Add more v2 tests + fixes + improve legacy config parsing

2019-04-18 15:07:39 +01:00 · 2019-04-18 15:07:39 +01:00 · 6968f6181b
commit 6968f6181b
parent 5597b7268b
13 changed files with 538 additions and 407 deletions
--- a/11
+++ b/11
@ -1,20 +1,15 @@
-FROM golang:1.10-alpine as builder
+FROM golang:1.12-alpine as builder

 # Setup
 RUN mkdir -p /go/src/github.com/thomseddon/traefik-forward-auth
 WORKDIR /go/src/github.com/thomseddon/traefik-forward-auth

 # Add libraries
-RUN apk add --no-cache git && \
-  go get "github.com/BurntSushi/toml" && \
-  go get "github.com/gorilla/mux" && \
-  go get "github.com/namsral/flag" && \
-  go get "github.com/sirupsen/logrus" && \
-  apk del git
+RUN apk add --no-cache git

 # Copy & build
 ADD . /go/src/github.com/thomseddon/traefik-forward-auth/
-RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix nocgo -o /traefik-forward-auth .
+RUN CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build -a -installsuffix nocgo -o /traefik-forward-auth github.com/thomseddon/traefik-forward-auth/cmd

 # Copy into scratch container
 FROM scratch
--- a/cmd/main_test.go
+++ b/cmd/main_test.go
@ -1,13 +0,0 @@
-package main
-
-// import (
-// 	"testing"
-// )
-
-/**
- * Tests
- */
-
-// func TestMain(t *testing.T) {
-
-// }
--- a/internal/auth.go
+++ b/internal/auth.go
@ -164,7 +164,7 @@ func MakeCookie(r *http.Request, email string) *http.Cookie {
 		Path:     "/",
 		Domain:   cookieDomain(r),
 		HttpOnly: true,
-		Secure:   !config.CookieInsecure,
+		Secure:   !config.InsecureCookie,
 		Expires:  expires,
 	}
 }
@ -177,7 +177,7 @@ func MakeCSRFCookie(r *http.Request, nonce string) *http.Cookie {
 		Path:     "/",
 		Domain:   csrfCookieDomain(r),
 		HttpOnly: true,
-		Secure:   !config.CookieInsecure,
+		Secure:   !config.InsecureCookie,
 		Expires:  cookieExpiry(),
 	}
 }
@ -190,7 +190,7 @@ func ClearCSRFCookie(r *http.Request) *http.Cookie {
 		Path:     "/",
 		Domain:   csrfCookieDomain(r),
 		HttpOnly: true,
-		Secure:   !config.CookieInsecure,
+		Secure:   !config.InsecureCookie,
 		Expires:  time.Now().Local().Add(time.Hour * -1),
 	}
 }
@ -325,5 +325,9 @@ func (c *CookieDomains) UnmarshalFlag(value string) error {
 }

 func (c *CookieDomains) MarshalFlag() (string, error) {
-	return fmt.Sprintf("%+v", *c), nil
+	var domains []string
+	for _, d := range *c {
+		domains = append(domains, d.Domain)
+	}
+	return strings.Join(domains, ","), nil
 }
--- a/internal/auth_test.go
+++ b/internal/auth_test.go
@ -5,26 +5,19 @@ import (
 	"net/http"
 	"net/url"
 	"reflect"
+	"strings"
 	"testing"
 	"time"

 	"github.com/thomseddon/traefik-forward-auth/internal/provider"
 )

-/**
- * Setup
- */
-
-func init() {
-	// fw = &ForwardAuth{}
-}
-
 /**
 * Tests
 */

-func TestValidateCookie(t *testing.T) {
-	config = Config{}
+func TestAuthValidateCookie(t *testing.T) {
+	config, _ = NewConfig([]string{})
 	r, _ := http.NewRequest("GET", "http://example.com", nil)
 	c := &http.Cookie{}

@ -75,8 +68,8 @@ func TestValidateCookie(t *testing.T) {
 	}
 }

-func TestValidateEmail(t *testing.T) {
-	config = Config{}
+func TestAuthValidateEmail(t *testing.T) {
+	config, _ = NewConfig([]string{})

 	// Should allow any
 	if !ValidateEmail("test@test.com") || !ValidateEmail("one@two.com") {
@ -110,28 +103,28 @@ func TestValidateEmail(t *testing.T) {
 	}
 }

-func TestGetLoginURL(t *testing.T) {
+// TODO: Split google tests out
+func TestAuthGetLoginURL(t *testing.T) {
+	google := provider.Google{
+		ClientId:     "idtest",
+		ClientSecret: "sectest",
+		Scope:        "scopetest",
+		Prompt:       "consent select_account",
+		LoginURL: &url.URL{
+			Scheme: "https",
+			Host:   "test.com",
+			Path:   "/auth",
+		},
+	}
+
+	config, _ = NewConfig([]string{})
+	config.Providers.Google = google
+
 	r, _ := http.NewRequest("GET", "http://example.com", nil)
 	r.Header.Add("X-Forwarded-Proto", "http")
 	r.Header.Add("X-Forwarded-Host", "example.com")
 	r.Header.Add("X-Forwarded-Uri", "/hello")

-	config = Config{
-		Path: "/_oauth",
-		Providers: provider.Providers{
-			Google: provider.Google{
-				ClientId:     "idtest",
-				ClientSecret: "sectest",
-				Scope:        "scopetest",
-				LoginURL: &url.URL{
-					Scheme: "https",
-					Host:   "test.com",
-					Path:   "/auth",
-				},
-			},
-		},
-	}
-
 	// Check url
 	uri, err := url.Parse(GetLoginURL(r, "nonce"))
 	if err != nil {
@ -154,6 +147,7 @@ func TestGetLoginURL(t *testing.T) {
 		"redirect_uri":  []string{"http://example.com/_oauth"},
 		"response_type": []string{"code"},
 		"scope":         []string{"scopetest"},
+		"prompt":        []string{"consent select_account"},
 		"state":         []string{"nonce:http://example.com/hello"},
 	}
 	if !reflect.DeepEqual(qs, expectedQs) {
@ -166,23 +160,9 @@ func TestGetLoginURL(t *testing.T) {
 	// With Auth URL but no matching cookie domain
 	// - will not use auth host
 	//
-	config = Config{
-		Path:     "/_oauth",
-		AuthHost: "auth.example.com",
-		Providers: provider.Providers{
-			Google: provider.Google{
-				ClientId:     "idtest",
-				ClientSecret: "sectest",
-				Scope:        "scopetest",
-				Prompt:       "consent select_account",
-				LoginURL: &url.URL{
-					Scheme: "https",
-					Host:   "test.com",
-					Path:   "/auth",
-				},
-			},
-		},
-	}
+	config, _ = NewConfig([]string{})
+	config.AuthHost = "auth.example.com"
+	config.Providers.Google = google

