From b315d1bc8bb3e0ce469557dccf9a52eaf19561c5 Mon Sep 17 00:00:00 2001
From: Pierce Lopez
Date: Tue, 26 May 2020 14:57:19 -0400
Subject: [PATCH] rename a few config options for consistency

config:
* proxy-prefix -> proxy_prefix
* google_group -> google_groups
* github_team -> github_teams

flags:
* tls-cert -> tls-cert-file
* tls-key -> tls-key-file

flags always use dashes, config options always use underscores
flags are singular if they can be specified multiple times, config options are plural if they take a list

inspired by https://github.com/oauth2-proxy/oauth2-proxy/pull/186

Co-authored-by: Joel Speed
---
 README.md | 4 ++--
 main.go | 7 ++++---
 options.go | 12 ++++++------
 providers/github.go | 28 +++++++++++-----------------
 4 files changed, 23 insertions(+), 28 deletions(-)

diff --git a/README.md b/README.md
index 1269d2b7d..65eb04dd5 100644
--- a/README.md
+++ b/README.md
@@ -321,8 +321,8 @@ Usage of oauth2_proxy:
 -skip-oidc-discovery: Skip OIDC discovery (login-url, redeem-url and oidc-jwks-url must be configured)
 -skip-provider-button: will skip sign-in-page to directly reach the next step: oauth/start
 -ssl-insecure-skip-verify: skip validation of certificates presented when using HTTPS
- -tls-cert string: path to certificate file
- -tls-key string: path to private key file
+ -tls-cert-file string: path to certificate file
+ -tls-key-file string: path to private key file
 -upstream value: the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path
 -validate-url string: Access token validation endpoint
 -version: print version string
diff --git a/main.go b/main.go
index 2a17a37c4..9cb8f9b31 100644
--- a/main.go
+++ b/main.go
@@ -23,12 +23,13 @@ func mainFlagSet() *flag.FlagSet {
 skipAuthRegex := StringArray{}
 googleGroups := StringArray{}
 gitlabGroups := StringArray{}
+ githubTeams := StringArray{}
 flagSet.String("http-address", "127.0.0.1:4180", "[http://]: or unix:// to listen on for HTTP clients")
 flagSet.String("https-address", ":443", ": to listen on for HTTPS clients")
 flagSet.Bool("force-https", false, "redirect http requests to https")
- flagSet.String("tls-cert", "", "path to certificate file")
- flagSet.String("tls-key", "", "path to private key file")
+ flagSet.String("tls-cert-file", "", "path to certificate file")
+ flagSet.String("tls-key-file", "", "path to private key file")
 flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
 flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path")
 flagSet.Bool("set-xauthrequest", false, "set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)")
@@ -48,7 +49,7 @@ func mainFlagSet() *flag.FlagSet {
 flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
 flagSet.String("bitbucket-team", "", "restrict logins to members of this team")
 flagSet.String("github-org", "", "restrict logins to members of this organisation")
- flagSet.String("github-team", "", "restrict logins to members of this team (slug) (may be given multiple times)")
+ flagSet.Var(&githubTeams, "github-team", "restrict logins to members of this team (slug) (may be given multiple times)")
 flagSet.Var(&gitlabGroups, "gitlab-group", "restrict logins to members of this group (full path) (may be given multiple times)")
 flagSet.Var(&googleGroups, "google-group", "restrict logins to members of this google group (may be given multiple times)")
 flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls")
diff --git a/options.go b/options.go
index 646e0b4b5..38e62ab17 100644
--- a/options.go
+++ b/options.go
@@ -18,7 +18,7 @@ import (
 // Configuration Options that can be set by Command Line Flag, or Config File
 type Options struct {
- ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy-prefix"`
+ ProxyPrefix string `flag:"proxy-prefix" cfg:"proxy_prefix"`
 ProxyWebSockets bool `flag:"proxy-websockets" cfg:"proxy_websockets"`
 HttpAddress string `flag:"http-address" cfg:"http_address"`
 HttpsAddress string `flag:"https-address" cfg:"https_address"`
@@ -26,8 +26,8 @@ type Options struct {
 RedirectURL string `flag:"redirect-url" cfg:"redirect_url"`
 ClientID string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"`
 ClientSecret string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`
- TLSCertFile string `flag:"tls-cert" cfg:"tls_cert_file"`
- TLSKeyFile string `flag:"tls-key" cfg:"tls_key_file"`
+ TLSCertFile string `flag:"tls-cert-file" cfg:"tls_cert_file"`
+ TLSKeyFile string `flag:"tls-key-file" cfg:"tls_key_file"`
 AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
 AzureTenant string `flag:"azure-tenant" cfg:"azure_tenant"`
@@ -35,9 +35,9 @@ type Options struct {
 EmailDomains []string `flag:"email-domain" cfg:"email_domains"`
 WhitelistDomains []string `flag:"whitelist-domain" cfg:"whitelist_domains" env:"OAUTH2_PROXY_WHITELIST_DOMAINS"`
 GitHubOrg string `flag:"github-org" cfg:"github_org"`
- GitHubTeam string `flag:"github-team" cfg:"github_team"`
+ GitHubTeams []string `flag:"github-team" cfg:"github_teams"`
 GitLabGroups []string `flag:"gitlab-group" cfg:"gitlab_groups"`
- GoogleGroups []string `flag:"google-group" cfg:"google_group"`
+ GoogleGroups []string `flag:"google-group" cfg:"google_groups"`
 GoogleAdminEmail string `flag:"google-admin-email" cfg:"google_admin_email"`
 GoogleServiceAccountJSON string `flag:"google-service-account-json" cfg:"google_service_account_json"`
 HtpasswdFile string `flag:"htpasswd-file" cfg:"htpasswd_file"`
@@ -272,7 +272,7 @@ func parseProviderInfo(o *Options, msgs []string) []string {
 case *providers.BitbucketProvider:
 p.SetTeam(o.BitbucketTeam)
 case *providers.GitHubProvider:
- p.SetOrgTeam(o.GitHubOrg, o.GitHubTeam)
+ p.SetOrgTeam(o.GitHubOrg, o.GitHubTeams)
 case *providers.GitLabProvider:
 p.SetGroups(o.GitLabGroups)
 case *providers.GoogleProvider:
diff --git a/providers/github.go b/providers/github.go
index a055013c9..713a5b289 100644
--- a/providers/github.go
+++ b/providers/github.go
@@ -10,13 +10,12 @@ import (
 "path"
 "regexp"
 "strconv"
- "strings"
 )
 type GitHubProvider struct {
 *ProviderData
- Org string
- Team string
+ Org string
+ Teams []string
 }
 func NewGitHubProvider(p *ProviderData) *GitHubProvider {
@@ -56,10 +55,10 @@ func getGitHubHeader(accessToken string) http.Header {
 return header
 }
-func (p *GitHubProvider) SetOrgTeam(org, team string) {
+func (p *GitHubProvider) SetOrgTeam(org string, teams []string) {
 p.Org = org
- p.Team = team
- if org != "" || team != "" {
+ p.Teams = teams
+ if org != "" || len(teams) > 0 {
 p.Scope += " read:org"
 }
 }
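Review bot: Renaming the `cfg` keys to `github_teams` and `google_groups` in the `-35` hunk (and to `proxy_prefix` earlier in options.go) changes the spelling of options that gate who is allowed through, and a deployment whose config file still says `github_team = ...` or `google_group = [...]` will, if the loader ignores unknown keys (not visible in this patch), start with an empty list: for GitHub only the org check then runs, and the Google group restriction disappears entirely, with no error at startup. That is a silent widening of access after an upgrade, so the old keys should be rejected rather than ignored — wherever the config file is parsed, append a message such as `"config option github_team was renamed to github_teams"` for each of the three old keys to the `msgs` slice that parseProviderInfo already threads through, so the proxy refuses to start. At minimum the change needs a CHANGELOG/README entry marking it as breaking; the README hunk in this patch only covers the two tls flags.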
@@ -149,7 +148,7 @@ func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) {
 pattern := regexp.MustCompile(`<([^>]+)>; rel="next"`)
 var hasOrg bool
- presentOrgs := make(map[string]bool)
+ var presentOrgs []string
 var presentTeams []string
 for i := 0; i < 10; i++ {
@@ -175,11 +174,10 @@ func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) {
 }
 for _, team := range teams {
- presentOrgs[team.Org.Login] = true
+ presentOrgs = append(presentOrgs, team.Org.Login)
 if p.Org == team.Org.Login {
 hasOrg = true
- ts := strings.Split(p.Team, ",")
- for _, t := range ts {
+ for _, t := range p.Teams {
 if t == team.Slug {
 log.Printf("Found Github Organization:%q Team:%q (Name:%q)",
 team.Org.Login, team.Slug, team.Name)
@@ -198,13 +196,9 @@ func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) {
 }
 if hasOrg {
- log.Printf("Missing Team:%q from Org:%q in teams: %v", p.Team, p.Org, presentTeams)
+ log.Printf("Missing Team:%v from Org:%q in teams: %v", p.Teams, p.Org, presentTeams)
 } else {
- var allOrgs []string
- for org, _ := range presentOrgs {
- allOrgs = append(allOrgs, org)
- }
- log.Printf("Missing Organization:%q in %#v", p.Org, allOrgs)
+ log.Printf("Missing Organization:%q in %#v", p.Org, presentOrgs)
 }
 return false, nil
 }
@@ -219,7 +213,7 @@ func (p *GitHubProvider) GetEmailAddress(s *SessionState) (string, error) {
 // if we require an Org or Team, check that first
 if p.Org != "" {
- if p.Team != "" {
+ if len(p.Teams) > 0 {
 if ok, err := p.hasOrgAndTeam(s.AccessToken); err != nil || !ok {
 return "", err
 }
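Review bot: Dropping `strings.Split(p.Team, ",")` in the `-175` hunk of hasOrgAndTeam means a team list given in the previously working comma form (`-github-team=a,b`, or that string in a config file) now arrives as the single slug `"a,b"`, which can never equal `team.Slug`, so such a deployment denies every login after the upgrade with only the `Missing Team` log line as a hint; the commit message does not mention this, and unless StringArray.Set splits on commas (not visible here) nothing else does. If compatibility is wanted, normalise once in SetOrgTeam (in the previous hunk) rather than in the per-team loop, e.g. `for _, t := range teams { p.Teams = append(p.Teams, strings.Split(t, ",")...) }`, which would need the `strings` import this patch removes; otherwise call the break out in the changelog and have SetOrgTeam log a warning when a configured slug contains a comma. Separately, `presentOrgs` is now appended once per team rather than once per org, so the `Missing Organization` log repeats an org for each of the user's teams in it — a `map[string]struct{}` whose keys are collected before logging would keep the old de-duplicated output. The hunk at `-219` is cut off by the end of the page.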