211 lines
12 KiB
Go
211 lines
12 KiB
Go
package options
|
|
|
|
import (
|
|
"crypto"
|
|
"net/url"
|
|
"regexp"
|
|
"time"
|
|
|
|
oidc "github.com/coreos/go-oidc"
|
|
"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/logging"
|
|
sessionsapi "github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"
|
|
"github.com/oauth2-proxy/oauth2-proxy/pkg/logger"
|
|
"github.com/oauth2-proxy/oauth2-proxy/providers"
|
|
)
|
|
|
|
// SignatureData holds hmacauth signature hash and key
|
|
type SignatureData struct {
|
|
Hash crypto.Hash
|
|
Key string
|
|
}
|
|
|
|
// Options holds Configuration Options that can be set by Command Line Flag,
|
|
// or Config File
|
|
type Options struct {
|
|
ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy_prefix"`
|
|
PingPath string `flag:"ping-path" cfg:"ping_path"`
|
|
ProxyWebSockets bool `flag:"proxy-websockets" cfg:"proxy_websockets"`
|
|
HTTPAddress string `flag:"http-address" cfg:"http_address"`
|
|
HTTPSAddress string `flag:"https-address" cfg:"https_address"`
|
|
ReverseProxy bool `flag:"reverse-proxy" cfg:"reverse_proxy"`
|
|
RealClientIPHeader string `flag:"real-client-ip-header" cfg:"real_client_ip_header"`
|
|
ForceHTTPS bool `flag:"force-https" cfg:"force_https"`
|
|
RawRedirectURL string `flag:"redirect-url" cfg:"redirect_url"`
|
|
ClientID string `flag:"client-id" cfg:"client_id"`
|
|
ClientSecret string `flag:"client-secret" cfg:"client_secret"`
|
|
ClientSecretFile string `flag:"client-secret-file" cfg:"client_secret_file"`
|
|
TLSCertFile string `flag:"tls-cert-file" cfg:"tls_cert_file"`
|
|
TLSKeyFile string `flag:"tls-key-file" cfg:"tls_key_file"`
|
|
|
|
AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
|
|
KeycloakGroup string `flag:"keycloak-group" cfg:"keycloak_group"`
|
|
AzureTenant string `flag:"azure-tenant" cfg:"azure_tenant"`
|
|
BitbucketTeam string `flag:"bitbucket-team" cfg:"bitbucket_team"`
|
|
BitbucketRepository string `flag:"bitbucket-repository" cfg:"bitbucket_repository"`
|
|
EmailDomains []string `flag:"email-domain" cfg:"email_domains"`
|
|
WhitelistDomains []string `flag:"whitelist-domain" cfg:"whitelist_domains"`
|
|
GitHubOrg string `flag:"github-org" cfg:"github_org"`
|
|
GitHubTeam string `flag:"github-team" cfg:"github_team"`
|
|
GitHubRepo string `flag:"github-repo" cfg:"github_repo"`
|
|
GitHubToken string `flag:"github-token" cfg:"github_token"`
|
|
GitLabGroup string `flag:"gitlab-group" cfg:"gitlab_group"`
|
|
GoogleGroups []string `flag:"google-group" cfg:"google_group"`
|
|
GoogleAdminEmail string `flag:"google-admin-email" cfg:"google_admin_email"`
|
|
GoogleServiceAccountJSON string `flag:"google-service-account-json" cfg:"google_service_account_json"`
|
|
HtpasswdFile string `flag:"htpasswd-file" cfg:"htpasswd_file"`
|
|
DisplayHtpasswdForm bool `flag:"display-htpasswd-form" cfg:"display_htpasswd_form"`
|
|
CustomTemplatesDir string `flag:"custom-templates-dir" cfg:"custom_templates_dir"`
|
|
Banner string `flag:"banner" cfg:"banner"`
|
|
Footer string `flag:"footer" cfg:"footer"`
|
|
|
|
Cookie CookieOptions `cfg:",squash"`
|
|
Session SessionOptions `cfg:",squash"`
|
|
|
|
Upstreams []string `flag:"upstream" cfg:"upstreams"`
|
|
SkipAuthRegex []string `flag:"skip-auth-regex" cfg:"skip_auth_regex"`
|
|
SkipJwtBearerTokens bool `flag:"skip-jwt-bearer-tokens" cfg:"skip_jwt_bearer_tokens"`
|
|
ExtraJwtIssuers []string `flag:"extra-jwt-issuers" cfg:"extra_jwt_issuers"`
|
|
PassBasicAuth bool `flag:"pass-basic-auth" cfg:"pass_basic_auth"`
|
|
SetBasicAuth bool `flag:"set-basic-auth" cfg:"set_basic_auth"`
|
|
PreferEmailToUser bool `flag:"prefer-email-to-user" cfg:"prefer_email_to_user"`
|
|
BasicAuthPassword string `flag:"basic-auth-password" cfg:"basic_auth_password"`
|
|
PassAccessToken bool `flag:"pass-access-token" cfg:"pass_access_token"`
|
|
PassHostHeader bool `flag:"pass-host-header" cfg:"pass_host_header"`
|
|
SkipProviderButton bool `flag:"skip-provider-button" cfg:"skip_provider_button"`
|
|
PassUserHeaders bool `flag:"pass-user-headers" cfg:"pass_user_headers"`
|
|
SSLInsecureSkipVerify bool `flag:"ssl-insecure-skip-verify" cfg:"ssl_insecure_skip_verify"`
|
|
SSLUpstreamInsecureSkipVerify bool `flag:"ssl-upstream-insecure-skip-verify" cfg:"ssl_upstream_insecure_skip_verify"`
|
|
SetXAuthRequest bool `flag:"set-xauthrequest" cfg:"set_xauthrequest"`
|
|
SetAuthorization bool `flag:"set-authorization-header" cfg:"set_authorization_header"`
|
|
PassAuthorization bool `flag:"pass-authorization-header" cfg:"pass_authorization_header"`
|
|
SkipAuthPreflight bool `flag:"skip-auth-preflight" cfg:"skip_auth_preflight"`
|
|
FlushInterval time.Duration `flag:"flush-interval" cfg:"flush_interval"`
|
|
|
|
// These options allow for other providers besides Google, with
|
|
// potential overrides.
