Merge branch 'master' into fix/373_vouch_in_a_path

.github/workflows/docker-release.yml → .github/workflows/docker-release-arm.yml

@@ -6,7 +6,7 @@ on:
       - master
 
 jobs:
-  Publish-to-docker:
+  publish-to-docker-arm:
     runs-on: ubuntu-latest
     env:
       DOCKER_TAG: latest-arm

.github/workflows/docker-release-quayio-alpine.yml

@@ -0,0 +1,47 @@
+name: Publish Docker image to Quay.io using Dockerfile.alpine
+
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - 'v*'
+
+
+jobs:
+  publish-to-docker-quayio:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_REPO: quay.io
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v2
+
+      - name: Log in to Docker repository
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.DOCKER_REPO }}
+          username: ${{ secrets.QUAYIO_ROBOT_USERNAME }}
+          password: ${{ secrets.QUAYIO_ROBOT_PASSWORD }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@a67f45cb0f8e65cf693a0bc5bfa1c5057c623030
+        with:
+          images: quay.io/vouch/vouch-proxy
+          flavor: |
+            prefix=alpine-,onlatest=true
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+     
+      - name: Build and push Docker image using Dockerfile.alpine
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          file: Dockerfile.alpine
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/docker-release-quayio.yml

@@ -0,0 +1,44 @@
+name: Publish Docker image to Quay.io
+
+on:
+  push:
+    branches:
+      - master
+    tags:
+      - 'v*'
+
+
+jobs:
+  publish-to-docker-quayio:
+    runs-on: ubuntu-latest
+    env:
+      DOCKER_REPO: quay.io
+
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v2
+
+      - name: Log in to Docker repository
+        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
+        with:
+          registry: ${{ env.DOCKER_REPO }}
+          username: ${{ secrets.QUAYIO_ROBOT_USERNAME }}
+          password: ${{ secrets.QUAYIO_ROBOT_PASSWORD }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
+        with:
+          images: quay.io/vouch/vouch-proxy
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+     
+      - name: Build and push Docker image using Dockerfile
+        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

CHANGELOG.md

@@ -0,0 +1,25 @@
+# Changelog for Vouch Proxy
+
+## Unreleased
+
+Coming soon! Please document any work in progress here as part of your PR. It will be moved to the next tag when released.
+
+## v0.32.0
+
+- [slack oidc example](https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example_slack) and [slack app manifest](https://github.com/vouch/vouch-proxy/blob/master/examples/slack/vouch-slack-oidc-app-manifest.yml)
+- [CHANGELOG.md](https://github.com/vouch/vouch-proxy/blob/master/CHANGELOG.md)
+
+## v0.31.0
+
+- [use quay.io](https://quay.io/repository/vouch/vouch-proxy?tab=tags) instead of Docker Hub for docker image hosting
+- use [httprouter's](https://github.com/julienschmidt/httprouter) more performant mux
+
+## v0.29.0
+
+- embed static assets as templates using [go:embed](https://golang.org/pkg/embed/)
+
+## v0.28.0
+
+- add support for a custom 'relying party identifier' for ADFS
+
+_the rest is history_ and can be teased out with `git log`

Dockerfile

@@ -20,10 +20,6 @@ RUN ./do.sh install
 FROM scratch
 LABEL maintainer="[email protected]"
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY templates /templates
-COPY .defaults.yml /.defaults.yml 
-# see note for /static in main.go
-COPY static /static
 COPY --from=builder /go/bin/vouch-proxy /vouch-proxy
 EXPOSE 9090
 ENTRYPOINT ["/vouch-proxy"]

Dockerfile.alpine

@@ -17,10 +17,6 @@ FROM alpine:latest
 LABEL maintainer="[email protected]"
 ENV VOUCH_ROOT=/
 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-COPY templates /templates
-COPY .defaults.yml /.defaults.yml 
-# see note for /static in main.go
-COPY static /static
 