 	// Check url
 	uri, err = url.Parse(GetLoginURL(r, "nonce"))
@ -218,25 +198,10 @@ func TestGetLoginURL(t *testing.T) {
 	//
 	// With correct Auth URL + cookie domain
 	//
-	cookieDomain := NewCookieDomain("example.com")
-	config = Config{
-		Path:          "/_oauth",
-		AuthHost:      "auth.example.com",
-		CookieDomains: []CookieDomain{*cookieDomain},
-		Providers: provider.Providers{
-			Google: provider.Google{
-				ClientId:     "idtest",
-				ClientSecret: "sectest",
-				Scope:        "scopetest",
-				Prompt:       "consent select_account",
-				LoginURL: &url.URL{
-					Scheme: "https",
-					Host:   "test.com",
-					Path:   "/auth",
-				},
-			},
-		},
-	}
+	config, _ = NewConfig([]string{})
+	config.AuthHost = "auth.example.com"
+	config.CookieDomains = []CookieDomain{*NewCookieDomain("example.com")}
+	config.Providers.Google = google

 	// Check url
 	uri, err = url.Parse(GetLoginURL(r, "nonce"))
@ -317,19 +282,59 @@ func TestGetLoginURL(t *testing.T) {
 }

 // TODO
-// func TestExchangeCode(t *testing.T) {
+// func TestAuthExchangeCode(t *testing.T) {
 // }

 // TODO
-// func TestGetUser(t *testing.T) {
+// func TestAuthGetUser(t *testing.T) {
 // }

-// TODO? Tested in TestValidateCookie
-// func TestMakeCookie(t *testing.T) {
-// }
+func TestAuthMakeCookie(t *testing.T) {
+	config, _ = NewConfig([]string{})
+	r, _ := http.NewRequest("GET", "http://app.example.com", nil)
+	r.Header.Add("X-Forwarded-Host", "app.example.com")

-func TestMakeCSRFCookie(t *testing.T) {
-	config = Config{}
+	c := MakeCookie(r, "test@example.com")
+	if c.Name != "_forward_auth" {
+		t.Error("Cookie name should be \"_forward_auth\", got:", c.Name)
+	}
+	parts := strings.Split(c.Value, "|")
+	if len(parts) != 3 {
+		t.Error("Cookie should be in 3 parts, got:", c.Value)
+	}
+	valid, _, _ := ValidateCookie(r, c)
+	if !valid {
+		t.Error("Should generate valid cookie:", c.Value)
+	}
+	if c.Path != "/" {
+		t.Error("Cookie path should be \"/\", got:", c.Path)
+	}
+	if c.Domain != "app.example.com" {
+		t.Error("Cookie domain should be \"app.example.com\", got:", c.Domain)
+	}
+	if c.Secure != true {
+		t.Error("Cookie domain should be true, got:", c.Secure)
+	}
+	if !c.Expires.After(time.Now().Local()) {
+		t.Error("Expires should be after now, got:", c.Expires)
+	}
+	if !c.Expires.Before(time.Now().Local().Add(config.Lifetime).Add(10 * time.Second)) {
+		t.Error("Expires should be before lifetime + 10 seconds, got:", c.Expires)
+	}
+
+	config.CookieName = "testname"
+	config.InsecureCookie = true
+	c = MakeCookie(r, "test@example.com")
+	if c.Name != "testname" {
+		t.Error("Cookie name should be \"testname\", got:", c.Name)
+	}
+	if c.Secure != false {
+		t.Error("Cookie domain should be false, got:", c.Secure)
+	}
+}
+
+func TestAuthMakeCSRFCookie(t *testing.T) {
+	config, _ = NewConfig([]string{})
 	r, _ := http.NewRequest("GET", "http://app.example.com", nil)
 	r.Header.Add("X-Forwarded-Host", "app.example.com")

@ -340,9 +345,8 @@ func TestMakeCSRFCookie(t *testing.T) {
 	}

 	// With cookie domain but no auth url
-	cookieDomain := NewCookieDomain("example.com")
 	config = Config{
-		CookieDomains: []CookieDomain{*cookieDomain},
+		CookieDomains: []CookieDomain{*NewCookieDomain("example.com")},
 	}
 	c = MakeCSRFCookie(r, "12345678901234567890123456789012")
 	if c.Domain != "app.example.com" {
@ -352,7 +356,7 @@ func TestMakeCSRFCookie(t *testing.T) {
 	// With cookie domain and auth url
 	config = Config{
 		AuthHost:      "auth.example.com",
-		CookieDomains: []CookieDomain{*cookieDomain},
+		CookieDomains: []CookieDomain{*NewCookieDomain("example.com")},
 	}
 	c = MakeCSRFCookie(r, "12345678901234567890123456789012")
 	if c.Domain != "example.com" {
@ -360,8 +364,8 @@ func TestMakeCSRFCookie(t *testing.T) {
 	}
 }

-func TestClearCSRFCookie(t *testing.T) {
-	config = Config{}
+func TestAuthClearCSRFCookie(t *testing.T) {
+	config, _ = NewConfig([]string{})
 	r, _ := http.NewRequest("GET", "http://example.com", nil)

 	c := ClearCSRFCookie(r)
@ -370,8 +374,8 @@ func TestClearCSRFCookie(t *testing.T) {
 	}
 }

-func TestValidateCSRFCookie(t *testing.T) {
-	config = Config{}
+func TestAuthValidateCSRFCookie(t *testing.T) {
+	config, _ = NewConfig([]string{})
 	c := &http.Cookie{}

 	newCsrfRequest := func(state string) *http.Request {
@ -416,7 +420,7 @@ func TestValidateCSRFCookie(t *testing.T) {
 	}
 }

