将x509证书复制进入容器中
This commit is contained in:
parent
b73e25a87b
commit
ff86d7a31e
|
|
@ -60,15 +60,18 @@ FROM ${RUNTIME_IMAGE}
|
|||
# Reload version
|
||||
ARG VERSION
|
||||
|
||||
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
|
||||
COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/oauth2-proxy /bin/oauth2-proxy
|
||||
COPY --from=builder /go/src/github.com/oauth2-proxy/oauth2-proxy/jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem
|
||||
|
||||
LABEL org.opencontainers.image.licenses=MIT \
|
||||
org.opencontainers.image.description="A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers." \
|
||||
org.opencontainers.image.documentation=https://oauth2-proxy.github.io/oauth2-proxy/ \
|
||||
org.opencontainers.image.source=https://github.com/oauth2-proxy/oauth2-proxy \
|
||||
org.opencontainers.image.source=https://github.com/opensourceways/oauth2-proxy \
|
||||
org.opencontainers.image.url=https://quay.io/oauth2-proxy/oauth2-proxy \
|
||||
org.opencontainers.image.title=oauth2-proxy \
|
||||
org.opencontainers.image.version=${VERSION}
|
||||
|
||||
USER 2000:2000
|
||||
|
||||
ENTRYPOINT ["/bin/oauth2-proxy"]
|
||||
|
|
|
|||
|
|
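Review bot: The `COPY --from=builder .../jwt_signing_key.pem /etc/ssl/private/jwt_signing_key.pem` line bakes what is presumably a private signing key into a runtime image layer, so every registry user who can pull the image obtains the key and rotating it requires a rebuild; the commit title only mentions copying the x509 CA bundle, and that part (`ca-certificates.crt`) is fine. A signing key should be supplied at runtime instead (a mounted secret or volume at `/etc/ssl/private/`), or at least injected with `--mount=type=secret` during build rather than left in a layer. If it does stay in the image, note that `COPY` without `--chown`/`--chmod` yields a root-owned file while the process runs as `USER 2000:2000`, so it is either unreadable by the proxy or readable more widely than a private key should be; `COPY --from=builder --chown=2000:2000 --chmod=0400 ...` narrows that. The `org.opencontainers.image.source` label also appears twice in the rendered view; if both lines survive on the new side, the later one silently wins and the first should be dropped.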
@ -85,8 +85,8 @@ type OAuthProxy struct {
|
|||
|
||||
SignInPath string
|
||||
|
||||
enableAuthRouters bool
|
||||
authRouters []allowedRoute
|
||||
enableAuthRouters bool
|
||||
authRouters []allowedRoute
|
||||
allowedRoutes []allowedRoute
|
||||
apiRoutes []apiRoute
|
||||
redirectURL *url.URL // the url to receive requests at
|
||||
|
|
|
|||
|
|
@ -64,8 +64,8 @@ type Options struct {
|
|||
ForceJSONErrors bool `flag:"force-json-errors" cfg:"force_json_errors"`
|
||||
EncodeState bool `flag:"encode-state" cfg:"encode_state"`
|
||||
AllowQuerySemicolons bool `flag:"allow-query-semicolons" cfg:"allow_query_semicolons"`
|
||||
EnableAuthRouters bool `flag:"enable-auth-routers" cfg:"enable_auth_routers"`
|
||||
AuthRouters []string `flag:"auth-routers" cfg:"auth_routers"`
|
||||
EnableAuthRouters bool `flag:"enable-auth-routers" cfg:"enable_auth_routers"`
|
||||
AuthRouters []string `flag:"auth-routers" cfg:"auth_routers"`
|
||||
|
||||
SignatureKey string `flag:"signature-key" cfg:"signature_key"`
|
||||
GCPHealthChecks bool `flag:"gcp-healthchecks" cfg:"gcp_healthchecks"`
|
||||
|
|
|
|||
|
|
@ -3,7 +3,6 @@ package oidc
|
|||
import (
|
||||
"context"
|
||||
"fmt"
|
||||
"reflect"
|
||||
|
||||
"github.com/coreos/go-oidc/v3/oidc"
|
||||
)
|
||||
|
|
@ -53,57 +52,5 @@ func (v *idTokenVerifier) Verify(ctx context.Context, rawIDToken string) (*oidc.
|
|||
return nil, fmt.Errorf("failed to parse default id_token claims: %v", err)
|
||||
}
|
||||
|
||||
// if isValidAudience, err := v.verifyAudience(token, claims); !isValidAudience {
|
||||
// return nil, err
|
||||
// }
|
||||
|
||||
return token, err
|
||||
}
|
||||
|
||||
func (v *idTokenVerifier) verifyAudience(token *oidc.IDToken, claims map[string]interface{}) (bool, error) {
|
||||
for _, audienceClaim := range v.verificationOptions.AudienceClaims {
|
||||
if audienceClaimValue, audienceClaimExists := claims[audienceClaim]; audienceClaimExists {
|
||||
|
||||
// audience claim value can be either interface{} or []interface{},
|
||||
// as per spec `aud` can be either a string or a list of strings
|
||||
switch audienceClaimValueType := audienceClaimValue.(type) {
|
||||
case []interface{}:
|
||||
token.Audience = v.interfaceSliceToString(audienceClaimValue)
|
||||
case interface{}:
|
||||
token.Audience = []string{audienceClaimValue.(string)}
|
||||
default:
|
||||
return false, fmt.Errorf("audience claim %s holds unsupported type %T",
|
||||
audienceClaim, audienceClaimValueType)
|
||||
}
|
||||
|
||||
return v.isValidAudience(audienceClaim, token.Audience, v.allowedAudiences)
|
||||
}
|
||||
}
|
||||
|
||||
return false, fmt.Errorf("audience claims %v do not exist in claims: %v",
|
||||
v.verificationOptions.AudienceClaims, claims)
|
||||
}
|
||||
|
||||
func (v *idTokenVerifier) isValidAudience(claim string, audience []string, allowedAudiences map[string]struct{}) (bool, error) {
|
||||
for _, aud := range audience {
|
||||
if _, allowedAudienceExists := allowedAudiences[aud]; allowedAudienceExists {
|
||||
return true, nil
|
||||
}
|
||||
}
|
||||
|
||||
return false, fmt.Errorf(
|
||||
"audience from claim %s with value %s does not match with any of allowed audiences %v",
|
||||
claim, audience, allowedAudiences)
|
||||
}
|
||||
|
||||
func (v *idTokenVerifier) interfaceSliceToString(slice interface{}) []string {
|
||||
s := reflect.ValueOf(slice)
|
||||
if s.Kind() != reflect.Slice {
|
||||
panic(fmt.Sprintf("given a non-slice type %s", s.Kind()))
|
||||
}
|
||||
var strings []string
|
||||
for i := 0; i < s.Len(); i++ {
|
||||
strings = append(strings, s.Index(i).Interface().(string))
|
||||
}
|
||||
return strings
|
||||
}
|
||||
|
|
|
|||
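Review bot: The new side of Verify no longer checks the token audience at all: the call to verifyAudience is left commented out and verifyAudience, isValidAudience and interfaceSliceToString are deleted, so an ID token issued by the same provider for a different client will be accepted by this proxy unless the wrapped go-oidc verifier still enforces the client ID, which this hunk does not show. This is a token-audience confusion risk and it is unrelated to the commit title (copying certificates into the container), so it should be split out and justified on its own. If the goal is to tolerate a provider that omits or mangles `aud`, gate that behind an explicit verifier option rather than removing the check; otherwise restore `if isValidAudience, err := v.verifyAudience(token, claims); !isValidAudience { return nil, err }` together with the removed helpers. Whichever way it goes, the commented-out block should not remain in the file, and `return token, err` at that point always returns a nil error, so `return token, nil` states the intent more clearly. Verify's signature and the start of its body lie outside this hunk.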