From a12a919d3ecca71614ff826c8b78b6855586f2ef Mon Sep 17 00:00:00 2001 From: seuf Date: Tue, 20 Oct 2020 10:31:34 +0200 Subject: [PATCH 1/4] Allow configuration of returned auth proxy header Signed-off-by: seuf --- connector/authproxy/authproxy.go | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/connector/authproxy/authproxy.go b/connector/authproxy/authproxy.go index c405c69ce8..0ff61a6b80 100644 --- a/connector/authproxy/authproxy.go +++ b/connector/authproxy/authproxy.go @@ -14,16 +14,22 @@ import ( // Config holds the configuration parameters for a connector which returns an // identity with the HTTP header X-Remote-User as verified email. -type Config struct{} +type Config struct { + HeaderName string `json:"headerName"` +} // Open returns an authentication strategy which requires no user interaction. func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) { - return &callback{logger: logger, pathSuffix: "/" + id}, nil + if c.HeaderName == "" { + c.HeaderName = "X-Remote-User" + } + return &callback{headerName: c.HeaderName, logger: logger, pathSuffix: "/" + id}, nil } // Callback is a connector which returns an identity with the HTTP header // X-Remote-User as verified email. type callback struct { + headerName string logger log.Logger pathSuffix string } @@ -43,9 +49,9 @@ func (m *callback) LoginURL(s connector.Scopes, callbackURL, state string) (stri // HandleCallback parses the request and returns the user's identity func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connector.Identity, error) { - remoteUser := r.Header.Get("X-Remote-User") + remoteUser := r.Header.Get(m.headerName) if remoteUser == "" { - return connector.Identity{}, fmt.Errorf("required HTTP header X-Remote-User is not set") + return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.headerName) } // TODO: add support for X-Remote-Group, see // https://kubernetes.io/docs/admin/authentication/#authenticating-proxy From f19bccfc9282866977b36a72f3796e1451a5107c Mon Sep 17 00:00:00 2001 From: seuf Date: Tue, 20 Oct 2020 11:19:48 +0200 Subject: [PATCH 2/4] Allow configuration of groups for authproxy Signed-off-by: seuf --- connector/authproxy/authproxy.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/connector/authproxy/authproxy.go b/connector/authproxy/authproxy.go index 0ff61a6b80..ee9f6d6b7e 100644 --- a/connector/authproxy/authproxy.go +++ b/connector/authproxy/authproxy.go @@ -15,7 +15,8 @@ import ( // Config holds the configuration parameters for a connector which returns an // identity with the HTTP header X-Remote-User as verified email. type Config struct { - HeaderName string `json:"headerName"` + HeaderName string `json:"headerName"` + Groups []string `json:"groups"` } // Open returns an authentication strategy which requires no user interaction. @@ -23,13 +24,14 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) if c.HeaderName == "" { c.HeaderName = "X-Remote-User" } - return &callback{headerName: c.HeaderName, logger: logger, pathSuffix: "/" + id}, nil + return &callback{headerName: c.HeaderName, logger: logger, pathSuffix: "/" + id, groups: c.Groups}, nil } // Callback is a connector which returns an identity with the HTTP header // X-Remote-User as verified email. type callback struct { headerName string + groups []string logger log.Logger pathSuffix string } @@ -59,5 +61,6 @@ func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connecto UserID: remoteUser, // TODO: figure out if this is a bad ID value. Email: remoteUser, EmailVerified: true, + Groups: m.groups, }, nil } From a1c7198738a2166102099cbd185d216bf1fc3e7c Mon Sep 17 00:00:00 2001 From: seuf Date: Tue, 24 Nov 2020 10:39:12 +0100 Subject: [PATCH 3/4] Rename config header to userHeader Signed-off-by: seuf --- connector/authproxy/authproxy.go | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) diff --git a/connector/authproxy/authproxy.go b/connector/authproxy/authproxy.go index ee9f6d6b7e..da8c0e984d 100644 --- a/connector/authproxy/authproxy.go +++ b/connector/authproxy/authproxy.go @@ -15,23 +15,18 @@ import ( // Config holds the configuration parameters for a connector which returns an // identity with the HTTP header X-Remote-User as verified email. type Config struct { - HeaderName string `json:"headerName"` - Groups []string `json:"groups"` + UserHeader string `json:"userHeader"` } // Open returns an authentication strategy which requires no user interaction. func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) { - if c.HeaderName == "" { - c.HeaderName = "X-Remote-User" - } - return &callback{headerName: c.HeaderName, logger: logger, pathSuffix: "/" + id, groups: c.Groups}, nil + return &callback{UserHeader: c.UserHeader, logger: logger, pathSuffix: "/" + id}, nil } // Callback is a connector which returns an identity with the HTTP header // X-Remote-User as verified email. type callback struct { - headerName string - groups []string + UserHeader string logger log.Logger pathSuffix string } @@ -51,9 +46,13 @@ func (m *callback) LoginURL(s connector.Scopes, callbackURL, state string) (stri // HandleCallback parses the request and returns the user's identity func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connector.Identity, error) { - remoteUser := r.Header.Get(m.headerName) + userHeader := "X-Remote-User" // Default value + if m.UserHeader != "" { + userHeader = m.UserHeader + } + remoteUser := r.Header.Get(userHeader) if remoteUser == "" { - return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.headerName) + return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.UserHeader) } // TODO: add support for X-Remote-Group, see // https://kubernetes.io/docs/admin/authentication/#authenticating-proxy @@ -61,6 +60,5 @@ func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connecto UserID: remoteUser, // TODO: figure out if this is a bad ID value. Email: remoteUser, EmailVerified: true, - Groups: m.groups, }, nil } From e164bb381e92a39cf3b6a8252bc30e7483a8d99e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thierry=20Sall=C3=A9?= Date: Thu, 17 Dec 2020 16:25:11 +0100 Subject: [PATCH 4/4] Apply suggestions from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Márk Sági-Kazár Signed-off-by: seuf --- connector/authproxy/authproxy.go | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/connector/authproxy/authproxy.go b/connector/authproxy/authproxy.go index da8c0e984d..853e5ee29f 100644 --- a/connector/authproxy/authproxy.go +++ b/connector/authproxy/authproxy.go @@ -20,13 +20,18 @@ type Config struct { // Open returns an authentication strategy which requires no user interaction. func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) { - return &callback{UserHeader: c.UserHeader, logger: logger, pathSuffix: "/" + id}, nil + userHeader := c.UserHeader + if userHeader == "" { + userHeader = "X-Remote-User" + } + + return &callback{userHeader: userHeader, logger: logger, pathSuffix: "/" + id}, nil } // Callback is a connector which returns an identity with the HTTP header // X-Remote-User as verified email. type callback struct { - UserHeader string + userHeader string logger log.Logger pathSuffix string } @@ -46,13 +51,9 @@ func (m *callback) LoginURL(s connector.Scopes, callbackURL, state string) (stri // HandleCallback parses the request and returns the user's identity func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connector.Identity, error) { - userHeader := "X-Remote-User" // Default value - if m.UserHeader != "" { - userHeader = m.UserHeader - } - remoteUser := r.Header.Get(userHeader) + remoteUser := r.Header.Get(m.userHeader) if remoteUser == "" { - return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.UserHeader) + return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.userHeader) } // TODO: add support for X-Remote-Group, see // https://kubernetes.io/docs/admin/authentication/#authenticating-proxy