-func TestNonce(t *testing.T) {
+func TestAuthNonce(t *testing.T) {
 	err, nonce1 := Nonce()
 	if err != nil {
 		t.Error("Error generation nonce:", err)
@ -435,7 +439,7 @@ func TestNonce(t *testing.T) {
 	}
 }

-func TestCookieDomainMatch(t *testing.T) {
+func TestAuthCookieDomainMatch(t *testing.T) {
 	cd := NewCookieDomain("example.com")

 	// Exact should match
@ -458,3 +462,29 @@ func TestCookieDomainMatch(t *testing.T) {
 		t.Error("Other domain should not match")
 	}
 }
+
+func TestAuthCookieDomains(t *testing.T) {
+	cds := CookieDomains{}
+
+	err := cds.UnmarshalFlag("one.com,two.org")
+	if err != nil {
+		t.Error(err)
+	}
+	if len(cds) != 2 {
+		t.Error("Expected UnmarshalFlag to provide 2 CookieDomains, got", cds)
+	}
+	if cds[0].Domain != "one.com" || cds[0].SubDomain != ".one.com" {
+		t.Error("Expected UnmarshalFlag to provide one.com, got", cds[0])
+	}
+	if cds[1].Domain != "two.org" || cds[1].SubDomain != ".two.org" {
+		t.Error("Expected UnmarshalFlag to provide two.org, got", cds[1])
+	}
+
+	marshal, err := cds.MarshalFlag()
+	if err != nil {
+		t.Error(err)
+	}
+	if marshal != "one.com,two.org" {
+		t.Error("Expected MarshalFlag to provide \"one.com,two.org\", got", cds)
+	}
+}
--- a/internal/config.go
+++ b/internal/config.go
@ -1,10 +1,14 @@
 package tfa

 import (
+	"bytes"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"io"
+	"io/ioutil"
 	"os"
+	"regexp"
 	"strconv"
 	"strings"
 	"time"
@ -16,48 +20,41 @@ import (
 var config Config

 type Config struct {
-	LogLevel  string `long:"log-level" default:"warn" description:"Log level: trace, debug, info, warn, error, fatal, panic"`
-	LogFormat string `long:"log-format" default:"text" description:"Log format: text, json, pretty"`
+	LogLevel  string `long:"log-level" env:"LOG_LEVEL" default:"warn" choice:"trace" choice:"debug" choice:"info" choice:"warn" choice:"error" choice:"fatal" choice:"panic" description:"Log level"`
+	LogFormat string `long:"log-format"  env:"LOG_FORMAT" default:"text" choice:"text" choice:"json" choice:"pretty" description:"Log format"`

-	AuthHost       string             `long:"auth-host" description:"Host for central auth login"`
-	ConfigFile     string             `long:"config-file" description:"Config File"`
-	CookieDomains  CookieDomains      `long:"cookie-domains" description:"Comma separated list of cookie domains"`
-	CookieInsecure bool               `long:"cookie-insecure" description:"Use secure cookies"`
-	CookieName     string             `long:"cookie-name" default:"_forward_auth" description:"Cookie Name"`
-	CSRFCookieName string             `long:"csrf-cookie-name" default:"_forward_auth_csrf" description:"CSRF Cookie Name"`
-	DefaultAction  string             `long:"default-action" default:"allow" description:"Default Action"`
-	Domains        CommaSeparatedList `long:"domains" description:"Comma separated list of email domains to allow"`
-	LifetimeString int                `long:"lifetime" default:"43200" description:"Lifetime in seconds"`
-	Path           string             `long:"path" default:"_oauth" description:"Callback URL Path"`
-	SecretString   string             `long:"secret" description:"*Secret used for signing (required)"`
-	Whitelist      CommaSeparatedList `long:"whitelist" description:"Comma separated list of email addresses to allow"`
+	AuthHost       string               `long:"auth-host" env:"AUTH_HOST" description:"Host for central auth login"`
+	Config         func(s string) error `long:"config" env:"CONFIG" description:"Config file"`
+	CookieDomains  CookieDomains        `long:"cookie-domains" env:"COOKIE_DOMAINS" description:"Comma separated list of cookie domains"`
+	InsecureCookie bool                 `long:"insecure-cookie" env:"INSECURE_COOKIE" description:"Use insecure cookies"`
+	CookieName     string               `long:"cookie-name" env:"COOKIE_NAME" default:"_forward_auth" description:"Cookie Name"`
+	CSRFCookieName string               `long:"csrf-cookie-name" env:"CSRF_COOKIE_NAME" default:"_forward_auth_csrf" description:"CSRF Cookie Name"`
+	DefaultAction  string               `long:"default-action" env:"DEFAULT_ACTION" default:"auth" choice:"auth" choice:"allow" description:"Default Action"`
+	Domains        CommaSeparatedList   `long:"domains" env:"DOMAINS" description:"Comma separated list of email domains to allow"`
+	LifetimeString int                  `long:"lifetime" env:"LIFETIME" default:"43200" description:"Lifetime in seconds"`
+	Path           string               `long:"url-path" env:"URL_PATH" default:"_oauth" description:"Callback URL Path"`
+	SecretString   string               `long:"secret" env:"SECRET" description:"*Secret used for signing (required)"`
+	Whitelist      CommaSeparatedList   `long:"whitelist" env:"WHITELIST" description:"Comma separated list of email addresses to allow"`

-	Providers provider.Providers
-	Rules     map[string]*Rule `long:"rule"`
+	Providers provider.Providers `group:"providers" namespace:"providers" env-namespace:"PROVIDERS"`
+	Rules     map[string]*Rule `long:"rules.<name>.<param>" description:"Rule definitions, see docs, param can be: \"action\", \"rule\""`

