github.com/pusher/oauth2_proxy@v3.2.0+incompatible/main.go

github.com/pusher/oauth2_proxy@v3.2.0+incompatible/main.go (about)

     1  package main
     2  
     3  import (
     4  	"flag"
     5  	"fmt"
     6  	"log"
     7  	"math/rand"
     8  	"net/http"
     9  	"os"
    10  	"runtime"
    11  	"strings"
    12  	"time"
    13  
    14  	"github.com/BurntSushi/toml"
    15  	options "github.com/mreiferson/go-options"
    16  )
    17  
    18  func main() {
    19  	log.SetFlags(log.Ldate | log.Ltime | log.Lshortfile)
    20  	flagSet := flag.NewFlagSet("oauth2_proxy", flag.ExitOnError)
    21  
    22  	emailDomains := StringArray{}
    23  	whitelistDomains := StringArray{}
    24  	upstreams := StringArray{}
    25  	skipAuthRegex := StringArray{}
    26  	googleGroups := StringArray{}
    27  
    28  	config := flagSet.String("config", "", "path to config file")
    29  	showVersion := flagSet.Bool("version", false, "print version string")
    30  
    31  	flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")
    32  	flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients")
    33  	flagSet.String("tls-cert", "", "path to certificate file")
    34  	flagSet.String("tls-key", "", "path to private key file")
    35  	flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
    36  	flagSet.Bool("set-xauthrequest", false, "set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)")
    37  	flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path")
    38  	flagSet.Bool("pass-basic-auth", true, "pass HTTP Basic Auth, X-Forwarded-User and X-Forwarded-Email information to upstream")
    39  	flagSet.Bool("pass-user-headers", true, "pass X-Forwarded-User and X-Forwarded-Email information to upstream")
    40  	flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
    41  	flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
    42  	flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
    43  	flagSet.Bool("pass-authorization-header", false, "pass the Authorization Header to upstream")
    44  	flagSet.Bool("set-authorization-header", false, "set Authorization response headers (useful in Nginx auth_request mode)")
    45  	flagSet.Var(&skipAuthRegex, "skip-auth-regex", "bypass authentication for requests path's that match (may be given multiple times)")
    46  	flagSet.Bool("skip-provider-button", false, "will skip sign-in-page to directly reach the next step: oauth/start")
    47  	flagSet.Bool("skip-auth-preflight", false, "will skip authentication for OPTIONS requests")
    48  	flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")
    49  	flagSet.Duration("flush-interval", time.Duration(1)*time.Second, "period between response flushing when streaming responses")
    50  
    51  	flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
    52  	flagSet.Var(&whitelistDomains, "whitelist-domain", "allowed domains for redirection after authentication. Prefix domain with a . to allow subdomains (eg .example.com)")
    53  	flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
    54  	flagSet.String("github-org", "", "restrict logins to members of this organisation")
    55  	flagSet.String("github-team", "", "restrict logins to members of this team")
    56  	flagSet.Var(&googleGroups, "google-group", "restrict logins to members of this google group (may be given multiple times).")
    57  	flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls")
    58  	flagSet.String("google-service-account-json", "", "the path to the service account json credentials")
    59  	flagSet.String("client-id", "", "the OAuth Client ID: ie: \"123456.apps.googleusercontent.com\"")
    60  	flagSet.String("client-secret", "", "the OAuth Client Secret")
    61  	flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
    62  	flagSet.String("htpasswd-file", "", "additionally authenticate against a htpasswd file. Entries must be created with \"htpasswd -s\" for SHA encryption or \"htpasswd -B\" for bcrypt encryption")
    63  	flagSet.Bool("display-htpasswd-form", true, "display username / password login form if an htpasswd file is provided")
    64  	flagSet.String("custom-templates-dir", "", "path to custom html templates")
    65  	flagSet.String("footer", "", "custom footer string. Use \"-\" to disable default footer.")
