* Unbreak oauth2-proxy for keycloak provider after 2c668a
With 2c668a, oauth2-proxy fails a request if the token validation fails.
Token validation always fails with the keycloak provider, due to the
valudation request passing the token via the URL, and keycloak not
parsing the url for tokens.
This is fixed by forcing the validation request to pass the token via a
header.
This code taken from the DigitalOcean provider, which presumably forcing
the token to be passed via header for the same reason.
Test plan: I was unable to build a docker image to test the fix, but I
believe it is relatively simple, and it passes the "looks good to me"
test plan.
* Add changelog entry for unbreak keycloak
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Change error type for redirect parsing errors
This changes the error type returned when the proxy fails to parse the
redirect target to be a 400 error instead of a 500 error.
As far as I can tell, the only way that this can fail is a failure to
parse the properties of the request to identity the redirect target.
This indicates that the user has sent a malformed request, and so should
result in a 400 rather than a 500.
I've added a test to exercise this, based on a real work example.
* Update changelog
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add allowed_emails option to the auth endpoint query string
* Don't return true from checkAllowedEmailsOrDomains only because domains field was empty
* Fix checkAllowedEmailsOrDomains logic
* Added tests for allowed_emails query parameter
* Updated CHANGELOG
* Remove checkAllowedEmailsOrDomains
Co-authored-by: Nick Meves <nicholas.meves@gmail.com>
* Build ARMv8 Docker Images
Fixes#1593
* Change platform to arm64/v8
* Drop separate tags for different architectures
* Mark the architecture image tags for deprecation
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Use distroless debian11 docker image
* Add `Dockerfile` to `.dockerignore`
* Replace `nonroot` with the matching UID/GID
Alpine does not have that user, and it cause issues when trying to start the container
* Use a build arg for setting the runtime image
* Explain why `ARG RUNTIME_IMAGE` is at the top
* Add entry to CHANGELOG
* Move build-arg to `DOCKER_BUILDX_ARGS`
* Add the allowed_email_domains and the allowed_groups on the auth_request endpoint + support standard wildcard char for validation with sub-domain and email-domain.
Signed-off-by: Valentin Pichard <github@w3st.fr>
* Fix provider data initialisation
* PKCE Support
Adds Code Challenge PKCE support (RFC-7636) and partial
Authorization Server Metadata (RFC-8414) for detecting PKCE support.
- Introduces new option `--force-code-challenge-method` to force a
specific code challenge method (either `S256` or `plain`) for instances
when the server has not implemented RFC-8414 in order to detect
PKCE support on the discovery document.
- In all other cases, if the PKCE support can be determined during discovery
then the `code_challenge_methods_supported` is used and S256 is always
preferred.
- The force command line argument is helpful with some providers like Azure
who supports PKCE but does not list it in their discovery document yet.
- Initial thought was given to just always attempt PKCE since according to spec
additional URL parameters should be dropped by servers which implemented
OAuth 2, however other projects found cases in the wild where this causes 500
errors by buggy implementations.
See: https://github.com/spring-projects/spring-security/pull/7804#issuecomment-578323810
- Due to the fact that the `code_verifier` must be saved between the redirect and
callback, sessions are now created when the redirect takes place with `Authenticated: false`.
The session will be recreated and marked as `Authenticated` on callback.
- Individual provider implementations can choose to include or ignore code_challenge
and code_verifier function parameters passed to them
Note: Technically speaking `plain` is not required to be implemented since
oauth2-proxy will always be able to handle S256 and servers MUST implement
S256 support.
> If the client is capable of using "S256", it MUST use "S256", as "S256"
> is Mandatory To Implement (MTI) on the server. Clients are permitted
> to use "plain" only if they cannot support "S256" for some technical
> reason and know via out-of-band configuration that the server supports
> "plain".
Ref: RFC-7636 Sec 4.2
oauth2-proxy will always use S256 unless the user explicitly forces `plain`.