+	// Filled during transformations
 	Secret   []byte
 	Lifetime time.Duration

-	Prompt string `long:"prompt" description:"DEPRECATED - Use providers.google.prompt"`
-	// TODO: Need to mimick the default behaviour of bool flags
-	CookieSecure string `long:"cookie-secure" default:"true" description:"DEPRECATED - Use \"cookie-insecure\""`
-
-	flags     []string
-	usingToml bool
+	// Legacy
+	ClientIdLegacy     string `long:"client-id" env:"CLIENT_ID" group:"DEPs" description:"DEPRECATED - Use \"providers.google.client-id\""`
+	ClientSecretLegacy string `long:"client-secret" env:"CLIENT_SECRET" description:"DEPRECATED - Use \"providers.google.client-id\""`
+	PromptLegacy       string `long:"prompt" env:"PROMPT" description:"DEPRECATED - Use \"providers.google.prompt\""`
+	CookieSecureLegacy string `long:"cookie-secure" env:"COOKIE_SECURE" namespace:"DERPS" description:"DEPRECATED - Use \"insecure-cookie\""`
 }

-// TODO:
-// - parse ini
-// - parse env vars
-// - parse env var file
-// - support multiple config files
-// - maintain backwards compat
-
 func NewGlobalConfig() Config {
 	var err error
 	config, err = NewConfig(os.Args[1:])
 	if err != nil {
-		fmt.Printf("startup error: %+v", err)
+		fmt.Printf("%+v\n", err)
 		os.Exit(1)
 	}

@ -74,7 +71,28 @@ func NewConfig(args []string) (Config, error) {
 		return c, err
 	}

-	// Struct defaults
+	// TODO: as log flags have now been parsed maybe we should return here so
+	// any further errors can be logged via logrus instead of printed?
+
+	// Backwards compatability
+	if c.ClientIdLegacy != "" {
+		c.Providers.Google.ClientId = c.ClientIdLegacy
+	}
+	if c.ClientSecretLegacy != "" {
+		c.Providers.Google.ClientSecret = c.ClientSecretLegacy
+	}
+	if c.PromptLegacy != "" {
+		c.Providers.Google.Prompt = c.PromptLegacy
+	}
+	if c.CookieSecureLegacy != "" {
+		secure, err := strconv.ParseBool(c.CookieSecureLegacy)
+		if err != nil {
+			return c, err
+		}
+		c.InsecureCookie = !secure
+	}
+
+	// Provider defaults
 	c.Providers.Google.Build()

 	// Transformations
@ -82,25 +100,35 @@ func NewConfig(args []string) (Config, error) {
 	c.Secret = []byte(c.SecretString)
 	c.Lifetime = time.Second * time.Duration(c.LifetimeString)

-	// TODO: Backwards compatability
-	// "secret" used to be "cookie-secret"
-
 	return c, nil
 }

 func (c *Config) parseFlags(args []string) error {
-	parser := flags.NewParser(c, flags.Default)
-	parser.UnknownOptionHandler = c.parseUnknownFlag
+	p := flags.NewParser(c, flags.Default)
+	p.UnknownOptionHandler = c.parseUnknownFlag

-	_, err := parser.ParseArgs(args)
-	if err != nil {
-		flagsErr, ok := err.(*flags.Error)
-		if ok && flagsErr.Type == flags.ErrHelp {
-			// Library has just printed cli help
-			os.Exit(0)
-		} else {
-			return err
+	i := flags.NewIniParser(p)
+	c.Config = func(s string) error {
+		// Try parsing at as an ini
+		err := i.ParseFile(s)
+
+		// If it fails with a syntax error, try converting legacy to ini
+		if err != nil && strings.Contains(err.Error(), "malformed key=value") {
+			converted, convertErr := convertLegacyToIni(s)
+			if convertErr != nil {
+				// If conversion fails, return the original error
+				return err
+			}
+
+			return i.Parse(converted)
 		}
+
+		return err
+	}
+
+	_, err := p.ParseArgs(args)
+	if err != nil {
+		return handlFlagError(err)
 	}

 	return nil
@ -139,7 +167,7 @@ func (c *Config) parseUnknownFlag(option string, arg flags.SplitArgument, args [
 		}

 		// Add param value to rule
-		switch(parts[2]) {
+		switch parts[2] {
 		case "action":
 			rule.Action = val
 		case "rule":
@ -156,6 +184,27 @@ func (c *Config) parseUnknownFlag(option string, arg flags.SplitArgument, args [
 	return args, nil
 }

+func handlFlagError(err error) error {
+	flagsErr, ok := err.(*flags.Error)
+	if ok && flagsErr.Type == flags.ErrHelp {
+		// Library has just printed cli help
+		os.Exit(0)
+	}
+
+	return err
+}
+
+var legacyFileFormat = regexp.MustCompile(`^([a-z-]+) ([\w\W]+)$`)
+
+func convertLegacyToIni(name string) (io.Reader, error) {
+	b, err := ioutil.ReadFile(name)
+	if err != nil {
+		return nil, err
+	}
+
+	return bytes.NewReader(legacyFileFormat.ReplaceAll(b, []byte("$1=$2"))), nil
+}
+
 func (c *Config) Validate() {
 	// Check for show stopper errors
 	if len(c.Secret) == 0 {
@ -185,7 +234,7 @@ type Rule struct {

 func NewRule() *Rule {
 	return &Rule{
-		Action: "auth",
+		Action:   "auth",
 		Provider: "google", // TODO: Use default provider
 	}
 }
@ -201,32 +250,6 @@ func (r *Rule) Validate() {
 	}
 }

-func (r *Rule) UnmarshalFlag(value string) error {
-	// Format is "action:rule"
-	parts := strings.SplitN(value, ":", 2)
-
-	if len(parts) != 2 {
-		return errors.New("invalid rule format, should be \"action:rule\"")
-	}
-
-	if parts[0] != "auth" && parts[0] != "allow" {
-		return errors.New("invalid rule action, must be \"auth\" or \"allow\"")
-	}
-
-	// Parse rule
-	*r = Rule{
-		Action: parts[0],
-		Rule:   parts[1],
-	}
-
-	return nil
-}
-
-func (r *Rule) MarshalFlag() (string, error) {
-	// TODO: format correctly
-	return fmt.Sprintf("%+v", *r), nil
-}
-
 type CommaSeparatedList []string

 func (c *CommaSeparatedList) UnmarshalFlag(value string) error {
--- a/internal/config_test.go
+++ b/internal/config_test.go
@ -1,6 +1,8 @@
 package tfa

