github.com/pusher/oauth2_proxy@v3.2.0+incompatible/main.go (about) 1 package main 2 3 import ( 4 "flag" 5 "fmt" 6 "log" 7 "math/rand" 8 "net/http" 9 "os" 10 "runtime" 11 "strings" 12 "time" 13 14 "github.com/BurntSushi/toml" 15 options "github.com/mreiferson/go-options" 16 ) 17 18 func main() { 19 log.SetFlags(log.Ldate | log.Ltime | log.Lshortfile) 20 flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError) 21 22 emailDomains := StringArray{} 23 whitelistDomains := StringArray{} 24 upstreams := StringArray{} 25 skipAuthRegex := StringArray{} 26 googleGroups := StringArray{} 27 28 config := flagSet.String("config", "", "path to config file") 29 showVersion := flagSet.Bool("version", false, "print version string") 30 31 flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients") 32 flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients") 33 flagSet.String("tls-cert", "", "path to certificate file") 34 flagSet.String("tls-key", "", "path to private key file") 35 flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"") 36 flagSet.Bool("set-xauthrequest", false, "set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)") 37 flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path") 38 flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream") 39 flagSet.Bool("pass-user-headers", true, "pass X-Forwarded-User and X-Forwarded-Email information to upstream") 40 flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header") 41 flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header") 42 flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream") 43 flagSet.Bool("pass-authorization-header", false, "pass the Authorization Header to upstream") 44 flagSet.Bool("set-authorization-header", false, "set Authorization response headers (useful in Nginx auth_request mode)") 45 flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)") 46 flagSet.Bool("skip-provider-button", false, "will skip sign-in-page to directly reach the next step: oauth/start") 47 flagSet.Bool("skip-auth-preflight", false, "will skip authentication for OPTIONS requests") 48 flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS") 49 flagSet.Duration("flush-interval", time.Duration(1)*time.Second, "period between response flushing when streaming responses") 50 51 flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email") 52 flagSet.Var(&whitelistDomains, "whitelist-domain", "allowed domains for redirection after authentication. Prefix domain with a . to allow subdomains (eg .example.com)") 53 flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.") 54 flagSet.String("github-org", "", "restrict logins to members of this organisation") 55 flagSet.String("github-team", "", "restrict logins to members of this team") 56 flagSet.Var(&googleGroups, "google-group", "restrict logins to members of this google group (may be given multiple times).") 57 flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls") 58 flagSet.String("google-service-account-json", "", "the path to the service account json credentials") 59 flagSet.String("client-id", "", "the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"") 60 flagSet.String("client-secret", "", "the OAuth Client Secret") 61 flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)") 62 flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption or \"htpasswd -B\" for bcrypt encryption") 63 flagSet.Bool("display-htpasswd-form", true, "display username / password login form if an htpasswd file is provided") 64 flagSet.String("custom-templates-dir", "", "path to custom html templates") 65 flagSet.String("footer", "", "custom footer string. Use \"-\" to disable default footer.") 66 flagSet.String("proxy-prefix", "/oauth2", "the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)") 67 flagSet.Bool("proxy-websockets", true, "enables WebSocket proxying") 68 69 flagSet.String("cookie-name", "_oauth2_proxy", "the name of the cookie that the oauth_proxy creates") 70 flagSet.String("cookie-secret", "", "the seed string for secure cookies (optionally base64 encoded)") 71 flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*") 72 flagSet.String("cookie-path", "/", "an optional cookie path to force cookies to (ie: /poc/)*") 73 flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie") 74 flagSet.Duration("cookie-refresh", time.Duration(0), "refresh the cookie after this duration; 0 to disable") 75 flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag") 76 flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag") 77 78 flagSet.Bool("request-logging", true, "Log requests to stdout") 79 flagSet.String("request-logging-format", defaultRequestLoggingFormat, "Template for log lines") 80 81 flagSet.String("provider", "google", "OAuth provider") 82 flagSet.String("oidc-issuer-url", "", "OpenID Connect issuer URL (ie: https://accounts.google.com)") 83 flagSet.Bool("skip-oidc-discovery", false, "Skip OIDC discovery and use manually supplied Endpoints") 84 flagSet.String("oidc-jwks-url", "", "OpenID Connect JWKS URL (ie: https://www.googleapis.com/oauth2/v3/certs)") 85 flagSet.String("login-url", "", "Authentication endpoint") 86 flagSet.String("redeem-url", "", "Token redemption endpoint") 87 flagSet.String("profile-url", "", "Profile access endpoint") 88 flagSet.String("resource", "", "The resource that is protected (Azure AD only)") 89 flagSet.String("validate-url", "", "Access token validation endpoint") 90 flagSet.String("scope", "", "OAuth scope specification") 91 flagSet.String("approval-prompt", "force", "OAuth approval_prompt") 92 93 flagSet.String("signature-key", "", "GAP-Signature request signature key (algorithm:secretkey)") 94 flagSet.String("acr-values", "http://idmanagement.gov/ns/assurance/loa/1", "acr values string: optional, used by login.gov") 95 flagSet.String("jwt-key", "", "private key used to sign JWT: required by login.gov") 96 flagSet.String("pubjwk-url", "", "JWK pubkey access endpoint: required by login.gov") 97 flagSet.Bool("gcp-healthchecks", false, "Enable GCP/GKE healthcheck endpoints") 98 99 flagSet.Parse(os.Args[1:]) 100 101 if *showVersion { 102 fmt.Printf("oauth2_proxy %s (built with %s)\n", VERSION, runtime.Version()) 103 return 104 } 105 106 opts := NewOptions() 107 108 cfg := make(EnvOptions) 109 if *config != "" { 110 _, err := toml.DecodeFile(*config, &cfg) 111 if err != nil { 112 log.Fatalf("ERROR: failed to load config file %s - %s", *config, err) 113 } 114 } 115 cfg.LoadEnvForStruct(opts) 116 options.Resolve(opts, flagSet, cfg) 117 118 err := opts.Validate() 119 if err != nil { 120 log.Printf("%s", err) 121 os.Exit(1) 122 } 123 validator := NewValidator(opts.EmailDomains, opts.AuthenticatedEmailsFile) 124 oauthproxy := NewOAuthProxy(opts, validator) 125 126 if len(opts.EmailDomains) != 0 && opts.AuthenticatedEmailsFile == "" { 127 if len(opts.EmailDomains) > 1 { 128 oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using one of the following domains: %v", strings.Join(opts.EmailDomains, ", ")) 129 } else if opts.EmailDomains[0] != "*" { 130 oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using %v", opts.EmailDomains[0]) 131 } 132 } 133 134 if opts.HtpasswdFile != "" { 135 log.Printf("using htpasswd file %s", opts.HtpasswdFile) 136 oauthproxy.HtpasswdFile, err = NewHtpasswdFromFile(opts.HtpasswdFile) 137 oauthproxy.DisplayHtpasswdForm = opts.DisplayHtpasswdForm 138 if err != nil { 139 log.Fatalf("FATAL: unable to open %s %s", opts.HtpasswdFile, err) 140 } 141 } 142 143 rand.Seed(time.Now().UnixNano()) 144 145 var handler http.Handler 146 if opts.GCPHealthChecks { 147 handler = gcpHealthcheck(LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging, opts.RequestLoggingFormat)) 148 } else { 149 handler = LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging, opts.RequestLoggingFormat) 150 } 151 s := &Server{ 152 Handler: handler, 153 Opts: opts, 154 } 155 s.ListenAndServe() 156 }