Fixes#1361
* Address PR comments by moving pkce generation
* Make PKCE opt-in, move to using the Nonce generater for code verifier
* Make PKCE opt-in, move to using the Nonce generater for code verifier
* Encrypt CodeVerifier in CSRF Token instead of Session
- Update Dex for PKCE support
- Expose HTTPBin for further use cases
* Correct the tests
* Move code challenges into extra params
* Correct typo in code challenge method
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Correct the extra space in docs
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Address changelog and new line nits
* Add generated docs
Co-authored-by: Valentin Pichard <github@w3st.fr>
Co-authored-by: Joel Speed <joel.speed@hotmail.co.uk>
* implementation draft
* add cfg options skip-au-when-missing && client-id-verification-claim; enhance the provider data verification logic for sake of the added options
* refactor configs, added logging and add additional claim verification
* simplify logic by just having one configuration similar to oidc-email-claim
* added internal oidc token verifier, so that aud check behavior can be managed with oauth2-proxy and is compatible with extra-jwt-issuers
* refactored verification to reduce complexity
* refactored verification to reduce complexity
* added docs
* adjust tests to support new OIDCAudienceClaim and OIDCExtraAudiences options
* extend unit tests and ensure that audience is set with the value of aud claim configuration
* revert filemodes and update docs
* update docs
* remove unneccesary logging, refactor audience existence check and added additional unit tests
* fix linting issues after rebase on origin/main
* cleanup: use new imports for migrated libraries after rebase on origin/main
* adapt mock in keycloak_oidc_test.go
* allow specifying multiple audience claims, fixed bug where jwt issuers client id was not the being considered and fixed bug where aud claims with multiple audiences has broken the whole validation
* fixed formatting issue
* do not pass the whole options struct to minimize complexity and dependency to the configuration structure
* added changelog entry
* update docs
Co-authored-by: Sofia Weiler <sofia.weiler@aoe.com>
Co-authored-by: Christian Zenker <christian.zenker@aoe.com>
* Add ValidateSession function to LoginGovProvder to include Auth Header
* Update CHANGELOG for PR 1509
* Update logingov_test to include ValidationURL
* Remove the information about `Microsoft Azure AD`
* Put `proxy_buffer_size` in a code tag
* Update `CHANGELOG.md`
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* init TLS.Config when connecting to Redis with TLS
* don't overwrite TLS config if it exists
* add tests for Redis with TLS
* remove hardcoded certs
* add GenerateCert func
* use GenerateCert util func
* fix issue reported by go fmt
* limit return statements in GenerateCert
* Use the httputil.NewSingleHostReverseProxy instad of yhat/wsutil for websocket proxying. This correctly handles 404 responses with keep-alive by terminating the tunnel rather than keeping it alive
* Tidy up dependencies - yhat/wsutil is no longer required
* Update changelog to include reference to 1348
Co-authored-by: Matt Lilley <matt.lilley@securitease.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Previously this was only done in the `EnrichSession` stage
which would've missed Bearer usages & `RefreshSession`
would've overriden the User to the Subject.
* extract email from id_token for azure provider (#914)
* extract email from id_token for azure provider
this change fixes a bug when --resource is specified with non-Graph
api and the access token destined to --resource is used to call Graph
api
* fixed typo
* refactor GetEmailAddress to EnrichSessionState
* make getting email from idtoken best effort and fall back to previous behavior when it's absent
* refactor to use jwt package to extract claims
* fix lint
* refactor unit tests to use test table
refactor the get email logic from profile api
* addressing feedback
* added oidc verifier to azure provider and extract email from id_token if present
* fix lint and codeclimate
* refactor to use oidc verifier to verify id_token if oidc is configured
* fixed UT
* addressed comments
* minor refactor
* addressed feedback
* extract email from id_token first and fallback to access token
* fallback to access token as well when id_token doesn't have email claim
* address feedbacks
* updated change log!
* switch to docker buildx for multiarch builds
* add setup docker buildx action
* update docker push to push the multiarch image
* make multiarch image have parity with currently produced images by adding linux/armv6
* triaging issue with arm v6
* incorporating feedback
* fixing rebase disaster
* reset Makefile to blessed state
Co-authored-by: Weinong Wang <weinong@outlook.com>
* switched to github.com/golang-jwt/jwt and updated golang.org/x/crypto to include CVE fixes
* added #1276 to changelog
Co-authored-by: Joshua Vécsei <git@vecsei.me>
* Extend email-domain validation with sub-domain capability
* Adding the CHANGELOG entry
* Fixing lint erros
* Fixing lint erros
* Renamed the emailDomains to allowedDomains, plus tests
* Bringing together all basic test-cases
* Fixing unit tests
* Add unit tests to validate additional vulnerability concerns
* Fix - Refresh Session not working for multiple cookies (#1209)
* added comments for flattenheaders fix
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Updated Changelog.md
Co-authored-by: Rishi Kambil <rishi.kambil@lntinfotech.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add sensible logging flag to default setup for logger
* Add Redis lock
* Fix default value flag for sensitive logging
* Split RefreshSessionIfNeeded in two methods and use Redis lock
* Small adjustments to doc and code
* Remove sensible logging
* Fix method names in ticket.go
* Revert "Fix method names in ticket.go"
This reverts commit 408ba1a1a5.
