Add releases info to README

Make rule parsing more robust
- check args length before popping - ensure rule has name
2019-06-10 12:19:53 +01:00 · 2019-06-10 11:38:50 +01:00 · 2019-06-10 11:24:14 +01:00 · 2019-05-13 11:56:43 +01:00 · 2019-05-13 11:27:31 +01:00 · 2019-05-07 19:17:42 +01:00
11 changed files with 268 additions and 60 deletions
--- a/README.md
+++ b/README.md
@ -4,7 +4,6 @@

 A minimal forward authentication service that provides Google oauth based login and authentication for the [traefik](https://github.com/containous/traefik) reverse proxy/load balancer.

-
 ## Why?

 - Seamlessly overlays any http service with a single endpoint (see: `url-path` in [Configuration](#configuration))
@ -16,7 +15,8 @@ A minimal forward authentication service that provides Google oauth based login

 # Contents

- [Usage](#installation)
+- [Releases](#releases)
+- [Usage](#usage)
  - [Simple](#simple)
  - [Advanced](#advanced)
  - [OAuth Configuration](#oauth-configuration)
@ -29,6 +29,18 @@ A minimal forward authentication service that provides Google oauth based login
  - [Operation Modes](#operation-modes)
    - [Overlay Mode](#overlay-mode)
    - [Auth Host Mode](#auth-host-mode)
+- [Copyright](#copyright)
+- [License](#license)
+
+## Releases
+
+We recommend using the `2` tag on docker hub.
+
+You can also use the latest incremental releases found on [docker hub](https://hub.docker.com/r/thomseddon/traefik-forward-auth/tags) and [github](https://github.com/thomseddon/traefik-forward-auth/releases).
+
+#### Upgrade Guide
+
+v2 was released in June 2019, whilst this is fully backwards compatible, a number of configuration options were modified, please see the [upgrade guide](https://github.com/thomseddon/traefik-forward-auth/wiki/v2-Upgrade-Guide) to prevent warnings on startup and ensure you are using the current configuration.

 ## Usage

@ -43,7 +55,7 @@ version: '3'

 services:
  traefik:
-    image: traefik:1
+    image: traefik:1.7
    ports:
      - "8085:80"
    volumes:
@ -94,10 +106,6 @@ Create a new project then search for and select "Credentials" in the search bar.

 Click "Create Credentials" > "OAuth client ID". Select "Web Application", fill in the name of your app, skip "Authorized JavaScript origins" and fill "Authorized redirect URIs" with all the domains you will allow authentication from, appended with the `url-path` (e.g. https://app.test.com/_oauth)

-#### Upgrade Guide
-
-v2 was released in April 2019, whilst this is fully backwards compatibile, a number of configuration options were modified, please see the [upgrade guide](https://github.com/thomseddon/traefik-forward-auth/wiki/v2-Upgrade-Guide) to prevent warnings on startup and ensure you are using the current configuration.
-
 ## Configuration

 ### Overview
@ -126,12 +134,12 @@ Application Options:
  --rules.<name>.<param>=                               Rule definitions, param can be: "action" or "rule"

 Google Provider:
-  --providers.google.client-id=                         Client ID [$CLIENT_ID]
-  --providers.google.client-secret=                     Client Secret [$CLIENT_SECRET]
-  --providers.google.prompt=                            Space separated list of OpenID prompt options [$PROMPT]
+  --providers.google.client-id=                         Client ID [$PROVIDERS_GOOGLE_CLIENT_ID]
+  --providers.google.client-secret=                     Client Secret [$PROVIDERS_GOOGLE_CLIENT_SECRET]
+  --providers.google.prompt=                            Space separated list of OpenID prompt options [$PROVIDERS_GOOGLE_PROMPT]

 Help Options:
-  -h, --help                                                Show this help message
+  -h, --help                                            Show this help message
 ```

 All options can be supplied in any of the following ways, in the following precedence (first is highest precedence):
@ -283,7 +291,7 @@ The authenticated user is set in the `X-Forwarded-User` header, to pass this on

 ### Operation Modes

-#### Overlay
+#### Overlay Mode

 Overlay is the default operation mode, in this mode the authorisation endpoint is overlayed onto any domain. By default the `/_oauth` path is used, this can be customised using the `url-path` option.

@ -298,7 +306,7 @@ The user flow will be:

 As the hostname in the `redirect_uri` is dynamically generated based on the original request, every hostname must be permitted in the Google OAuth console (e.g. `www.myappp.com` would need to be added in the above example)

-#### Auth Host
+#### Auth Host Mode

 This is an optional mode of operation that is useful when dealing with a large number of subdomains, it is activated by using the `auth-host` config option (see [this example docker-compose.yml](https://github.com/thomseddon/traefik-forward-auth/blob/master/examples/docker-compose-auth-host.yml)).

