Only restrict auth-proxy access to admin users if -admin-only flag is provided
This commit is contained in:
parent
cfa7d348a2
commit
abe0105423
|
@ -15,6 +15,8 @@ Usage of ./discourse-auth-proxy:
|
|||
-proxy-url="": outer url of this host eg: http://secrets.example.com
|
||||
-sso-secret="": SSO secret for origin
|
||||
-sso-url="": SSO endpoint eg: http://discourse.forum.com
|
||||
-admin-only: restrict access to "admin" users on the SSO endpoint
|
||||
|
||||
```
|
||||
|
||||
```
|
||||
|
@ -30,8 +32,6 @@ Usage of ./discourse-auth-proxy:
|
|||
+-----------+ +----------------------+
|
||||
```
|
||||
|
||||
At the moment only "admin" users on the sso endpoint will be allowed through.
|
||||
|
||||
Note: you may use ENV vars as well to pass configuration EG:
|
||||
|
||||
ORIGIN_URL=http://somesite.com PROXY_URL=http://listen.com SSO_SECRET="somesecret" SSO_URL="http://somediscourse.com" ./discourse-auth-proxy
|
||||
|
|
24
main.go
24
main.go
|
@ -6,9 +6,6 @@ import (
|
|||
"encoding/base64"
|
||||
"encoding/hex"
|
||||
"fmt"
|
||||
"github.com/pborman/uuid"
|
||||
"github.com/golang/groupcache/lru"
|
||||
"github.com/namsral/flag"
|
||||
"log"
|
||||
"net/http"
|
||||
"net/http/httputil"
|
||||
|
@ -16,6 +13,10 @@ import (
|
|||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/golang/groupcache/lru"
|
||||
"github.com/namsral/flag"
|
||||
"github.com/pborman/uuid"
|
||||
)
|
||||
|
||||
var nonceCache = lru.New(20)
|
||||
|
@ -27,6 +28,7 @@ func main() {
|
|||
originUriPtr := flag.String("origin-url", "", "origin to proxy eg: http://localhost:2002")
|
||||
ssoSecretPtr := flag.String("sso-secret", "", "SSO secret for origin")
|
||||
ssoUriPtr := flag.String("sso-url", "", "SSO endpoint eg: http://discourse.forum.com")
|
||||
adminOnlyPtr := flag.Bool("admin-only", false, "only allow discourse users with admin rights")
|
||||
|
||||
flag.Parse()
|
||||
|
||||
|
@ -66,7 +68,7 @@ func main() {
|
|||
|
||||
proxy := httputil.NewSingleHostReverseProxy(originUrl)
|
||||
|
||||
handler := redirectIfCookieMissing(proxy, *ssoSecretPtr, cookieSecret, *ssoUriPtr, *proxyUriPtr)
|
||||
handler := redirectIfCookieMissing(proxy, *ssoSecretPtr, cookieSecret, *ssoUriPtr, *proxyUriPtr, *adminOnlyPtr)
|
||||
|
||||
server := &http.Server{
|
||||
Addr: *listenUriPtr,
|
||||
|
@ -79,7 +81,7 @@ func main() {
|
|||
log.Fatal(server.ListenAndServe())
|
||||
}
|
||||
|
||||
func redirectIfCookieMissing(handler http.Handler, ssoSecret, cookieSecret, ssoUri, proxyHost string) http.Handler {
|
||||
func redirectIfCookieMissing(handler http.Handler, ssoSecret, cookieSecret, ssoUri, proxyHost string, adminOnly bool) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
cookie, err := r.Cookie("__discourse_proxy")
|
||||
|
||||
|
@ -111,7 +113,17 @@ func redirectIfCookieMissing(handler http.Handler, ssoSecret, cookieSecret, ssoU
|
|||
admin := parsedQuery["admin"]
|
||||
nonce := parsedQuery["nonce"]
|
||||
|
||||
if len(nonce) > 0 && len(admin) > 0 && len(username) > 0 && admin[0] == "true" {
|
||||
if len(nonce) > 0 && len(username) > 0 {
|
||||
|
||||
if adminOnly == true {
|
||||
if len(admin) < 1 || admin[0] != "true" {
|
||||
log.Println("Rejecting access to non-admin user ", username)
|
||||
w.Write([]byte(fmt.Sprintf("auth-proxy access is restricted to admin users, and %s is not an admin", username)))
|
||||
return
|
||||
}
|
||||
log.Println("Granting access to admin user ", username)
|
||||
}
|
||||
|
||||
returnUrl, err := getReturnUrl(ssoSecret, sso, sig, nonce[0])
|
||||
|
||||
if err != nil {
|
||||
|
|
Loading…
Reference in New Issue