 import (
+	"bytes"
+	"os"
 	"testing"
 	"time"
 )
@ -26,14 +28,11 @@ func TestConfigDefaults(t *testing.T) {
 	if c.AuthHost != "" {
 		t.Error("AuthHost default should be empty, got", c.AuthHost)
 	}
-	if c.ConfigFile != "" {
-		t.Error("ConfigFile default should be empty, got", c.ConfigFile)
-	}
 	if len(c.CookieDomains) != 0 {
 		t.Error("CookieDomains default should be empty, got", c.CookieDomains)
 	}
-	if c.CookieInsecure != false {
-		t.Error("CookieInsecure default should be false, got", c.CookieInsecure)
+	if c.InsecureCookie != false {
+		t.Error("InsecureCookie default should be false, got", c.InsecureCookie)
 	}
 	if c.CookieName != "_forward_auth" {
 		t.Error("CookieName default should be _forward_auth, got", c.CookieName)
@ -41,13 +40,13 @@ func TestConfigDefaults(t *testing.T) {
 	if c.CSRFCookieName != "_forward_auth_csrf" {
 		t.Error("CSRFCookieName default should be _forward_auth_csrf, got", c.CSRFCookieName)
 	}
-	if c.DefaultAction != "allow" {
-		t.Error("DefaultAction default should be allow, got", c.DefaultAction)
+	if c.DefaultAction != "auth" {
+		t.Error("DefaultAction default should be auth, got", c.DefaultAction)
 	}
 	if len(c.Domains) != 0 {
 		t.Error("Domain default should be empty, got", c.Domains)
 	}
-	if c.Lifetime != time.Second * time.Duration(43200) {
+	if c.Lifetime != time.Second*time.Duration(43200) {
 		t.Error("Lifetime default should be 43200, got", c.Lifetime)
 	}
 	if c.Path != "/_oauth" {
@ -60,17 +59,12 @@ func TestConfigDefaults(t *testing.T) {
 	if c.Providers.Google.Prompt != "" {
 		t.Error("Providers.Google.Prompt default should be empty, got", c.Providers.Google.Prompt)
 	}
-
-	// Deprecated options
-	if c.CookieSecure != "true" {
-		t.Error("CookieSecure default should be true, got", c.CookieSecure)
-	}
 }

-func TestConfigParseFlags(t *testing.T) {
+func TestConfigParseArgs(t *testing.T) {
 	c, err := NewConfig([]string{
-		"--path=_oauthpath",
-		"--cookie-name", "\"cookiename\"",
+		"--cookie-name=cookiename",
+		"--csrf-cookie-name", "\"csrfcookiename\"",
 		"--rule.1.action=allow",
 		"--rule.1.rule=PathPrefix(`/one`)",
 		"--rule.two.action=auth",
@ -81,12 +75,12 @@ func TestConfigParseFlags(t *testing.T) {
 	}

 	// Check normal flags
-	if c.Path != "/_oauthpath" {
-		t.Error("Path default should be /_oauthpath, got", c.Path)
-	}
 	if c.CookieName != "cookiename" {
 		t.Error("CookieName default should be cookiename, got", c.CookieName)
 	}
+	if c.CSRFCookieName != "csrfcookiename" {
+		t.Error("CSRFCookieName default should be csrfcookiename, got", c.CSRFCookieName)
+	}

 	// Check rules
 	if len(c.Rules) != 2 {
@ -124,23 +118,152 @@ func TestConfigParseFlags(t *testing.T) {
 	}
 }

-// func TestConfigParseUnknownFlags(t *testing.T) {
-// 	c := NewConfig([]string{
-// 		"--unknown=_oauthpath",
-// 	})
+func TestConfigParseUnknownFlags(t *testing.T) {
+	_, err := NewConfig([]string{
+		"--unknown=_oauthpath2",
+	})
+	if err.Error() != "unknown flag: unknown" {
+		t.Error("Error should be \"unknown flag: unknown\", got:", err)
+	}
+}

-// }
+func TestConfigFlagBackwardsCompatability(t *testing.T) {
+	c, err := NewConfig([]string{
+		"--client-id=clientid",
+		"--client-secret=verysecret",
+		"--prompt=prompt",
+		"--lifetime=200",
+		"--cookie-secure=false",
+	})
+	if err != nil {
+		t.Error(err)
+	}

-// func TestConfigToml(t *testing.T) {
-//   logrus.SetLevel(logrus.DebugLevel)
-//   flag.CommandLine = flag.NewFlagSet("tfa-test", flag.ContinueOnError)
+	if c.ClientIdLegacy != "clientid" {
+		t.Error("ClientIdLegacy should be clientid, got", c.ClientIdLegacy)
+	}
+	if c.Providers.Google.ClientId != "clientid" {
+		t.Error("Providers.Google.ClientId should be clientid, got", c.Providers.Google.ClientId)
+	}
+	if c.ClientSecretLegacy != "verysecret" {
+		t.Error("ClientSecretLegacy should be verysecret, got", c.ClientSecretLegacy)
+	}
+	if c.Providers.Google.ClientSecret != "verysecret" {
+		t.Error("Providers.Google.ClientSecret should be verysecret, got", c.Providers.Google.ClientSecret)
+	}
+	if c.PromptLegacy != "prompt" {
+		t.Error("PromptLegacy should be prompt, got", c.PromptLegacy)
+	}
+	if c.Providers.Google.Prompt != "prompt" {
+		t.Error("Providers.Google.Prompt should be prompt, got", c.Providers.Google.Prompt)
+	}

-//   flags := []string{
-//     "-config=../test/config.toml",
-//   }
-//   c := NewDefaultConfigWithFlags(flags)
+	// "cookie-secure" used to be a standard go bool flag that could take
+	// true, TRUE, 1, false, FALSE, 0 etc. values.
+	// Here we're checking that format is still suppoted
+	if c.CookieSecureLegacy != "false" || c.InsecureCookie != true {
+		t.Error("Setting cookie-secure=false should set InsecureCookie true, got", c.InsecureCookie)
+	}
+	c, err = NewConfig([]string{"--cookie-secure=TRUE"})
+	if err != nil {
+		t.Error(err)
+	}
+	if c.CookieSecureLegacy != "TRUE" || c.InsecureCookie != false {
+		t.Error("Setting cookie-secure=TRUE should set InsecureCookie false, got", c.InsecureCookie)
+	}
+}