@ -321,6 +329,8 @@ Two criteria must be met for an `auth-host` to be used:
 1. Request matches given `cookie-domain`
 2. `auth-host` is also subdomain of same `cookie-domain`

+Please note: For Auth Host mode to work, you must ensure that requests to your auth-host are routed to the traefik-forward-auth container, as demonstrated with the service labels in the [docker-compose-auth.yml](https://github.com/thomseddon/traefik-forward-auth/blob/master/examples/docker-compose-auth-host.yml) example.
+
 ## Copyright

 2018 Thom Seddon
--- a/examples/docker-compose-auth-host.yml
+++ b/examples/docker-compose-auth-host.yml
@ -33,7 +33,7 @@ services:
      - AUTH_HOST=auth.yourdomain.com
    networks:
      - traefik
-    # When using an auth host, adding it here prompts traefik to generate certs
+    # When using an auth host, the below must be added
    labels:
      - traefik.enable=true
      - traefik.port=4181
--- a/examples/docker-compose.yml
+++ b/examples/docker-compose.yml
@ -23,13 +23,15 @@ services:
      - "traefik.frontend.rule=Host:whoami.localhost.com"

  traefik-forward-auth:
-    image: thomseddon/traefik-forward-auth
+    build: ../
+    command: ./traefik-forward-auth --rule.1.action=allow --rule.1.rule="Path(`/`)"
    environment:
      - PROVIDERS_GOOGLE_CLIENT_ID=your-client-id
      - PROVIDERS_GOOGLE_CLIENT_SECRET=your-client-secret
      - SECRET=something-random
      - INSECURE_COOKIE=true
      - DOMAIN=yourcompany.com
+      - LOG_LEVEL=debug
    networks:
      - traefik

--- a/go.mod
+++ b/go.mod
@ -13,7 +13,7 @@ require (
 	github.com/go-kit/kit v0.8.0 // indirect
 	github.com/gorilla/context v1.1.1 // indirect
 	github.com/gravitational/trace v0.0.0-20190409171327-f30095ced5ff // indirect
-	github.com/jessevdk/go-flags v1.4.0
+	github.com/jessevdk/go-flags v1.4.1-0.20181221193153-c0795c8afcf4
 	github.com/jonboulle/clockwork v0.1.0 // indirect
 	github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect
 	github.com/kr/pretty v0.1.0 // indirect
@ -25,6 +25,7 @@ require (
 	github.com/sirupsen/logrus v1.4.1
 	github.com/stretchr/objx v0.2.0 // indirect
 	github.com/stretchr/testify v1.3.0
+	github.com/thomseddon/go-flags v1.4.1-0.20190507184247-a3629c504486
 	github.com/vulcand/predicate v1.1.0 // indirect
 	golang.org/x/crypto v0.0.0-20190422183909-d864b10871cd // indirect
 	golang.org/x/net v0.0.0-20190420063019-afa5a82059c6 // indirect
--- a/go.sum
+++ b/go.sum
@ -24,6 +24,8 @@ github.com/gravitational/trace v0.0.0-20190409171327-f30095ced5ff h1:xL/fJdlTJL6
 github.com/gravitational/trace v0.0.0-20190409171327-f30095ced5ff/go.mod h1:RvdOUHE4SHqR3oXlFFKnGzms8a5dugHygGw1bqDstYI=
 github.com/jessevdk/go-flags v1.4.0 h1:4IU2WS7AumrZ/40jfhf4QVDMsQwqA7VEHozFRrGARJA=
 github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
+github.com/jessevdk/go-flags v1.4.1-0.20181221193153-c0795c8afcf4 h1:xKkUL6QBojwguhKKetf1SocCAKqc6W7S/mGm9xEGllo=
+github.com/jessevdk/go-flags v1.4.1-0.20181221193153-c0795c8afcf4/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI=
 github.com/jonboulle/clockwork v0.1.0 h1:VKV+ZcuP6l3yW9doeqz6ziZGgcynBVQO+obU0+0hcPo=
 github.com/jonboulle/clockwork v0.1.0/go.mod h1:Ii8DK3G1RaLaWxj9trq07+26W01tbo22gdxWY5EU2bo=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
