Compare commits
No commits in common. "0c133ff09d5d60c7f653fa22a5322c87bb81e602" and "e7bc551234290b229274f5fb56fc495db7626ee7" have entirely different histories.
0c133ff09d
...
e7bc551234
5 changed files with 21 additions and 50 deletions
|
|
@ -31,7 +31,7 @@ RUN go mod download
|
||||||
RUN go mod verify
|
RUN go mod verify
|
||||||
|
|
||||||
# Build the binary.
|
# Build the binary.
|
||||||
RUN CGO_ENABLED=0 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/oidc-forward-auth
|
RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/oidc-forward-auth
|
||||||
|
|
||||||
# Runner
|
# Runner
|
||||||
FROM scratch
|
FROM scratch
|
||||||
|
|
@ -55,7 +55,7 @@ ARG VCS_REF
|
||||||
# Good docker practice
|
# Good docker practice
|
||||||
LABEL org.opencontainers.image.created=$BUILD_DATE \
|
LABEL org.opencontainers.image.created=$BUILD_DATE \
|
||||||
org.opencontainers.image.authors="StiviiK" \
|
org.opencontainers.image.authors="StiviiK" \
|
||||||
org.opencontainers.image.source="https://code.thetadev.de/ThetaDev/oidc-forward-auth" \
|
org.opencontainers.image.source="https://github.com/StiviiK/oidc-forward-auth.git" \
|
||||||
org.opencontainers.image.revision=$VCS_REF
|
org.opencontainers.image.revision=$VCS_REF
|
||||||
|
|
||||||
ENTRYPOINT ["/go/bin/oidc-forward-auth"]
|
ENTRYPOINT ["/go/bin/oidc-forward-auth"]
|
||||||
|
|
@ -7,7 +7,6 @@ package forwardauth
|
||||||
import (
|
import (
|
||||||
"context"
|
"context"
|
||||||
"fmt"
|
"fmt"
|
||||||
"strings"
|
|
||||||
|
|
||||||
"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
|
"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
|
||||||
"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/utils"
|
"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/utils"
|
||||||
|
|
@ -37,7 +36,6 @@ type Claims struct {
|
||||||
Picture string `json:"picture"`
|
Picture string `json:"picture"`
|
||||||
Locale string `json:"locale"`
|
Locale string `json:"locale"`
|
||||||
PreferedUsername string `json:"preferred_username"`
|
PreferedUsername string `json:"preferred_username"`
|
||||||
Groups []string `json:"groups"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Create creates a new fw auth client from our options
|
// Create creates a new fw auth client from our options
|
||||||
|
|
@ -51,9 +49,6 @@ func Create(ctx context.Context, options *options.Options) (*ForwardAuth, error)
|
||||||
ClientID: options.ClientID,
|
ClientID: options.ClientID,
|
||||||
})
|
})
|
||||||
|
|
||||||
scopes := []string{oidc.ScopeOpenID, "profile", "email"}
|
|
||||||
scopes = append(scopes, strings.Split(options.Scopes, " ")...)
|
|
||||||
|
|
||||||
return &ForwardAuth{
|
return &ForwardAuth{
|
||||||
OidcProvider: provider,
|
OidcProvider: provider,
|
||||||
OAuth2Config: oauth2.Config{
|
OAuth2Config: oauth2.Config{
|
||||||
|
|
@ -65,7 +60,7 @@ func Create(ctx context.Context, options *options.Options) (*ForwardAuth, error)
|
||||||
Endpoint: provider.Endpoint(),
|
Endpoint: provider.Endpoint(),
|
||||||
|
|
||||||
// "openid" is a required scope for OpenID Connect flows.
|
// "openid" is a required scope for OpenID Connect flows.