-//   if c == nil {
-//     t.Error(c)
-//   }
-// }
+func TestConfigParseIni(t *testing.T) {
+	c, err := NewConfig([]string{
+		"--config=../test/config0",
+		"--config=../test/config1",
+		"--csrf-cookie-name=csrfcookiename",
+	})
+	if err != nil {
+		t.Error(err)
+	}
+
+	if c.CookieName != "inicookiename" {
+		t.Error("CookieName should be read as inicookiename from ini file, got", c.CookieName)
+	}
+	if c.CSRFCookieName != "csrfcookiename" {
+		t.Error("CSRFCookieName argument should override ini file, got", c.CSRFCookieName)
+	}
+	if c.Path != "/two" {
+		t.Error("Path in second ini file should override first ini file, got", c.Path)
+	}
+}
+
+func TestConfigFileBackwardsCompatability(t *testing.T) {
+	c, err := NewConfig([]string{
+		"--config=../test/config-legacy",
+	})
+	if err != nil {
+		t.Error(err)
+	}
+
+	if c.Path != "/two" {
+		t.Error("Path in legacy config file should be read, got", c.Path)
+	}
+}
+
+func TestConfigParseEnvironment(t *testing.T) {
+	os.Setenv("COOKIE_NAME", "env_cookie_name")
+	c, err := NewConfig([]string{})
+	if err != nil {
+		t.Error(err)
+	}
+
+	if c.CookieName != "env_cookie_name" {
+		t.Error("CookieName should be read as env_cookie_name from environment, got", c.CookieName)
+	}
+}
+
+func TestConfigTransformation(t *testing.T) {
+	c, err := NewConfig([]string{
+		"--url-path=_oauthpath",
+		"--secret=verysecret",
+		"--lifetime=200",
+	})
+	if err != nil {
+		t.Error(err)
+	}
+
+	if c.Path != "/_oauthpath" {
+		t.Error("Path should add slash to front to get /_oauthpath, got:", c.Path)
+	}
+
+	if c.SecretString != "verysecret" {
+		t.Error("SecretString should be verysecret, got:", c.SecretString)
+	}
+	if bytes.Compare(c.Secret, []byte("verysecret")) != 0 {
+		t.Error("Secret should be []byte(verysecret), got:", string(c.Secret))
+	}
+
+	if c.LifetimeString != 200 {
+		t.Error("LifetimeString should be 200, got:", c.LifetimeString)
+	}
+	if c.Lifetime != time.Second*time.Duration(200) {
+		t.Error("Lifetime default should be 200, got", c.Lifetime)
+	}
+}
+
+func TestConfigCommaSeparatedList(t *testing.T) {
+	list := CommaSeparatedList{}
+
+	err := list.UnmarshalFlag("one,two")
+	if err != nil {
+		t.Error(err)
+	}
+	if len(list) != 2 || list[0] != "one" || list[1] != "two" {
+		t.Error("Expected UnmarshalFlag to provide CommaSeparatedList{one,two}, got", list)
+	}
+
+	marshal, err := list.MarshalFlag()
+	if err != nil {
+		t.Error(err)
+	}
+	if marshal != "one,two" {
+		t.Error("Expected MarshalFlag to provide \"one,two\", got", list)
+	}
+}
--- a/internal/provider/google.go
+++ b/internal/provider/google.go
@ -8,10 +8,10 @@ import (
 )

 type Google struct {
-	ClientId     string `long:"providers.google.client-id" description:"Client ID"`
-	ClientSecret string `long:"providers.google.client-secret" description:"Client Secret" json:"-"`
+	ClientId     string `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
+	ClientSecret string `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
 	Scope        string
-	Prompt       string `long:"providers.google.prompt" description:"Space separated list of OpenID prompt options"`
+	Prompt       string `long:"prompt" env:"PROMPT" description:"Space separated list of OpenID prompt options"`

 	LoginURL *url.URL
 	TokenURL *url.URL
--- a/internal/provider/providers.go
+++ b/internal/provider/providers.go
@ -1,7 +1,7 @@
 package provider

 type Providers struct {
-	Google Google `group:"Google Provider"`
+	Google Google `group:"Google Provider" namespace:"google" env-namespace:"GOOGLE"`
 }

 type Token struct {
--- a/internal/server.go
+++ b/internal/server.go
@ -38,7 +38,11 @@ func (s *Server) buildRoutes() {
 	s.router.Handle(config.Path, s.AuthCallbackHandler())

 	// Add a default handler
-	s.router.NewRoute().Handler(s.AuthHandler())
+	if config.DefaultAction == "allow" {
+		s.router.NewRoute().Handler(s.AllowHandler())
+	} else {
+		s.router.NewRoute().Handler(s.AuthHandler())
+	}
 }

 func (s *Server) RootHandler(w http.ResponseWriter, r *http.Request) {
--- a/internal/server_test.go
+++ b/internal/server_test.go
@ -2,16 +2,12 @@ package tfa

 import (
 	"fmt"
-	"time"
-	// "reflect"
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"strings"
 	"testing"
-
-	"github.com/thomseddon/traefik-forward-auth/internal/provider"
 )