@ -53,6 +55,12 @@ github.com/stretchr/objx v0.2.0/go.mod h1:qt09Ya8vawLte6SNmTgCsAVtYtaKzEcn8ATUoH
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0 h1:TivCn/peBQ7UY8ooIcPgZFpTNSz0Q2U6UrFlUfqbe0Q=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/thomseddon/go-flags v1.4.0 h1:cHj56pbnQxlGo2lx2P8f0Dph4TRYKBJzoPuF2lqNvW4=
+github.com/thomseddon/go-flags v1.4.0/go.mod h1:NK9eZpNBmSKVxvyB/MExg6jW0Bo9hQyAuCP+b8MJFow=
+github.com/thomseddon/go-flags v1.4.1-0.20190507181358-ce437f05b7fb h1:L311/fJ7WXmFDDtuhf22PkVJqZpqLbEsmGSTEGv7ZQY=
+github.com/thomseddon/go-flags v1.4.1-0.20190507181358-ce437f05b7fb/go.mod h1:NK9eZpNBmSKVxvyB/MExg6jW0Bo9hQyAuCP+b8MJFow=
+github.com/thomseddon/go-flags v1.4.1-0.20190507184247-a3629c504486 h1:hk17f4niAl4e6viTj2uf/fpfACa6QPmrtMDAo+1tifE=
+github.com/thomseddon/go-flags v1.4.1-0.20190507184247-a3629c504486/go.mod h1:NK9eZpNBmSKVxvyB/MExg6jW0Bo9hQyAuCP+b8MJFow=
 github.com/vulcand/predicate v1.1.0 h1:Gq/uWopa4rx/tnZu2opOSBqHK63Yqlou/SzrbwdJiNg=
 github.com/vulcand/predicate v1.1.0/go.mod h1:mlccC5IRBoc2cIFmCB8ZM62I3VDb6p2GXESMHa3CnZg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
--- a/internal/config.go
+++ b/internal/config.go
@ -14,7 +14,7 @@ import (
 	"strings"
 	"time"

-	"github.com/jessevdk/go-flags"
+	"github.com/thomseddon/go-flags"
 	"github.com/thomseddon/traefik-forward-auth/internal/provider"
 )

@ -25,7 +25,7 @@ type Config struct {
 	LogFormat string `long:"log-format"  env:"LOG_FORMAT" default:"text" choice:"text" choice:"json" choice:"pretty" description:"Log format"`

 	AuthHost       string               `long:"auth-host" env:"AUTH_HOST" description:"Single host to use when returning from 3rd party auth"`
-	Config         func(s string) error `long:"config" env:"CONFIG" description:"Path to config file"`
+	Config         func(s string) error `long:"config" env:"CONFIG" description:"Path to config file" json:"-"`
 	CookieDomains  []CookieDomain       `long:"cookie-domain" env:"COOKIE_DOMAIN" description:"Domain to set auth cookie on, can be set multiple times"`
 	InsecureCookie bool                 `long:"insecure-cookie" env:"INSECURE_COOKIE" description:"Use insecure cookies"`
 	CookieName     string               `long:"cookie-name" env:"COOKIE_NAME" default:"_forward_auth" description:"Cookie Name"`
@ -34,23 +34,23 @@ type Config struct {
 	Domains        []string             `long:"domain" env:"DOMAIN" description:"Only allow given email domains, can be set multiple times"`
 	LifetimeString int                  `long:"lifetime" env:"LIFETIME" default:"43200" description:"Lifetime in seconds"`
 	Path           string               `long:"url-path" env:"URL_PATH" default:"/_oauth" description:"Callback URL Path"`
-	SecretString   string               `long:"secret" env:"SECRET" description:"Secret used for signing (required)"`
+	SecretString   string               `long:"secret" env:"SECRET" description:"Secret used for signing (required)" json:"-"`
 	Whitelist      CommaSeparatedList   `long:"whitelist" env:"WHITELIST" description:"Only allow given email addresses, can be set multiple times"`

 	Providers provider.Providers `group:"providers" namespace:"providers" env-namespace:"PROVIDERS"`
 	Rules     map[string]*Rule   `long:"rules.<name>.<param>" description:"Rule definitions, param can be: \"action\" or \"rule\""`

 	// Filled during transformations