|
|
ProviderType string `flag:"provider" cfg:"provider"`
|
|
ProviderName string `flag:"provider-display-name" cfg:"provider_display_name"`
|
|
OIDCIssuerURL string `flag:"oidc-issuer-url" cfg:"oidc_issuer_url"`
|
|
InsecureOIDCAllowUnverifiedEmail bool `flag:"insecure-oidc-allow-unverified-email" cfg:"insecure_oidc_allow_unverified_email"`
|
|
InsecureOIDCSkipIssuerVerification bool `flag:"insecure-oidc-skip-issuer-verification" cfg:"insecure_oidc_skip_issuer_verification"`
|
|
SkipOIDCDiscovery bool `flag:"skip-oidc-discovery" cfg:"skip_oidc_discovery"`
|
|
OIDCJwksURL string `flag:"oidc-jwks-url" cfg:"oidc_jwks_url"`
|
|
LoginURL string `flag:"login-url" cfg:"login_url"`
|
|
RedeemURL string `flag:"redeem-url" cfg:"redeem_url"`
|
|
ProfileURL string `flag:"profile-url" cfg:"profile_url"`
|
|
ProtectedResource string `flag:"resource" cfg:"resource"`
|
|
ValidateURL string `flag:"validate-url" cfg:"validate_url"`
|
|
Scope string `flag:"scope" cfg:"scope"`
|
|
Prompt string `flag:"prompt" cfg:"prompt"`
|
|
ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt"` // Deprecated by OIDC 1.0
|
|
UserIDClaim string `flag:"user-id-claim" cfg:"user_id_claim"`
|
|
|
|
// Configuration values for logging
|
|
LoggingFilename string `flag:"logging-filename" cfg:"logging_filename"`
|
|
LoggingMaxSize int `flag:"logging-max-size" cfg:"logging_max_size"`
|
|
LoggingMaxAge int `flag:"logging-max-age" cfg:"logging_max_age"`
|
|
LoggingMaxBackups int `flag:"logging-max-backups" cfg:"logging_max_backups"`
|
|
LoggingLocalTime bool `flag:"logging-local-time" cfg:"logging_local_time"`
|
|
LoggingCompress bool `flag:"logging-compress" cfg:"logging_compress"`
|
|
StandardLogging bool `flag:"standard-logging" cfg:"standard_logging"`
|
|
StandardLoggingFormat string `flag:"standard-logging-format" cfg:"standard_logging_format"`
|
|
RequestLogging bool `flag:"request-logging" cfg:"request_logging"`
|
|
RequestLoggingFormat string `flag:"request-logging-format" cfg:"request_logging_format"`
|
|
ExcludeLoggingPaths string `flag:"exclude-logging-paths" cfg:"exclude_logging_paths"`
|
|
SilencePingLogging bool `flag:"silence-ping-logging" cfg:"silence_ping_logging"`
|
|
AuthLogging bool `flag:"auth-logging" cfg:"auth_logging"`
|
|
AuthLoggingFormat string `flag:"auth-logging-format" cfg:"auth_logging_format"`
|
|
SignatureKey string `flag:"signature-key" cfg:"signature_key"`
|
|
AcrValues string `flag:"acr-values" cfg:"acr_values"`
|
|
JWTKey string `flag:"jwt-key" cfg:"jwt_key"`
|
|
JWTKeyFile string `flag:"jwt-key-file" cfg:"jwt_key_file"`
|
|
PubJWKURL string `flag:"pubjwk-url" cfg:"pubjwk_url"`
|
|
GCPHealthChecks bool `flag:"gcp-healthchecks" cfg:"gcp_healthchecks"`
|
|
|
|
// internal values that are set after config validation
|
|
redirectURL *url.URL
|
|
proxyURLs []*url.URL
|
|
compiledRegex []*regexp.Regexp
|
|
provider providers.Provider
|
|
sessionStore sessionsapi.SessionStore
|
|
signatureData *SignatureData
|
|
oidcVerifier *oidc.IDTokenVerifier
|
|
jwtBearerVerifiers []*oidc.IDTokenVerifier
|
|
realClientIPParser logging.RealClientIPParser
|
|
}
|
|
|
|
// Options for Getting internal values