 /**
@ -23,6 +19,152 @@ func init() {
 	log = NewDefaultLogger()
 }

+/**
+ * Tests
+ */
+
+func TestServerAuthHandler(t *testing.T) {
+	config, _ = NewConfig([]string{})
+
+	// Should redirect vanilla request to login url
+	req := newHttpRequest("/foo")
+
+	res, _ := httpRequest(req, nil)
+	if res.StatusCode != 307 {
+		t.Error("Vanilla request should be redirected with 307, got:", res.StatusCode)
+	}
+	fwd, _ := res.Location()
+	if fwd.Scheme != "https" || fwd.Host != "accounts.google.com" || fwd.Path != "/o/oauth2/auth" {
+		t.Error("Vanilla request should be redirected to login url, got:", fwd)
+	}
+
+	// Should catch invalid cookie
+	req = newHttpRequest("/foo")
+	c := MakeCookie(req, "test@example.com")
+	parts := strings.Split(c.Value, "|")
+	c.Value = fmt.Sprintf("bad|%s|%s", parts[1], parts[2])
+
+	res, _ = httpRequest(req, c)
+	if res.StatusCode != 401 {
+		t.Error("Request with invalid cookie shound't be authorised", res.StatusCode)
+	}
+
+	// Should validate email
+	req = newHttpRequest("/foo")
+	c = MakeCookie(req, "test@example.com")
+	config.Domains = []string{"test.com"}
+
+	res, _ = httpRequest(req, c)
+	if res.StatusCode != 401 {
+		t.Error("Request with invalid email shound't be authorised", res.StatusCode)
+	}
+
+	// Should allow valid request email
+	req = newHttpRequest("/foo")
+
+	c = MakeCookie(req, "test@example.com")
+	config.Domains = []string{}
+
+	res, _ = httpRequest(req, c)
+	if res.StatusCode != 200 {
+		t.Error("Valid request should be allowed, got:", res.StatusCode)
+	}
+
+	// Should pass through user
+	users := res.Header["X-Forwarded-User"]
+	if len(users) != 1 {
+		t.Error("Valid request missing X-Forwarded-User header")
+	} else if users[0] != "test@example.com" {
+		t.Error("X-Forwarded-User should match user, got: ", users)
+	}
+}
+
+func TestServerAuthCallback(t *testing.T) {
+	config, _ = NewConfig([]string{})
+
+	// Setup token server
+	tokenServerHandler := &TokenServerHandler{}
+	tokenServer := httptest.NewServer(tokenServerHandler)
+	defer tokenServer.Close()
+	tokenUrl, _ := url.Parse(tokenServer.URL)
+	config.Providers.Google.TokenURL = tokenUrl
+
+	// Setup user server
+	userServerHandler := &UserServerHandler{}
+	userServer := httptest.NewServer(userServerHandler)
+	defer userServer.Close()
+	userUrl, _ := url.Parse(userServer.URL)
+	config.Providers.Google.UserURL = userUrl
+
+	// Should pass auth response request to callback
+	req := newHttpRequest("/_oauth")
+	res, _ := httpRequest(req, nil)
+	if res.StatusCode != 401 {
+		t.Error("Auth callback without cookie shound't be authorised, got:", res.StatusCode)
+	}
+
+	// Should catch invalid csrf cookie
+	req = newHttpRequest("/_oauth?state=12345678901234567890123456789012:http://redirect")
+	c := MakeCSRFCookie(req, "nononononononononononononononono")
+	res, _ = httpRequest(req, c)
+	if res.StatusCode != 401 {
+		t.Error("Auth callback with invalid cookie shound't be authorised, got:", res.StatusCode)
+	}
+
+	// Should redirect valid request
+	req = newHttpRequest("/_oauth?state=12345678901234567890123456789012:http://redirect")
+	c = MakeCSRFCookie(req, "12345678901234567890123456789012")
+	res, _ = httpRequest(req, c)
+	if res.StatusCode != 307 {
+		t.Error("Valid callback should be allowed, got:", res.StatusCode)
+	}
+	fwd, _ := res.Location()
+	if fwd.Scheme != "http" || fwd.Host != "redirect" || fwd.Path != "" {
+		t.Error("Valid request should be redirected to return url, got:", fwd)
+	}
+}
+
+func TestServerDefaultAction(t *testing.T) {
+	config, _ = NewConfig([]string{})
+
+	req := newHttpRequest("/random")
+	res, _ := httpRequest(req, nil)
+	if res.StatusCode != 307 {
+		t.Error("Request should require auth with auth default handler, got:", res.StatusCode)
+	}
+
+	config.DefaultAction = "allow"
+	req = newHttpRequest("/random")
+	res, _ = httpRequest(req, nil)
+	if res.StatusCode != 200 {
+		t.Error("Request should be allowed with allow default handler, got:", res.StatusCode)
+	}
+}
+
+func TestServerRoutePathPrefix(t *testing.T) {
+	config, _ = NewConfig([]string{})
+	config.Rules = map[string]*Rule{
+		"web1": {
+			Action: "allow",
+			Rule:   "PathPrefix(`/api`)",
+		},
+	}
+
+	// Should block any request
+	req := newHttpRequest("/random")
+	res, _ := httpRequest(req, nil)
+	if res.StatusCode != 307 {
+		t.Error("Request not matching any rule should require auth, got:", res.StatusCode)
+	}
+
+	// Should allow /api request
+	req = newHttpRequest("/api")
+	res, _ = httpRequest(req, nil)
+	if res.StatusCode != 200 {
+		t.Error("Request matching allowed rule should be allowed, got:", res.StatusCode)
+	}
+}
+
 /**
 * Utilities
 */
@ -44,7 +186,7 @@ func (t *UserServerHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
  }`)
 }

-func httpRequest(s *Server, r *http.Request, c *http.Cookie) (*http.Response, string) {
+func httpRequest(r *http.Request, c *http.Cookie) (*http.Response, string) {
 	w := httptest.NewRecorder()

 	// Set cookies on recorder
@ -57,7 +199,8 @@ func httpRequest(s *Server, r *http.Request, c *http.Cookie) (*http.Response, st
 		r.Header.Add("Cookie", c)
 	}