-	Secret   []byte
+	Secret   []byte `json:"-"`
 	Lifetime time.Duration

 	// Legacy
 	CookieDomainsLegacy CookieDomains      `long:"cookie-domains" env:"COOKIE_DOMAINS" description:"DEPRECATED - Use \"cookie-domain\""`
-	CookieSecretLegacy  string             `long:"cookie-secret" env:"COOKIE_SECRET" description:"DEPRECATED - Use \"secret\""`
+	CookieSecretLegacy  string             `long:"cookie-secret" env:"COOKIE_SECRET" description:"DEPRECATED - Use \"secret\""  json:"-"`
 	CookieSecureLegacy  string             `long:"cookie-secure" env:"COOKIE_SECURE" description:"DEPRECATED - Use \"insecure-cookie\""`
 	DomainsLegacy       CommaSeparatedList `long:"domains" env:"DOMAINS" description:"DEPRECATED - Use \"domain\""`
 	ClientIdLegacy      string             `long:"client-id" env:"CLIENT_ID" group:"DEPs" description:"DEPRECATED - Use \"providers.google.client-id\""`
-	ClientSecretLegacy  string             `long:"client-secret" env:"CLIENT_SECRET" description:"DEPRECATED - Use \"providers.google.client-id\""`
+	ClientSecretLegacy  string             `long:"client-secret" env:"CLIENT_SECRET" description:"DEPRECATED - Use \"providers.google.client-id\""  json:"-"`
 	PromptLegacy        string             `long:"prompt" env:"PROMPT" description:"DEPRECATED - Use \"providers.google.prompt\""`
 }

@ -100,6 +100,7 @@ func NewConfig(args []string) (Config, error) {

 	// Backwards compatability
 	if c.CookieSecretLegacy != "" && c.SecretString == "" {
+		fmt.Println("cookie-secret config option is deprecated, please use secret")
 		c.SecretString = c.CookieSecretLegacy
 	}
 	if c.ClientIdLegacy != "" {
@ -109,9 +110,11 @@ func NewConfig(args []string) (Config, error) {
 		c.Providers.Google.ClientSecret = c.ClientSecretLegacy
 	}
 	if c.PromptLegacy != "" {
+		fmt.Println("prompt config option is deprecated, please use providers.google.prompt")
 		c.Providers.Google.Prompt = c.PromptLegacy
 	}
 	if c.CookieSecureLegacy != "" {
+		fmt.Println("cookie-secure config option is deprecated, please use insecure-cookie")
 		secure, err := strconv.ParseBool(c.CookieSecureLegacy)
 		if err != nil {
 			return c, err
@ -119,9 +122,11 @@ func NewConfig(args []string) (Config, error) {
 		c.InsecureCookie = !secure
 	}
 	if len(c.CookieDomainsLegacy) > 0 {
+		fmt.Println("cookie-domains config option is deprecated, please use cookie-domain")
 		c.CookieDomains = append(c.CookieDomains, c.CookieDomainsLegacy...)
 	}
 	if len(c.DomainsLegacy) > 0 {
+		fmt.Println("domains config option is deprecated, please use domain")
 		c.Domains = append(c.Domains, c.DomainsLegacy...)
 	}

@ -136,7 +141,7 @@ func NewConfig(args []string) (Config, error) {
 }

 func (c *Config) parseFlags(args []string) error {
-	p := flags.NewParser(c, flags.Default)
+	p := flags.NewParser(c, flags.Default|flags.IniUnknownOptionHandler)
 	p.UnknownOptionHandler = c.parseUnknownFlag

 	i := flags.NewIniParser(p)
@ -152,6 +157,7 @@ func (c *Config) parseFlags(args []string) error {
 				return err
 			}

+			fmt.Println("config format deprecated, please use ini format")
 			return i.Parse(converted)
 		}

@ -170,16 +176,15 @@ func (c *Config) parseUnknownFlag(option string, arg flags.SplitArgument, args [
 	// Parse rules in the format "rule.<name>.<param>"
 	parts := strings.Split(option, ".")