    66  	flagSet.String("proxy-prefix", "/oauth2", "the url root path that this proxy should be nested under (e.g. /<oauth2>/sign_in)")
    67  	flagSet.Bool("proxy-websockets", true, "enables WebSocket proxying")
    68  
    69  	flagSet.String("cookie-name", "_oauth2_proxy", "the name of the cookie that the oauth_proxy creates")
    70  	flagSet.String("cookie-secret", "", "the seed string for secure cookies (optionally base64 encoded)")
    71  	flagSet.String("cookie-domain", "", "an optional cookie domain to force cookies to (ie: .yourcompany.com)*")
    72  	flagSet.String("cookie-path", "/", "an optional cookie path to force cookies to (ie: /poc/)*")
    73  	flagSet.Duration("cookie-expire", time.Duration(168)*time.Hour, "expire timeframe for cookie")
    74  	flagSet.Duration("cookie-refresh", time.Duration(0), "refresh the cookie after this duration; 0 to disable")
    75  	flagSet.Bool("cookie-secure", true, "set secure (HTTPS) cookie flag")
    76  	flagSet.Bool("cookie-httponly", true, "set HttpOnly cookie flag")
    77  
    78  	flagSet.Bool("request-logging", true, "Log requests to stdout")
    79  	flagSet.String("request-logging-format", defaultRequestLoggingFormat, "Template for log lines")
    80  
    81  	flagSet.String("provider", "google", "OAuth provider")
    82  	flagSet.String("oidc-issuer-url", "", "OpenID Connect issuer URL (ie: https://accounts.google.com)")
    83  	flagSet.Bool("skip-oidc-discovery", false, "Skip OIDC discovery and use manually supplied Endpoints")
    84  	flagSet.String("oidc-jwks-url", "", "OpenID Connect JWKS URL (ie: https://www.googleapis.com/oauth2/v3/certs)")
    85  	flagSet.String("login-url", "", "Authentication endpoint")
    86  	flagSet.String("redeem-url", "", "Token redemption endpoint")
    87  	flagSet.String("profile-url", "", "Profile access endpoint")
    88  	flagSet.String("resource", "", "The resource that is protected (Azure AD only)")
    89  	flagSet.String("validate-url", "", "Access token validation endpoint")
    90  	flagSet.String("scope", "", "OAuth scope specification")
    91  	flagSet.String("approval-prompt", "force", "OAuth approval_prompt")
    92  
    93  	flagSet.String("signature-key", "", "GAP-Signature request signature key (algorithm:secretkey)")
    94  	flagSet.String("acr-values", "http://idmanagement.gov/ns/assurance/loa/1", "acr values string:  optional, used by login.gov")
    95  	flagSet.String("jwt-key", "", "private key used to sign JWT: required by login.gov")
    96  	flagSet.String("pubjwk-url", "", "JWK pubkey access endpoint: required by login.gov")
    97  	flagSet.Bool("gcp-healthchecks", false, "Enable GCP/GKE healthcheck endpoints")
    98  
    99  	flagSet.Parse(os.Args[1:])
   100  
   101  	if *showVersion {
   102  		fmt.Printf("oauth2_proxy %s (built with %s)\n", VERSION, runtime.Version())
   103  		return
   104  	}
   105  
   106  	opts := NewOptions()
   107  
   108  	cfg := make(EnvOptions)
   109  	if *config != "" {
   110  		_, err := toml.DecodeFile(*config, &cfg)
   111  		if err != nil {
   112  			log.Fatalf("ERROR: failed to load config file %s - %s", *config, err)
   113  		}
   114  	}
   115  	cfg.LoadEnvForStruct(opts)
   116  	options.Resolve(opts, flagSet, cfg)
   117  
   118  	err := opts.Validate()
   119  	if err != nil {
   120  		log.Printf("%s", err)
   121  		os.Exit(1)
   122  	}
   123  	validator := NewValidator(opts.EmailDomains, opts.AuthenticatedEmailsFile)
   124  	oauthproxy := NewOAuthProxy(opts, validator)
   125  
   126  	if len(opts.EmailDomains) != 0 && opts.AuthenticatedEmailsFile == "" {
   127  		if len(opts.EmailDomains) > 1 {
   128  			oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using one of the following domains: %v", strings.Join(opts.EmailDomains, ", "))
   129  		} else if opts.EmailDomains[0] != "*" {
   130  			oauthproxy.SignInMessage = fmt.Sprintf("Authenticate using %v", opts.EmailDomains[0])
   131  		}
   132  	}
   133  
   134  	if opts.HtpasswdFile != "" {
   135  		log.Printf("using htpasswd file %s", opts.HtpasswdFile)
   136  		oauthproxy.HtpasswdFile, err = NewHtpasswdFromFile(opts.HtpasswdFile)
   137  		oauthproxy.DisplayHtpasswdForm = opts.DisplayHtpasswdForm
   138  		if err != nil {
   139  			log.Fatalf("FATAL: unable to open %s %s", opts.HtpasswdFile, err)
   140  		}
   141  	}
   142  
   143  	rand.Seed(time.Now().UnixNano())
   144  
   145  	var handler http.Handler
   146  	if opts.GCPHealthChecks {
   147  		handler = gcpHealthcheck(LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging, opts.RequestLoggingFormat))
   148  	} else {
   149  		handler = LoggingHandler(os.Stdout, oauthproxy, opts.RequestLogging, opts.RequestLoggingFormat)
   150  	}
   151  	s := &Server{
   152  		Handler: handler,
   153  		Opts:    opts,
   154  	}
   155  	s.ListenAndServe()
   156  }