|
|
func (o *Options) GetRedirectURL() *url.URL { return o.redirectURL }
|
|
func (o *Options) GetProxyURLs() []*url.URL { return o.proxyURLs }
|
|
func (o *Options) GetCompiledRegex() []*regexp.Regexp { return o.compiledRegex }
|
|
func (o *Options) GetProvider() providers.Provider { return o.provider }
|
|
func (o *Options) GetSessionStore() sessionsapi.SessionStore { return o.sessionStore }
|
|
func (o *Options) GetSignatureData() *SignatureData { return o.signatureData }
|
|
func (o *Options) GetOIDCVerifier() *oidc.IDTokenVerifier { return o.oidcVerifier }
|
|
func (o *Options) GetJWTBearerVerifiers() []*oidc.IDTokenVerifier { return o.jwtBearerVerifiers }
|
|
func (o *Options) GetRealClientIPParser() logging.RealClientIPParser { return o.realClientIPParser }
|
|
|
|
// Options for Setting internal values
|
|
func (o *Options) SetRedirectURL(s *url.URL) { o.redirectURL = s }
|
|
func (o *Options) SetProxyURLs(s []*url.URL) { o.proxyURLs = s }
|
|
func (o *Options) SetCompiledRegex(s []*regexp.Regexp) { o.compiledRegex = s }
|
|
func (o *Options) SetProvider(s providers.Provider) { o.provider = s }
|
|
func (o *Options) SetSessionStore(s sessionsapi.SessionStore) { o.sessionStore = s }
|
|
func (o *Options) SetSignatureData(s *SignatureData) { o.signatureData = s }
|
|
func (o *Options) SetOIDCVerifier(s *oidc.IDTokenVerifier) { o.oidcVerifier = s }
|
|
func (o *Options) SetJWTBearerVerifiers(s []*oidc.IDTokenVerifier) { o.jwtBearerVerifiers = s }
|
|
func (o *Options) SetRealClientIPParser(s logging.RealClientIPParser) { o.realClientIPParser = s }
|
|
|
|
// NewOptions constructs a new Options with defaulted values
|
|
func NewOptions() *Options {
|
|
return &Options{
|
|
ProxyPrefix: "/oauth2",
|
|
PingPath: "/ping",
|
|
ProxyWebSockets: true,
|
|
HTTPAddress: "127.0.0.1:4180",
|
|
HTTPSAddress: ":443",
|
|
RealClientIPHeader: "X-Real-IP",
|
|
ForceHTTPS: false,
|
|
DisplayHtpasswdForm: true,
|
|
Cookie: CookieOptions{
|
|
Name: "_oauth2_proxy",
|
|
Secure: true,
|
|
HTTPOnly: true,
|
|
Expire: time.Duration(168) * time.Hour,
|
|
Refresh: time.Duration(0),
|
|
},
|
|
Session: SessionOptions{
|
|
Type: "cookie",
|
|
},
|
|
SetXAuthRequest: false,
|
|
SkipAuthPreflight: false,
|
|
PassBasicAuth: true,
|
|
SetBasicAuth: false,
|
|
PassUserHeaders: true,
|
|
PassAccessToken: false,
|
|
PassHostHeader: true,
|
|
SetAuthorization: false,
|
|
PassAuthorization: false,
|
|
PreferEmailToUser: false,
|
|
Prompt: "", // Change to "login" when ApprovalPrompt officially deprecated
|
|
ApprovalPrompt: "force",
|
|
UserIDClaim: "email",
|
|
InsecureOIDCAllowUnverifiedEmail: false,
|
|
SkipOIDCDiscovery: false,
|
|
LoggingFilename: "",
|
|
LoggingMaxSize: 100,
|
|
LoggingMaxAge: 7,
|
|
LoggingMaxBackups: 0,
|
|
LoggingLocalTime: true,
|
|
LoggingCompress: false,
|
|
ExcludeLoggingPaths: "",
|
|
SilencePingLogging: false,
|
|
StandardLogging: true,
|
|
StandardLoggingFormat: logger.DefaultStandardLoggingFormat,
|
|
RequestLogging: true,
|
|
RequestLoggingFormat: logger.DefaultRequestLoggingFormat,
|
|
AuthLogging: true,
|
|
AuthLoggingFormat: logger.DefaultAuthLoggingFormat,
|
|
}
|
|
}
|