 	if len(parts) == 3 && parts[0] == "rule" {
-		// Get or create rule
-		rule, ok := c.Rules[parts[1]]
-		if !ok {
-			rule = NewRule()
-			c.Rules[parts[1]] = rule
+		// Ensure there is a name
+		name := parts[1]
+		if len(name) == 0 {
+			return args, errors.New("route name is required")
 		}

 		// Get value, or pop the next arg
 		val, ok := arg.Value()
-		if !ok {
+		if !ok && len(args) > 1 {
 			val = args[0]
 			args = args[1:]
 		}
@ -198,6 +203,13 @@ func (c *Config) parseUnknownFlag(option string, arg flags.SplitArgument, args [
 			}
 		}

+		// Get or create rule
+		rule, ok := c.Rules[name]
+		if !ok {
+			rule = NewRule()
+			c.Rules[name] = rule
+		}
+
 		// Add param value to rule
 		switch parts[2] {
 		case "action":
@ -244,7 +256,7 @@ func (c *Config) Validate() {
 	}

 	if c.Providers.Google.ClientId == "" || c.Providers.Google.ClientSecret == "" {
-		log.Fatal("google.providers.client-id, google.providers.client-secret must be set")
+		log.Fatal("providers.google.client-id, providers.google.client-secret must be set")
 	}

 	// Check rules
@ -271,6 +283,12 @@ func NewRule() *Rule {
 	}
 }

+func (r *Rule) formattedRule() string {
+	// Traefik implements their own "Host" matcher and then offers "HostRegexp"
+	// to invoke the mux "Host" matcher. This ensures the mux version is used
+	return strings.ReplaceAll(r.Rule, "Host(", "HostRegexp(")
+}
+
 func (r *Rule) Validate() {
 	if r.Action != "auth" && r.Action != "allow" {
 		log.Fatal("invalid rule action, must be \"auth\" or \"allow\"")
--- a/internal/config_test.go
+++ b/internal/config_test.go
@ -98,6 +98,29 @@ func TestConfigParseUnknownFlags(t *testing.T) {
 	}
 }

+func TestConfigParseRuleError(t *testing.T) {
+	assert := assert.New(t)
+
+	// Rule without name
+	_, err := NewConfig([]string{
+		"--rule..action=auth",
+	})
+	if assert.Error(err) {
+		assert.Equal("route name is required", err.Error())
+	}
+
+	// Rule without value
+	c, err := NewConfig([]string{
+		"--rule.one.action=",
+	})
+	if assert.Error(err) {
+		assert.Equal("route param value is required", err.Error())
+	}
+	// Check rules
+	assert.Equal(map[string]*Rule{}, c.Rules)
+}
+
+
 func TestConfigFlagBackwardsCompatability(t *testing.T) {
 	assert := assert.New(t)
 	c, err := NewConfig([]string{
@ -165,6 +188,18 @@ func TestConfigParseIni(t *testing.T) {
 	assert.Equal("inicookiename", c.CookieName, "should be read from ini file")
 	assert.Equal("csrfcookiename", c.CSRFCookieName, "should be read from ini file")
 	assert.Equal("/two", c.Path, "variable in second ini file should override first ini file")
+	assert.Equal(map[string]*Rule{
+		"1": {
+			Action:   "allow",
+			Rule:     "PathPrefix(`/one`)",
+			Provider: "google",
+		},
+		"two": {
+			Action:   "auth",
+			Rule:     "Host(`two.com`) && Path(`/two`)",
+			Provider: "google",
+		},
+	}, c.Rules)
 }

 func TestConfigFileBackwardsCompatability(t *testing.T) {
@ -181,10 +216,12 @@ func TestConfigFileBackwardsCompatability(t *testing.T) {
 func TestConfigParseEnvironment(t *testing.T) {
 	assert := assert.New(t)
 	os.Setenv("COOKIE_NAME", "env_cookie_name")
+	os.Setenv("PROVIDERS_GOOGLE_CLIENT_ID", "env_client_id")
 	c, err := NewConfig([]string{})
 	assert.Nil(err)

 	assert.Equal("env_cookie_name", c.CookieName, "variable should be read from environment")
+	assert.Equal("env_client_id", c.Providers.Google.ClientId, "namespace variable should be read from environment")
 }

 func TestConfigTransformation(t *testing.T) {
--- a/internal/server.go
+++ b/internal/server.go
@ -26,11 +26,11 @@ func (s *Server) buildRoutes() {
 	}

 	// Let's build a router
-	for _, rule := range config.Rules {
+	for name, rule := range config.Rules {
 		if rule.Action == "allow" {
-			s.router.AddRoute(rule.Rule, 1, s.AllowHandler())
+			s.router.AddRoute(rule.formattedRule(), 1, s.AllowHandler(name))
 		} else {
-			s.router.AddRoute(rule.Rule, 1, s.AuthHandler())
+			s.router.AddRoute(rule.formattedRule(), 1, s.AuthHandler(name))
