rename a few config options for consistency
config:
  * proxy-prefix -> proxy_prefix
  * google_group -> google_groups
  * github_team  -> github_teams

flags:
  * tls-cert -> tls-cert-file
  * tls-key -> tls-key-file

flags always use dashes, config options always use underscores

flags are singular if they can be specified multiple times,
config options are plural if they take a list

inspired by oauth2-proxy/oauth2-proxy#186

Co-authored-by: Joel Speed <[email protected]>
ploxiln and JoelSpeed committed May 27, 2020
1 parent 434122a commit d3119e3
Showing 4 changed files with 24 additions and 29 deletions.
6 changes: 3 additions & 3 deletions README.md
Expand Up @@ -145,7 +145,7 @@ The Azure AD auth provider uses `openid` as it default scope. It uses `https://g
The GitHub auth provider supports two additional parameters to restrict authentication to Organization or Team level access. Restricting by org and team is normally accompanied with `--email-domain=*`

-github-org="": restrict logins to members of this organisation
-github-team="": restrict logins to members of any of these teams (slug), separated by a comma
-github-team="": restrict logins to members of this team (slug) (or teams, if this flag is given multiple times)

If you are using GitHub enterprise, make sure you set the following to the appropriate url:

Expand Down Expand Up @@ -321,8 +321,8 @@ Usage of oauth2_proxy:
-skip-oidc-discovery: Skip OIDC discovery (login-url, redeem-url and oidc-jwks-url must be configured)
-skip-provider-button: will skip sign-in-page to directly reach the next step: oauth/start
-ssl-insecure-skip-verify: skip validation of certificates presented when using HTTPS
-tls-cert string: path to certificate file
-tls-key string: path to private key file
-tls-cert-file string: path to certificate file
-tls-key-file string: path to private key file
-upstream value: the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path
-validate-url string: Access token validation endpoint
-version: print version string
7 changes: 4 additions & 3 deletions main.go
Expand Up @@ -23,12 +23,13 @@ func mainFlagSet() *flag.FlagSet {
skipAuthRegex := StringArray{}
googleGroups := StringArray{}
gitlabGroups := StringArray{}
githubTeams := StringArray{}

flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")
flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients")
flagSet.Bool("force-https", false, "redirect http requests to https")
flagSet.String("tls-cert", "", "path to certificate file")
flagSet.String("tls-key", "", "path to private key file")
flagSet.String("tls-cert-file", "", "path to certificate file")
flagSet.String("tls-key-file", "", "path to private key file")
flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path")
flagSet.Bool("set-xauthrequest", false, "set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)")
Expand All @@ -48,7 +49,7 @@ func mainFlagSet() *flag.FlagSet {
flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
flagSet.String("bitbucket-team", "", "restrict logins to members of this team")
flagSet.String("github-org", "", "restrict logins to members of this organisation")
flagSet.String("github-team", "", "restrict logins to members of this team (slug) (may be given multiple times)")
flagSet.Var(&githubTeams, "github-team", "restrict logins to members of this team (slug) (may be given multiple times)")
flagSet.Var(&gitlabGroups, "gitlab-group", "restrict logins to members of this group (full path) (may be given multiple times)")
flagSet.Var(&googleGroups, "google-group", "restrict logins to members of this google group (may be given multiple times)")
flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls")
12 changes: 6 additions & 6 deletions options.go
Expand Up @@ -18,26 +18,26 @@ import (

// Configuration Options that can be set by Command Line Flag, or Config File
type Options struct {
ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy-prefix"`
ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy_prefix"`
ProxyWebSockets bool `flag:"proxy-websockets" cfg:"proxy_websockets"`
HttpAddress string `flag:"http-address" cfg:"http_address"`
HttpsAddress string `flag:"https-address" cfg:"https_address"`
ForceHTTPS bool `flag:"force-https" cfg:"force_https"`
RedirectURL string `flag:"redirect-url" cfg:"redirect_url"`
ClientID string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"`
ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`
TLSCertFile string `flag:"tls-cert" cfg:"tls_cert_file"`
TLSKeyFile string `flag:"tls-key" cfg:"tls_key_file"`
TLSCertFile string `flag:"tls-cert-file" cfg:"tls_cert_file"`
TLSKeyFile string `flag:"tls-key-file" cfg:"tls_key_file"`

AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
AzureTenant string `flag:"azure-tenant" cfg:"azure_tenant"`
BitbucketTeam string `flag:"bitbucket-team" cfg:"bitbucket_team"`
EmailDomains []string `flag:"email-domain" cfg:"email_domains"`
WhitelistDomains []string `flag:"whitelist-domain" cfg:"whitelist_domains" env:"OAUTH2_PROXY_WHITELIST_DOMAINS"`
GitHubOrg string `flag:"github-org" cfg:"github_org"`
GitHubTeam string `flag:"github-team" cfg:"github_team"`
GitHubTeams []string `flag:"github-team" cfg:"github_teams"`
GitLabGroups []string `flag:"gitlab-group" cfg:"gitlab_groups"`
GoogleGroups []string `flag:"google-group" cfg:"google_group"`
GoogleGroups []string `flag:"google-group" cfg:"google_groups"`
GoogleAdminEmail string `flag:"google-admin-email" cfg:"google_admin_email"`
GoogleServiceAccountJSON string `flag:"google-service-account-json" cfg:"google_service_account_json"`
HtpasswdFile string `flag:"htpasswd-file" cfg:"htpasswd_file"`
Expand Down Expand Up @@ -272,7 +272,7 @@ func parseProviderInfo(o *Options, msgs []string) []string {
case *providers.BitbucketProvider:
p.SetTeam(o.BitbucketTeam)
case *providers.GitHubProvider:
p.SetOrgTeam(o.GitHubOrg, o.GitHubTeam)
p.SetOrgTeam(o.GitHubOrg, o.GitHubTeams)
case *providers.GitLabProvider:
p.SetGroups(o.GitLabGroups)
case *providers.GoogleProvider:
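Review bot: The renamed `cfg` keys on the `Options` struct (`proxy_prefix`, `github_teams`, `google_groups`) ship without a deprecated alias, so a config file that still uses `github_team` or `google_group` is either rejected or silently ignored depending on how the config loader treats unknown keys, and that loader is not visible in this diff. If unknown keys are ignored, the team/group restriction quietly disappears and any authenticated member of the org or domain is admitted, with no error at startup; the flag renames in main.go are less risky because the flag package rejects unknown flags. Suggest confirming that the loader fails on unknown keys, or adding a startup check that logs and exits when a legacy key such as `github_team`, `google_group` or `proxy-prefix` is present, and adding a short comment above the struct: `// cfg keys always use underscores; list-valued options are plural (github_teams, google_groups). Renamed keys have no aliases.`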
28 changes: 11 additions & 17 deletions providers/github.go
Expand Up @@ -10,13 +10,12 @@ import (
"path"
"regexp"
"strconv"
"strings"
)

type GitHubProvider struct {
*ProviderData
Org string
Team string
Org string
Teams []string
}

func NewGitHubProvider(p *ProviderData) *GitHubProvider {
Expand Down Expand Up @@ -56,10 +55,10 @@ func getGitHubHeader(accessToken string) http.Header {
return header
}

func (p *GitHubProvider) SetOrgTeam(org, team string) {
func (p *GitHubProvider) SetOrgTeam(org string, teams []string) {
p.Org = org
p.Team = team
if org != "" || team != "" {
p.Teams = teams
if org != "" || len(teams) > 0 {
p.Scope += " read:org"
}
}
Expand Down Expand Up @@ -149,7 +148,7 @@ func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) {

pattern := regexp.MustCompile(`<([^>]+)>; rel="next"`)
var hasOrg bool
presentOrgs := make(map[string]bool)
var presentOrgs []string
var presentTeams []string

for i := 0; i < 10; i++ {
Expand All @@ -175,11 +174,10 @@ func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) {
}

for _, team := range teams {
presentOrgs[team.Org.Login] = true
presentOrgs = append(presentOrgs, team.Org.Login)
if p.Org == team.Org.Login {
hasOrg = true
ts := strings.Split(p.Team, ",")
for _, t := range ts {
for _, t := range p.Teams {
if t == team.Slug {
log.Printf("Found Github Organization:%q Team:%q (Name:%q)",
team.Org.Login, team.Slug, team.Name)
Expand All @@ -198,13 +196,9 @@ func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) {
}

if hasOrg {
log.Printf("Missing Team:%q from Org:%q in teams: %v", p.Team, p.Org, presentTeams)
log.Printf("Missing Team:%v from Org:%q in teams: %v", p.Teams, p.Org, presentTeams)
} else {
var allOrgs []string
for org, _ := range presentOrgs {
allOrgs = append(allOrgs, org)
}
log.Printf("Missing Organization:%q in %#v", p.Org, allOrgs)
log.Printf("Missing Organization:%q in %#v", p.Org, presentOrgs)
}
return false, nil
}
Expand All @@ -219,7 +213,7 @@ func (p *GitHubProvider) GetEmailAddress(s *SessionState) (string, error) {

// if we require an Org or Team, check that first
if p.Org != "" {
if p.Team != "" {
if len(p.Teams) > 0 {
if ok, err := p.hasOrgAndTeam(s.AccessToken); err != nil || !ok {
return "", err
}
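Review bot: `presentOrgs` in hasOrgAndTeam changed from a `map[string]bool` to a plain slice, and the append now runs once per team, so the `Missing Organization:%q in %#v` log lists an org once for every team the user holds in it rather than once per org as before. That makes the failure log noisier and harder to read when triaging denied logins, and for users with many teams it can print the same login dozens of times. Keep a seen-set next to the slice, declared alongside `var presentOrgs []string` as `seenOrgs := make(map[string]bool)`, and guard the append: `if !seenOrgs[team.Org.Login] { seenOrgs[team.Org.Login] = true; presentOrgs = append(presentOrgs, team.Org.Login) }`. Note also that the `teams` request body is paginated across the 10-iteration loop above these hunks, so the duplicates accumulate across pages; the enclosing function starts outside the hunk.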
