feat: allow multiple cookie domains via env var #60

Open
wants to merge 1 commit into
base: master
4 changes: 2 additions & 2 deletions internal/configuration/config.go
Expand Up @@ -36,10 +36,10 @@ type Config struct {
ProviderURI string `long:"provider-uri" env:"PROVIDER_URI" description:"OIDC Provider URI"`
ClientID string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
Scope string `long:"scope" env:"SCOPE" description:"Define scope"`
Scope []string `long:"scope" env:"SCOPE" env-delim:" " description:"Define scope. Space delimited when used as env var."`
AuthHost string `long:"auth-host" env:"AUTH_HOST" description:"Single host to use when returning from 3rd party auth"`
Config func(s string) error `long:"config" env:"CONFIG" description:"Path to config file" json:"-"`
CookieDomains []util.CookieDomain `long:"cookie-domain" env:"COOKIE_DOMAIN" description:"Domain to set auth cookie on, can be set multiple times"`
CookieDomains []util.CookieDomain `long:"cookie-domain" env:"COOKIE_DOMAIN" env-delim:"," description:"Domain to set auth cookie on, can be set multiple times. Comma delimited when used as env var."`
InsecureCookie bool `long:"insecure-cookie" env:"INSECURE_COOKIE" description:"Use insecure cookies"`
CookieName string `long:"cookie-name" env:"COOKIE_NAME" default:"_forward_auth" description:"ID Cookie Name"`
EmailHeaderNames CommaSeparatedList `long:"email-header-names" env:"EMAIL_HEADER_NAMES" default:"X-Forwarded-User" description:"Response headers containing the authenticated user's username"`
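Review bot: The new `env-delim:","` tag on CookieDomains splits the environment value on bare commas, so a value written as `a.example.com, b.example.com` or ending in a trailing comma hands a leading-space or empty string to util.CookieDomain; unless its unmarshaller trims and rejects empties (not visible here), the auth cookie would be scoped to a domain that never matches or, for an empty Domain, be set as a host-only cookie, and the only signal would be login loops. Either document that whitespace is not tolerated in the `description` text or, better, trim and reject empty elements where CookieDomain is parsed so the misconfiguration fails at startup. Separately, Scope moving from `string` to `[]string` changes the shape of any JSON rendering of Config (several fields here carry json tags), so anything that logs or emits the struct will now see an array. The Config struct continues outside this hunk.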
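--- a/internal/configuration/config_test.go
+++ b/internal/configuration/config_test.go
@@ -38,6 +38,8 @@ func TestConfigParseArgs(t *testing.T) {
 assert := assert.New(t)
 c, err := NewConfig([]string{
 "--cookie-name=cookiename",
+"--cookie-domain=example.com",
+"--cookie-domain=example2.com",
 "--csrf-cookie-name", "\"csrfcookiename\"",
 "--rule.1.action=allow",
 "--rule.1.rule=PathPrefix(`/one`)",
@@ -61,6 +63,12 @@ func TestConfigParseArgs(t *testing.T) {
 Rule: "Host(`two.com`) && Path(`/two`)",
 },
 }, c.Rules)
+
+// Check cookie domain
+if assert.Len(c.CookieDomains, 2, "there must be 2 cookie domains") {
+assert.Equal("example.com", c.CookieDomains[0].Domain, "first cookie domain should be read from environment")
+assert.Equal("example2.com", c.CookieDomains[1].Domain, "second cookie domain should be read from environment")
+}
 }
 
 func TestConfigParseUnknownFlags(t *testing.T) {
@@ -116,6 +124,10 @@ func TestConfigParseIni(t *testing.T) {
 Rule: "Host(`two.com`) && Path(`/two`)",
 },
 }, c.Rules)
+if assert.Len(c.CookieDomains, 2, "there must be 2 cookie domains") {
+assert.Equal("example.com", c.CookieDomains[0].Domain, "first cookie domain should be read from environment")
+assert.Equal("example2.com", c.CookieDomains[1].Domain, "second cookie domain should be read from environment")
+}
 }
 
 func TestConfigParseEnvironment(t *testing.T) {
@@ -129,6 +141,31 @@ func TestConfigParseEnvironment(t *testing.T) {
 os.Unsetenv("COOKIE_NAME")
 }
 
+func TestConfigParseCookieDomainFromEnvironment(t *testing.T) {
+assert := assert.New(t)
+os.Setenv("COOKIE_DOMAIN", "example.com,example2.com")
+c, err := NewConfig([]string{})
+assert.Nil(err)
+
+if assert.Len(c.CookieDomains, 2, "there must be 2 cookie domains") {
+assert.Equal("example.com", c.CookieDomains[0].Domain, "first cookie domain should be read from environment")
+assert.Equal("example2.com", c.CookieDomains[1].Domain, "second cookie domain should be read from environment")
+}
+
+os.Unsetenv("COOKIE_DOMAIN")
+}
+
+func TestConfigParseScopeFromEnvironment(t *testing.T) {
+assert := assert.New(t)
+os.Setenv("SCOPE", "openid email")
+c, err := NewConfig([]string{})
+assert.Nil(err)
+
+assert.Equal([]string{"openid", "email"}, c.Scope, "scope array should be populated")
+
+os.Unsetenv("SCOPE")
+}
+
 func TestConfigTransformation(t *testing.T) {
 assert := assert.New(t)
 c, err := NewConfig([]string{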
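Review bot: The assertion messages added to TestConfigParseArgs and TestConfigParseIni say the cookie domain "should be read from environment", but those tests feed the domains through command-line flags and the ini file respectively, so a failure would point at the wrong source; `"first cookie domain should be read from args"` / `"... from the ini file"` would match what each test actually exercises. In the two new environment tests, `assert.Nil(err)` does not stop the test, so if NewConfig returns a nil config on error the following `c.CookieDomains` / `c.Scope` access panics and, because the `os.Unsetenv` at the end is never reached, COOKIE_DOMAIN or SCOPE stays set for every later test in the package. Replacing `os.Setenv("COOKIE_DOMAIN", "example.com,example2.com")` with `t.Setenv("COOKIE_DOMAIN", "example.com,example2.com")` (if the module's Go version is 1.17 or newer) restores the variable automatically and lets the trailing `os.Unsetenv` lines be dropped; otherwise a `defer os.Unsetenv(...)` right after the Setenv gives the same guarantee. The new scope test would also benefit from a case with a single scope and one with doubled spaces, since the space delimiter makes empty elements possible.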
8 changes: 4 additions & 4 deletions internal/handlers/server.go
Expand Up @@ -284,8 +284,8 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {

// Mapping scope
var scope []string
if s.config.Scope != "" {
scope = []string{s.config.Scope}
if len(s.config.Scope) > 0 {
scope = s.config.Scope
} else {
scope = []string{oidc.ScopeOpenID, "profile", "email", "groups"}
}
Expand Down Expand Up @@ -442,8 +442,8 @@ func (s *Server) authRedirect(logger *logrus.Entry, w http.ResponseWriter, r *ht

// Mapping scope
var scope []string
if s.config.Scope != "" {
scope = []string{s.config.Scope}
if len(s.config.Scope) > 0 {
scope = s.config.Scope
} else {
scope = []string{oidc.ScopeOpenID, "profile", "email", "groups"}
}
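Review bot: The same four-line scope mapping is edited in lockstep in AuthCallbackHandler (hunk at -284) and authRedirect (hunk at -442), and both now read `scope = s.config.Scope`, which aliases the configuration slice instead of copying it, so any later append or in-place edit by a caller would silently change the shared config; both enclosing functions start and end outside the hunks. Folding the mapping into one method that returns a copy keeps the two call sites identical and removes the aliasing. Because SCOPE is now split on a single space, a doubled space in the environment value would presumably yield an empty element that this code forwards to the provider unchanged (whether go-flags drops empties is not visible here); the helper is also the natural place to filter those.

```go
// scopes returns the configured OIDC scopes, or the default set when none are configured.
func (s *Server) scopes() []string {
	if len(s.config.Scope) > 0 {
		return append([]string(nil), s.config.Scope...)
	}
	return []string{oidc.ScopeOpenID, "profile", "email", "groups"}
}

// … in AuthCallbackHandler and authRedirect, replacing the "Mapping scope" blocks:
scope := s.scopes()
```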
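--- a/test/config0
+++ b/test/config0
@@ -3,3 +3,5 @@ csrf-cookie-name=inicsrfcookiename
 url-path=one
 rule.1.action=allow
 rule.1.rule=PathPrefix(`/one`)
+cookie-domain=example.com
+cookie-domain=example2.com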