 		}
 	}

@ -39,14 +39,16 @@ func (s *Server) buildRoutes() {

 	// Add a default handler
 	if config.DefaultAction == "allow" {
-		s.router.NewRoute().Handler(s.AllowHandler())
+		s.router.NewRoute().Handler(s.AllowHandler("default"))
 	} else {
-		s.router.NewRoute().Handler(s.AuthHandler())
+		s.router.NewRoute().Handler(s.AuthHandler("default"))
 	}
 }

 func (s *Server) RootHandler(w http.ResponseWriter, r *http.Request) {
 	// Modify request
+	r.Method = r.Header.Get("X-Forwarded-Method")
+	r.Host = r.Header.Get("X-Forwarded-Host")
 	r.URL, _ = url.Parse(r.Header.Get("X-Forwarded-Uri"))

 	// Pass to mux
@ -54,18 +56,18 @@ func (s *Server) RootHandler(w http.ResponseWriter, r *http.Request) {
 }

 // Handler that allows requests
-func (s *Server) AllowHandler() http.HandlerFunc {
+func (s *Server) AllowHandler(rule string) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		s.logger(r, "Allowing request")
+		s.logger(r, rule, "Allowing request")
 		w.WriteHeader(200)
 	}
 }

 // Authenticate requests
-func (s *Server) AuthHandler() http.HandlerFunc {
+func (s *Server) AuthHandler(rule string) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		// Logging setup
-		logger := s.logger(r, "Authenticating request")
+		logger := s.logger(r, rule, "Authenticating request")

 		// Get auth cookie
 		c, err := r.Cookie(config.CookieName)
@ -118,7 +120,7 @@ func (s *Server) AuthHandler() http.HandlerFunc {
 func (s *Server) AuthCallbackHandler() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		// Logging setup
-		logger := s.logger(r, "Handling callback")
+		logger := s.logger(r, "default", "Handling callback")

 		// Check for CSRF cookie
 		c, err := r.Cookie(config.CSRFCookieName)
@ -165,16 +167,17 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {
 	}
 }

-func (s *Server) logger(r *http.Request, msg string) *logrus.Entry {
+func (s *Server) logger(r *http.Request, rule, msg string) *logrus.Entry {
 	// Create logger
 	logger := log.WithFields(logrus.Fields{
-		"SourceIP": r.Header.Get("X-Forwarded-For"),
+		"source_ip": r.Header.Get("X-Forwarded-For"),
 	})

 	// Log request
 	logger.WithFields(logrus.Fields{
-		"Headers": r.Header,
-	}).Debugf(msg)
+		"rule":    rule,
+		"headers": r.Header,
+	}).Debug(msg)

 	return logger
 }
--- a/internal/server_test.go
+++ b/internal/server_test.go
@ -32,7 +32,7 @@ func TestServerAuthHandler(t *testing.T) {
 	config, _ = NewConfig([]string{})

 	// Should redirect vanilla request to login url
-	req := newHttpRequest("/foo")
+	req := newDefaultHttpRequest("/foo")
 	res, _ := doHttpRequest(req, nil)
 	assert.Equal(307, res.StatusCode, "vanilla request should be redirected")

@ -42,7 +42,7 @@ func TestServerAuthHandler(t *testing.T) {
 	assert.Equal("/o/oauth2/auth", fwd.Path, "vanilla request should be redirected to google")

 	// Should catch invalid cookie
-	req = newHttpRequest("/foo")
+	req = newDefaultHttpRequest("/foo")
 	c := MakeCookie(req, "test@example.com")
 	parts := strings.Split(c.Value, "|")
 	c.Value = fmt.Sprintf("bad|%s|%s", parts[1], parts[2])
@ -51,7 +51,7 @@ func TestServerAuthHandler(t *testing.T) {
 	assert.Equal(401, res.StatusCode, "invalid cookie should not be authorised")

 	// Should validate email
-	req = newHttpRequest("/foo")
+	req = newDefaultHttpRequest("/foo")
 	c = MakeCookie(req, "test@example.com")
 	config.Domains = []string{"test.com"}

@ -59,7 +59,7 @@ func TestServerAuthHandler(t *testing.T) {
 	assert.Equal(401, res.StatusCode, "invalid email should not be authorised")

 	// Should allow valid request email
-	req = newHttpRequest("/foo")
+	req = newDefaultHttpRequest("/foo")
 	c = MakeCookie(req, "test@example.com")
 	config.Domains = []string{}

@ -91,18 +91,18 @@ func TestServerAuthCallback(t *testing.T) {
 	config.Providers.Google.UserURL = userUrl

 	// Should pass auth response request to callback
-	req := newHttpRequest("/_oauth")
+	req := newDefaultHttpRequest("/_oauth")
