Add --whitelist-prefix option to allowlist a path prefix

The existing --whitelist option only allows a fixed string; this one does a prefix match instead.
2023-12-20 14:58:55 -03:00 · 2023-12-20 14:58:55 -03:00 · 12d537b902
parent 5bb40a908f
commit 12d537b902
3 changed files with 9 additions and 2 deletions
--- a/config.go
+++ b/config.go
@ -23,6 +23,7 @@ type Config struct {
 	AllowGroups     StringSet
 	BasicAuth       string
 	Whitelist       string
 	WhitelistPrefix string
 	UsernameHeader  string
 	GroupsHeader    string
 	Timeout         time.Duration
@ -89,6 +90,7 @@ func ParseConfig() (*Config, error) {
 	c.AllowGroups = NewStringSet(*rc.AllowGroups)
 	c.BasicAuth = *rc.BasicAuth
 	c.Whitelist = *rc.Whitelist
 	c.WhitelistPrefix = *rc.WhitelistPrefix
 	c.UsernameHeader = *rc.UsernameHeader
 	c.GroupsHeader = *rc.GroupsHeader
 	c.Timeout = time.Duration(*rc.Timeout) * time.Second
@ -114,6 +116,7 @@ type rawConfig struct {
 	AllowGroups     *string
 	BasicAuth       *string
 	Whitelist       *string
 	WhitelistPrefix *string
 	UsernameHeader  *string
 	GroupsHeader    *string
 	Timeout         *int
@ -132,6 +135,7 @@ func parseRawConfig() *rawConfig {
 		AllowGroups:     flag.String("allow-groups", "", "Allow users belonging to the specified groups, comma delimited (default: no groups are allowed)"),
 		BasicAuth:       flag.String("basic-auth", "", "HTTP Basic authentication credentials to let through directly"),
 		Whitelist:       flag.String("whitelist", "", "Path which does not require authorization"),
 		WhitelistPrefix: flag.String("whitelist-prefix", "", "Prefix for paths which do not require authorization"),
 		UsernameHeader:  flag.String("username-header", "Discourse-User-Name", "Request header to pass authenticated username into"),
 		GroupsHeader:    flag.String("groups-header", "Discourse-User-Groups", "Request header to pass authenticated groups into"),
 		Timeout:         flag.Int("timeout", 10, "Read/write timeout (seconds)"),
--- a/main.go
+++ b/main.go
@ -129,11 +129,13 @@ func checkAuthorizationHeader(handler http.Handler, r *http.Request, w http.Resp
 }
 func checkWhitelist(handler http.Handler, r *http.Request, w http.ResponseWriter) bool {
-	if config.Whitelist == "" {
+	if config.Whitelist == "" && config.WhitelistPrefix == "" {
 		return false
 	}
-	if r.URL.Path == config.Whitelist {
+	prefixAllowed := len(config.WhitelistPrefix) > 0 && strings.HasPrefix(r.URL.Path, config.WhitelistPrefix)
 	if r.URL.Path == config.Whitelist || prefixAllowed {
 		handler.ServeHTTP(w, r)
 		return true
 	}
--- a/main_test.go
+++ b/main_test.go
@ -41,6 +41,7 @@ func NewTestConfig() Config {
 		AllowGroups:     NewStringSet(""),
 		BasicAuth:       "",
 		Whitelist:       "",
 		WhitelistPrefix: "",
 		UsernameHeader:  "username-header",
 		GroupsHeader:    "groups-header",
 		Timeout:         10,