 #  do.sh requires bash
 RUN apk add --no-cache bash

README.md

@@ -1,9 +1,9 @@
 # Vouch Proxy
 
 [![GitHub stars](https://img.shields.io/github/stars/vouch/vouch-proxy.svg)](https://github.com/vouch/vouch-proxy)
+[![Build Status](https://travis-ci.org/vouch/vouch-proxy.svg?branch=master)](https://travis-ci.org/vouch/vouch-proxy)
 [![Go Report Card](https://goreportcard.com/badge/github.com/vouch/vouch-proxy)](https://goreportcard.com/report/github.com/vouch/vouch-proxy)
 [![MIT license](https://img.shields.io/badge/license-MIT-green.svg)](https://github.com/vouch/vouch-proxy/blob/master/LICENSE)
-[![Docker Repository on Quay](https://quay.io/repository/vouch/vouch-proxy/status 'Docker Repository on Quay')](https://quay.io/repository/vouch/vouch-proxy)
 [![GitHub version](https://img.shields.io/github/v/tag/vouch/vouch-proxy.svg?sort=semver&color=green)](https://github.com/vouch/vouch-proxy)
 
 An SSO solution for Nginx using the [auth_request](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) module. Vouch Proxy can protect all of your websites at once.
@@ -15,6 +15,7 @@ Vouch Proxy supports many OAuth and OIDC login providers and can enforce authent
 - GitHub Enterprise
 - [IndieAuth](https://indieauth.spec.indieweb.org/)
 - [Okta](https://developer.okta.com/blog/2018/08/28/nginx-auth-request)
+- [Slack](https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example_slack)
 - [ADFS](https://github.com/vouch/vouch-proxy/pull/68)
 - [Azure AD](https://github.com/vouch/vouch-proxy/issues/290)
 - [Alibaba / Aliyun iDaas](https://github.com/vouch/vouch-proxy/issues/344)
@@ -208,16 +209,17 @@ All Vouch Proxy configuration items are documented in [config/config.yml_example
 - [Reverse Proxy for Google Cloud Run Services](https://github.com/karthikv2k/oauth_reverse_proxy)
 - [Enable native TLS in Vouch Proxy](https://github.com/vouch/vouch-proxy/pull/332#issue-522612010)
 - [FreeBSD support](https://github.com/vouch/vouch-proxy/issues/368)
+- [systemd startup of Vouch Proxy](https://github.com/vouch/vouch-proxy/tree/master/examples/startup)
 
 Please do help us to expand this list.
 
 ### Scopes and Claims
 
-With Vouch Proxy you can request various `scopes` (standard and custom) to obtain more information about the user or gain access to the provider's APIs. Internally, Vouch Proxy launches a requests to `user_info_url` after successful authentication. From the provider's response the required `claims` are extracted and stored in the vouch cookie.
+With Vouch Proxy you can request various `scopes` (standard and custom) to obtain more information about the user or gain access to the provider's APIs. Internally, Vouch Proxy launches a requests to `user_info_url` after successful authentication. The required `claims` are extracted from the provider's response and stored in the VP cookie.
 
 ⚠️ **Additional claims and tokens will be added to the VP cookie and can make it large**
 
-The VP cookie may get split up into several cookies, but if you need it, you need it. Large cookies and headers require Nginx to be configured with larger buffers. See [large_client_header_buffers](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers) and [proxy_buffer_size](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) for more information.
+The VP cookie may be split into several cookies to accomdate browser cookie size limits. But if you need it, you need it. Large cookies and headers require Nginx to be configured with larger buffers. See [large_client_header_buffers](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers) and [proxy_buffer_size](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) for more information.
 
 #### Setup `scopes` and `claims` in Vouch Proxy with Nginx
 
@@ -267,12 +269,12 @@ Automated container builds for each Vouch Proxy release are available from [quay
 a minimal go binary container built from `Dockerfile`
 
 - `quay.io/vouch/vouch-proxy:latest`
-- `quay.io/vouch/vouch-proxy:vx.y.z` such as `quay.io/vouch/vouch-proxy:v0.28.0`
+- `quay.io/vouch/vouch-proxy:x.y.z` such as `quay.io/vouch/vouch-proxy:0.28.0`
 
 an `alpine` based container built from `Dockerfile.alpine`
 
-- `quay.io/vouch/vouch-proxy:alpine`
-- `quay.io/vouch/vouch-proxy:alpine-vx.y.z`
+- `quay.io/vouch/vouch-proxy:alpine-latest`
+- `quay.io/vouch/vouch-proxy:alpine-x.y.z`
 
 Vouch Proxy `arm` images are available on [Docker Hub](https://hub.docker.com/r/voucher/vouch-proxy/)
 
@@ -303,6 +305,8 @@ Helm Charts are maintained by [halkeye](https://github.com/halkeye) and are avai
   ./vouch-proxy
 ```
 
+As of `v0.29.0` all templates, static assets and configuration defaults in `.defaults.yml` are built into the static binary using [go:embed](https://pkg.go.dev/embed) directives.
+
 ## /login and /logout endpoint redirection
 
 As of `v0.11.0` additional checks are in place to reduce [the attack surface of url redirection](https://blog.detectify.com/2019/05/16/the-real-impact-of-an-open-redirect/).

config/config.yml_example_slack

@@ -0,0 +1,33 @@
+
+# vouch config
+# bare minimum to get vouch running with Slack
+
+vouch:
+  domains:
+  - yourdomain.com
+
+  # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at Gitea
+  # allowAllUsers: true
+
+  # cookie:
+    # secure: false
+    # vouch.cookie.domain must be set when enabling allowAllUsers
+    # domain: yourdomain.com
+
+
+oauth:
+  # create a new OAuth application at:
+  # https://api.slack.com/apps
+  # use the manifest at `examples/slack/vouch-slack-oidc-app-manifest.yml`
+  # but be sure to match the `callback_url`'s below to the `redirect_urls` in the manifest
+  # then install the new app to your slack instance
+  provider: oidc
+  # careful! the slack client_id must be single quoted so that the yaml parser 
+  # doesn't interpret it as a number (because yaml is actually javascript)
+  client_id: 'xxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxx'
+  client_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+  callback_url: https://vouch.yourdomain.com/auth  
+  # from https://slack.com/.well-known/openid-configuration
+  auth_url: https://slack.com/openid/connect/authorize
+  token_url: https://slack.com/api/openid.connect.token
+  user_info_url: https://slack.com/api/openid.connect.userInfo

do.sh

@@ -29,7 +29,7 @@ build () {
   local SEMVER=$(git tag --list --sort="v:refname" | tail -n -1)
   local BRANCH=$(git rev-parse --abbrev-ref HEAD)
   local UNAME=$(uname)
-  go build -i -v -ldflags=" -X main.version=${VERSION} -X main.uname=${UNAME} -X main.builddt=${DT} -X main.host=${FQDN} -X main.semver=${SEMVER} -X main.branch=${BRANCH}" .
+  go build -v -ldflags=" -X main.version=${VERSION} -X main.uname=${UNAME} -X main.builddt=${DT} -X main.host=${FQDN} -X main.semver=${SEMVER} -X main.branch=${BRANCH}" .
 }
 
 _hostname() {

examples/OpenResty/conf.d/app1.yourdomain.com.conf

@@ -49,7 +49,7 @@ server {
     location / {
       proxy_pass http://app1-private.yourdomain.com:8080;
       #  may need to set
-      #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user
+      #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
       #    auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups;
       #    auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name;
 

examples/OpenResty/conf.d/app2.yourdomain.com.conf

@@ -49,7 +49,7 @@ server {
     location / {
       proxy_pass http://app2-private.yourdomain.com:8080;
       #  may need to set
-      #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user
+      #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
       #    auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups;
       #    auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name;
 

examples/nginx/multi-file/conf.d/app1.yourdomain.com.conf

@@ -41,7 +41,7 @@ server {
     location / {
       proxy_pass http://app1.yourdomain.com:8080;
       #  may need to set
-      #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user
+      #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
       #  in this bock as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810
       # set user header (usually an email)
       proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;

examples/nginx/multi-file/conf.d/app2.yourdomain.com.conf

@@ -41,7 +41,7 @@ server {
     location / {
       proxy_pass http://app2.yourdomain.com:8080;
       #  may need to set
-      #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user
+      #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
       #  in this bock as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810
       # set user header (usually an email)
       proxy_set_header X-Vouch-User $auth_resp_x_vouch_user;

examples/nginx/single-file/nginx_basic.conf

@@ -71,7 +71,7 @@ http {
           # forward authorized requests to your service protectedapp.yourdomain.com
           proxy_pass http://127.0.0.1:8080;
           # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810
-          #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user
+          #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
           #    auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups;
           #    auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name;
 

examples/nginx/single-file/nginx_with_vouch.conf

@@ -70,7 +70,7 @@ http {
         # forward authorized requests to your service protectedapp.yourdomain.com
         proxy_pass http://127.0.0.1:8080;
         # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810
-        #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user
+        #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
         #    auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups;
         #    auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name;
 

examples/nginx/single-file/nginx_with_vouch_single_server.conf

@@ -81,7 +81,7 @@ http {
           # forward authorized requests to your service protectedapp.yourdomain.com
           proxy_pass http://127.0.0.1:8080;
           # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810
-          #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user
+          #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
           #    auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups;
           #    auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name;
 

examples/nginx/single-file/nginx_with_vouch_ssl.conf

@@ -69,7 +69,7 @@ http {
         # forward authorized requests to your service protectedapp.yourdomain.com
         proxy_pass http://127.0.0.1:8080;
         # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810
-        #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user
+        #    auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user;
         #    auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups;
         #    auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name;
 

examples/slack/vouch-slack-oidc-app-manifest.yml

@@ -0,0 +1,16 @@
+_metadata:
+  major_version: 1
+  minor_version: 1
+display_information:
+  name: Vouch Proxy - Login to Slack
+  description: enforce login to Slack to provide authorized access to your websites
+  background_color: "#002da8"
+oauth_config:
+  # these need to match the 
+  redirect_urls:    
+    - https://vouch.yourdomain.com/auth
+  scopes:
+    user:
+      - email
+      - openid
+      - profile

go.mod

@@ -8,9 +8,9 @@ require (
 	github.com/dgryski/go-gk v0.0.0-20200319235926-a69029f61654 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/go-cmp v0.5.6
-	github.com/gorilla/mux v1.8.0
 	github.com/gorilla/sessions v1.2.1
 	github.com/influxdata/tdigest v0.0.1 // indirect
+	github.com/julienschmidt/httprouter v1.3.0
 	github.com/karupanerura/go-mock-http-response v0.0.0-20171201120521-7c242a447d45
 	github.com/kelseyhightower/envconfig v1.4.0
 	github.com/mailru/easyjson v0.7.7 // indirect

go.sum

@@ -161,8 +161,6 @@ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8=
 github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY=
-github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
-github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So=
 github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
@@ -200,6 +198,8 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1
 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk=
 github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo=
 github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU=
+github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U=
+github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM=
 github.com/karupanerura/go-mock-http-response v0.0.0-20171201120521-7c242a447d45 h1:XSik/ETzj52cVbZcv7tJuUFX14XzvRX0te26UaKY0Aw=
 github.com/karupanerura/go-mock-http-response v0.0.0-20171201120521-7c242a447d45/go.mod h1:FULZ2B7LE0CUYtI8XLMYxI58AF9M6MTg6nWmZvWoFHQ=
 github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8=

handlers/handlers_test.go

@@ -41,7 +41,6 @@ func setUp(configFile string) {
 	jwtmanager.Configure()
 	cookie.Configure()
 	responses.Configure()
-
 }
 
 func TestVerifyUserPositiveUserInWhiteList(t *testing.T) {