 	res, _ := doHttpRequest(req, nil)
 	assert.Equal(401, res.StatusCode, "auth callback without cookie shouldn't be authorised")

 	// Should catch invalid csrf cookie
-	req = newHttpRequest("/_oauth?state=12345678901234567890123456789012:http://redirect")
+	req = newDefaultHttpRequest("/_oauth?state=12345678901234567890123456789012:http://redirect")
 	c := MakeCSRFCookie(req, "nononononononononononononononono")
 	res, _ = doHttpRequest(req, c)
 	assert.Equal(401, res.StatusCode, "auth callback with invalid cookie shouldn't be authorised")

 	// Should redirect valid request
-	req = newHttpRequest("/_oauth?state=12345678901234567890123456789012:http://redirect")
+	req = newDefaultHttpRequest("/_oauth?state=12345678901234567890123456789012:http://redirect")
 	c = MakeCSRFCookie(req, "12345678901234567890123456789012")
 	res, _ = doHttpRequest(req, c)
 	assert.Equal(307, res.StatusCode, "valid auth callback should be allowed")
@ -117,33 +117,151 @@ func TestServerDefaultAction(t *testing.T) {
 	assert := assert.New(t)
 	config, _ = NewConfig([]string{})

-	req := newHttpRequest("/random")
+	req := newDefaultHttpRequest("/random")
 	res, _ := doHttpRequest(req, nil)
 	assert.Equal(307, res.StatusCode, "request should require auth with auth default handler")

 	config.DefaultAction = "allow"
-	req = newHttpRequest("/random")
+	req = newDefaultHttpRequest("/random")
 	res, _ = doHttpRequest(req, nil)
 	assert.Equal(200, res.StatusCode, "request should be allowed with default handler")
 }

-func TestServerRoutePathPrefix(t *testing.T) {
+func TestServerRouteHeaders(t *testing.T) {
 	assert := assert.New(t)
 	config, _ = NewConfig([]string{})
 	config.Rules = map[string]*Rule{
-		"web1": {
+		"1": {
 			Action: "allow",
-			Rule:   "PathPrefix(`/api`)",
+			Rule:   "Headers(`X-Test`, `test123`)",
+		},
+		"2": {
+			Action: "allow",
+			Rule:   "HeadersRegexp(`X-Test`, `test(456|789)`)",
 		},
 	}

 	// Should block any request
-	req := newHttpRequest("/random")
+	req := newDefaultHttpRequest("/random")
+	req.Header.Add("X-Random", "hello")
+	res, _ := doHttpRequest(req, nil)
+	assert.Equal(307, res.StatusCode, "request not matching any rule should require auth")
+
+	// Should allow matching
+	req = newDefaultHttpRequest("/api")
+	req.Header.Add("X-Test", "test123")
+	res, _ = doHttpRequest(req, nil)
+	assert.Equal(200, res.StatusCode, "request matching allow rule should be allowed")
+
+	// Should allow matching
+	req = newDefaultHttpRequest("/api")
+	req.Header.Add("X-Test", "test789")
+	res, _ = doHttpRequest(req, nil)
+	assert.Equal(200, res.StatusCode, "request matching allow rule should be allowed")
+}
+
+func TestServerRouteHost(t *testing.T) {
+	assert := assert.New(t)
+	config, _ = NewConfig([]string{})
+	config.Rules = map[string]*Rule{
+		"1": {
+			Action: "allow",
+			Rule:   "Host(`api.example.com`)",
+		},
+		"2": {
+			Action: "allow",
+			Rule:   "HostRegexp(`sub{num:[0-9]}.example.com`)",
+		},
+	}
+
+	// Should block any request
+	req := newHttpRequest("GET", "https://example.com/", "/")
+	res, _ := doHttpRequest(req, nil)
+	assert.Equal(307, res.StatusCode, "request not matching any rule should require auth")
+
+	// Should allow matching request
+	req = newHttpRequest("GET", "https://api.example.com/", "/")
+	res, _ = doHttpRequest(req, nil)
+	assert.Equal(200, res.StatusCode, "request matching allow rule should be allowed")
+
+	// Should allow matching request
+	req = newHttpRequest("GET", "https://sub8.example.com/", "/")
+	res, _ = doHttpRequest(req, nil)
+	assert.Equal(200, res.StatusCode, "request matching allow rule should be allowed")
+}
+
+func TestServerRouteMethod(t *testing.T) {
+	assert := assert.New(t)
+	config, _ = NewConfig([]string{})
+	config.Rules = map[string]*Rule{
+		"1": {
+			Action: "allow",
+			Rule:   "Method(`PUT`)",
+		},
+	}
+
+	// Should block any request
+	req := newHttpRequest("GET", "https://example.com/", "/")
+	res, _ := doHttpRequest(req, nil)
