Make sis path configurable (oauth2-proxy#14)

vjacynycz · Sep 7, 2021 · ac90836 · ac90836
1 parent bfa7615
commit ac90836
Show file tree

Hide file tree

Showing 10 changed files with 18 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## 7.1.2 (June 15, 2021)
 
+* [EOS-5416] Make sis path configurable
 * [EOS-5112] Clear extra cookies whenever session cookie is removed
 * [EOS-5112] Use extra cookies info from request
 * Clear extra cookies on sign out

diff --git a/contrib/oauth2-proxy_autocomplete.sh b/contrib/oauth2-proxy_autocomplete.sh
@@ -24,7 +24,7 @@ _oauth2_proxy() {
 			COMPREPLY=( $(compgen -W 'X-Real-IP X-Forwarded-For X-ProxyUser-IP' -- ${cur}) )
 			return 0
 			;;
-		--@(http-address|https-address|redirect-url|upstream|basic-auth-password|skip-auth-regex|flush-interval|extra-jwt-issuers|email-domain|whitelist-domain|trusted-ip|keycloak-group|azure-tenant|bitbucket-team|bitbucket-repository|github-org|github-team|github-repo|github-token|gitlab-group|github-user|google-group|google-admin-email|google-service-account-json|client-id|client_secret|banner|footer|proxy-prefix|ping-path|cookie-name|cookie-secret|cookie-domain|cookie-path|cookie-expire|cookie-refresh|cookie-samesite|redist-sentinel-master-name|redist-sentinel-connection-urls|redist-cluster-connection-urls|logging-max-size|logging-max-age|logging-max-backups|standard-logging-format|request-logging-format|exclude-logging-paths|auth-logging-format|oidc-issuer-url|oidc-jwks-url|login-url|redeem-url|profile-url|resource|validate-url|scope|approval-prompt|signature-key|acr-values|jwt-key|pubjwk-url|sis-root-url|jwt-session-key|jwt-session-key-file))
+		--@(http-address|https-address|redirect-url|upstream|basic-auth-password|skip-auth-regex|flush-interval|extra-jwt-issuers|email-domain|whitelist-domain|trusted-ip|keycloak-group|azure-tenant|bitbucket-team|bitbucket-repository|github-org|github-team|github-repo|github-token|gitlab-group|github-user|google-group|google-admin-email|google-service-account-json|client-id|client_secret|banner|footer|proxy-prefix|ping-path|cookie-name|cookie-secret|cookie-domain|cookie-path|cookie-expire|cookie-refresh|cookie-samesite|redist-sentinel-master-name|redist-sentinel-connection-urls|redist-cluster-connection-urls|logging-max-size|logging-max-age|logging-max-backups|standard-logging-format|request-logging-format|exclude-logging-paths|auth-logging-format|oidc-issuer-url|oidc-jwks-url|login-url|redeem-url|profile-url|resource|validate-url|scope|sign-out-url|approval-prompt|signature-key|acr-values|jwt-key|pubjwk-url|sis-root-url|jwt-session-key|jwt-session-key-file))
 			return 0
 			;;
 	esac

diff --git a/docs/docs/configuration/overview.md b/docs/docs/configuration/overview.md
@@ -120,6 +120,7 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/
 | `--set-authorization-header` | bool | set Authorization Bearer response header (useful in Nginx auth_request mode) | false |
 | `--set-basic-auth` | bool | set HTTP Basic Auth information in response (useful in Nginx auth_request mode) | false |
 | `--show-debug-on-error` | bool | show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production) | false |
+| `--sign-out-url` | string | Sign out endpoint | |
 | `--signature-key` | string | GAP-Signature request signature key (algorithm:secretkey) | |
 | `--silence-ping-logging` | bool | disable logging of requests to ping endpoint | false |
 | `--skip-auth-preflight` | bool | will skip authentication for OPTIONS requests | false |

diff --git a/docs/versioned_docs/version-6.1.x/configuration/overview.md b/docs/versioned_docs/version-6.1.x/configuration/overview.md
@@ -374,7 +374,7 @@ Send a request like the one in the example below to the sis-api component:
 
 4. Launch `oauth2-proxy` with the following flags:
 
-`oauth2-proxy --provider=sis --client-id=local --client-secret=local --email-domain="*"  --redirect-url=http://127.0.0.1:4180 --provider-ca-file=sis-ca.crt --cookie-secure=false --sis-root-url=https://bootstrap.mike.hetzner.stratio.com:9005 --session-store-type=jwt --jwt-session-key-file=jwt-key`
+`oauth2-proxy --provider=sis --client-id=local --client-secret=local --email-domain="*"  --redirect-url=http://127.0.0.1:4180 --provider-ca-file=sis-ca.crt --cookie-secure=false --sis-root-url=https://bootstrap.mike.hetzner.stratio.com:9005/sso --session-store-type=jwt --jwt-session-key-file=jwt-key`
 
 This will launch a new proxy using the sis provider and jwt session storage.
 