* Fix methods name in ticket.go
* Remove block in Redis client get
* Increase lock time to 1 second
* Perform retries, if session store is locked
* Reverse if condition, because it should return if session does not have to be refreshed
* Update go.sum
* Update MockStore
* Return error if loading session fails
* Fix and update tests
* Change validSession to session in docs and strings
* Change validSession to session in docs and strings
* Fix docs
* Fix wrong field name
* Fix linting
* Fix imports for linting
* Revert changes except from locking functionality
* Add lock feature on session state
* Update from master
* Remove errors package, because it is not used
* Only pass context instead of request to lock
* Use lock key
* By default use NoOpLock
* Remove debug output
* Update ticket_test.go
* Map internal error to sessions error
* Add ErrLockNotObtained
* Enable lock peek for all redis clients
* Use lock key prefix consistent
* Fix imports
* Use exists method for peek lock
* Fix imports
* Fix imports
* Fix imports
* Remove own Dockerfile
* Fix imports
* Fix tests for ticket and session store
* Fix session store test
* Update pkg/apis/sessions/interfaces.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Do not wrap lock method
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Use errors package for lock constants
* Use better naming for initLock function
* Add comments
* Add session store lock test
* Fix tests
* Fix tests
* Fix tests
* Fix tests
* Add cookies after saving session
* Add mock lock
* Fix imports for mock_lock.go
* Store mock lock for key
* Apply elapsed time on mock lock
* Check if lock is initially applied
* Reuse existing lock
* Test all lock methods
* Update CHANGELOG.md
* Use redis client methods in redis.lock for release an refresh
* Use lock key suffix instead of prefix for lock key
* Add comments for Lock interface
* Update comment for Lock interface
* Update CHANGELOG.md
* Change LockSuffix to const
* Check lock on already loaded session
* Use global var for loadedSession in lock tests
* Use lock instance for refreshing and releasing of lock
* Update possible error type for Refresh
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Set and verify a nonce with OIDC
* Create a CSRF object to manage nonces & cookies
* Add missing generic cookie unit tests
* Add config flag to control OIDC SkipNonce
* Send hashed nonces in authentication requests
* Encrypt the CSRF cookie
* Add clarity to naming & add more helper methods
* Make CSRF an interface and keep underlying nonces private
* Add ReverseProxy scope to cookie tests
* Align to new 1.16 SameSite cookie default
* Perform SecretBytes conversion on CSRF cookie crypto
* Make state encoding signatures consistent
* Mock time in CSRF struct via Clock
* Improve InsecureSkipNonce docstring
* Add a clock package for better time mocking
* Make Clock a struct so it doesn't need initialization
* Test clock package
* Use atomic for live time tests
* Refer to same clock.Mock throughout methods
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.
* fixed lint issues
* additional lint fixes
* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options
* fixed typo
* removed weird : file
* small CR changes
* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG
* Update pkg/apis/options/providers.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/apis/options/providers.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/apis/options/providers.go
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Initial commit of multiple provider logic:
