pre-release logging + docs improvements and fixes

+ fix docs

README.md

@@ -16,7 +16,7 @@ A minimal forward authentication service that provides Google oauth based login
 
 # Contents
 
-- [Usage](#installation)
+- [Usage](#usage)
   - [Simple](#simple)
   - [Advanced](#advanced)
   - [OAuth Configuration](#oauth-configuration)
@@ -29,6 +29,8 @@ A minimal forward authentication service that provides Google oauth based login
   - [Operation Modes](#operation-modes)
     - [Overlay Mode](#overlay-mode)
     - [Auth Host Mode](#auth-host-mode)
+- [Copyright](#copyright)
+- [License](#license)
 
 ## Usage
 
@@ -43,7 +45,7 @@ version: '3'
 
 services:
   traefik:
-    image: traefik:1
+    image: traefik:1.7
     ports:
       - "8085:80"
     volumes:
@@ -126,9 +128,9 @@ Application Options:
   --rules.<name>.<param>=                               Rule definitions, param can be: "action" or "rule"
 
 Google Provider:
-  --providers.google.client-id=                         Client ID [$CLIENT_ID]
+  --providers.google.client-id=                         Client ID [$PROVIDERS_GOOGLE_CLIENT_ID]
-  --providers.google.client-secret=                     Client Secret [$CLIENT_SECRET]
+  --providers.google.client-secret=                     Client Secret [$PROVIDERS_GOOGLE_CLIENT_SECRET]
-  --providers.google.prompt=                            Space separated list of OpenID prompt options [$PROMPT]
+  --providers.google.prompt=                            Space separated list of OpenID prompt options [$PROVIDERS_GOOGLE_PROMPT]
 
 Help Options:
   -h, --help                                            Show this help message
@@ -283,7 +285,7 @@ The authenticated user is set in the `X-Forwarded-User` header, to pass this on
 
 ### Operation Modes
 
-#### Overlay
+#### Overlay Mode
 
 Overlay is the default operation mode, in this mode the authorisation endpoint is overlayed onto any domain. By default the `/_oauth` path is used, this can be customised using the `url-path` option.
 
@@ -298,7 +300,7 @@ The user flow will be:
 
 As the hostname in the `redirect_uri` is dynamically generated based on the original request, every hostname must be permitted in the Google OAuth console (e.g. `www.myappp.com` would need to be added in the above example)
 
-#### Auth Host
+#### Auth Host Mode
 
 This is an optional mode of operation that is useful when dealing with a large number of subdomains, it is activated by using the `auth-host` config option (see [this example docker-compose.yml](https://github.com/thomseddon/traefik-forward-auth/blob/master/examples/docker-compose-auth-host.yml)).
 
@@ -321,6 +323,8 @@ Two criteria must be met for an `auth-host` to be used:
 1. Request matches given `cookie-domain`
 2. `auth-host` is also subdomain of same `cookie-domain`
 
+Please note: For Auth Host mode to work, you must ensure that requests to your auth-host are routed to the traefik-forward-auth container, as demonstrated with the service labels in the [docker-compose-auth.yml](https://github.com/thomseddon/traefik-forward-auth/blob/master/examples/docker-compose-auth-host.yml) example.
+
 ## Copyright
 
 2018 Thom Seddon

examples/docker-compose-auth-host.yml

@@ -33,7 +33,7 @@ services:
       - AUTH_HOST=auth.yourdomain.com
     networks:
       - traefik
-    # When using an auth host, adding it here prompts traefik to generate certs
+    # When using an auth host, the below must be added
     labels:
       - traefik.enable=true
       - traefik.port=4181

examples/docker-compose.yml

@@ -23,13 +23,15 @@ services:
       - "traefik.frontend.rule=Host:whoami.localhost.com"
 
   traefik-forward-auth:
-    image: thomseddon/traefik-forward-auth
+    build: ../
+    command: ./traefik-forward-auth --rule.1.action=allow --rule.1.rule="Path(`/`)"
     environment:
       - PROVIDERS_GOOGLE_CLIENT_ID=your-client-id
       - PROVIDERS_GOOGLE_CLIENT_SECRET=your-client-secret
       - SECRET=something-random
       - INSECURE_COOKIE=true
       - DOMAIN=yourcompany.com
+      - LOG_LEVEL=debug
     networks:
       - traefik
 

go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/go-kit/kit v0.8.0 // indirect
 	github.com/gorilla/context v1.1.1 // indirect
 	github.com/gravitational/trace v0.0.0-20190409171327-f30095ced5ff // indirect
-	github.com/jessevdk/go-flags v1.4.0
+	github.com/jessevdk/go-flags v1.4.1-0.20181221193153-c0795c8afcf4
 	github.com/jonboulle/clockwork v0.1.0 // indirect
 	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
 	github.com/kr/pretty v0.1.0 // indirect

