#71 change names to include 'IdP', cleanup config comments

vouch · Feb 14, 2019 · c28fe55 · c28fe55
1 parent b6c5926
commit c28fe55
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 27 deletions.
diff --git a/config/config.yml_example b/config/config.yml_example
@@ -11,6 +11,12 @@ vouch:
   listen: 0.0.0.0
   port: 9090
 
+  # testing: force all 302 redirects to be rendered as a webpage with a link
+  # if you're having difficulty with constant redirects, please do turn on testing
+  # testing: true
+  # test_url: add this URL to the page which vouch displays as a convenience for testing
+  test_url: http://yourdomain.com
+
   # domains:
   # each of these domains must serve the url https://vouch.$domains[0] https://vouch.$domains[1] ...
   # so that the cookie which stores the JWT can be set in the relevant domain
@@ -75,22 +81,19 @@ vouch:
     jwt: X-Vouch-Token
     querystring: access_token
     redirect: X-Vouch-Requested-URI
-    # If idToken is defined, all valid requests to /validate will receive a header (defined in the value) containing the id_token from the OpenID Provider
-    # If idToken is empty or undefined, no header will be added
-    # This will make the response largerwich in turn can affect the response time
-    # idToken: x-vouch-idtoken
-    # If accessToken is defined, all valid requests to /validate will receive a header (defined in the value) containing the access_token from the OpenID Provider
-    # If accessToken is empty or undefined, no header will be added
-    # This will make the response larger wich in turn can affect the response time
-    # accessToken: x-vouch-accesstoken
+    # If idpIDToken is defined, the `id_token` from the OpenID Provider will be returned by /validate in the configured header
+    # idpIDToken: X-Vouch-IdP-IDToken
+    # If idpAccessToken is defined, the `access_token` from the OpenID Provider will be returned by /validate in the configured header
+    # idpAccessToken: X-Vouch-IdP-AccessToken
+    # If either idpIDToken or idpAccessToken is empty or undefined, no header will be added
+    # a note on idp headers:
+    # Unless your application will make use of these headers there is no reason you should expose these tokens.
+    # They are not used by Vouch Proxy for validation. Including these headers will make the response slightly larger which may
+    # incur a marginal performance penalty
 
   db: 
     file: data/vouch_bolt.db
 
-  # testing: force all 302 redirects to be rendered as a webpage with a link
-  testing: true
-  # test_url: add this URL to the page which vouch displays
-  test_url: http://yourdomain.com
   # webapp: WIP for web interface to vouch (mostly logs)
   webapp: true
 

diff --git a/handlers/handlers.go b/handlers/handlers.go
@@ -192,11 +192,11 @@ func ValidateRequestHandler(w http.ResponseWriter, r *http.Request) {
 	}
 
 	w.Header().Add(cfg.Cfg.Headers.User, claims.Username)
-	if cfg.Cfg.Headers.IDToken != "" {
-		w.Header().Add(cfg.Cfg.Headers.IDToken, claims.IDToken)
+	if cfg.Cfg.Headers.IdpIDToken != "" {
+		w.Header().Add(cfg.Cfg.Headers.IdpIDToken, claims.IDToken)
 	}
-	if cfg.Cfg.Headers.AccessToken != "" {
-		w.Header().Add(cfg.Cfg.Headers.AccessToken, claims.AccessToken)
+	if cfg.Cfg.Headers.IdpAccessToken != "" {
+		w.Header().Add(cfg.Cfg.Headers.IdpAccessToken, claims.AccessToken)
 	}
 	w.Header().Add(cfg.Cfg.Headers.Success, "true")
 	log.WithFields(log.Fields{cfg.Cfg.Headers.User: w.Header().Get(cfg.Cfg.Headers.User)}).Debug("response header")
@@ -255,6 +255,8 @@ func LogoutHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+// HealthcheckHandler returns json "ok" (we're alive!)
+// TODO: add additional checks!
 func HealthcheckHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 	fmt.Fprintf(w, "{ \"ok\": true }")

diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go
@@ -41,13 +41,13 @@ type config struct {
 		HTTPOnly bool   `mapstructure:"httpOnly"`
 	}
 	Headers struct {
-		JWT         string `mapstructure:"jwt"`
-		IDToken     string `mapstructure:"idToken"`
-		AccessToken string `mapstructure:"accessToken"`
-		User        string `mapstructure:"user"`
-		QueryString string `mapstructure:"querystring"`
-		Redirect    string `mapstructure:"redirect"`
-		Success     string `mapstructure:"success"`
+		JWT            string `mapstructure:"jwt"`
+		User           string `mapstructure:"user"`
+		QueryString    string `mapstructure:"querystring"`
+		Redirect       string `mapstructure:"redirect"`
+		Success        string `mapstructure:"success"`
+		IdpIDToken     string `mapstructure:"idpIDToken"`
+		IdpAccessToken string `mapstructure:"idpAccessToken"`
 	}
 	DB struct {
 		File string `mapstructure:"file"`
@@ -356,11 +356,11 @@ func setDefaults() {
 	if !viper.IsSet(Branding.LCName + ".headers.jwt") {
 		Cfg.Headers.JWT = "X-" + Branding.CcName + "-Token"
 	}
-	if !viper.IsSet(Branding.LCName + ".headers.idToken") {
-		Cfg.Headers.IDToken = ""
+	if !viper.IsSet(Branding.LCName + ".headers.idpIDToken") {
+		Cfg.Headers.IdpAccessToken = ""
 	}
-	if !viper.IsSet(Branding.LCName + ".headers.accessToken") {
-		Cfg.Headers.AccessToken = ""
+	if !viper.IsSet(Branding.LCName + ".headers.idpAccessToken") {
+		Cfg.Headers.IdpAccessToken = ""
 	}
 	if !viper.IsSet(Branding.LCName + ".headers.querystring") {
 		Cfg.Headers.QueryString = "access_token"