1. Created new provider options.
2. Created legacy provider options and conversion options.
3. Added Providers to alpha Options.
4. Started Validation migration of multiple providers
5. Tests.
* fixed lint issues
* additional lint fixes
* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options
* small CR changes
* auto generates alpha_config.md
* rebase (mainly service alpha options related conflicts)
* removed :
* Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options
* small CR changes
* Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG
* "cntd. rebase"
* ran make generate again
* last conflicts
* removed duplicate client id validation
* 1. Removed provider prefixes
2. altered optionsWithNilProvider logic
3. altered default provider logic
4. moved change in CHANELOG to 7.0.0
* fixed TestGoogleGroupOptions test
* ran make generate
* moved CHANGLOG line to 7.1.1
* moved changelog comment to 7.1.2 (additional rebase)
Co-authored-by: Yana Segal <yana.segal@nielsen.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Add example with traefik and keycloak
* Switch to dex
* Remove unneeded change in keycloak settings
* Taken into account review comments
* Add changelog entry
Co-authored-by: Frédéric Collonval <frederic.collonval@ariadnext.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add RequestID to the RequestScope
* Expose RequestID to auth & request loggers
* Use the RequestID in templated HTML pages
* Allow customizing the RequestID header
* Document new Request ID support
* Add more cases to scope/requestID tests
* Split Get vs Generate RequestID funtionality
* Add {{.RequestID}} to the request logger tests
* Move RequestID management to RequestScope
* Use HTML escape instead of sanitization for Request ID rendering
* extract email from id_token for azure provider
this change fixes a bug when --resource is specified with non-Graph
api and the access token destined to --resource is used to call Graph
api
* fixed typo
* refactor GetEmailAddress to EnrichSessionState
* make getting email from idtoken best effort and fall back to previous behavior when it's absent
* refactor to use jwt package to extract claims
* fix lint
* refactor unit tests to use test table
refactor the get email logic from profile api
* addressing feedback
* added oidc verifier to azure provider and extract email from id_token if present
* fix lint and codeclimate
* refactor to use oidc verifier to verify id_token if oidc is configured
* fixed UT
* addressed comments
* minor refactor
* addressed feedback
* extract email from id_token first and fallback to access token
* fallback to access token as well when id_token doesn't have email claim
* address feedbacks
* updated change log!
* Use a specialized ResponseWriter in middleware
* Track User & Upstream in RequestScope
* Wrap responses in our custom ResponseWriter
* Add tests for logging middleware
* Inject upstream metadata into request scope
* Use custom ResponseWriter only in logging middleware
* Assume RequestScope is never nil
This includes a fix for our samesite cookie parsing. The behaviour
changed in 1.16 so that the default value now leaves it empty, so it's
equivalent to not setting it (as per spec)
* GH-1015 Adds support for Traefik to OauthStart on '/oauth2/auth' endpoint
* Fix incorrect reference to signout path and point to signin path
- remove commented out alternative solutions and debug log statements
* Remove skip provider button check as SignIn method already does this
* Updated traefik example to match existing file configuration reference, updated tests
* Update doc and refactor nested conditional statements
* Revert code changes as static upstream provides the same functionality
- Add doc on using static upstream with Traefik ForwardAuth middleware
* update changelog
* Move the doc changes to 7.0.x versioned docs
* Re-add traefik docs update in the main docs overview.md
* add missing oauth2-proxy routing
Co-authored-by: Praveen Chinthala <PraveenChinthala@hollandandbarrett.com>
Add the Prometheus http.Handler to serve metrics at MetricsPath ("/metrics"
by default). This allows Prometheus to scrape metrics from OAuth2 Proxy.
Add a new middleware NewRequestMetrics and attach it to the preAuth
chain. This will collect metrics on all requests made to OAuth2 Proxy
Collapse some calls to Prinf() and os.Exit(1) to Fatalf as they are
equivalent. main() has a strict 50 lines limit so brevity in these
calls appreciated
* Use comma separated value for multiple claims
* Fix lint error
* Fix more tests
* Fix one more test
* Always flatten the headers
* Ensure we test the real multi-groups
* Only update map when necessary
* Update CHANGELOG
* Move to the right location of change log
* Fix blank line
* Add sensible logging flag to default setup for logger
* Use logger instead of fmt for info logging with sensible data
* Remove sensible logging flag
* Update CHANGELOG.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* properly handle splitted cookies with names ending with _
* test update
* provide cookieName into joinCookies instead of processing the suffix
* changelog update
* test update
* Add support for gitlab projets
* Add group membership in state
* Use prefixed allowed groups everywhere
* Fix: remove unused function
* Fix: rename func that add data to session
* Simplify projects and groups session funcs
* Add project access level for gitlab projects
* Fix: default access level
* Add per project access level
* Add user email when missing access level
* Fix: harmonize errors
* Update docs and flags description for gitlab project
* Add test with both projects and groups
* Fix: log error message
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Fix: make doc a markdown link
* Add notes about read_api scope for projects
* Fix: Verifier override in Gitlab Provider
This commit fixes a bug caused by an override of the Verifier value from *ProviderData inside GitlabProvider struct
* Fix: ensure data in session before using it
* Update providers/gitlab.go
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Rename gitlab project initializer
* Improve return value readbility
* Use splitN
* Handle space delimiters in set project scope
* Reword comment for AddProjects
* Fix: typo
* Rework error handling in addProjectsToSession
* Reduce branching complexity in addProjectsToSession
* Fix: line returns
* Better comment for addProjectsToSession
* Fix: enrich session comment
* Fix: email domains is handled before provider mechanism
* Add archived project unit test
* Fix: emails handling in gitlab provider
Co-authored-by: Wilfried OLLIVIER <wollivier@bearstech.com>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* Support TLS 1.3
* Set TLS 1.3 explicitly to fix gosec warning.