go.sum

@@ -24,6 +24,8 @@ github.com/gravitational/trace v0.0.0-20190409171327-f30095ced5ff h1:xL/fJdlTJL6
 github.com/gravitational/trace v0.0.0-20190409171327-f30095ced5ff/go.mod h1:RvdOUHE4SHqR3oXlFFKnGzms8a5dugHygGw1bqDstYI=
 github.com/jessevdk/go-flags v1.4.0 h1:4IU2WS7AumrZ/40jfhf4QVDMsQwqA7VEHozFRrGARJA=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
+github.com/jessevdk/go-flags v1.4.1-0.20181221193153-c0795c8afcf4 h1:xKkUL6QBojwguhKKetf1SocCAKqc6W7S/mGm9xEGllo=
+github.com/jessevdk/go-flags v1.4.1-0.20181221193153-c0795c8afcf4/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jonboulle/clockwork v0.1.0 h1:VKV+ZcuP6l3yW9doeqz6ziZGgcynBVQO+obU0+0hcPo=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=

internal/config.go

@@ -25,7 +25,7 @@ type Config struct {
 	LogFormat string `long:"log-format"  env:"LOG_FORMAT" default:"text" choice:"text" choice:"json" choice:"pretty" description:"Log format"`
 
 	AuthHost       string               `long:"auth-host" env:"AUTH_HOST" description:"Single host to use when returning from 3rd party auth"`
-	Config         func(s string) error `long:"config" env:"CONFIG" description:"Path to config file"`
+	Config         func(s string) error `long:"config" env:"CONFIG" description:"Path to config file" json:"-"`
 	CookieDomains  []CookieDomain       `long:"cookie-domain" env:"COOKIE_DOMAIN" description:"Domain to set auth cookie on, can be set multiple times"`
 	InsecureCookie bool                 `long:"insecure-cookie" env:"INSECURE_COOKIE" description:"Use insecure cookies"`
 	CookieName     string               `long:"cookie-name" env:"COOKIE_NAME" default:"_forward_auth" description:"Cookie Name"`
@@ -34,23 +34,23 @@ type Config struct {
 	Domains        []string             `long:"domain" env:"DOMAIN" description:"Only allow given email domains, can be set multiple times"`
 	LifetimeString int                  `long:"lifetime" env:"LIFETIME" default:"43200" description:"Lifetime in seconds"`
 	Path           string               `long:"url-path" env:"URL_PATH" default:"/_oauth" description:"Callback URL Path"`
-	SecretString   string               `long:"secret" env:"SECRET" description:"Secret used for signing (required)"`
+	SecretString   string               `long:"secret" env:"SECRET" description:"Secret used for signing (required)" json:"-"`
 	Whitelist      CommaSeparatedList   `long:"whitelist" env:"WHITELIST" description:"Only allow given email addresses, can be set multiple times"`
 
 	Providers provider.Providers `group:"providers" namespace:"providers" env-namespace:"PROVIDERS"`
 	Rules     map[string]*Rule   `long:"rules.<name>.<param>" description:"Rule definitions, param can be: \"action\" or \"rule\""`
 
 	// Filled during transformations
-	Secret   []byte
+	Secret   []byte  `json:"-"`
 	Lifetime time.Duration
 
 	// Legacy
 	CookieDomainsLegacy CookieDomains      `long:"cookie-domains" env:"COOKIE_DOMAINS" description:"DEPRECATED - Use \"cookie-domain\""`
-	CookieSecretLegacy  string             `long:"cookie-secret" env:"COOKIE_SECRET" description:"DEPRECATED - Use \"secret\""`
+	CookieSecretLegacy  string             `long:"cookie-secret" env:"COOKIE_SECRET" description:"DEPRECATED - Use \"secret\""  json:"-"`
 	CookieSecureLegacy  string             `long:"cookie-secure" env:"COOKIE_SECURE" description:"DEPRECATED - Use \"insecure-cookie\""`
 	DomainsLegacy       CommaSeparatedList `long:"domains" env:"DOMAINS" description:"DEPRECATED - Use \"domain\""`
 	ClientIdLegacy      string             `long:"client-id" env:"CLIENT_ID" group:"DEPs" description:"DEPRECATED - Use \"providers.google.client-id\""`
-	ClientSecretLegacy  string             `long:"client-secret" env:"CLIENT_SECRET" description:"DEPRECATED - Use \"providers.google.client-id\""`
+	ClientSecretLegacy  string             `long:"client-secret" env:"CLIENT_SECRET" description:"DEPRECATED - Use \"providers.google.client-id\""  json:"-"`
 	PromptLegacy        string             `long:"prompt" env:"PROMPT" description:"DEPRECATED - Use \"providers.google.prompt\""`
 }
 