-	s.RootHandler(w, r)
+
+	NewServer().RootHandler(w, r)

 	res := w.Result()
 	body, _ := ioutil.ReadAll(res.Body)
@ -92,186 +235,3 @@ func qsDiff(t *testing.T, one, two url.Values) []string {
 	}
 	return errs
 }
-
-/**
- * Tests
- */
-
-func TestServerHandler(t *testing.T) {
-	server := NewServer()
-
-	config = Config{
-		Path:       "/_oauth",
-		CookieName: "cookie_test",
-		Lifetime:   time.Second * time.Duration(10),
-		Providers: provider.Providers{
-			Google: provider.Google{
-				ClientId:     "idtest",
-				ClientSecret: "sectest",
-				Scope:        "scopetest",
-				LoginURL: &url.URL{
-					Scheme: "http",
-					Host:   "test.com",
-					Path:   "/auth",
-				},
-			},
-		},
-	}
-
-	// Should redirect vanilla request to login url
-	req := newHttpRequest("/foo")
-	res, _ := httpRequest(server, req, nil)
-	if res.StatusCode != 307 {
-		t.Error("Vanilla request should be redirected with 307, got:", res.StatusCode)
-	}
-	fwd, _ := res.Location()
-	if fwd.Scheme != "http" || fwd.Host != "test.com" || fwd.Path != "/auth" {
-		t.Error("Vanilla request should be redirected to login url, got:", fwd)
-	}
-
-	// Should catch invalid cookie
-	req = newHttpRequest("/foo")
-
-	c := MakeCookie(req, "test@example.com")
-	parts := strings.Split(c.Value, "|")
-	c.Value = fmt.Sprintf("bad|%s|%s", parts[1], parts[2])
-
-	res, _ = httpRequest(server, req, c)
-	if res.StatusCode != 401 {
-		t.Error("Request with invalid cookie shound't be authorised", res.StatusCode)
-	}
-
-	// Should validate email
-	req = newHttpRequest("/foo")
-
-	c = MakeCookie(req, "test@example.com")
-	config.Domains = []string{"test.com"}
-
-	res, _ = httpRequest(server, req, c)
-	if res.StatusCode != 401 {
-		t.Error("Request with invalid cookie shound't be authorised", res.StatusCode)
-	}
-
-	// Should allow valid request email
-	req = newHttpRequest("/foo")
-
-	c = MakeCookie(req, "test@example.com")
-	config.Domains = []string{}
-
-	res, _ = httpRequest(server, req, c)
-	if res.StatusCode != 200 {
-		t.Error("Valid request should be allowed, got:", res.StatusCode)
-	}
-
-	// Should pass through user
-	users := res.Header["X-Forwarded-User"]
-	if len(users) != 1 {
-		t.Error("Valid request missing X-Forwarded-User header")
-	} else if users[0] != "test@example.com" {
-		t.Error("X-Forwarded-User should match user, got: ", users)
-	}
-}
-
-func TestServerAuthCallback(t *testing.T) {
-	server := NewServer()
-	config = Config{
-		Path:           "/_oauth",
-		CookieName:     "cookie_test",
-		Lifetime:       time.Second * time.Duration(10),
-		CSRFCookieName: "csrf_test",
-		Providers: provider.Providers{
-			Google: provider.Google{
-				ClientId:     "idtest",
-				ClientSecret: "sectest",
-				Scope:        "scopetest",
-				LoginURL: &url.URL{
-					Scheme: "http",
-					Host:   "test.com",
-					Path:   "/auth",
-				},
-			},
-		},
-	}
-
-	// Setup token server
-	tokenServerHandler := &TokenServerHandler{}
-	tokenServer := httptest.NewServer(tokenServerHandler)
-	defer tokenServer.Close()
-	tokenUrl, _ := url.Parse(tokenServer.URL)
-	config.Providers.Google.TokenURL = tokenUrl
-
-	// Setup user server
-	userServerHandler := &UserServerHandler{}
-	userServer := httptest.NewServer(userServerHandler)
-	defer userServer.Close()
-	userUrl, _ := url.Parse(userServer.URL)
-	config.Providers.Google.UserURL = userUrl
-
-	// Should pass auth response request to callback
-	req := newHttpRequest("/_oauth")
-	res, _ := httpRequest(server, req, nil)
-	if res.StatusCode != 401 {
-		t.Error("Auth callback without cookie shound't be authorised, got:", res.StatusCode)
-	}
-
-	// Should catch invalid csrf cookie
-	req = newHttpRequest("/_oauth?state=12345678901234567890123456789012:http://redirect")
-	c := MakeCSRFCookie(req, "nononononononononononononononono")
-	res, _ = httpRequest(server, req, c)
-	if res.StatusCode != 401 {
-		t.Error("Auth callback with invalid cookie shound't be authorised, got:", res.StatusCode)
-	}
-
-	// Should redirect valid request
-	req = newHttpRequest("/_oauth?state=12345678901234567890123456789012:http://redirect")
-	c = MakeCSRFCookie(req, "12345678901234567890123456789012")
-	res, _ = httpRequest(server, req, c)
-	if res.StatusCode != 307 {
-		t.Error("Valid callback should be allowed, got:", res.StatusCode)
-	}
-	fwd, _ := res.Location()
-	if fwd.Scheme != "http" || fwd.Host != "redirect" || fwd.Path != "" {
-		t.Error("Valid request should be redirected to return url, got:", fwd)
-	}
-}
-
-func TestServerRoutePathPrefix(t *testing.T) {
-	config = Config{
-		Path:       "/_oauth",
-		CookieName: "cookie_test",
-		Lifetime:   time.Second * time.Duration(10),
-		Providers: provider.Providers{
-			Google: provider.Google{
-				ClientId:     "idtest",
-				ClientSecret: "sectest",
-				Scope:        "scopetest",
-				LoginURL: &url.URL{
-					Scheme: "http",
-					Host:   "test.com",
-					Path:   "/auth",
-				},
-			},
-		},
-		Rules: map[string]*Rule{
-			"web1": &Rule{
-				Action: "allow",
-				Rule:   "PathPrefix(`/api`)",
-			},
-		},
-	}
-	server := NewServer()
-
-	// Should block any request
-	req := newHttpRequest("/random")
-	res, _ := httpRequest(server, req, nil)
-	if res.StatusCode != 307 {
-		t.Error("Request not matching any rule should require auth, got:", res.StatusCode)
-	}
-
-	// Should allow /api request
-	req = newHttpRequest("/api")
-	res, _ = httpRequest(server, req, nil)
-	if res.StatusCode != 200 {
-		t.Error("Request matching allowed rule should be allowed, got:", res.StatusCode)
-	}
-}
--- a/test/config-legacy
+++ b/test/config-legacy
@ -0,0 +1 @@
+url-path two
--- a/test/config0
+++ b/test/config0
@ -0,0 +1,3 @@
+cookie-name=inicookiename
+csrf-cookie-name=inicsrfcookiename
+url-path=one
--- a/test/config1
+++ b/test/config1
@ -0,0 +1 @@
+url-path=two