* Add an entry to changelog.
* Fix typo in the changelog.
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Implement azure token refresh
Based on original PR https://github.com/oauth2-proxy/oauth2-proxy/pull/278
* Update CHANGELOG.md
* Apply suggestions from code review
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Set CreatedAt to Now() on token refresh
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Allow complex structure for groups in group claim.
* Remove unused constant
* Update variable name
* Fix linting
* Use helper method
* Log error if not possible to append group value
* Add missing import
* Use own logger
* Fix imports
* Remove Dockerfile for testing
* Add Changelog entry
* Use formatGroup helper method and update tests
* Return string instead of string array
* Remove groups variable
* Return error in format method.
* Reorder imports
Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
* simplify github actions workflow
no more GOPATH, update Go to 1.15.x
* add script to install golangci-lint
* drop support for Go 1.14
* check docker build in ci
* update alpine linux to 3.12
* update CHANGELOG
* fix golangci-lint installation
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* update go-redis/redis to v8
testify, ginko and gomega have also been updated.
* update changelog
* Update pkg/sessions/redis/redis_store_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* ci: migrate to Github Actions
* ci: optimize on feedback
* ci: run gocov in correct dir
* ci: running after-build script always
* ci: giving test script execute permission
* ci: correct error handling on test script
* ci: more verbose test script
* ci: configure CC_TEST_REPORTER_ID env
* ci: check existence of CC_TEST_REPORT_ID variable, skip if unset
* ci: check existence of CC_TEST_REPORT_ID variable, skip if unset
* update changelog
* Update CHANGELOG.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
This reverts to functionality before #499 where an OIDC
provider could be used with `--skip-jwt-bearer-tokens` and
tokens without an email or profileURL would still be valid.
This logic mirrors `middleware.createSessionStateFromBearerToken`
which used to be the universal logic before #499.
* Centralize Ticket management of persistent stores
persistence package with Manager & Ticket will handle
all the details about keys, secrets, ticket into cookies,
etc. Persistent stores just need to pass Save, Load &
Clear function handles to the persistent manager now.
* Shift to persistence.Manager wrapping a persistence.Store
* Break up the Redis client builder logic
* Move error messages to Store from Manager
* Convert ticket to private for Manager use only
* Add persistence Manager & ticket tests
* Make a custom MockStore that handles time FastForwards
* Strip X-Forwarded auth headers from whitelisted paths
For any paths that match skip-auth-regex, strip normal
X-Forwarded headers that would be sent based on pass-user-headers
or pass-access-token settings. This prevents malicious injecting
of authentication headers through the skip-auth-regex paths in
cases where the regex might be misconfigured and too open.
Control this behavior with --skip-auth-strip-headers flag. This
flag is set to TRUE by default (this is secure by default, but
potentially breaks some legacy configurations).
Only x-Forwarded headers stripped, left the Authorization header
untouched.
* Strip authorization header if it would be set
* Improve TestStripAuthHeaders test table
* Improve --skip-auth-strip-headers flag documentation
* Encode sessions with MsgPack + LZ4
Assumes ciphers are now mandatory per #414. Cookie & Redis sessions
can fallback to V5 style JSON in error cases. TODO: session_state.go
unit tests & new unit tests for Legacy fallback scenarios.
* Only compress encoded sessions with Cookie Store
* Cleanup msgpack + lz4 error handling
* Change NewBase64Cipher to take in an existing Cipher
* Add msgpack & lz4 session state tests
* Add required options for oauthproxy tests
More aggressively assert.NoError on all
validation.Validate(opts) calls to enforce legal
options in all our tests.
Add additional NoError checks wherever error return
values were ignored.
* Remove support for uncompressed session state fields
* Improve error verbosity & add session state tests
* Ensure all marshalled sessions are valid
Invalid CFB decryptions can result in garbage data
that 1/100 times might cause message pack unmarshal
to not fail and instead return an empty session.
This adds more rigor to make sure legacy sessions
cause appropriate errors.
* Add tests for legacy V5 session decoding
Refactor common legacy JSON test cases to a
legacy helpers area under session store tests.