@@ -100,6 +100,7 @@ func NewConfig(args []string) (Config, error) {
 
 	// Backwards compatability
 	if c.CookieSecretLegacy != "" && c.SecretString == "" {
+		log.Warn("cookie-secret config option is deprecated, please use secret")
 		c.SecretString = c.CookieSecretLegacy
 	}
 	if c.ClientIdLegacy != "" {
@@ -109,9 +110,11 @@ func NewConfig(args []string) (Config, error) {
 		c.Providers.Google.ClientSecret = c.ClientSecretLegacy
 	}
 	if c.PromptLegacy != "" {
+		log.Warn("prompt config option is deprecated, please use providers.google.prompt")
 		c.Providers.Google.Prompt = c.PromptLegacy
 	}
 	if c.CookieSecureLegacy != "" {
+		log.Warn("cookie-secure config option is deprecated, please use insecure-cookie")
 		secure, err := strconv.ParseBool(c.CookieSecureLegacy)
 		if err != nil {
 			return c, err
@@ -119,9 +122,11 @@ func NewConfig(args []string) (Config, error) {
 		c.InsecureCookie = !secure
 	}
 	if len(c.CookieDomainsLegacy) > 0 {
+		log.Warn("cookie-domains config option is deprecated, please use cookie-domain")
 		c.CookieDomains = append(c.CookieDomains, c.CookieDomainsLegacy...)
 	}
 	if len(c.DomainsLegacy) > 0 {
+		log.Warn("domains config option is deprecated, please use domain")
 		c.Domains = append(c.Domains, c.DomainsLegacy...)
 	}
 

internal/config_test.go

@@ -181,10 +181,12 @@ func TestConfigFileBackwardsCompatability(t *testing.T) {
 func TestConfigParseEnvironment(t *testing.T) {
 	assert := assert.New(t)
 	os.Setenv("COOKIE_NAME", "env_cookie_name")
+	os.Setenv("PROVIDERS_GOOGLE_CLIENT_ID", "env_client_id")
 	c, err := NewConfig([]string{})
 	assert.Nil(err)
 
 	assert.Equal("env_cookie_name", c.CookieName, "variable should be read from environment")
+	assert.Equal("env_client_id", c.Providers.Google.ClientId, "namespace variable should be read from environment")
 }
 
 func TestConfigTransformation(t *testing.T) {

internal/server.go

@@ -26,11 +26,11 @@ func (s *Server) buildRoutes() {
 	}
 
 	// Let's build a router
-	for _, rule := range config.Rules {
+	for name, rule := range config.Rules {
 		if rule.Action == "allow" {
-			s.router.AddRoute(rule.Rule, 1, s.AllowHandler())
+			s.router.AddRoute(rule.Rule, 1, s.AllowHandler(name))
 		} else {
-			s.router.AddRoute(rule.Rule, 1, s.AuthHandler())
+			s.router.AddRoute(rule.Rule, 1, s.AuthHandler(name))
 		}
 	}
 
@@ -39,9 +39,9 @@ func (s *Server) buildRoutes() {
 
 	// Add a default handler
 	if config.DefaultAction == "allow" {
-		s.router.NewRoute().Handler(s.AllowHandler())
+		s.router.NewRoute().Handler(s.AllowHandler("default"))
 	} else {
-		s.router.NewRoute().Handler(s.AuthHandler())
+		s.router.NewRoute().Handler(s.AuthHandler("default"))
 	}
 }
 
@@ -54,18 +54,18 @@ func (s *Server) RootHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 // Handler that allows requests
-func (s *Server) AllowHandler() http.HandlerFunc {
+func (s *Server) AllowHandler(rule string) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		s.logger(r, "Allowing request")
+		s.logger(r, rule, "Allowing request")
 		w.WriteHeader(200)
 	}
 }
 
 // Authenticate requests
-func (s *Server) AuthHandler() http.HandlerFunc {
+func (s *Server) AuthHandler(rule string) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		// Logging setup
-		logger := s.logger(r, "Authenticating request")
+		logger := s.logger(r, rule, "Authenticating request")
 
 		// Get auth cookie
 		c, err := r.Cookie(config.CookieName)
@@ -118,7 +118,7 @@ func (s *Server) AuthHandler() http.HandlerFunc {
 func (s *Server) AuthCallbackHandler() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		// Logging setup
-		logger := s.logger(r, "Handling callback")
+		logger := s.logger(r, "default", "Handling callback")
 
 		// Check for CSRF cookie
 		c, err := r.Cookie(config.CSRFCookieName)
@@ -165,16 +165,17 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {
 	}
 }
 
-func (s *Server) logger(r *http.Request, msg string) *logrus.Entry {
+func (s *Server) logger(r *http.Request, rule, msg string) *logrus.Entry {
 	// Create logger
 	logger := log.WithFields(logrus.Fields{
-		"SourceIP": r.Header.Get("X-Forwarded-For"),
+		"source_ip": r.Header.Get("X-Forwarded-For"),
 	})
 
 	// Log request
 	logger.WithFields(logrus.Fields{
-		"Headers": r.Header,
+		"rule": rule,
-	}).Debugf(msg)
+		"headers": r.Header,
+	}).Debug(msg)
 
 	return logger
 }