|
||||||
Scopes: scopes,
|
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
|
||||||
},
|
},
|
||||||
OidcVefifier: verifier,
|
OidcVefifier: verifier,
|
||||||
}, nil
|
}, nil
|
||||||
|
|
|
||||||
|
|
@ -27,22 +27,18 @@ func Create(fw *forwardauth.ForwardAuth, options *options.Options) *HttpHandler
|
||||||
func (h *HttpHandler) Entrypoint() func(http.ResponseWriter, *http.Request) {
|
func (h *HttpHandler) Entrypoint() func(http.ResponseWriter, *http.Request) {
|
||||||
return func(w http.ResponseWriter, r *http.Request) {
|
return func(w http.ResponseWriter, r *http.Request) {
|
||||||
uri, err := url.Parse(r.Header.Get("X-Forwarded-Uri"))
|
uri, err := url.Parse(r.Header.Get("X-Forwarded-Uri"))
|
||||||
host := r.Header.Get("X-Forwarded-Host")
|
switch {
|
||||||
|
case err != nil:
|
||||||
if err != nil {
|
|
||||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||||
return
|
return
|
||||||
}
|
|
||||||
|
|
||||||
if host == h.options.AuthDomain {
|
case uri.Path == h.options.RedirectURL:
|
||||||
// Handles OIDC callback
|
|
||||||
if uri.Path == h.options.RedirectURL {
|
|
||||||
h.callbackHandler(w, r, uri)
|
h.callbackHandler(w, r, uri)
|
||||||
return
|
return
|
||||||
|
|
||||||
|
default:
|
||||||
|
h.rootHandler(w, r, uri)
|
||||||
|
return
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Handles forward auth
|
|
||||||
h.rootHandler(w, r, uri, r.URL)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -5,7 +5,6 @@ This code is licensed under MIT license (see LICENSE for details)
|
||||||
package httphandler
|
package httphandler
|
||||||
|
|
||||||
import (
|
import (
|
||||||
"fmt"
|
|
||||||
"net/http"
|
"net/http"
|
||||||
"net/url"
|
"net/url"
|
||||||
|
|
||||||
|
|
@ -14,7 +13,7 @@ import (
|
||||||
)
|
)
|
||||||
|
|
||||||
// RootHandler returns a handler function which handles all requests to the root
|
// RootHandler returns a handler function which handles all requests to the root
|
||||||
func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL, queryURI *url.URL) {
|
func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL) {
|
||||||
logger := logrus.WithFields(logrus.Fields{
|
logger := logrus.WithFields(logrus.Fields{
|
||||||
"SourceIP": r.Header.Get("X-Forwarded-For"),
|
"SourceIP": r.Header.Get("X-Forwarded-For"),
|
||||||
"RequestTarget": root.forwardAuth.GetReturnUri(r),
|
"RequestTarget": root.forwardAuth.GetReturnUri(r),
|
||||||
|
|
@ -35,24 +34,6 @@ func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, for
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check group
|
|
||||||
group := queryURI.Query().Get("group")
|
|
||||||
if len(group) > 0 {
|
|
||||||
if !contains(claims.Groups, group) {
|
|
||||||
logger.Warnf("User %s not member of group %s", claims.PreferedUsername, group)
|
|
||||||
http.Error(w, fmt.Sprintf("You need to be a member of the group '%s' to access this site", group), http.StatusForbidden)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
w.Header().Set("X-Forwarded-User", claims.Email)
|
w.Header().Set("X-Forwarded-User", claims.Email)
|
||||||
w.WriteHeader(200)
|
w.WriteHeader(200)
|
||||||
}
|
}
|
||||||
|
|
||||||
func contains(s []string, e string) bool {
|
|
||||||
for _, a := range s {
|
|
||||||
if a == e {
|
|
||||||
return true
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return false
|
|
||||||
}
|
|
||||||
|
|
|
||||||
|
|
@ -18,7 +18,6 @@ type Options struct {
|
||||||
CookieDomain string `env:"COOKIE_DOMAIN"`
|
CookieDomain string `env:"COOKIE_DOMAIN"`
|
||||||
Port int `env:"PORT" envDefault:"4181"`
|
Port int `env:"PORT" envDefault:"4181"`
|
||||||
RedirectURL string `env:"REDIRECT_URL" envDefault:"/auth/resp"`
|
RedirectURL string `env:"REDIRECT_URL" envDefault:"/auth/resp"`
|
||||||
Scopes string `env:"SCOPES"`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// LoadOptions parses the environment vars and the options
|
// LoadOptions parses the environment vars and the options
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue