From db40d4f913d08b198e2f1924d7de05fbf648e740 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Thu, 20 May 2021 13:06:14 -0700 Subject: [PATCH 01/25] make sure JWT expires from cache by jwt.expiration --- pkg/jwtmanager/jwtcache.go | 38 ++++++++++++++++++++++++++++---------- 1 file changed, 28 insertions(+), 10 deletions(-) diff --git a/pkg/jwtmanager/jwtcache.go b/pkg/jwtmanager/jwtcache.go index 5a04b49b..ffb22137 100644 --- a/pkg/jwtmanager/jwtcache.go +++ b/pkg/jwtmanager/jwtcache.go @@ -23,15 +23,15 @@ import ( // Cache in memory temporary store for responses from /validate for jwt var Cache *cache.Cache +var expire int = 20 // default 20 minutes +var dExp time.Duration func cacheConfigure() { - var expire int = 20 // default 20 minutes - if cfg.Cfg.JWT.MaxAge < expire { expire = cfg.Cfg.JWT.MaxAge } - dExp := time.Duration(expire) * time.Minute + dExp = time.Duration(expire) * time.Minute purgeCheck := dExp / 5 // log.Debugf("cacheConfigure expire %d dExp %d purgecheck %d", expire, dExp, purgeCheck) Cache = cache.New(dExp, purgeCheck) @@ -46,16 +46,13 @@ func cacheConfigure() { // JWTCacheHandler looks for a JWT and... // returns a cached response -// or passes the JWT in the context -// tests for JWTCacheHandler are present in `handlers/validate_test.go` to avoid circular imports +// or passes the request to /validate +// all tests for JWTCacheHandler are present in `handlers/validate_test.go` to avoid circular imports func JWTCacheHandler(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - // return http.HandlerFunc(func(w CaptureWriter, r *http.Request) { - - // wrap ResponseWriter - // v := CachedResponse{CaptureWriter: &CaptureWriter{ResponseWriter: w}} jwt := FindJWT(r) + // check to see if we have headers cached for this jwt if jwt != "" { if resp, found := Cache.Get(jwt); found { 
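Review bot: `expire` and `dExp` become package-level variables that `cacheConfigure` writes and the handler reads, and nothing documents that they are meant to be set once at startup before `JWTCacheHandler` is installed (a later commit in this series also assigns `expire` directly from a test). I would declare them as `var expire = 20 // default cache lifetime in minutes; capped by cfg.Cfg.JWT.MaxAge in cacheConfigure` and `var dExp time.Duration // default cache entry lifetime; set once by cacheConfigure, read by JWTCacheHandler`, dropping the redundant `int` since Go infers it. If `cacheConfigure` can run again while requests are being served, the unsynchronized write to `dExp` would be a data race; whether that can happen is not visible from this hunk.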
@@ -82,7 +79,28 @@ func JWTCacheHandler(next http.Handler) http.Handler { // r.Context().Done() is still open // cache the response headers for this jwt // log.Debug("setting cache for %+v", w.Header().Clone()) - Cache.SetDefault(jwt, w.Header().Clone()) + + claims, err := ClaimsFromJWT(jwt) + now := time.Now().Unix() + if err != nil { + log.Error("very unusual error, we found a jwt for /validate but we couldn't parse it for claims while setting it into cache, returning") + return + // log.Debugf("*HERE* claims expire, time.now.unix, dExp %d - %d = %d > %d", claims.ExpiresAt, now, claims.ExpiresAt-now, int64(dExp)) + // log.Debugf("*HERE* time.Duration((claims.ExpiresAt-time.Now().Unix())*time.Second.Nanoseconds()) %d", time.Duration((claims.ExpiresAt-time.Now().Unix())*time.Second.Nanoseconds())) + } + + // first see if the jwt's expiration will arrive before the cache expiration + // if this jwt expires in 10 minutes then we don't want to cache it for 20 + // this might happen if the jwt expiration is set to 240 minutes, and the user last logged into the IdP 230 minutes ago + // then the user went away, cache was purged and now they return with 10 minutes left before token expiration + if !claims.VerifyExpiresAt(now+int64(dExp/time.Second), true) { + jwtExpiresIn := time.Duration((claims.ExpiresAt - now) * int64(time.Second)) + log.Debugf("cache default expiration (%d) is after claim expiration (%d). setting cache experation to claim expiration for this entry", dExp, jwtExpiresIn) + Cache.Set(jwt, w.Header().Clone(), jwtExpiresIn) + } else { + Cache.SetDefault(jwt, w.Header().Clone()) + } + } }) } From 06331fbc4f48a679c2fa520e7c70ce1da3c5f626 Mon Sep 17 00:00:00 2001 
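Review bot: `jwtExpiresIn` is handed to `Cache.Set` without a check that it is positive: the branch runs whenever `claims.VerifyExpiresAt` fails, which with `required` set also covers a token whose `ExpiresAt` is 0 (no exp claim) or already at or before `now`, and go-cache treats a duration of 0 as "use the default" and a negative one like `NoExpiration`, so such a token's /validate headers would be kept for the full default lifetime or indefinitely. I would add `if jwtExpiresIn <= 0 { log.Debugf("jwt already expired, not caching"); return }` before the `Cache.Set`. Whether `ClaimsFromJWT` already rejects expired tokens cannot be seen here; even if it does, a token expiring within the current second still reaches `Set` with 0. The two commented-out `log.Debugf` lines sit after the `return` inside the `if err != nil` block and would be unreachable even when uncommented, so they should be deleted or moved above it. The enclosing `HandlerFunc` closure starts outside the hunk, and the same computation is carried into `getCacheExpirationDuration` by the later commit "set cache expiration to jwt expiration".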
From: =?UTF-8?q?=D0=94=D0=B0=D0=BC=D1=98=D0=B0=D0=BD=20=D0=93=D0=B5=D0=BE?= =?UTF-8?q?=D1=80=D0=B3=D0=B8=D0=B5=D0=B2=D1=81=D0=BA=D0=B8?= Date: Tue, 6 Jul 2021 17:27:12 +0200 Subject: [PATCH 02/25] embed the static files into the vouch binary the embed package is new to Go 1.6 https://golang.org/pkg/embed/ with this change it's no longer neccesseary to distribute the static files with vouch. all urls under the /static/ path are served from the embeded static filesystem. the static filesystem has all the files with the /static/ subdirectory so no stripping is needed. also removed the copy of static files to the Docker image --- Dockerfile | 2 -- Dockerfile.alpine | 2 -- main.go | 18 ++++++------------ pkg/cfg/cfg.go | 2 +- 4 files changed, 7 insertions(+), 17 deletions(-) diff --git a/Dockerfile b/Dockerfile index e09dddc1..2b8f65a2 100644 --- a/Dockerfile +++ b/Dockerfile @@ -22,8 +22,6 @@ LABEL maintainer="vouch@bnf.net" COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt COPY templates /templates COPY .defaults.yml /.defaults.yml -# see note for /static in main.go -COPY static /static COPY --from=builder /go/bin/vouch-proxy /vouch-proxy EXPOSE 9090 ENTRYPOINT ["/vouch-proxy"] diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 0cffd220..48660186 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -19,8 +19,6 @@ ENV VOUCH_ROOT=/ COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt COPY templates /templates COPY .defaults.yml /.defaults.yml -# see note for /static in main.go -COPY static /static # do.sh requires bash RUN apk add --no-cache bash diff --git a/main.go b/main.go index b9ce660d..bd087282 100644 --- a/main.go +++ b/main.go @@ -23,13 +23,13 @@ https://github.com/vouch/vouch-proxy#submitting-a-pull-request-for-a-new-feature */ import ( + "embed" "errors" "flag" "log" "net" "net/http" "os" - "path/filepath" "strconv" "time" 
@@ -57,7 +57,6 @@ var ( semver = "undefined" branch = "undefined" uname = "undefined" - staticDir = "/static/" logger *zap.SugaredLogger fastlog *zap.Logger help = flag.Bool("help", false, "show usage") @@ -68,6 +67,9 @@ var ( // doProfile = flag.Bool("profile", false, "run profiler at /debug/pprof") ) +//go:embed static +var staticFs embed.FS + // fwdToZapWriter allows us to use the zap.Logger as our http.Server ErrorLog // see https://stackoverflow.com/questions/52294334/net-http-set-custom-logger type fwdToZapWriter struct { @@ -152,16 +154,8 @@ func main() { healthH := http.HandlerFunc(handlers.HealthcheckHandler) muxR.HandleFunc("/healthcheck", timelog.TimeLog(healthH)) - // setup static - sPath, err := filepath.Abs(cfg.RootDir + staticDir) - if fastlog.Core().Enabled(zap.DebugLevel) { - if err != nil { - logger.Errorf("couldn't find static assets at %s", sPath) - } - logger.Debugf("serving static files from %s", sPath) - } - // https://golangcode.com/serve-static-assets-using-the-mux-router/ - muxR.PathPrefix(staticDir).Handler(http.StripPrefix(staticDir, http.FileServer(http.Dir(sPath)))) + // setup /static/ urls to be satisfied from the embedded /static/... fs + muxR.PathPrefix("/static/").Handler(http.FileServer(http.FS(staticFs))) // // if *doProfile { diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index 46357dfd..a7ce5033 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go @@ -104,7 +104,7 @@ var ( // Branding that's our name Branding = branding{"vouch", "VOUCH", "Vouch", "Vouch Proxy", "https://github.com/vouch/vouch-proxy"} - // RootDir is where Vouch Proxy looks for ./config/config.yml, ./data, ./static and ./templates + // RootDir is where Vouch Proxy looks for ./config/config.yml, ./data and ./templates RootDir string secretFile string From a4d64cc0a6e1c6ceeb6a768b31cd8aa36db357a7 Mon Sep 17 00:00:00 2001 
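Review bot: `http.FileServer(http.FS(staticFs))` will still serve directory listings for `/static/` and its subdirectories, because the embedded FS keeps the directory entries and `FileServer` lists any directory that has no `index.html`; this matches the old `http.Dir` behaviour, but a one-line comment acknowledging it, or a small wrapper answering 404 to paths ending in `/`, would make the choice deliberate. The removed block was also the only log line saying where static assets come from, and a `logger.Debug("serving /static/ from the embedded filesystem")` keeps that signal for operators. The commit message's "Go 1.6" presumably means Go 1.16, the release that introduced `embed`, and `go.mod` should carry a matching `go` directive if it does not already. `main` starts outside the hunk.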
From: =?UTF-8?q?=D0=94=D0=B0=D0=BC=D1=98=D0=B0=D0=BD=20=D0=93=D0=B5=D0=BE?= =?UTF-8?q?=D1=80=D0=B3=D0=B8=D0=B5=D0=B2=D1=81=D0=BA=D0=B8?= Date: Tue, 6 Jul 2021 17:57:54 +0200 Subject: [PATCH 03/25] embed the template files into the vouch binary the embed package is new to Go 1.6 https://golang.org/pkg/embed/ with this change it's no longer necessary to distribute the template files with vouch. also removed the copy of template files to the Docker image --- Dockerfile | 1 - Dockerfile.alpine | 1 - handlers/handlers_test.go | 3 ++- main.go | 5 ++++- pkg/cfg/cfg.go | 2 +- pkg/responses/responses.go | 8 ++++---- 6 files changed, 11 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2b8f65a2..02f7971b 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,7 +20,6 @@ RUN ./do.sh install FROM scratch LABEL maintainer="vouch@bnf.net" COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt -COPY templates /templates COPY .defaults.yml /.defaults.yml COPY --from=builder /go/bin/vouch-proxy /vouch-proxy EXPOSE 9090 diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 48660186..29d984da 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -17,7 +17,6 @@ FROM alpine:latest LABEL maintainer="vouch@bnf.net" ENV VOUCH_ROOT=/ COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt -COPY templates /templates COPY .defaults.yml /.defaults.yml # do.sh requires bash diff --git a/handlers/handlers_test.go b/handlers/handlers_test.go index b972c422..050cfaad 100644 --- a/handlers/handlers_test.go +++ b/handlers/handlers_test.go @@ -40,7 +40,8 @@ func setUp(configFile string) { domains.Configure() jwtmanager.Configure() cookie.Configure() - responses.Configure() + var templatesFs = os.DirFS(os.Getenv("VOUCH_ROOT")) + responses.Configure(templatesFs) } diff --git a/main.go b/main.go index bd087282..971f7ae6 100644 --- a/main.go +++ b/main.go 
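Review bot: `os.DirFS(os.Getenv("VOUCH_ROOT"))` quietly becomes `os.DirFS("")` when the variable is unset, and as far as I recall Go 1.16's `DirFS` then opens `"" + "/" + name`, i.e. `/templates/index.tmpl` at the filesystem root, so the only symptom is a `template.Must` panic with a misleading path. I would resolve the root explicitly: `root := os.Getenv("VOUCH_ROOT"); if root == "" { root = "." }` followed by `responses.Configure(os.DirFS(root))`. Inside a function `templatesFs := ...` is the conventional form rather than `var templatesFs = ...`. `setUp` starts outside the hunk.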
@@ -70,6 +70,9 @@ var ( //go:embed static var staticFs embed.FS +//go:embed templates +var templatesFs embed.FS + // fwdToZapWriter allows us to use the zap.Logger as our http.Server ErrorLog // see https://stackoverflow.com/questions/52294334/net-http-set-custom-logger type fwdToZapWriter struct { @@ -110,7 +113,7 @@ func configure() { domains.Configure() jwtmanager.Configure() cookie.Configure() - responses.Configure() + responses.Configure(templatesFs) handlers.Configure() timelog.Configure() } diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index a7ce5033..d826b56f 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go @@ -104,7 +104,7 @@ var ( // Branding that's our name Branding = branding{"vouch", "VOUCH", "Vouch", "Vouch Proxy", "https://github.com/vouch/vouch-proxy"} - // RootDir is where Vouch Proxy looks for ./config/config.yml, ./data and ./templates + // RootDir is where Vouch Proxy looks for ./config/config.yml and ./data RootDir string secretFile string diff --git a/pkg/responses/responses.go b/pkg/responses/responses.go index 56f4bcf7..68c38d0e 100644 --- a/pkg/responses/responses.go +++ b/pkg/responses/responses.go @@ -13,8 +13,8 @@ package responses import ( "errors" "html/template" + "io/fs" "net/http" - "path/filepath" "github.com/vouch/vouch-proxy/pkg/cfg" "github.com/vouch/vouch-proxy/pkg/cookie" @@ -39,12 +39,12 @@ var ( ) // Configure see main.go configure() -func Configure() { +func Configure(templatesFs fs.FS) { log = cfg.Logging.Logger fastlog = cfg.Logging.FastLogger - log.Debugf("responses.Configure() attempting to parse templates with cfg.RootDir: %s", cfg.RootDir) - indexTemplate = template.Must(template.ParseFiles(filepath.Join(cfg.RootDir, "templates/index.tmpl"))) + log.Debugf("responses.Configure() attempting to parse embedded templates") + indexTemplate = template.Must(template.ParseFS(templatesFs, "templates/index.tmpl")) } From 8ca24f1ecde44f18416ee874a8966e5273c71b6b Mon Sep 17 00:00:00 2001 
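Review bot: `// Configure see main.go configure()` no longer describes the function now that it takes `templatesFs fs.FS` and parses `templates/index.tmpl` from it through `template.Must`, which panics on any read or parse error; since the FS is now caller-supplied, that contract belongs in the doc comment, e.g. `// Configure sets up the package loggers and parses templates/index.tmpl from templatesFs; it panics if the template cannot be read or parsed. See main.go configure().` The debug message says "embedded templates" although tests pass an `os.DirFS`; "parsing templates from the supplied fs" is accurate for both, and with no format arguments `log.Debug` suffices. The `var (` block above the function starts outside the hunk.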
From: =?UTF-8?q?=D0=94=D0=B0=D0=BC=D1=98=D0=B0=D0=BD=20=D0=93=D0=B5=D0=BE?= =?UTF-8?q?=D1=80=D0=B3=D0=B8=D0=B5=D0=B2=D1=81=D0=BA=D0=B8?= Date: Sat, 31 Jul 2021 21:15:32 +0200 Subject: [PATCH 04/25] introduce responses.LoadTemplates, responses.Configure() is back --- main.go | 3 ++- pkg/responses/responses.go | 5 +++-- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/main.go b/main.go index 971f7ae6..9ef17ef8 100644 --- a/main.go +++ b/main.go @@ -113,7 +113,8 @@ func configure() { domains.Configure() jwtmanager.Configure() cookie.Configure() - responses.Configure(templatesFs) + responses.Configure() + responses.LoadTemplates(templatesFs) handlers.Configure() timelog.Configure() } diff --git a/pkg/responses/responses.go b/pkg/responses/responses.go index 68c38d0e..dab565b9 100644 --- a/pkg/responses/responses.go +++ b/pkg/responses/responses.go @@ -39,13 +39,14 @@ var ( ) // Configure see main.go configure() -func Configure(templatesFs fs.FS) { +func Configure() { log = cfg.Logging.Logger fastlog = cfg.Logging.FastLogger +} +func LoadTemplates(templatesFs fs.FS) { log.Debugf("responses.Configure() attempting to parse embedded templates") indexTemplate = template.Must(template.ParseFS(templatesFs, "templates/index.tmpl")) - } // RenderIndex render the response as an HTML page, mostly used in testing From ad7d1e60710b4ce293097ef20fa8ed85be85d330 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=94=D0=B0=D0=BC=D1=98=D0=B0=D0=BD=20=D0=93=D0=B5=D0=BE?= =?UTF-8?q?=D1=80=D0=B3=D0=B8=D0=B5=D0=B2=D1=81=D0=BA=D0=B8?= Date: Sat, 31 Jul 2021 21:25:16 +0200 Subject: [PATCH 05/25] fix responses.Configure() test too --- handlers/handlers_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/handlers/handlers_test.go b/handlers/handlers_test.go index 050cfaad..be19e331 100644 --- a/handlers/handlers_test.go +++ b/handlers/handlers_test.go 
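Review bot: `LoadTemplates` is a new exported function with no doc comment, and it carries an ordering dependency that is invisible at the call site: it logs through the package-level `log`, which `Configure` assigns, so calling it before `Configure` would dereference a nil logger. I would document it as `// LoadTemplates parses templates/index.tmpl from templatesFs and panics if that fails. Configure must have been called first.` and update the debug line, which still reads `responses.Configure()`. That message has no format arguments, so `log.Debug` is enough.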
@@ -41,7 +41,8 @@ func setUp(configFile string) { jwtmanager.Configure() cookie.Configure() var templatesFs = os.DirFS(os.Getenv("VOUCH_ROOT")) - responses.Configure(templatesFs) + responses.Configure() + responses.LoadTemplates(templatesFs) } From 8ba0c5526ff9eefc9cb637ed2c26852217ef1f0d Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Mon, 2 Aug 2021 16:16:44 -0700 Subject: [PATCH 06/25] #398 hold embeded templates in cfg.Templates --- main.go | 23 ++++++++++++----------- pkg/cfg/cfg.go | 4 ++++ pkg/responses/responses.go | 5 +---- 3 files changed, 17 insertions(+), 15 deletions(-) diff --git a/main.go b/main.go index 9ef17ef8..cfb96aba 100644 --- a/main.go +++ b/main.go @@ -51,16 +51,16 @@ import ( // version and semver get overwritten by build with // go build -i -v -ldflags="-X main.version=$(git describe --always --long) -X main.semver=v$(git semver get)" var ( - version = "undefined" - builddt = "undefined" - host = "undefined" - semver = "undefined" - branch = "undefined" - uname = "undefined" - logger *zap.SugaredLogger - fastlog *zap.Logger - help = flag.Bool("help", false, "show usage") - scheme = map[bool]string{ + version = "undefined" + builddt = "undefined" + host = "undefined" + semver = "undefined" + branch = "undefined" + uname = "undefined" + logger *zap.SugaredLogger + fastlog *zap.Logger + help = flag.Bool("help", false, "show usage") + scheme = map[bool]string{ false: "http", true: "https", } @@ -103,6 +103,8 @@ func configure() { cfg.Configure() healthcheck.CheckAndExitIfIsHealthCheck() + cfg.Templates = templatesFs + logger = cfg.Logging.Logger fastlog = cfg.Logging.FastLogger @@ -114,7 +116,6 @@ func configure() { jwtmanager.Configure() cookie.Configure() responses.Configure() - responses.LoadTemplates(templatesFs) handlers.Configure() timelog.Configure() } diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index d826b56f..142969ee 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go 
@@ -14,6 +14,7 @@ import ( "errors" "flag" "fmt" + "io/fs" "io/ioutil" "net/http" "os" @@ -127,6 +128,9 @@ var ( errConfigNotFound = errors.New("configuration file not found") // TODO: audit errors and use errConfigIsBad // errConfigIsBad = errors.New("configuration file is malformed") + + // Templates are loaded from the file system with a go:embed directive in main.go + Templates fs.FS ) type cmdLineFlags struct { diff --git a/pkg/responses/responses.go b/pkg/responses/responses.go index dab565b9..48942c8d 100644 --- a/pkg/responses/responses.go +++ b/pkg/responses/responses.go @@ -13,7 +13,6 @@ package responses import ( "errors" "html/template" - "io/fs" "net/http" "github.com/vouch/vouch-proxy/pkg/cfg" @@ -42,11 +41,9 @@ var ( func Configure() { log = cfg.Logging.Logger fastlog = cfg.Logging.FastLogger -} -func LoadTemplates(templatesFs fs.FS) { log.Debugf("responses.Configure() attempting to parse embedded templates") - indexTemplate = template.Must(template.ParseFS(templatesFs, "templates/index.tmpl")) + indexTemplate = template.Must(template.ParseFS(cfg.Templates, "templates/index.tmpl")) } // RenderIndex render the response as an HTML page, mostly used in testing From 33847ed9b120f4f7525d9195f42368b84c7390cb Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Mon, 2 Aug 2021 16:43:11 -0700 Subject: [PATCH 07/25] #398 embed .defaults.yml --- Dockerfile | 1 - Dockerfile.alpine | 1 - README.md | 2 ++ main.go | 8 ++++++-- pkg/cfg/cfg.go | 19 ++++++++++++++----- 5 files changed, 22 insertions(+), 9 deletions(-) diff --git a/Dockerfile b/Dockerfile index 02f7971b..16901da9 100644 --- a/Dockerfile +++ b/Dockerfile @@ -20,7 +20,6 @@ RUN ./do.sh install FROM scratch LABEL maintainer="vouch@bnf.net" COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt -COPY .defaults.yml /.defaults.yml COPY --from=builder /go/bin/vouch-proxy /vouch-proxy EXPOSE 9090 ENTRYPOINT ["/vouch-proxy"] 
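Review bot: `template.ParseFS(cfg.Templates, "templates/index.tmpl")` reads a package-level `fs.FS` that main.go assigns in `configure()`; any caller of `responses.Configure` that has not set it (tests, or a future reordering in main) will presumably get a nil-pointer panic from inside the template package's FS walk rather than a message naming the cause. A guard ahead of the parse, `if cfg.Templates == nil { log.Fatal("cfg.Templates must be set before responses.Configure") }`, turns that into a clear startup error. The requirement that `cfg.Templates` be populated first is also worth a sentence in the doc comment, which still reads `// Configure see main.go configure()`.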
diff --git a/Dockerfile.alpine b/Dockerfile.alpine index 29d984da..9e668b0f 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -17,7 +17,6 @@ FROM alpine:latest LABEL maintainer="vouch@bnf.net" ENV VOUCH_ROOT=/ COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt -COPY .defaults.yml /.defaults.yml # do.sh requires bash RUN apk add --no-cache bash diff --git a/README.md b/README.md index d71fa8a8..1ca5fe2f 100644 --- a/README.md +++ b/README.md @@ -295,6 +295,8 @@ Helm Charts are maintained by [halkeye](https://github.com/halkeye) and are avai ./vouch-proxy ``` +As of `v0.29.0` all templates, static assets and configuration defaults in `.defaults.yml` are built into the static binary using [go:embed](https://pkg.go.dev/embed) directives. + ## /login and /logout endpoint redirection As of `v0.11.0` additional checks are in place to reduce [the attack surface of url redirection](https://blog.detectify.com/2019/05/16/the-real-impact-of-an-open-redirect/). diff --git a/main.go b/main.go index cfb96aba..704e6aae 100644 --- a/main.go +++ b/main.go @@ -73,6 +73,9 @@ var staticFs embed.FS //go:embed templates var templatesFs embed.FS +//go:embed .defaults.yml +var defaultsFs embed.FS + // fwdToZapWriter allows us to use the zap.Logger as our http.Server ErrorLog // see https://stackoverflow.com/questions/52294334/net-http-set-custom-logger type fwdToZapWriter struct { @@ -100,11 +103,12 @@ func configure() { os.Exit(1) } + cfg.Templates = templatesFs + cfg.Defaults = defaultsFs + cfg.Configure() healthcheck.CheckAndExitIfIsHealthCheck() - cfg.Templates = templatesFs - logger = cfg.Logging.Logger fastlog = cfg.Logging.FastLogger diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index 142969ee..7b46a28e 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go @@ -11,10 +11,11 @@ OR CONDITIONS OF ANY KIND, either express or implied. package cfg import ( + "bytes" + "embed" "errors" "flag" "fmt" - "io/fs" "io/ioutil" "net/http" "os" 
@@ -130,7 +131,10 @@ var ( // errConfigIsBad = errors.New("configuration file is malformed") // Templates are loaded from the file system with a go:embed directive in main.go - Templates fs.FS + Templates embed.FS + + // Defaults are loaded from the file system with a go:embed directive in main.go + Defaults embed.FS ) type cmdLineFlags struct { @@ -476,10 +480,15 @@ func basicTest() error { // setDefaults set default options for most items from `.defaults.yml` in the root dir func setDefaults() { - viper.SetConfigName(".defaults") + // viper.SetConfigName(".defaults") viper.SetConfigType("yaml") - viper.AddConfigPath(RootDir) - viper.ReadInConfig() + // viper.AddConfigPath(RootDir) + // viper.ReadInConfig() + d, err := Defaults.ReadFile(".defaults.yml") + if err != nil { + log.Fatal(err) + } + viper.ReadConfig(bytes.NewBuffer(d)) if err := viper.UnmarshalKey(Branding.LCName, &Cfg); err != nil { log.Error(err) } From 4d39cb1f36165f2ebd34df91e507860a0545a8d0 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Mon, 2 Aug 2021 17:55:06 -0700 Subject: [PATCH 08/25] adjust testing environment for go:embed --- handlers/handlers_test.go | 3 --- pkg/cfg/cfg.go | 19 +++++++++++++++++-- 2 files changed, 17 insertions(+), 5 deletions(-) diff --git a/handlers/handlers_test.go b/handlers/handlers_test.go index be19e331..8c399c61 100644 --- a/handlers/handlers_test.go +++ b/handlers/handlers_test.go @@ -40,10 +40,7 @@ func setUp(configFile string) { domains.Configure() jwtmanager.Configure() cookie.Configure() - var templatesFs = os.DirFS(os.Getenv("VOUCH_ROOT")) responses.Configure() - responses.LoadTemplates(templatesFs) - } func TestVerifyUserPositiveUserInWhiteList(t *testing.T) { diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index 4b116afc..6a5ad5ec 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go @@ -16,6 +16,7 @@ import ( "errors" "flag" "fmt" + "io/fs" "io/ioutil" "net/http" "os" 
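Review bot: the error from `viper.ReadConfig(bytes.NewBuffer(d))` is discarded, so a malformed embedded `.defaults.yml` leaves viper empty and the following `UnmarshalKey` silently yields zeroed defaults; since the file is compiled in, a parse failure is a build mistake and deserves the same hard stop as the `ReadFile` error: `if err := viper.ReadConfig(bytes.NewReader(d)); err != nil { log.Fatal(err) }` (a `bytes.Reader` is enough, nothing writes to the buffer). The three commented-out `viper.SetConfigName` / `AddConfigPath` / `ReadInConfig` lines should be removed rather than kept as comments. The doc comment `// setDefaults set default options for most items from .defaults.yml in the root dir` should now say the defaults are read from the embedded `Defaults` FS.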
@@ -131,7 +132,7 @@ var ( // errConfigIsBad = errors.New("configuration file is malformed") // Templates are loaded from the file system with a go:embed directive in main.go - Templates embed.FS + Templates fs.FS // Defaults are loaded from the file system with a go:embed directive in main.go Defaults embed.FS @@ -563,6 +564,7 @@ func InitForTestPurposes() { // InitForTestPurposesWithProvider just for testing func InitForTestPurposesWithProvider(provider string) { Cfg = &Config{} // clear it out since we're called multiple times from subsequent tests + Logging.setLogLevel(zapcore.InfoLevel) setRootDir() // _, b, _, _ := runtime.Caller(0) @@ -575,7 +577,20 @@ func InitForTestPurposesWithProvider(provider string) { } // Configure() // setRootDir() - setDefaults() + + // can't use setDefaults for testing which is go:embed based so we do it the old way + // setDefaults() + viper.SetConfigName(".defaults") + viper.SetConfigType("yaml") + viper.AddConfigPath(RootDir) + viper.ReadInConfig() + if err := UnmarshalKey(Branding.LCName, &Cfg); err != nil { + log.Error(err) + } + + // this also mimics the go:embed testing setup + Templates = os.DirFS(RootDir) + if err := parseConfigFile(); err != nil { log.Error(err) } From 20cb366e3beed46cc5866ad9bdc091a1623c29d3 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Tue, 3 Aug 2021 14:09:36 -0700 Subject: [PATCH 09/25] set cache expiration to jwt expiration --- pkg/jwtmanager/jwtcache.go | 36 ++++++++++++++----------- pkg/jwtmanager/jwtcache_test.go | 48 +++++++++++++++++++++++++++++++++ 2 files changed, 69 insertions(+), 15 deletions(-) create mode 100644 pkg/jwtmanager/jwtcache_test.go diff --git a/pkg/jwtmanager/jwtcache.go b/pkg/jwtmanager/jwtcache.go index ffb22137..9b07462d 100644 --- a/pkg/jwtmanager/jwtcache.go +++ b/pkg/jwtmanager/jwtcache.go 
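Review bot: the duplicated defaults loader ignores the result of `viper.ReadInConfig()`, so a test run from a directory where `RootDir` holds no `.defaults.yml` continues with empty defaults and fails somewhere unrelated; `if err := viper.ReadInConfig(); err != nil { log.Error(err) }` matches how the `UnmarshalKey` error is handled two lines below. The block calls an unqualified `UnmarshalKey` where `setDefaults` calls `viper.UnmarshalKey`; if the former is this package's own wrapper, a short comment on why the two paths differ would help the next reader. The existing comment says `setDefaults` can't be used because it is go:embed based; the concrete reason is that `Defaults` is never populated for tests, which is worth stating next to the `Templates = os.DirFS(RootDir)` mirror. `InitForTestPurposesWithProvider` starts outside the hunk.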
@@ -81,26 +81,32 @@ func JWTCacheHandler(next http.Handler) http.Handler { // log.Debug("setting cache for %+v", w.Header().Clone()) claims, err := ClaimsFromJWT(jwt) - now := time.Now().Unix() if err != nil { log.Error("very unusual error, we found a jwt for /validate but we couldn't parse it for claims while setting it into cache, returning") return - // log.Debugf("*HERE* claims expire, time.now.unix, dExp %d - %d = %d > %d", claims.ExpiresAt, now, claims.ExpiresAt-now, int64(dExp)) - // log.Debugf("*HERE* time.Duration((claims.ExpiresAt-time.Now().Unix())*time.Second.Nanoseconds()) %d", time.Duration((claims.ExpiresAt-time.Now().Unix())*time.Second.Nanoseconds())) - } - - // first see if the jwt's expiration will arrive before the cache expiration - // if this jwt expires in 10 minutes then we don't want to cache it for 20 - // this might happen if the jwt expiration is set to 240 minutes, and the user last logged into the IdP 230 minutes ago - // then the user went away, cache was purged and now they return with 10 minutes left before token expiration - if !claims.VerifyExpiresAt(now+int64(dExp/time.Second), true) { - jwtExpiresIn := time.Duration((claims.ExpiresAt - now) * int64(time.Second)) - log.Debugf("cache default expiration (%d) is after claim expiration (%d). 
setting cache experation to claim expiration for this entry", dExp, jwtExpiresIn) - Cache.Set(jwt, w.Header().Clone(), jwtExpiresIn) - } else { - Cache.SetDefault(jwt, w.Header().Clone()) + // log.Debugf("claims expire, time.now.unix, dExp %d - %d = %d > %d", claims.ExpiresAt, now, claims.ExpiresAt-now, int64(dExp)) + // log.Debugf("time.Duration((claims.ExpiresAt-time.Now().Unix())*time.Second.Nanoseconds()) %d", time.Duration((claims.ExpiresAt-time.Now().Unix())*time.Second.Nanoseconds())) } + cacheExp := getCacheExpirationDuration(claims) + Cache.Set(jwt, w.Header().Clone(), cacheExp) } }) } + +// getCacheExpirationDuration - return time.Duration til the jwt should be purged from cache +// first see if the jwt's expiration will arrive before the cache expiration +// if this jwt expires in 10 minutes then we don't want to cache it for 20 +// this might happen if the jwt expiration is set to 240 minutes, and the user last logged into the IdP 230 minutes ago +// then the user went away, cache was purged and now they return with 10 minutes left before token expiration +func getCacheExpirationDuration(claims *VouchClaims) time.Duration { + + now := time.Now().Unix() + expiresAt := now + int64(dExp/time.Second) + if !claims.VerifyExpiresAt(expiresAt, true) { + jwtExpiresIn := time.Duration((claims.ExpiresAt - now) * int64(time.Second)) + log.Debugf("cache default expiration (%d) is after jwt expiration (%d). setting cache expiration to claim expiration for this entry", dExp, jwtExpiresIn) + return jwtExpiresIn + } + return dExp +} diff --git a/pkg/jwtmanager/jwtcache_test.go b/pkg/jwtmanager/jwtcache_test.go new file mode 100644 index 00000000..3f57559e --- /dev/null +++ b/pkg/jwtmanager/jwtcache_test.go 
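Review bot: `getCacheExpirationDuration` returns `jwtExpiresIn` without checking that it is positive, the same gap noted on the earlier commit "make sure JWT expires from cache by jwt.expiration": a token with `ExpiresAt` of 0 or at/before `now` produces a zero or negative duration, which go-cache interprets as the default lifetime or no expiration at all. Since the helper is new here it could return `(time.Duration, bool)` with `ok` false in that case and the caller would skip `Cache.Set` when `!ok`; alternatively the caller can guard `if cacheExp <= 0 { return }` before the `Set`. The `log.Debugf` formats two `time.Duration` values with `%d`, which prints raw nanoseconds; `%v` prints `20m0s`. The two commented-out `log.Debugf` lines after the `return` in the error branch are still unreachable and should go. The `HandlerFunc` closure that the first part of the hunk belongs to starts outside it.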
@@ -0,0 +1,48 @@ +/* + +Copyright 2020 The Vouch Proxy Authors. +Use of this source code is governed by The MIT License (MIT) that +can be found in the LICENSE file. Software distributed under The +MIT License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES +OR CONDITIONS OF ANY KIND, either express or implied. + +*/ + +package jwtmanager + +import ( + "fmt" + "reflect" + "testing" + "time" +) + +func Test_getCacheExpirationDuration(t *testing.T) { + // default cache expire is 20 minutes, so we test +/- 5 minutes of that + expire = 17 + now := time.Now() + + claimsA := lc + claimsA.ExpiresAt = now.Add(time.Minute * time.Duration(expire+5)).Unix() + + claimsB := lc + dBexp := time.Minute * time.Duration(expire-5) + claimsB.ExpiresAt = now.Add(dBexp).Unix() + + tests := []struct { + name string + claims *VouchClaims + want time.Duration + }{ + {fmt.Sprintf("should equal %d", expire), &claimsA, dExp}, // dExp is the default expiration duration + {fmt.Sprintf("should equal %d -5", expire), &claimsB, dBexp}, + // TODO: Add test cases. + } + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if got := getCacheExpirationDuration(tt.claims); !reflect.DeepEqual(got, tt.want) { + t.Errorf("getCacheExpirationDuration() = %v, want %v", got, tt.want) + } + }) + } +} From a7b7a07be00de12d68e3964b4bdfae5ff3e2ef7e Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Tue, 3 Aug 2021 14:28:31 -0700 Subject: [PATCH 10/25] systemd example, claims cookie language --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 06fc8f51..3a7dd71b 100644 --- a/README.md +++ b/README.md 
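Review bot: `Test_getCacheExpirationDuration` can fail at a second boundary: `claimsB.ExpiresAt` is `now.Add(dBexp).Unix()` truncated to whole seconds, and the function samples `time.Now().Unix()` again, so if the clock ticks over between the two calls the result is `dBexp - time.Second`; either accept a one-second tolerance for that case or inject the clock into the helper. `expire = 17` has no effect on the function under test because `dExp` is only recomputed in `cacheConfigure`, so either call `cacheConfigure()` after setting it or drop the assignment together with the "default cache expire is 20 minutes" comment. `reflect.DeepEqual` on two `time.Duration` values is just `!=`. Cases for an already-expired token and for `ExpiresAt == 0` would exercise the non-positive-duration path, and `lc` is presumably a fixture defined in another test file of this package.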
@@ -208,16 +208,17 @@ All Vouch Proxy configuration items are documented in [config/config.yml_example - [Reverse Proxy for Google Cloud Run Services](https://github.com/karthikv2k/oauth_reverse_proxy) - [Enable native TLS in Vouch Proxy](https://github.com/vouch/vouch-proxy/pull/332#issue-522612010) - [FreeBSD support](https://github.com/vouch/vouch-proxy/issues/368) +- [systemd startup of Vouch Proxy](https://github.com/vouch/vouch-proxy/tree/master/examples/startup) Please do help us to expand this list. ### Scopes and Claims -With Vouch Proxy you can request various `scopes` (standard and custom) to obtain more information about the user or gain access to the provider's APIs. Internally, Vouch Proxy launches a requests to `user_info_url` after successful authentication. From the provider's response the required `claims` are extracted and stored in the vouch cookie. +With Vouch Proxy you can request various `scopes` (standard and custom) to obtain more information about the user or gain access to the provider's APIs. Internally, Vouch Proxy launches a requests to `user_info_url` after successful authentication. The required `claims` are extracted from the provider's response and stored in the VP cookie. ⚠️ **Additional claims and tokens will be added to the VP cookie and can make it large** -The VP cookie may get split up into several cookies, but if you need it, you need it. Large cookies and headers require Nginx to be configured with larger buffers. See [large_client_header_buffers](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers) and [proxy_buffer_size](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) for more information. +The VP cookie may be split into several cookies to accomdate browser cookie size limits. But if you need it, you need it. Large cookies and headers require Nginx to be configured with larger buffers. 
See [large_client_header_buffers](http://nginx.org/en/docs/http/ngx_http_core_module.html#large_client_header_buffers) and [proxy_buffer_size](http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffer_size) for more information. #### Setup `scopes` and `claims` in Vouch Proxy with Nginx From d5c40652e643d3d4877d51c10cc0b012a9d088f6 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Wed, 4 Aug 2021 10:42:03 -0700 Subject: [PATCH 11/25] use log.Warn for common "token not found" error --- pkg/responses/responses.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/responses/responses.go b/pkg/responses/responses.go index 48942c8d..2ff29f3e 100644 --- a/pkg/responses/responses.go +++ b/pkg/responses/responses.go @@ -120,7 +120,7 @@ func Error500(w http.ResponseWriter, r *http.Request, e error) { // cancelClearSetError convenience method to keep it DRY func cancelClearSetError(w http.ResponseWriter, r *http.Request, e error) { - log.Error(e) + log.Warn(e) cookie.ClearCookie(w, r) w.Header().Set(cfg.Cfg.Headers.Error, e.Error()) addErrandCancelRequest(r) From 7dd36bf3b746eac70e2e898e7e5ac15fe6fb3e3c Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Wed, 4 Aug 2021 11:59:20 -0700 Subject: [PATCH 12/25] use httprouter's more performant mux --- go.mod | 2 +- go.sum | 4 ++-- main.go | 61 +++++++++++++++++++++++++++++++++------------------------ 3 files changed, 38 insertions(+), 29 deletions(-) diff --git a/go.mod b/go.mod index 4b404bda..0fdb0c36 100644 --- a/go.mod +++ b/go.mod 
@@ -8,9 +8,9 @@ require ( github.com/dgryski/go-gk v0.0.0-20200319235926-a69029f61654 // indirect github.com/golang-jwt/jwt v3.2.2+incompatible github.com/google/go-cmp v0.5.6 - github.com/gorilla/mux v1.8.0 github.com/gorilla/sessions v1.2.1 github.com/influxdata/tdigest v0.0.1 // indirect + github.com/julienschmidt/httprouter v1.3.0 github.com/karupanerura/go-mock-http-response v0.0.0-20171201120521-7c242a447d45 github.com/kelseyhightower/envconfig v1.4.0 github.com/mailru/easyjson v0.7.7 // indirect diff --git a/go.sum b/go.sum index 3fa25dec..4f8290c5 100644 --- a/go.sum +++ b/go.sum @@ -161,8 +161,6 @@ github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+ github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1 h1:EGx4pi6eqNxGaHF6qqu48+N2wcFQ5qg5FXgOdqsJ5d8= github.com/gopherjs/gopherjs v0.0.0-20181017120253-0766667cb4d1/go.mod h1:wJfORRmW1u3UXTncJ5qlYoELFm8eSnnEO6hX4iZ3EWY= -github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI= -github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ= github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4= github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI= 
@@ -200,6 +198,8 @@ github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1 github.com/jstemmer/go-junit-report v0.9.1/go.mod h1:Brl9GWCQeLvo8nXZwPNNblvFj/XSXhF0NWZEnDohbsk= github.com/jtolds/gls v4.20.0+incompatible h1:xdiiI2gbIgH/gLH7ADydsJ1uDOEzR8yvV7C0MuV77Wo= github.com/jtolds/gls v4.20.0+incompatible/go.mod h1:QJZ7F/aHp+rZTRtaJ1ow/lLfFfVYBRgL+9YlvaHOwJU= +github.com/julienschmidt/httprouter v1.3.0 h1:U0609e9tgbseu3rBINet9P48AI/D3oJs4dN7jwJOQ1U= +github.com/julienschmidt/httprouter v1.3.0/go.mod h1:JR6WtHb+2LUe8TCKY3cZOxFyyO8IZAc4RVcycCCAKdM= github.com/karupanerura/go-mock-http-response v0.0.0-20171201120521-7c242a447d45 h1:XSik/ETzj52cVbZcv7tJuUFX14XzvRX0te26UaKY0Aw= github.com/karupanerura/go-mock-http-response v0.0.0-20171201120521-7c242a447d45/go.mod h1:FULZ2B7LE0CUYtI8XLMYxI58AF9M6MTg6nWmZvWoFHQ= github.com/kelseyhightower/envconfig v1.4.0 h1:Im6hONhd3pLkfDFsbRgu68RDNkGF1r3dvMUtDTo2cv8= diff --git a/main.go b/main.go index 704e6aae..bea18f3d 100644 --- a/main.go +++ b/main.go @@ -35,7 +35,7 @@ import ( // "net/http/pprof" - "github.com/gorilla/mux" + "github.com/julienschmidt/httprouter" "go.uber.org/zap" "github.com/vouch/vouch-proxy/handlers" @@ -48,7 +48,7 @@ import ( "github.com/vouch/vouch-proxy/pkg/timelog" ) -// version and semver get overwritten by build with +// `version`, `semver` and others are populated during build by.. // go build -i -v -ldflags="-X main.version=$(git describe --always --long) -X main.semver=v$(git semver get)" var ( version = "undefined" 
@@ -142,37 +142,46 @@ func main() { "tls", tls, "oauth.provider", cfg.GenOAuth.Provider) - muxR := mux.NewRouter() + // router := mux.NewRouter() + router := httprouter.New() authH := http.HandlerFunc(handlers.ValidateRequestHandler) - muxR.HandleFunc("/validate", timelog.TimeLog(jwtmanager.JWTCacheHandler(authH))) - muxR.HandleFunc("/_external-auth-{id}", timelog.TimeLog(jwtmanager.JWTCacheHandler(authH))) + router.HandlerFunc(http.MethodGet, "/validate", timelog.TimeLog(jwtmanager.JWTCacheHandler(authH))) + router.HandlerFunc(http.MethodGet, "/_external-auth-:id", timelog.TimeLog(jwtmanager.JWTCacheHandler(authH))) loginH := http.HandlerFunc(handlers.LoginHandler) - muxR.HandleFunc("/login", timelog.TimeLog(loginH)) + router.HandlerFunc(http.MethodGet, "/login", timelog.TimeLog(loginH)) logoutH := http.HandlerFunc(handlers.LogoutHandler) - muxR.HandleFunc("/logout", timelog.TimeLog(logoutH)) - - authStateH := http.HandlerFunc(handlers.AuthStateHandler) - muxR.HandleFunc("/auth/{state}/", timelog.TimeLog(authStateH)) + router.HandlerFunc(http.MethodGet, "/logout", timelog.TimeLog(logoutH)) callH := http.HandlerFunc(handlers.CallbackHandler) - muxR.HandleFunc("/auth", timelog.TimeLog(callH)) + router.HandlerFunc(http.MethodGet, "/auth/", timelog.TimeLog(callH)) + + authStateH := http.HandlerFunc(handlers.AuthStateHandler) + router.HandlerFunc(http.MethodGet, "/auth/:state/", timelog.TimeLog(authStateH)) healthH := http.HandlerFunc(handlers.HealthcheckHandler) - muxR.HandleFunc("/healthcheck", timelog.TimeLog(healthH)) + router.HandlerFunc(http.MethodGet, "/healthcheck", timelog.TimeLog(healthH)) + + // this is the documented implemenation for static file serving but it doesn't seem to work with go:embed + // router.ServeFiles("/static/*filepath", http.FS(staticFs)) + + // so instead we publish all three routes + router.Handler(http.MethodGet, "/static/css/main.css", http.FileServer(http.FS(staticFs))) + router.Handler(http.MethodGet, "/static/img/favicon.ico", 
http.FileServer(http.FS(staticFs))) + router.Handler(http.MethodGet, "/static/img/multicolor_V_500x500.png", http.FileServer(http.FS(staticFs))) - // setup /static/ urls to be satisfied from the embedded /static/... fs - muxR.PathPrefix("/static/").Handler(http.FileServer(http.FS(staticFs))) + // this also works for static files + // router.NotFound = http.FileServer(http.FS(staticFs)) // // if *doProfile { - // addProfilingHandlers(muxR) + // addProfilingHandlers(router) // } srv := &http.Server{ - Handler: muxR, + Handler: router, Addr: listen, // Good practice: enforce timeouts for servers you create! WriteTimeout: 15 * time.Second, 
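Review bot: Every route is now registered for `http.MethodGet` only, whereas gorilla's `HandleFunc` matched any method, so HEAD or POST requests that previously reached `/validate`, `/logout` or `/healthcheck` now get httprouter's default 405 response; confirm this is intended and document it, or also register `http.MethodHead` for `/healthcheck`. The callback moves from `/auth` to `/auth/` while the shipped examples still use `callback_url: https://vouch.yourdomain.com/auth`, so the IdP redirect appears to depend on httprouter's default `RedirectTrailingSlash` 301 preserving the query string — worth a comment on that line rather than an implicit dependency. The comment above the static routes has a typo: `implemenation` should be `implementation`. `main` continues outside the hunk.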
@@ -202,16 +211,16 @@ func checkTCPPortAvailable(listen string) { } // if you'd like to enable profiling uncomment these -// func addProfilingHandlers(muxR *mux.Router) { +// func addProfilingHandlers(router *httprouter.Router) { // // https://stackoverflow.com/questions/47452471/pprof-profile-with-julienschmidtrouter-and-benchmarks-not-profiling-handler // logger.Debugf("profiling routes added at http://%s:%d/debug/pprof/", cfg.Cfg.Listen, cfg.Cfg.Port) -// muxR.HandleFunc("/debug/pprof/", pprof.Index) -// muxR.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline) -// muxR.HandleFunc("/debug/pprof/profile", pprof.Profile) -// muxR.HandleFunc("/debug/pprof/symbol", pprof.Symbol) -// muxR.HandleFunc("/debug/pprof/trace", pprof.Trace) -// muxR.Handle("/debug/pprof/goroutine", pprof.Handler("goroutine")) -// muxR.Handle("/debug/pprof/heap", pprof.Handler("heap")) -// muxR.Handle("/debug/pprof/threadcreate", pprof.Handler("threadcreate")) -// muxR.Handle("/debug/pprof/block", pprof.Handler("block")) +// router.HandlerFunc(http.MethodGet, "/debug/pprof/", pprof.Index) +// router.HandlerFunc(http.MethodGet, "/debug/pprof/cmdline", pprof.Cmdline) +// router.HandlerFunc(http.MethodGet, "/debug/pprof/profile", pprof.Profile) +// router.HandlerFunc(http.MethodGet, "/debug/pprof/symbol", pprof.Symbol) +// router.HandlerFunc(http.MethodGet, "/debug/pprof/trace", pprof.Trace) +// router.Handler(http.MethodGet, "/debug/pprof/goroutine", pprof.Handler("goroutine")) +// router.Handler(http.MethodGet, "/debug/pprof/heap", pprof.Handler("heap")) +// router.Handler(http.MethodGet, "/debug/pprof/threadcreate", pprof.Handler("threadcreate")) +// router.Handler(http.MethodGet, "/debug/pprof/block", pprof.Handler("block")) // } From f0ac39a76efef2a8c91b78b327bf3b525fb5a338 Mon Sep 17 00:00:00 2001 
From: Benjamin Foote Date: Wed, 4 Aug 2021 13:46:37 -0700 Subject: [PATCH 13/25] #406 gh action docker build and push to quay.io --- ...ker-release.yml => docker-release-arm.yml} | 2 +- .github/workflows/docker-release-quayio.yml | 53 +++++++++++++++++++ 2 files changed, 54 insertions(+), 1 deletion(-) rename .github/workflows/{docker-release.yml => docker-release-arm.yml} (98%) create mode 100644 .github/workflows/docker-release-quayio.yml diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release-arm.yml similarity index 98% rename from .github/workflows/docker-release.yml rename to .github/workflows/docker-release-arm.yml index ca6d44f3..a28f9f7f 100644 --- a/.github/workflows/docker-release.yml +++ b/.github/workflows/docker-release-arm.yml @@ -6,7 +6,7 @@ on: - master jobs: - Publish-to-docker: + publish-to-docker-arm: runs-on: ubuntu-latest env: DOCKER_TAG: latest-arm diff --git a/.github/workflows/docker-release-quayio.yml b/.github/workflows/docker-release-quayio.yml new file mode 100644 index 00000000..83dcfa48 --- /dev/null +++ b/.github/workflows/docker-release-quayio.yml 
@@ -0,0 +1,53 @@ +name: Publish Docker image to Quay.io + +on: + push: + branches: + - master + tags: + - 'v*' + + +jobs: + publish-to-docker-quayio: + runs-on: ubuntu-latest + env: + DOCKER_REPO: quay.io + + steps: + - name: Check out the repo + uses: actions/checkout@v2 + + - name: Log in to Docker repository + uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 + with: + registry: ${{ env.DOCKER_REPO }} + username: ${{ secrets.QUAYIO_ROBOT_USERNAME }} + password: ${{ secrets.QUAYIO_ROBOT_PASSWORD }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: quay.io/vouch/vouch-proxy + tags: | + type=ref,event=branch + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + + - name: Build and push Docker image using Dockerfile + uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + + - name: Build and push Docker image using Dockerfile.alpine + uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc + with: + file: Dockerfile.alpine + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: alpine-${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file From dc806813b07bc2d3f516cd4018b9161d6b8a0439 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Wed, 4 Aug 2021 13:46:37 -0700 Subject: [PATCH 14/25] #406 gh action docker build and push to quay.io --- ...ker-release.yml => docker-release-arm.yml} | 2 +- .github/workflows/docker-release-quayio.yml | 53 +++++++++++++++++++ 2 files changed, 54 insertions(+), 1 deletion(-) rename .github/workflows/{docker-release.yml => docker-release-arm.yml} (98%) create mode 100644 .github/workflows/docker-release-quayio.yml 
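Review bot: `uses: actions/checkout@v2` is a mutable tag while the docker actions in the same job are pinned to commit SHAs, so the checkout step is the one link in this release pipeline that can change underneath it; pin it to a full commit SHA as well, e.g. `uses: actions/checkout@<checkout-commit-sha>`. The alpine step's `tags: alpine-${{ steps.meta.outputs.tags }}` appears to prefix only the first of metadata-action's newline-separated tags, so the remaining alpine tags would collide with the plain image's tags; metadata-action's `flavor: prefix=alpine-` is the supported way to do this. Both points apply equally to the duplicate of this commit that follows, and the checkout pinning also to the new `docker-release-quayio-alpine.yml` workflow after it.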
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release-arm.yml similarity index 98% rename from .github/workflows/docker-release.yml rename to .github/workflows/docker-release-arm.yml index ca6d44f3..a28f9f7f 100644 --- a/.github/workflows/docker-release.yml +++ b/.github/workflows/docker-release-arm.yml @@ -6,7 +6,7 @@ on: - master jobs: - Publish-to-docker: + publish-to-docker-arm: runs-on: ubuntu-latest env: DOCKER_TAG: latest-arm diff --git a/.github/workflows/docker-release-quayio.yml b/.github/workflows/docker-release-quayio.yml new file mode 100644 index 00000000..83dcfa48 --- /dev/null +++ b/.github/workflows/docker-release-quayio.yml 
@@ -0,0 +1,53 @@ +name: Publish Docker image to Quay.io + +on: + push: + branches: + - master + tags: + - 'v*' + + +jobs: + publish-to-docker-quayio: + runs-on: ubuntu-latest + env: + DOCKER_REPO: quay.io + + steps: + - name: Check out the repo + uses: actions/checkout@v2 + + - name: Log in to Docker repository + uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 + with: + registry: ${{ env.DOCKER_REPO }} + username: ${{ secrets.QUAYIO_ROBOT_USERNAME }} + password: ${{ secrets.QUAYIO_ROBOT_PASSWORD }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: quay.io/vouch/vouch-proxy + tags: | + type=ref,event=branch + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + + - name: Build and push Docker image using Dockerfile + uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc + with: + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + + - name: Build and push Docker image using Dockerfile.alpine + uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc + with: + file: Dockerfile.alpine + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: alpine-${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file From 64b6903469b8f58109858893fc557a468e48b5c5 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Wed, 4 Aug 2021 14:08:39 -0700 Subject: [PATCH 15/25] #406 gh action docker alpine build push to quay.io --- .../docker-release-quayio-alpine.yml | 47 +++++++++++++++++++ .github/workflows/docker-release-quayio.yml | 8 ---- 2 files changed, 47 insertions(+), 8 deletions(-) create mode 100644 .github/workflows/docker-release-quayio-alpine.yml 
diff --git a/.github/workflows/docker-release-quayio-alpine.yml b/.github/workflows/docker-release-quayio-alpine.yml new file mode 100644 index 00000000..5ae651d8 --- /dev/null +++ b/.github/workflows/docker-release-quayio-alpine.yml @@ -0,0 +1,47 @@ +name: Publish Docker image to Quay.io + +on: + push: + branches: + - master + tags: + - 'v*' + + +jobs: + publish-to-docker-quayio: + runs-on: ubuntu-latest + env: + DOCKER_REPO: quay.io + + steps: + - name: Check out the repo + uses: actions/checkout@v2 + + - name: Log in to Docker repository + uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 + with: + registry: ${{ env.DOCKER_REPO }} + username: ${{ secrets.QUAYIO_ROBOT_USERNAME }} + password: ${{ secrets.QUAYIO_ROBOT_PASSWORD }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + with: + images: quay.io/vouch/vouch-proxy + flavor: | + prefix=alpine-,onlatest=true + tags: | + type=ref,event=branch + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + + - name: Build and push Docker image using Dockerfile.alpine + uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc + with: + file: Dockerfile.alpine + context: . + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file diff --git a/.github/workflows/docker-release-quayio.yml b/.github/workflows/docker-release-quayio.yml index 83dcfa48..d6d5df3d 100644 --- a/.github/workflows/docker-release-quayio.yml +++ b/.github/workflows/docker-release-quayio.yml 
@@ -43,11 +43,3 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} - - name: Build and push Docker image using Dockerfile.alpine - uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc - with: - file: Dockerfile.alpine - context: . - push: ${{ github.event_name != 'pull_request' }} - tags: alpine-${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file From 8288b58a3bcf2ef8ddfd6605b0eab0d182276128 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Wed, 4 Aug 2021 14:22:56 -0700 Subject: [PATCH 16/25] #406 drop onlatest, name as alpine --- .github/workflows/docker-release-quayio-alpine.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/docker-release-quayio-alpine.yml b/.github/workflows/docker-release-quayio-alpine.yml index 5ae651d8..4df1b969 100644 --- a/.github/workflows/docker-release-quayio-alpine.yml +++ b/.github/workflows/docker-release-quayio-alpine.yml @@ -1,4 +1,4 @@ -name: Publish Docker image to Quay.io +name: Publish Docker image to Quay.io using Dockerfile.alpine on: push: @@ -31,7 +31,7 @@ jobs: with: images: quay.io/vouch/vouch-proxy flavor: | - prefix=alpine-,onlatest=true + prefix=alpine- tags: | type=ref,event=branch type=semver,pattern={{version}} From e81acdab18933df8042ab182228232e6462b7dc0 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Wed, 4 Aug 2021 14:43:34 -0700 Subject: [PATCH 17/25] #406 fix naming of alpine images, update README --- .github/workflows/docker-release-quayio-alpine.yml | 4 ++-- README.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-release-quayio-alpine.yml b/.github/workflows/docker-release-quayio-alpine.yml index 4df1b969..4c2a1d1f 100644 --- a/.github/workflows/docker-release-quayio-alpine.yml +++ b/.github/workflows/docker-release-quayio-alpine.yml 
@@ -27,11 +27,11 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 + uses: docker/metadata-action@a67f45cb0f8e65cf693a0bc5bfa1c5057c623030 with: images: quay.io/vouch/vouch-proxy flavor: | - prefix=alpine- + prefix=alpine-,onlatest=true tags: | type=ref,event=branch type=semver,pattern={{version}} diff --git a/README.md b/README.md index 3a7dd71b..e6d48f78 100644 --- a/README.md +++ b/README.md @@ -268,12 +268,12 @@ Automated container builds for each Vouch Proxy release are available from [quay a minimal go binary container built from `Dockerfile` - `quay.io/vouch/vouch-proxy:latest` -- `quay.io/vouch/vouch-proxy:vx.y.z` such as `quay.io/vouch/vouch-proxy:v0.28.0` +- `quay.io/vouch/vouch-proxy:x.y.z` such as `quay.io/vouch/vouch-proxy:0.28.0` an `alpine` based container built from `Dockerfile.alpine` -- `quay.io/vouch/vouch-proxy:alpine` -- `quay.io/vouch/vouch-proxy:alpine-vx.y.z` +- `quay.io/vouch/vouch-proxy:alpine-latest` +- `quay.io/vouch/vouch-proxy:alpine-x.y.z` Vouch Proxy `arm` images are available on [Docker Hub](https://hub.docker.com/r/voucher/vouch-proxy/) From 62eb090f7c61e164e8b097b04d210a4993f8d186 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Wed, 4 Aug 2021 15:10:40 -0700 Subject: [PATCH 18/25] #406 use travis instead of quay.io badge --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index e6d48f78..44d4e0dd 100644 --- a/README.md +++ b/README.md 
@@ -1,9 +1,9 @@ # Vouch Proxy [![GitHub stars](https://img.shields.io/github/stars/vouch/vouch-proxy.svg)](https://github.com/vouch/vouch-proxy) +[![Build Status](https://travis-ci.org/vouch/vouch-proxy.svg?branch=master)](https://travis-ci.org/vouch/vouch-proxy) [![Go Report Card](https://goreportcard.com/badge/github.com/vouch/vouch-proxy)](https://goreportcard.com/report/github.com/vouch/vouch-proxy) [![MIT license](https://img.shields.io/badge/license-MIT-green.svg)](https://github.com/vouch/vouch-proxy/blob/master/LICENSE) -[![Docker Repository on Quay](https://quay.io/repository/vouch/vouch-proxy/status 'Docker Repository on Quay')](https://quay.io/repository/vouch/vouch-proxy) [![GitHub version](https://img.shields.io/github/v/tag/vouch/vouch-proxy.svg?sort=semver&color=green)](https://github.com/vouch/vouch-proxy) An SSO solution for Nginx using the [auth_request](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) module. Vouch Proxy can protect all of your websites at once. From c98de26a7030e1a9c1bbefd94b06a9745b97599f Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Wed, 4 Aug 2021 18:32:18 -0700 Subject: [PATCH 19/25] copy the struct, not the address --- pkg/cfg/cfg.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index 6a5ad5ec..accfbdaf 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go @@ -306,7 +306,7 @@ func logConfigIfDebug() { // log.Debugf("viper settings %+v", viper.AllSettings()) // Mask sensitive configuration items before logging - maskedCfg := *Cfg + maskedCfg := Cfg if len(Cfg.Session.Key) != 0 { maskedCfg.Session.Key = "XXXXXXXX" } From 8efcbd2d1574d8865ffb67f6edd0e535acfbd719 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Wed, 4 Aug 2021 22:11:21 -0700 Subject: [PATCH 20/25] Revert "copy the struct, not the address" This reverts commit c98de26a7030e1a9c1bbefd94b06a9745b97599f. --- pkg/cfg/cfg.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
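Review bot: If `Cfg` is a pointer (the removed line dereferenced it with `*Cfg`), `maskedCfg := Cfg` copies the pointer rather than the struct, so `maskedCfg.Session.Key = "XXXXXXXX"` on the following line overwrites the live session key whenever debug logging of the config runs — the opposite of what the commit title says, and presumably enough to break session cookie handling at startup. The previous `maskedCfg := *Cfg` was the correct value copy; the revert in the next commit restores it. `logConfigIfDebug` continues outside the hunk.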
diff --git a/pkg/cfg/cfg.go b/pkg/cfg/cfg.go index accfbdaf..6a5ad5ec 100644 --- a/pkg/cfg/cfg.go +++ b/pkg/cfg/cfg.go @@ -306,7 +306,7 @@ func logConfigIfDebug() { // log.Debugf("viper settings %+v", viper.AllSettings()) // Mask sensitive configuration items before logging - maskedCfg := Cfg + maskedCfg := *Cfg if len(Cfg.Session.Key) != 0 { maskedCfg.Session.Key = "XXXXXXXX" } From 8567f1240d86d50d74a1131a5c7c2085cc721a56 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Thu, 5 Aug 2021 16:29:34 -0700 Subject: [PATCH 21/25] slack oidc example and app manifest --- README.md | 1 + config/config.yml_example_slack | 32 +++++++++++++++++++ .../slack/vouch-slack-oidc-app-manifest.yml | 17 ++++++++++ 3 files changed, 50 insertions(+) create mode 100644 config/config.yml_example_slack create mode 100644 examples/slack/vouch-slack-oidc-app-manifest.yml diff --git a/README.md b/README.md index 44d4e0dd..5db2ab96 100644 --- a/README.md +++ b/README.md @@ -15,6 +15,7 @@ Vouch Proxy supports many OAuth and OIDC login providers and can enforce authent - GitHub Enterprise - [IndieAuth](https://indieauth.spec.indieweb.org/) - [Okta](https://developer.okta.com/blog/2018/08/28/nginx-auth-request) +- [Slack](https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example_slack) - [ADFS](https://github.com/vouch/vouch-proxy/pull/68) - [Azure AD](https://github.com/vouch/vouch-proxy/issues/290) - [Alibaba / Aliyun iDaas](https://github.com/vouch/vouch-proxy/issues/344) diff --git a/config/config.yml_example_slack b/config/config.yml_example_slack new file mode 100644 index 00000000..8a13461b --- /dev/null +++ b/config/config.yml_example_slack 
@@ -0,0 +1,32 @@ + +# vouch config +# bare minimum to get vouch running with Slack + +vouch: + domains: + - yourdomain.com + + # set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at Gitea + # allowAllUsers: true + + # cookie: + # secure: false + # vouch.cookie.domain must be set when enabling allowAllUsers + # domain: yourdomain.com + + +oauth: + # create a new OAuth application at: + # https://api.slack.com/apps + # use the manifest at `examples/slack/vouch-slack-oidc-app-manifest.yml` + # then install the new app to your slack instance + provider: oidc + # careful! the slack client_id must be single quoted so that the yaml parser + # doesn't interpret it as a number (because yaml is actually javascript) + client_id: 'xxxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxx' + client_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + callback_url: https://vouch.yourdomain.com/auth + # from https://slack.com/.well-known/openid-configuration + auth_url: https://slack.com/openid/connect/authorize + token_url: https://slack.com/api/openid.connect.token + user_info_url: https://slack.com/api/openid.connect.userInfo diff --git a/examples/slack/vouch-slack-oidc-app-manifest.yml b/examples/slack/vouch-slack-oidc-app-manifest.yml new file mode 100644 index 00000000..e8336b46 --- /dev/null +++ b/examples/slack/vouch-slack-oidc-app-manifest.yml @@ -0,0 +1,17 @@ +_metadata: + major_version: 1 + minor_version: 1 +display_information: + name: Vouch Proxy - Login to Slack + description: enforce login to Slack to provide authorized access to your websites + background_color: "#002da8" +oauth_config: + scopes: + user: + - email + - openid + - profile +settings: + org_deploy_enabled: false + socket_mode_enabled: false + token_rotation_enabled: false From 252d46b6d867183d3d23f859e6c776c748b78080 Mon Sep 17 00:00:00 2001 
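Review bot: The comment `# set allowAllUsers: true to use Vouch Proxy to just accept anyone who can authenticate at Gitea` is copied from another example and should read `at Slack`; if the Slack OIDC app accepts logins from any workspace, the example should steer readers to the `domains:` restriction rather than to `allowAllUsers`. The manifest in the same commit declares scopes but no `redirect_urls`, so the config's `callback_url` has nothing to match against in the app definition (the follow-up commit adds it). The comment `because yaml is actually javascript` is inaccurate; `because an unquoted numeric-looking value is parsed as a number` says what is meant.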
From: Benjamin Foote Date: Thu, 5 Aug 2021 16:30:13 -0700 Subject: [PATCH 22/25] fix #304 add CHANGELOG.md --- CHANGELOG.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 CHANGELOG.md diff --git a/CHANGELOG.md b/CHANGELOG.md new file mode 100644 index 00000000..ba2b6489 --- /dev/null +++ b/CHANGELOG.md @@ -0,0 +1,25 @@ +# Changelog for Vouch Proxy + +## Unreleased + +Coming soon! Please document any work in progress here as part of your PR. It will be moved to the next tag when released. + +## v0.32.0 + +- [slack oidc example](https://github.com/vouch/vouch-proxy/blob/master/config/config.yml_example_slack) and [slack app manifest](https://github.com/vouch/vouch-proxy/blob/master/examples/slack/vouch-slack-oidc-app-manifest.yml) +- [CHANGELOG.md](https://github.com/vouch/vouch-proxy/blob/master/CHANGELOG.md) + +## v0.31.0 + +- [use quay.io](https://quay.io/repository/vouch/vouch-proxy?tab=tags) instead of Docker Hub for docker image hosting +- use [httprouter's](https://github.com/julienschmidt/httprouter) more performant mux + +## v0.29.0 + +- embed static assets at templates using [go:embed](https://golang.org/pkg/embed/) + +## v0.28.0 + +- add support for a custom 'relying party identifier' for ADFS + +_the rest is history_ and can be teased out with `git log` From 51c78b3c4fafa33fd163903d2b2724d3afc69c0d Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Thu, 5 Aug 2021 16:47:00 -0700 Subject: [PATCH 23/25] add note regarding redirect_urls --- CHANGELOG.md | 2 +- config/config.yml_example_slack | 1 + examples/slack/vouch-slack-oidc-app-manifest.yml | 7 +++---- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ba2b6489..769f6da2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -16,7 +16,7 @@ Coming soon! Please document any work in progress here as part of your PR. It wi ## v0.29.0 -- embed static assets at templates using [go:embed](https://golang.org/pkg/embed/) +- embed static assets as templates using [go:embed](https://golang.org/pkg/embed/) ## v0.28.0 diff --git a/config/config.yml_example_slack b/config/config.yml_example_slack index 8a13461b..b478b7cc 100644 --- a/config/config.yml_example_slack +++ b/config/config.yml_example_slack @@ -19,6 +19,7 @@ oauth: # create a new OAuth application at: # https://api.slack.com/apps # use the manifest at `examples/slack/vouch-slack-oidc-app-manifest.yml` + # but be sure to match the `callback_url`'s below to the `redirect_urls` in the manifest # then install the new app to your slack instance provider: oidc # careful! the slack client_id must be single quoted so that the yaml parser diff --git a/examples/slack/vouch-slack-oidc-app-manifest.yml b/examples/slack/vouch-slack-oidc-app-manifest.yml index e8336b46..edc3183e 100644 --- a/examples/slack/vouch-slack-oidc-app-manifest.yml +++ b/examples/slack/vouch-slack-oidc-app-manifest.yml @@ -6,12 +6,11 @@ display_information: description: enforce login to Slack to provide authorized access to your websites background_color: "#002da8" oauth_config: + # these need to match the + redirect_urls: + - https://vouch.yourdomain.com/auth scopes: user: - email - openid - profile -settings: - org_deploy_enabled: false - socket_mode_enabled: false - token_rotation_enabled: false From 438705e214c49a262f8f1b5791a74407b2d33f48 Mon Sep 17 00:00:00 2001 From: Benjamin Foote Date: Thu, 5 Aug 2021 17:25:15 -0700 Subject: [PATCH 24/25] add `-version` flag --- do.sh | 2 +- main.go | 27 +++++++++++++++++---------- 2 files changed, 18 insertions(+), 11 deletions(-) diff --git a/do.sh b/do.sh index 6f1060cb..8fbdbb5b 100755 --- a/do.sh +++ b/do.sh 
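Review bot: The new comment `# these need to match the` in the manifest hunk is cut off mid-sentence; complete it, e.g. `# these need to match the callback_url in vouch's config.yml`. In the config example, the added line `# but be sure to match the \`callback_url\`'s below to the \`redirect_urls\` in the manifest` reads better as `the \`callback_url\` below`, since there is one such key.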
@@ -29,7 +29,7 @@ build () { local SEMVER=$(git tag --list --sort="v:refname" | tail -n -1) local BRANCH=$(git rev-parse --abbrev-ref HEAD) local UNAME=$(uname) - go build -i -v -ldflags=" -X main.version=${VERSION} -X main.uname=${UNAME} -X main.builddt=${DT} -X main.host=${FQDN} -X main.semver=${SEMVER} -X main.branch=${BRANCH}" . + go build -v -ldflags=" -X main.version=${VERSION} -X main.uname=${UNAME} -X main.builddt=${DT} -X main.host=${FQDN} -X main.semver=${SEMVER} -X main.branch=${BRANCH}" . } _hostname() { diff --git a/main.go b/main.go index bea18f3d..965e7603 100644 --- a/main.go +++ b/main.go @@ -26,6 +26,7 @@ import ( "embed" "errors" "flag" + "fmt" "log" "net" "net/http" @@ -51,16 +52,17 @@ import ( // `version`, `semver` and others are populated during build by.. // go build -i -v -ldflags="-X main.version=$(git describe --always --long) -X main.semver=v$(git semver get)" var ( - version = "undefined" - builddt = "undefined" - host = "undefined" - semver = "undefined" - branch = "undefined" - uname = "undefined" - logger *zap.SugaredLogger - fastlog *zap.Logger - help = flag.Bool("help", false, "show usage") - scheme = map[bool]string{ + version = "undefined" + builddt = "undefined" + host = "undefined" + semver = "undefined" + branch = "undefined" + uname = "undefined" + logger *zap.SugaredLogger + fastlog *zap.Logger + showVersion = flag.Bool("version", false, "display version and exit") + help = flag.Bool("help", false, "show usage") + scheme = map[bool]string{ false: "http", true: "https", } @@ -103,6 +105,11 @@ func configure() { os.Exit(1) } + if *showVersion { + fmt.Printf("%s\n", semver) + os.Exit(0) + } + cfg.Templates = templatesFs cfg.Defaults = defaultsFs From e553b21b5e58d36ed56ca9d04f4dcb6499e61a86 Mon Sep 17 00:00:00 2001 
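Review bot: The `-version` check sits inside `configure()` after a branch that calls `os.Exit(1)`, so if that branch is config loading or validation, `vouch-proxy -version` will fail on a host with no valid config; move the check to immediately after `flag.Parse()` so a bare binary can report its version. `fmt.Printf("%s\n", semver)` is simpler as `fmt.Println(semver)`. The context comment above the var block still documents `go build -i -v -ldflags=...` while the `do.sh` hunk in this same commit drops the deprecated `-i`; update the comment to match. `configure` continues outside the hunk.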
From: Benjamin Foote Date: Sat, 7 Aug 2021 00:11:24 -0700 Subject: [PATCH 25/25] fix #408 add semicolons to auth_request_set --- examples/OpenResty/conf.d/app1.yourdomain.com.conf | 2 +- examples/OpenResty/conf.d/app2.yourdomain.com.conf | 2 +- examples/nginx/multi-file/conf.d/app1.yourdomain.com.conf | 2 +- examples/nginx/multi-file/conf.d/app2.yourdomain.com.conf | 2 +- examples/nginx/single-file/nginx_basic.conf | 2 +- examples/nginx/single-file/nginx_with_vouch.conf | 2 +- examples/nginx/single-file/nginx_with_vouch_single_server.conf | 2 +- examples/nginx/single-file/nginx_with_vouch_ssl.conf | 2 +- 8 files changed, 8 insertions(+), 8 deletions(-) diff --git a/examples/OpenResty/conf.d/app1.yourdomain.com.conf b/examples/OpenResty/conf.d/app1.yourdomain.com.conf index 80c886bf..911e2d1a 100644 --- a/examples/OpenResty/conf.d/app1.yourdomain.com.conf +++ b/examples/OpenResty/conf.d/app1.yourdomain.com.conf @@ -49,7 +49,7 @@ server { location / { proxy_pass http://app1-private.yourdomain.com:8080; # may need to set - # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user + # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; # auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups; # auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name; diff --git a/examples/OpenResty/conf.d/app2.yourdomain.com.conf b/examples/OpenResty/conf.d/app2.yourdomain.com.conf index 00be6e8b..dfc464b1 100644 --- a/examples/OpenResty/conf.d/app2.yourdomain.com.conf +++ b/examples/OpenResty/conf.d/app2.yourdomain.com.conf 
@@ -49,7 +49,7 @@ server { location / { proxy_pass http://app2-private.yourdomain.com:8080; # may need to set - # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user + # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; # auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups; # auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name; diff --git a/examples/nginx/multi-file/conf.d/app1.yourdomain.com.conf b/examples/nginx/multi-file/conf.d/app1.yourdomain.com.conf index 584ef8fd..e208c328 100644 --- a/examples/nginx/multi-file/conf.d/app1.yourdomain.com.conf +++ b/examples/nginx/multi-file/conf.d/app1.yourdomain.com.conf @@ -41,7 +41,7 @@ server { location / { proxy_pass http://app1.yourdomain.com:8080; # may need to set - # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user + # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; # in this bock as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810 # set user header (usually an email) proxy_set_header X-Vouch-User $auth_resp_x_vouch_user; diff --git a/examples/nginx/multi-file/conf.d/app2.yourdomain.com.conf b/examples/nginx/multi-file/conf.d/app2.yourdomain.com.conf index b7ce7c38..3bbb65be 100644 --- a/examples/nginx/multi-file/conf.d/app2.yourdomain.com.conf +++ b/examples/nginx/multi-file/conf.d/app2.yourdomain.com.conf @@ -41,7 +41,7 @@ server { location / { proxy_pass http://app2.yourdomain.com:8080; # may need to set - # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user + # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; # in this bock as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810 # set user header (usually an email) proxy_set_header X-Vouch-User $auth_resp_x_vouch_user; 
diff --git a/examples/nginx/single-file/nginx_basic.conf b/examples/nginx/single-file/nginx_basic.conf index cb7ebb41..285aea4d 100644 --- a/examples/nginx/single-file/nginx_basic.conf +++ b/examples/nginx/single-file/nginx_basic.conf @@ -71,7 +71,7 @@ http { # forward authorized requests to your service protectedapp.yourdomain.com proxy_pass http://127.0.0.1:8080; # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810 - # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user + # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; # auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups; # auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name; diff --git a/examples/nginx/single-file/nginx_with_vouch.conf b/examples/nginx/single-file/nginx_with_vouch.conf index 342507ed..72207164 100644 --- a/examples/nginx/single-file/nginx_with_vouch.conf +++ b/examples/nginx/single-file/nginx_with_vouch.conf @@ -70,7 +70,7 @@ http { # forward authorized requests to your service protectedapp.yourdomain.com proxy_pass http://127.0.0.1:8080; # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810 - # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user + # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; # auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups; # auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name; diff --git a/examples/nginx/single-file/nginx_with_vouch_single_server.conf b/examples/nginx/single-file/nginx_with_vouch_single_server.conf index edee80a8..e0cfb292 100644 --- a/examples/nginx/single-file/nginx_with_vouch_single_server.conf 
+++ b/examples/nginx/single-file/nginx_with_vouch_single_server.conf @@ -81,7 +81,7 @@ http { # forward authorized requests to your service protectedapp.yourdomain.com proxy_pass http://127.0.0.1:8080; # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810 - # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user + # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; # auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups; # auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name; diff --git a/examples/nginx/single-file/nginx_with_vouch_ssl.conf b/examples/nginx/single-file/nginx_with_vouch_ssl.conf index ce55ee05..8e9cb0c3 100644 --- a/examples/nginx/single-file/nginx_with_vouch_ssl.conf +++ b/examples/nginx/single-file/nginx_with_vouch_ssl.conf @@ -69,7 +69,7 @@ http { # forward authorized requests to your service protectedapp.yourdomain.com proxy_pass http://127.0.0.1:8080; # you may need to set these variables in this block as per https://github.com/vouch/vouch-proxy/issues/26#issuecomment-425215810 - # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user + # auth_request_set $auth_resp_x_vouch_user $upstream_http_x_vouch_user; # auth_request_set $auth_resp_x_vouch_idp_claims_groups $upstream_http_x_vouch_idp_claims_groups; # auth_request_set $auth_resp_x_vouch_idp_claims_given_name $upstream_http_x_vouch_idp_claims_given_name;