This new setting allows you to add a list of comma-delimited groups to
the allow list.
Previous to this change auth proxy was able to authenticate admins OR
all users on the site, without any fidelity of allowing specific groups.
This also refactors the tests somewhat and adds a bunch of integration
tests to ensure the new setting is properly respected.
Co-authored-by: Saj Goonatilleke <saj@discourse.org>
It is occasionally useful to assert that our output was built with >=x
version of the Go compiler or linked against >=x version of the Go
standard library. While it is possible to make this assertion after the
fact -- say, by dumping the value of runtime.buildVersion with a
debugger -- it's usually much easier to inspect this file.
Use Form.Get() instead of [0].
Move important constants to constants.
Document some functions.
Eliminate a single-use one-line closure.
Avoid bare return when reasonable.
There are two distinct configuration layers in this program: the 'raw'
types provided by the flag library, and the 'validated' types we present
to the rest of the program. This commit makes that distinction clear,
and internalises some pointer muck from the flag lib.
The big change here is to support an extremely limited form of HTTP basic
auth, for those situations when you've got some subset of requests coming in
which still need to be authenticated, but which aren't able to authenticate
via Discourse SSO. The intended use case is for webhooks and other
programmatic access methods. It is not intended to be a fully-featured HTTP
auth method (it only supports a single hard-coded user/password pair), but
instead an extremely simplistic "escape hatch".
If you need more complicated HTTP authentication, you probably want to
install nginx and do some crazy proxy chain games. Best of luck to you with
that.
To avoid getting in the way of the SSO flow, the HTTP authentication is done
"blind"; that is, a `WWW-Authenticate` is never sent in a response. This
may get up the nose of some user agents, however I can't see an easy way
around this.
Allowing the username header to be changed to something other than
Discourse-User-Name is a smaller change, needed to support third-party
software which looks for the authenticated username in a different header,
and which can't be overridden without a hammer and chisel.
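As an added illustration (not the project's own code) of the "blind" basic-auth escape hatch and the configurable username header described in the last two commit messages: a Go middleware that checks the single hard-coded user/password pair in constant time, forwards the username in the configured header, and hands every other request to the SSO flow without ever emitting a `WWW-Authenticate` challenge. `BasicAuthConfig`, `CheckBasicAuth` and `BlindBasicAuth` are names assumed for this example.

```go
package main

import (
	"crypto/subtle"
	"net/http"
)

// BasicAuthConfig is an assumed, already-validated config type for this
// example (not the project's own). UserHeader defaults to Discourse-User-Name.
type BasicAuthConfig struct {
	Username   string
	Password   string
	UserHeader string
}

// CheckBasicAuth validates the request against the single hard-coded pair in
// constant time and returns the username on success.
func CheckBasicAuth(r *http.Request, cfg BasicAuthConfig) (string, bool) {
	user, pass, ok := r.BasicAuth()
	if !ok {
		return "", false
	}
	userOK := subtle.ConstantTimeCompare([]byte(user), []byte(cfg.Username)) == 1
	passOK := subtle.ConstantTimeCompare([]byte(pass), []byte(cfg.Password)) == 1
	return user, userOK && passOK
}

// BlindBasicAuth forwards to next with the authenticated username in the
// configured header. Anything else is handed to sso (the normal SSO flow); no
// WWW-Authenticate challenge is ever emitted, so browsers are never prompted.
func BlindBasicAuth(cfg BasicAuthConfig, next, sso http.Handler) http.Handler {
	header := cfg.UserHeader
	if header == "" {
		header = "Discourse-User-Name"
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, ok := CheckBasicAuth(r, cfg)
		if !ok {
			sso.ServeHTTP(w, r)
			return
		}
		r.Header.Set(header, user) // overwrite any client-supplied value
		next.ServeHTTP(w, r)
	})
}
```

Overwriting the username header before proxying matters: a client must not be able to impersonate another user by supplying `Discourse-User-Name` alongside valid webhook credentials.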