* Make ValidateSession a struct method & add CHANGELOG entry
* Improve SessionState error & comments verbosity
* Move legacy session test helpers to sessions pkg
Placing these helpers under the sessions pkg removed
all the circular import uses in housing it under the
session store area.
* Improve SignatureAuthenticator test helper formatting
* Make redis.legacyV5DecodeSession internal
* Make LegacyV5TestCase test table public for linter
* Implements --ip-whitelist option
* Included IPWhitelist option to allow one-or-more selected CIDR ranges
to bypass OAuth2 authentication.
* Adds IPWhitelist, a fast lookup table for multiple CIDR ranges.
* Renamed IPWhitelist ipCIDRSet
* Fixed unessesary pointer usage in ipCIDRSet
* Update CHANGELOG.md
* Update CHANGELOG.md
* Updated to not use err.Error() in printf statements
* Imrpoved language for --ip-whitelist descriptions.
* Improve IP whitelist options error messages
* Clarify options single-host normalization
* Wrote a book about ipCIDRSet
* Added comment to IsWhitelistedIP in oauthproxy.go
* Rewrite oauthproxy test case as table driven
* oops
* Support whitelisting by low-level remote address
* Added more test-cases, improved descriptions
* Move ip_cidr_set.go to pkg/ip/net_set.go
* Add more whitelist test use cases.
* Oops
* Use subtests for TestIPWhitelist
* Add minimal tests for ip.NetSet
* Use switch statment
* Renamed ip-whitelist to whitelist-ip
* Update documentation with a warning.
* Update pkg/apis/options/options.go
* Update CHANGELOG.md
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Update pkg/ip/net_set_test.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Apply suggestions from code review
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* fix fmt
* Move ParseIPNet into abstraction
* Add warning in case of --reverse-proxy
* Update pkg/validation/options_test.go
* Rename --whitelist-ip to --trusted-ip
* Update oauthproxy.go
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* fix
Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk>
* Add req.host to targetURL when redirecting to https
The req.URL.Host might not be present when redirecting to https if the
given req.URL is something like "/". In such scenario, the req.Host is
still present and valid.
This commit adds the original req.Host to the targetURL before returning
the 308 status, to avoid having a `Location: https:///` in the response.
* Bring back empty line
* Wrap the setting of targetURL.Host in a condition
* Add a comment to the test explaining why the redirectURL includes example.com
* Add changelog entry
A blank user agent is considered == to an empty string. When no -ping-user-agent option is specified, this is considered to be an empty string.
This reveals two problems:
- When no ping-user-agent is specified, main.go sets up a health check user agent of ""
- When no user agent is specified, the empty string is still checked against the health check user agents.
Now the health check middleware ignores blank user agents and paths in order to sanitise it's input to avoid this issue.
Additional tests have been added to verify these situations.
Alexandru Ciobanu
Joel Speed
ckwalsh
adamsong
t-katsumura
Nik Skoufis
Jack Henschel
Rajesh Krishnamurthy
zv0n
Braunson
Ole-Martin Bratteng
Adrian Aneci
Ian Roberts
mgiessing
Kevin Schu
Valentin Pichard
Andy Thompson
polarctos
Preston Sheldon
Alex Babel
Nick Meves
Jeeva Kandasamy
Stephan Aßmus
Hiroyuki Wada
Maciej Strzelecki
Luka Zakrajšek
David Emanuel Buchmann
Matt Lilley
Jan Rotter
Ryan Hartje
Fabian Stelzer
Hedi Harzallah
Miks Kalnins
Philippe
Jordie
Peter Braun
JVecsei
Nick Meves
Moraru Costel
Anders Kiel Hovgaard
Sami Racho
Rishi Kambil
Kevin Kreitner
Tarvi Pillessaar
Itay Brandes
yanasega
Oliver
Frédéric Collonval
Weinong Wang
Stefan Sedich
Praveen Chinthala
Sean Jones
Nishanth Reddy
Lida Li
Nikolai Prokoschenko
Ilia Pertsev
İlteriş Eroğlu
Mathieu Lecarme
Akira Ajisaka
Arcadiy Ivanov
ofir-amir
Alexander Block
Kevin Kreitner
Mitsuo Heijo
Shinebayar G
Thiago Caiubi
Lennart Jern
Dan Bond
Phil Taprogge
Andy Voltz
mkontani
Isabelle COWAN-BERGMAN
Mariano Vallés
Jordan Crawford