+	assert.Equal(307, res.StatusCode, "request not matching any rule should require auth")
+
+	// Should allow matching request
+	req = newHttpRequest("PUT", "https://example.com/", "/")
+	res, _ = doHttpRequest(req, nil)
+	assert.Equal(200, res.StatusCode, "request matching allow rule should be allowed")
+}
+
+func TestServerRoutePath(t *testing.T) {
+	assert := assert.New(t)
+	config, _ = NewConfig([]string{})
+	config.Rules = map[string]*Rule{
+		"1": {
+			Action: "allow",
+			Rule:   "Path(`/api`)",
+		},
+		"2": {
+			Action: "allow",
+			Rule:   "PathPrefix(`/private`)",
+		},
+	}
+
+	// Should block any request
+	req := newDefaultHttpRequest("/random")
 	res, _ := doHttpRequest(req, nil)
 	assert.Equal(307, res.StatusCode, "request not matching any rule should require auth")

 	// Should allow /api request
-	req = newHttpRequest("/api")
+	req = newDefaultHttpRequest("/api")
+	res, _ = doHttpRequest(req, nil)
+	assert.Equal(200, res.StatusCode, "request matching allow rule should be allowed")
+
+	// Should allow /private request
+	req = newDefaultHttpRequest("/private")
+	res, _ = doHttpRequest(req, nil)
+	assert.Equal(200, res.StatusCode, "request matching allow rule should be allowed")
+
+	req = newDefaultHttpRequest("/private/path")
+	res, _ = doHttpRequest(req, nil)
+	assert.Equal(200, res.StatusCode, "request matching allow rule should be allowed")
+}
+
+func TestServerRouteQuery(t *testing.T) {
+	assert := assert.New(t)
+	config, _ = NewConfig([]string{})
+	config.Rules = map[string]*Rule{
+		"1": {
+			Action: "allow",
+			Rule:   "Query(`q=test123`)",
+		},
+	}
+
+	// Should block any request
+	req := newHttpRequest("GET", "https://example.com/", "/?q=no")
+	res, _ := doHttpRequest(req, nil)
+	assert.Equal(307, res.StatusCode, "request not matching any rule should require auth")
+
+	// Should allow matching request
+	req = newHttpRequest("GET", "https://api.example.com/", "/?q=test123")
 	res, _ = doHttpRequest(req, nil)
 	assert.Equal(200, res.StatusCode, "request matching allow rule should be allowed")
 }
@ -194,8 +312,15 @@ func doHttpRequest(r *http.Request, c *http.Cookie) (*http.Response, string) {
 	return res, string(body)
 }

-func newHttpRequest(uri string) *http.Request {
-	r := httptest.NewRequest("", "http://example.com/", nil)
+func newDefaultHttpRequest(uri string) *http.Request {
+	return newHttpRequest("", "http://example.com/", uri)
+}
+
+func newHttpRequest(method, dest, uri string) *http.Request {
+	r := httptest.NewRequest("", "http://should-use-x-forwarded.com", nil)
+	p, _ := url.Parse(dest)
+	r.Header.Add("X-Forwarded-Method", method)
+	r.Header.Add("X-Forwarded-Host", p.Host)
 	r.Header.Add("X-Forwarded-Uri", uri)
 	return r
 }
--- a/test/config0
+++ b/test/config0
@ -1,3 +1,5 @@
 cookie-name=inicookiename
 csrf-cookie-name=inicsrfcookiename
 url-path=one
+rule.1.action=allow
+rule.1.rule=PathPrefix(`/one`)
--- a/test/config1
+++ b/test/config1
@ -1 +1,3 @@
 url-path=two
+rule.two.action=auth
+rule.two.rule=Host(`two.com`) && Path(`/two`)
Author	SHA1	Message	Date
Thom Seddon	2c148d3a23	Add releases info to README	2019-06-10 12:19:53 +01:00
Thom Seddon	d33ecc0654	Make rule parsing more robust - check args length before popping - ensure rule has name	2019-06-10 11:38:50 +01:00
Thom Seddon	41a3f2a5a9	Fix missing client id/secret log message	2019-06-10 11:24:14 +01:00
Thom Seddon	5a17187855	Fix go-flags dep + formatting	2019-05-13 11:56:43 +01:00
Thom Seddon	e7b567bc92	Fix typos. Inspired by #43	2019-05-13 11:27:31 +01:00
Thom Seddon	a4a34dcd76	Handle unknown ini options	2019-05-07 19:17:42 +01:00
Thom Seddon	d1b12e4ffb	Fix host/method rule matching + tests	2019-05-07 14:16:38 +01:00
Thom Seddon	6f3ac5efe5	pre-release logging + docs improvements and fixes	2019-05-07 12:05:47 +01:00
Thom Seddon	b0e4b6333d	Use updated go-flags version for env-namespace support + fix docs	2019-05-07 10:39:29 +01:00
Thom Seddon	dd13f42ddf	Update README + examples for v2	2019-04-24 10:09:35 +01:00