dockerfile: enable cross build

feat: add group-based access control
2024-05-02 03:01:26 +02:00 · 2024-05-02 02:53:00 +02:00
5 changed files with 51 additions and 22 deletions
--- a/4
+++ b/4
@ -31,7 +31,7 @@ RUN go mod download
 RUN go mod verify
 # Build the binary.
-RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/oidc-forward-auth
+RUN CGO_ENABLED=0 go build -a -installsuffix cgo -ldflags="-w -s" -o /go/bin/oidc-forward-auth
 # Runner
 FROM scratch
@ -55,7 +55,7 @@ ARG VCS_REF
 # Good docker practice
 LABEL org.opencontainers.image.created=$BUILD_DATE \
      org.opencontainers.image.authors="StiviiK" \
-      org.opencontainers.image.source="https://github.com/StiviiK/oidc-forward-auth.git" \
+      org.opencontainers.image.source="https://code.thetadev.de/ThetaDev/oidc-forward-auth" \
      org.opencontainers.image.revision=$VCS_REF
 ENTRYPOINT ["/go/bin/oidc-forward-auth"]
--- a/pkg/forwardauth/forwardauth.go
+++ b/pkg/forwardauth/forwardauth.go
@ -7,6 +7,7 @@ package forwardauth
 import (
 	"context"
 	"fmt"
 	"strings"
 	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/options"
 	"github.com/StiviiK/keycloak-traefik-forward-auth/pkg/utils"
@ -28,14 +29,15 @@ type Claims struct {
 	IssuedAt   utils.Time `json:"iat"`
 	Expiration utils.Time `json:"exp"`
-	Name             string `json:"name"`
+	Name             string   `json:"name"`
-	GivenName        string `json:"given_name"`
+	GivenName        string   `json:"given_name"`
-	FamilyName       string `json:"family_name"`
+	FamilyName       string   `json:"family_name"`
-	Email            string `json:"email"`
+	Email            string   `json:"email"`
-	VerifiedMail     bool   `json:"email_verified"`
+	VerifiedMail     bool     `json:"email_verified"`
-	Picture          string `json:"picture"`
+	Picture          string   `json:"picture"`
-	Locale           string `json:"locale"`
+	Locale           string   `json:"locale"`
-	PreferedUsername string `json:"preferred_username"`
+	PreferedUsername string   `json:"preferred_username"`
 	Groups           []string `json:"groups"`
 }
 // Create creates a new fw auth client from our options
@ -49,6 +51,9 @@ func Create(ctx context.Context, options *options.Options) (*ForwardAuth, error)
 		ClientID: options.ClientID,
 	})
 	scopes := []string{oidc.ScopeOpenID, "profile", "email"}
 	scopes = append(scopes, strings.Split(options.Scopes, " ")...)
 	return &ForwardAuth{
 		OidcProvider: provider,
 		OAuth2Config: oauth2.Config{
@ -60,7 +65,7 @@ func Create(ctx context.Context, options *options.Options) (*ForwardAuth, error)
 			Endpoint: provider.Endpoint(),
 			// "openid" is a required scope for OpenID Connect flows.
-			Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
+			Scopes: scopes,
 		},
 		OidcVefifier: verifier,
 	}, nil
--- a/pkg/httphandler/handler.go
+++ b/pkg/httphandler/handler.go
@ -27,18 +27,22 @@ func Create(fw *forwardauth.ForwardAuth, options *options.Options) *HttpHandler
 func (h *HttpHandler) Entrypoint() func(http.ResponseWriter, *http.Request) {
 	return func(w http.ResponseWriter, r *http.Request) {
 		uri, err := url.Parse(r.Header.Get("X-Forwarded-Uri"))
-		switch {
+		host := r.Header.Get("X-Forwarded-Host")
-		case err != nil:
+
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		case uri.Path == h.options.RedirectURL:
 			h.callbackHandler(w, r, uri)
 			return
 		default:
 			h.rootHandler(w, r, uri)
 			return
 		}
 		if host == h.options.AuthDomain {
 			// Handles OIDC callback
 			if uri.Path == h.options.RedirectURL {
 				h.callbackHandler(w, r, uri)
 				return
 			}
 		}
 		// Handles forward auth
 		h.rootHandler(w, r, uri, r.URL)
 	}
 }
--- a/pkg/httphandler/root.go
+++ b/pkg/httphandler/root.go
@ -5,6 +5,7 @@ This code is licensed under MIT license (see LICENSE for details)
 package httphandler
 import (
 	"fmt"
 	"net/http"
 	"net/url"
@ -13,7 +14,7 @@ import (
 )
 // RootHandler returns a handler function which handles all requests to the root
-func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL) {
+func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, forwardedURI *url.URL, queryURI *url.URL) {
 	logger := logrus.WithFields(logrus.Fields{
 		"SourceIP":      r.Header.Get("X-Forwarded-For"),
 		"RequestTarget": root.forwardAuth.GetReturnUri(r),
@ -34,6 +35,24 @@ func (root *HttpHandler) rootHandler(w http.ResponseWriter, r *http.Request, for
 		return
 	}
 	// Check group
 	group := queryURI.Query().Get("group")
 	if len(group) > 0 {
 		if !contains(claims.Groups, group) {
 			logger.Warnf("User %s not member of group %s", claims.PreferedUsername, group)
 			http.Error(w, fmt.Sprintf("You need to be a member of the group '%s' to access this site", group), http.StatusForbidden)
 		}
 	}
 	w.Header().Set("X-Forwarded-User", claims.Email)
 	w.WriteHeader(200)
 }
 func contains(s []string, e string) bool {
 	for _, a := range s {
 		if a == e {
 			return true
 		}
 	}
 	return false
 }
--- a/pkg/options/options.go
+++ b/pkg/options/options.go
@ -18,6 +18,7 @@ type Options struct {
 	CookieDomain string `env:"COOKIE_DOMAIN"`
 	Port         int    `env:"PORT" envDefault:"4181"`
 	RedirectURL  string `env:"REDIRECT_URL" envDefault:"/auth/resp"`
 	Scopes       string `env:"SCOPES"`
 }
 // LoadOptions parses the environment vars and the options
Author	SHA1	Message	Date
ThetaDev	0c133ff09d	dockerfile: enable cross build	2024-05-02 03:01:26 +02:00
ThetaDev	e164030119	feat: add group-based access control	2024-05-02 02:53:00 +02:00