diff --git a/docs/versioned_docs/version-7.1.x/configuration/overview.md b/docs/versioned_docs/version-7.1.x/configuration/overview.md
@@ -122,6 +122,7 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/
 | `--set-authorization-header` | bool | set Authorization Bearer response header (useful in Nginx auth_request mode) | false |
 | `--set-basic-auth` | bool | set HTTP Basic Auth information in response (useful in Nginx auth_request mode) | false |
 | `--show-debug-on-error` | bool | show detailed error information on error pages (WARNING: this may contain sensitive information - do not use in production) | false |
+| `--sign-out-url` | string | Sign out endpoint | |
 | `--signature-key` | string | GAP-Signature request signature key (algorithm:secretkey) | |
 | `--silence-ping-logging` | bool | disable logging of requests to ping endpoint | false |
 | `--skip-auth-preflight` | bool | will skip authentication for OPTIONS requests | false |

diff --git a/pkg/apis/options/options.go b/pkg/apis/options/options.go
@@ -94,6 +94,7 @@ type Options struct {
 	ProtectedResource                  string   `flag:"resource" cfg:"resource"`
 	ValidateURL                        string   `flag:"validate-url" cfg:"validate_url"`
 	Scope                              string   `flag:"scope" cfg:"scope"`
+	SignOutURL                         string   `flag:"sign-out-url" cfg:"sign_out_url"`
 	Prompt                             string   `flag:"prompt" cfg:"prompt"`
 	ApprovalPrompt                     string   `flag:"approval-prompt" cfg:"approval_prompt"` // Deprecated by OIDC 1.0
 	UserIDClaim                        string   `flag:"user-id-claim" cfg:"user_id_claim"`
@@ -232,6 +233,7 @@ func NewFlagSet() *pflag.FlagSet {
 	flagSet.String("resource", "", "The resource that is protected (Azure AD only)")
 	flagSet.String("validate-url", "", "Access token validation endpoint")
 	flagSet.String("scope", "", "OAuth scope specification")
+	flagSet.String("sign-out-url", "", "Sign out endpoint")
 	flagSet.String("prompt", "", "OIDC prompt")
 	flagSet.String("approval-prompt", "force", "OAuth approval_prompt")
 

diff --git a/pkg/validation/options.go b/pkg/validation/options.go
@@ -235,6 +235,7 @@ func parseProviderInfo(o *options.Options, msgs []string) []string {
 	p.RedeemURL, msgs = parseURL(o.RedeemURL, "redeem", msgs)
 	p.ProfileURL, msgs = parseURL(o.ProfileURL, "profile", msgs)
 	p.ValidateURL, msgs = parseURL(o.ValidateURL, "validate", msgs)
+	p.SignOutURL, msgs = parseURL(o.SignOutURL, "sign-out", msgs)
 	p.ProtectedResource, msgs = parseURL(o.ProtectedResource, "resource", msgs)
 
 	// Make the OIDC options available to all providers that support it

diff --git a/providers/__debug_bin b/providers/__debug_bin
diff --git a/providers/sis.go b/providers/sis.go
@@ -8,6 +8,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
+	"strings"
 	"time"
 
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
@@ -73,35 +74,37 @@ func NewSISProvider(p *ProviderData) *SISProvider {
 
 // Configure defaults the SISProvider configuration options
 func (p *SISProvider) Configure(rootURL *url.URL) {
+	fmt.Println(rootURL.String())
+	basePath := strings.TrimSuffix(rootURL.Path, "/")
 	if p.LoginURL.String() == sisDefaultLoginURL.String() {
 		p.LoginURL = &url.URL{
 			Scheme: rootURL.Scheme,
 			Host:   rootURL.Host,
-			Path:   "/sso/oauth2.0/authorize",
+			Path:   basePath + "/oauth2.0/authorize",
 		}
 	}
 
 	if p.RedeemURL.String() == sisDefaultRedeemURL.String() {
 		p.RedeemURL = &url.URL{
 			Scheme: rootURL.Scheme,
 			Host:   rootURL.Host,
-			Path:   "/sso/oauth2.0/accessToken",
+			Path:   basePath + "/oauth2.0/accessToken",
 		}
 	}
 
 	if p.ProfileURL.String() == sisDefaultProfileURL.String() {
 		p.ProfileURL = &url.URL{
 			Scheme: rootURL.Scheme,
 			Host:   rootURL.Host,
-			Path:   "/sso/oauth2.0/profile",
+			Path:   basePath + "/oauth2.0/profile",
 		}
 	}
 
 	if p.SignOutURL.String() == sisDefaultSignOutURL.String() {
 		p.SignOutURL = &url.URL{
 			Scheme: rootURL.Scheme,
 			Host:   rootURL.Host,
-			Path:   "/sso/logout",
+			Path:   basePath + "/logout",
 		}
 	}
 }
@@ -127,6 +130,7 @@ func (p *SISProvider) Redeem(ctx context.Context, redirectURL, code string) (s *
 		params.Add("resource", p.ProtectedResource.String())
 	}
 
+	fmt.Println(p.RedeemURL.String())
 	result := requests.New(p.RedeemURL.String()).
 		WithContext(ctx).
 		WithMethod("POST").

diff --git a/providers/sis_test.go b/providers/sis_test.go
@@ -62,7 +62,7 @@ func TestSISProviderRedeem(t *testing.T) {
 	})
 	defer b.Close()
 
-	bURL, _ := url.Parse(b.URL)
+	bURL, _ := url.Parse(b.URL + "/sso")
 	p := testSISProvider(bURL)
 	s, err := p.Redeem(context.Background(), "imaginary_redirect_url", "imaginary_code")
 	assert.NoError(t, err)
@@ -78,7 +78,7 @@ func TestSISProviderEnrichSession(t *testing.T) {
 	})
 	defer b.Close()
 
-	bURL, _ := url.Parse(b.URL)
+	bURL, _ := url.Parse(b.URL + "/sso")
 	p := testSISProvider(bURL)
 	s := CreateAuthorizedSession()
 	err := p.EnrichSession(context.Background(), s)