struct {
 JWTAuthSigningMethod string `env:"FLAGR_JWT_AUTH_SIGNING_METHOD" envDefault:"HS256"`
 
 // Identify users through headers
- HeaderAuthEnabled bool `env:"FLAGR_AUTH_PROXY_ENABLED" envDefault:"false"`
- HeaderAuthUserField string `env:"FLAGR_AUTH_PROXY_HEADER" envDefault:"X-Email"`
+ HeaderAuthEnabled bool `env:"FLAGR_HEADER_AUTH_ENABLED" envDefault:"false"`
+ HeaderAuthUserField string `env:"FLAGR_HEADER_AUTH_USER_FIELD" envDefault:"X-Email"`
 
 // WebPrefix - base path for web and API
 // e.g. FLAGR_WEB_PREFIX=/foo
From f805e13492d673df3828a333bd9f496e5c2e6236 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Paco=20Guzm=C3=A1n?=
Date: Fri, 1 Nov 2019 18:55:48 +0100
Subject: [PATCH 4/4] Update pkg/handler/subject_test.go

Co-Authored-By: Zhuojie Zhou
---
 pkg/handler/subject_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/handler/subject_test.go b/pkg/handler/subject_test.go
index 99efc4c7..5b3ff621 100644
--- a/pkg/handler/subject_test.go
+++ b/pkg/handler/subject_test.go
@@ -44,6 +44,6 @@ func TestGetSubjectFromOauthProxy(t *testing.T) {
 r, _ := http.NewRequest("GET", "", nil)
 assert.Equal(t, getSubjectFromRequest(r), "")
 
- r.Header.Set("X-Email", "foo@example.com")
+ r.Header.Set(config.Config.HeaderAuthUserField, "foo@example.com")
 assert.Equal(t, getSubjectFromRequest(r.WithContext(ctx)), "foo@example.com")
 }