Commit 139bf862 authored by Rohith Jayawardene's avatar Rohith Jayawardene Committed by GitHub

Dynamic Config Options (#168)

- changing the cli options to be dynamically generated from the Config struct
parent a6258ca1
...@@ -21,17 +21,14 @@ import ( ...@@ -21,17 +21,14 @@ import (
"os/signal" "os/signal"
"reflect" "reflect"
"syscall" "syscall"
"time"
"github.com/urfave/cli" "github.com/urfave/cli"
) )
//
// newOauthProxyApp creates a new cli application and runs it // newOauthProxyApp creates a new cli application and runs it
//
func newOauthProxyApp() *cli.App { func newOauthProxyApp() *cli.App {
config := newDefaultConfig() config := newDefaultConfig()
// step: create the cli application
app := cli.NewApp() app := cli.NewApp()
app.Name = prog app.Name = prog
app.Usage = description app.Usage = description
...@@ -50,7 +47,6 @@ func newOauthProxyApp() *cli.App { ...@@ -50,7 +47,6 @@ func newOauthProxyApp() *cli.App {
// step: set the default action // step: set the default action
app.Action = func(cx *cli.Context) error { app.Action = func(cx *cli.Context) error {
configFile := cx.String("config") configFile := cx.String("config")
// step: do we have a configuration file? // step: do we have a configuration file?
if configFile != "" { if configFile != "" {
if err := readConfigFile(configFile, config); err != nil { if err := readConfigFile(configFile, config); err != nil {
...@@ -93,278 +89,67 @@ func newOauthProxyApp() *cli.App { ...@@ -93,278 +89,67 @@ func newOauthProxyApp() *cli.App {
// getCLIOptions returns the command line options // getCLIOptions returns the command line options
func getCLIOptions() []cli.Flag { func getCLIOptions() []cli.Flag {
defaults := newDefaultConfig() defaults := newDefaultConfig()
return []cli.Flag{ var flags []cli.Flag
cli.StringFlag{ count := reflect.TypeOf(Config{}).NumField()
Name: "config", for i := 0; i < count; i++ {
Usage: "the path to the configuration file for the keycloak proxy", field := reflect.TypeOf(Config{}).Field(i)
EnvVar: "PROXY_CONFIG_FILE", usage, found := field.Tag.Lookup("usage")
}, if !found {
cli.StringFlag{ continue
Name: "listen",
Usage: "the interface the service should be listening on",
Value: defaults.Listen,
EnvVar: "PROXY_LISTEN",
},
cli.StringFlag{
Name: "listen-http",
Usage: "the interface you want the http-only service to use on",
EnvVar: "PROXY_HTTP_LISTEN",
},
cli.StringFlag{
Name: "discovery-url",
Usage: "the discovery url to retrieve the openid configuration",
EnvVar: "PROXY_DISCOVERY_URL",
},
cli.StringFlag{
Name: "client-secret",
Usage: "the client secret used to authenticate to the oauth server (access_type: confidential)",
EnvVar: "PROXY_CLIENT_SECRET",
},
cli.StringFlag{
Name: "client-id",
Usage: "the client id used to authenticate to the oauth service",
EnvVar: "PROXY_CLIENT_ID",
},
cli.StringSliceFlag{
Name: "scopes",
Usage: "a variable list of scopes requested when authenticating the user",
},
cli.BoolFlag{
Name: "token-validate-only",
Usage: "validate the token and roles only, no required implement oauth",
},
cli.StringFlag{
Name: "redirection-url",
Usage: fmt.Sprintf("redirection url for the oauth callback url (%s is added)", oauthURL),
EnvVar: "PROXY_REDIRECTION_URL",
},
cli.StringFlag{
Name: "revocation-url",
Usage: "the url for the revocation endpoint to revoke refresh token",
EnvVar: "PROXY_REVOCATION_URL",
},
cli.StringFlag{
Name: "store-url",
Usage: "url for the storage subsystem, e.g redis://127.0.0.1:6379, file:///etc/tokens.file",
EnvVar: "PROXY_STORE_URL",
},
cli.StringFlag{
Name: "upstream-url",
Usage: "the url for the upstream endpoint you wish to proxy to",
Value: defaults.Upstream,
EnvVar: "PROXY_UPSTREAM_URL",
},
cli.BoolTFlag{
Name: "upstream-keepalives",
Usage: "enables or disables the keepalive connections for upstream endpoint",
},
cli.DurationFlag{
Name: "upstream-timeout",
Usage: "is the maximum amount of time a dial will wait for a connect to complete",
Value: defaults.UpstreamTimeout,
},
cli.DurationFlag{
Name: "upstream-keepalive-timeout",
Usage: "specifies the keep-alive period for an active network connection",
Value: defaults.UpstreamKeepaliveTimeout,
},
cli.BoolTFlag{
Name: "secure-cookie",
Usage: "enforces the cookie to be secure, default to true",
},
cli.BoolFlag{
Name: "http-only-cookie",
Usage: "enforces the cookie is in http only mode, default to false",
},
cli.StringFlag{
Name: "cookie-domain",
Usage: "a domain the access cookie is available to, defaults host header",
},
cli.StringFlag{
Name: "cookie-access-name",
Usage: "the name of the cookie use to hold the access token",
Value: defaults.CookieAccessName,
},
cli.StringFlag{
Name: "cookie-refresh-name",
Usage: "the name of the cookie used to hold the encrypted refresh token",
Value: defaults.CookieRefreshName,
},
cli.StringFlag{
Name: "encryption-key",
Usage: "the encryption key used to encrpytion the session state",
},
cli.BoolFlag{
Name: "no-redirects",
Usage: "do not have back redirects when no authentication is present, 401 them",
},
cli.StringSliceFlag{
Name: "hostname",
Usage: "a list of hostnames the service will respond to, defaults to all",
},
cli.BoolTFlag{
Name: "enable-https-redirection",
Usage: "enable the http to https redirection on the http service",
},
cli.BoolTFlag{
Name: "enable-login-handler",
Usage: "this enables the login hanlder /oauth/login, by default this is disabled",
},
cli.BoolTFlag{
Name: "enable-authorization-header",
Usage: "adds the authorization header to the proxy request",
},
cli.BoolTFlag{
Name: "enable-refresh-tokens",
Usage: "enables the handling of the refresh tokens",
},
cli.BoolTFlag{
Name: "enable-metrics",
Usage: "enable the prometheus metrics collector on /oauth/metrics",
},
cli.BoolFlag{
Name: "enable-proxy-protocol",
Usage: "whether to enable proxy protocol",
},
cli.BoolFlag{
Name: "enable-forwarding",
Usage: "enables the forwarding proxy mode, signing outbound request",
},
cli.BoolTFlag{
Name: "enable-profiling",
Usage: "switching on the golang profiling via pprof on /debug/pprof, /debug/pprof/heap etc",
},
cli.BoolTFlag{
Name: "enable-security-filter",
Usage: "enables the security filter handler",
},
cli.BoolTFlag{
Name: "localhost-only-metrics",
Usage: "enforces the metrics page can only been requested from 127.0.0.1",
},
cli.StringFlag{
Name: "forwarding-username",
Usage: "the username to use when logging into the openid provider",
},
cli.StringFlag{
Name: "forwarding-password",
Usage: "the password to use when logging into the openid provider",
},
cli.StringSliceFlag{
Name: "forwarding-domains",
Usage: "a list of domains which should be signed; everything else is relayed unsigned",
},
cli.StringFlag{
Name: "tls-cert",
Usage: "the path to a certificate file used for TLS",
},
cli.StringFlag{
Name: "tls-private-key",
Usage: "the path to the private key for TLS support",
},
cli.StringFlag{
Name: "tls-ca-certificate",
Usage: "the path to the ca certificate used for mutual TLS",
},
cli.StringFlag{
Name: "tls-ca-key",
Usage: "the path the ca private key, used by the forward signing proxy",
},
cli.StringFlag{
Name: "tls-client-certificate",
Usage: "the path to the client certificate, used to outbound connections in reverse and forwarding proxy modes",
},
cli.BoolTFlag{
Name: "skip-upstream-tls-verify",
Usage: "whether to skip the verification of any upstream TLS (defaults to true)",
},
cli.BoolTFlag{
Name: "skip-openid-provider-tls-verify",
Usage: "whether to skip the verification of any TLS communication with the openid provider (defaults to false)",
},
cli.StringSliceFlag{
Name: "match-claims",
Usage: "keypair values for matching access token claims e.g. aud=myapp, iss=http://example.*",
},
cli.StringSliceFlag{
Name: "add-claims",
Usage: "retrieve extra claims from the token and inject into headers, e.g given_name -> X-Auth-Given-Name",
},
cli.StringSliceFlag{
Name: "resource",
Usage: "a list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2'",
},
cli.StringSliceFlag{
Name: "headers",
Usage: "Add custom headers to the upstream request, key=value",
},
cli.StringFlag{
Name: "sign-in-page",
Usage: "a custom template displayed for signin",
},
cli.StringFlag{
Name: "forbidden-page",
Usage: "a custom template used for access forbidden",
},
cli.StringSliceFlag{
Name: "tag",
Usage: "keypair's passed to the templates at render,e.g title='My Page'",
},
cli.StringSliceFlag{
Name: "cors-origins",
Usage: "list of origins to add to the CORE origins control (Access-Control-Allow-Origin)",
},
cli.StringSliceFlag{
Name: "cors-methods",
Usage: "the method permitted in the access control (Access-Control-Allow-Methods)",
},
cli.StringSliceFlag{
Name: "cors-headers",
Usage: "a set of headers to add to the CORS access control (Access-Control-Allow-Headers)",
},
cli.StringSliceFlag{
Name: "cors-exposes-headers",
Usage: "set the expose cors headers access control (Access-Control-Expose-Headers)",
},
cli.DurationFlag{
Name: "cors-max-age",
Usage: "the max age applied to cors headers (Access-Control-Max-Age)",
},
cli.BoolTFlag{
Name: "cors-credentials",
Usage: "the credentials access control header (Access-Control-Allow-Credentials)",
},
cli.BoolTFlag{
Name: "filter-browser-xss",
Usage: "enable the adds the X-XSS-Protection header with mode=block",
},
cli.BoolTFlag{
Name: "filter-content-nosniff",
Usage: "adds the X-Content-Type-Options header with the value nosniff",
},
cli.BoolFlag{
Name: "skip-token-verification",
Usage: "TESTING ONLY; bypass token verification, only expiration and roles enforced",
},
cli.BoolTFlag{
Name: "json-logging",
Usage: "switch on json logging rather than text (defaults true)",
},
cli.BoolTFlag{
Name: "log-requests",
Usage: "switch on logging of all incoming requests (defaults true)",
},
cli.BoolTFlag{
Name: "verbose",
Usage: "switch on debug / verbose logging",
},
} }
envName := field.Tag.Get("env")
if envName != "" {
envName = envPrefix + envName
}
optName := field.Tag.Get("yaml")
switch t := field.Type; t.Kind() {
case reflect.Bool:
dv := reflect.ValueOf(defaults).Elem().FieldByName(field.Name).Bool()
msg := fmt.Sprintf("%s (default: %t)", usage, dv)
flags = append(flags, cli.BoolTFlag{
Name: optName,
Usage: msg,
EnvVar: envName,
})
case reflect.String:
defaultValue := reflect.ValueOf(defaults).Elem().FieldByName(field.Name).String()
flags = append(flags, cli.StringFlag{
Name: optName,
Usage: usage,
EnvVar: envName,
Value: defaultValue,
})
case reflect.Slice:
fallthrough
case reflect.Map:
flags = append(flags, cli.StringSliceFlag{
Name: optName,
Usage: usage,
})
case reflect.Int64:
switch t.String() {
case "time.Duration":
dv := reflect.ValueOf(defaults).Elem().FieldByName(field.Name).Int()
flags = append(flags, cli.DurationFlag{
Name: optName,
Usage: usage,
Value: time.Duration(dv),
})
default:
panic("unknown uint64 type in the Config struct")
}
default:
errMsg := fmt.Sprintf("field: %s, type: %s, kind: %s is not being handled", field.Name, t.String(), t.Kind())
panic(errMsg)
}
}
return flags
} }
//
// parseCLIOptions parses the command line options and constructs a config object // parseCLIOptions parses the command line options and constructs a config object
// @TODO look for a shorter way of doing this, we're maintaining the same options in multiple places, it's tedious! // @TODO look for a shorter way of doing this, we're maintaining the same options in multiple places, it's tedious!
//
func parseCLIOptions(cx *cli.Context, config *Config) (err error) { func parseCLIOptions(cx *cli.Context, config *Config) (err error) {
// step: we can ignore these options in the Config struct // step: we can ignore these options in the Config struct
ignoredOptions := []string{"tag-data", "match-claims", "resources", "headers"} ignoredOptions := []string{"tag-data", "match-claims", "resources", "headers"}
......
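Review bot: The `case reflect.Bool:` branch of the rewritten getCLIOptions registers every bool field as a cli.BoolTFlag, whose value defaults to true, even when the Config default read into `dv` is false — `dv` only reaches the usage text. Options the removed code deliberately declared as cli.BoolFlag, such as skip-token-verification, enable-forwarding and skip-openid-provider-tls-verify, would therefore read as true whenever the cli value is consulted, unless parseCLIOptions (outside this hunk) guards every read with cx.IsSet, which is not visible here. Choosing the flag type from the default keeps the previous semantics. Separately, the panic text in the reflect.Int64 branch says "uint64" although the case is Int64, and `reflect.TypeOf(Config{})` could be computed once before the loop rather than per iteration.
```go
case reflect.Bool:
	dv := reflect.ValueOf(defaults).Elem().FieldByName(field.Name).Bool()
	msg := fmt.Sprintf("%s (default: %t)", usage, dv)
	// BoolTFlag defaults to true; keep default-false options as BoolFlag
	if dv {
		flags = append(flags, cli.BoolTFlag{Name: optName, Usage: msg, EnvVar: envName})
	} else {
		flags = append(flags, cli.BoolFlag{Name: optName, Usage: msg, EnvVar: envName})
	}
// … unchanged: String, Slice/Map, Int64 and default cases …
```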
...@@ -40,6 +40,7 @@ const ( ...@@ -40,6 +40,7 @@ const (
userContextName = "identity" userContextName = "identity"
authorizationHeader = "Authorization" authorizationHeader = "Authorization"
versionHeader = "X-Auth-Proxy-Version" versionHeader = "X-Auth-Proxy-Version"
envPrefix = "PROXY_"
oauthURL = "/oauth" oauthURL = "/oauth"
authorizationURL = "/authorize" authorizationURL = "/authorize"
...@@ -103,142 +104,142 @@ type Cors struct { ...@@ -103,142 +104,142 @@ type Cors struct {
// Config is the configuration for the proxy // Config is the configuration for the proxy
type Config struct { type Config struct {
// ConfigFile is the binding interface
ConfigFile string `json:"config" yaml:"config" usage:"path the a configuration file" env:"CONFIG_FILE"`
// Listen is the binding interface // Listen is the binding interface
Listen string `json:"listen" yaml:"listen"` Listen string `json:"listen" yaml:"listen" usage:"the interface the service should be listening on" env:"LISTEN"`
// ListenHTTP is the interface to bind the http only service on // ListenHTTP is the interface to bind the http only service on
ListenHTTP string `json:"listen-http" yaml:"listen-http"` ListenHTTP string `json:"listen-http" yaml:"listen-http" usage:"interface we should be listening" env:"LISTEN_HTTP"`
// DiscoveryURL is the url for the keycloak server // DiscoveryURL is the url for the keycloak server
DiscoveryURL string `json:"discovery-url" yaml:"discovery-url"` DiscoveryURL string `json:"discovery-url" yaml:"discovery-url" usage:"discovery url to retrieve the openid configuration" env:"DISCOVERY_URL"`
// ClientID is the client id // ClientID is the client id
ClientID string `json:"client-id" yaml:"client-id"` ClientID string `json:"client-id" yaml:"client-id" usage:"client id used to authenticate to the oauth service" env:"CLIENT_ID"`
// ClientSecret is the secret for AS // ClientSecret is the secret for AS
ClientSecret string `json:"client-secret" yaml:"client-secret"` ClientSecret string `json:"client-secret" yaml:"client-secret" usage:"client secret used to authenticate to the oauth service" env:"CLIENT_SECERT"`
// RedirectionURL the redirection url // RedirectionURL the redirection url
RedirectionURL string `json:"redirection-url" yaml:"redirection-url"` RedirectionURL string `json:"redirection-url" yaml:"redirection-url" usage:"redirection url for the oauth callback url" env:"REDIRECTION_URL"`
// RevocationEndpoint is the token revocation endpoint to revoke refresh tokens // RevocationEndpoint is the token revocation endpoint to revoke refresh tokens
RevocationEndpoint string `json:"revocation-url" yaml:"revocation-url"` RevocationEndpoint string `json:"revocation-url" yaml:"revocation-url" usage:"url for the revocation endpoint to revoke refresh token" env:"REVOCATION_URL"`
// SkipOpenIDProviderTLSVerify skips the tls verification for openid provider communication // SkipOpenIDProviderTLSVerify skips the tls verification for openid provider communication
SkipOpenIDProviderTLSVerify bool `json:"skip-openid-provider-tls-verify" yaml:"skip-openid-provider-tls-verify"` SkipOpenIDProviderTLSVerify bool `json:"skip-openid-provider-tls-verify" yaml:"skip-openid-provider-tls-verify" usage:"skip the verification of any TLS communication with the openid provider"`
// Scopes is a list of scope we should request // Scopes is a list of scope we should request
Scopes []string `json:"scopes" yaml:"scopes"` Scopes []string `json:"scopes" yaml:"scopes" usage:"list of scopes requested when authenticating the user"`
// Upstream is the upstream endpoint i.e whom were proxying to // Upstream is the upstream endpoint i.e whom were proxying to
Upstream string `json:"upstream-url" yaml:"upstream-url"` Upstream string `json:"upstream-url" yaml:"upstream-url" usage:"url for the upstream endpoint you wish to proxy" env:"UPSTREAM_URL"`
// Resources is a list of protected resources // Resources is a list of protected resources
Resources []*Resource `json:"resources" yaml:"resources"` Resources []*Resource `json:"resources" yaml:"resources" usage:"list of resources 'uri=/admin|methods=GET,PUT|roles=role1,role2'"`
// Headers permits adding customs headers across the board // Headers permits adding customs headers across the board
Headers map[string]string `json:"headers" yaml:"headers"` Headers map[string]string `json:"headers" yaml:"headers" usage:"custom headers to the upstream request, key=value"`
// EnableForwarding enables the forwarding proxy // EnableForwarding enables the forwarding proxy
EnableForwarding bool `json:"enable-forwarding" yaml:"enable-forwarding"` EnableForwarding bool `json:"enable-forwarding" yaml:"enable-forwarding" usage:"enables the forwarding proxy mode, signing outbound request"`
// EnableSecurityFilter enabled the security handler // EnableSecurityFilter enabled the security handler
EnableSecurityFilter bool `json:"enable-security-filter" yaml:"enable-security-filter"` EnableSecurityFilter bool `json:"enable-security-filter" yaml:"enable-security-filter" usage:"enables the security filter handler"`
// EnableRefreshTokens indicate's you wish to ignore using refresh tokens and re-auth on expiration of access token // EnableRefreshTokens indicate's you wish to ignore using refresh tokens and re-auth on expiration of access token
EnableRefreshTokens bool `json:"enable-refresh-tokens" yaml:"enable-refresh-tokens"` EnableRefreshTokens bool `json:"enable-refresh-tokens" yaml:"enable-refresh-tokens" usage:"nables the handling of the refresh tokens" env:"ENABLE_SECURITY_FILTER"`
// EnableLoginHandler indicates we want the login handler enabled // EnableLoginHandler indicates we want the login handler enabled
EnableLoginHandler bool `json:"enable-login-handler" yaml:"enable-login-handler"` EnableLoginHandler bool `json:"enable-login-handler" yaml:"enable-login-handler" usage:"enables the handling of the refresh tokens" env:"ENABLE_LOGIN_HANDLER"`
// EnableAuthorizationHeader indicates we should pass the authorization header // EnableAuthorizationHeader indicates we should pass the authorization header
EnableAuthorizationHeader bool `json:"enable-authorization-header" yaml:"enable-authorization-header"` EnableAuthorizationHeader bool `json:"enable-authorization-header" yaml:"enable-authorization-header" usage:"adds the authorization header to the proxy request"`
// EnableHTTPSRedirect indicate we should redirection http -> https // EnableHTTPSRedirect indicate we should redirection http -> https
EnableHTTPSRedirect bool `json:"enable-https-redirection" yaml:"enable-https-redirection"` EnableHTTPSRedirect bool `json:"enable-https-redirection" yaml:"enable-https-redirection" usage:"enable the http to https redirection on the http service"`
// EnableProfiling indicates if profiles is switched on // EnableProfiling indicates if profiles is switched on
EnableProfiling bool `json:"enable-profiling" yaml:"enable-profiling"` EnableProfiling bool `json:"enable-profiling" yaml:"enable-profiling" usage:"switching on the golang profiling via pprof on /debug/pprof, /debug/pprof/heap etc"`
// EnableMetrics indicates if the metrics is enabled // EnableMetrics indicates if the metrics is enabled
EnableMetrics bool `json:"enable-metrics" yaml:"enable-metrics"` EnableMetrics bool `json:"enable-metrics" yaml:"enable-metrics" usage:"enable the prometheus metrics collector on /oauth/metrics"`
// EnableURIMetrics indicates we want to keep metrics on uri request times
EnableURIMetrics bool `json:"enable-uri-metrics" yaml:"enable-uri-metrics"`
// EnableBrowserXSSFilter indicates you want the filter on // EnableBrowserXSSFilter indicates you want the filter on
EnableBrowserXSSFilter bool `json:"filter-browser-xss" yaml:"filter-browser-xss"` EnableBrowserXSSFilter bool `json:"filter-browser-xss" yaml:"filter-browser-xss" usage:"enable the adds the X-XSS-Protection header with mode=block"`
// EnableContentNoSniff indicates you want the filter on // EnableContentNoSniff indicates you want the filter on
EnableContentNoSniff bool `json:"filter-content-nosniff" yaml:"filter-content-nosniff"` EnableContentNoSniff bool `json:"filter-content-nosniff" yaml:"filter-content-nosniff" usage:"adds the X-Content-Type-Options header with the value nosniff"`
// EnableFrameDeny indicates the filter is on // EnableFrameDeny indicates the filter is on
EnableFrameDeny bool `json:"filter-frame-deny" yaml:"filter-frame-deny"` EnableFrameDeny bool `json:"filter-frame-deny" yaml:"filter-frame-deny" usage:"enable to the frame deny header"`
// ContentSecurityPolicy allows the Content-Security-Policy header value to be set with a custom value // ContentSecurityPolicy allows the Content-Security-Policy header value to be set with a custom value
ContentSecurityPolicy string `json:"content-security-policy" yaml:"content-security-policy"` ContentSecurityPolicy string `json:"content-security-policy" yaml:"content-security-policy" usage:"specify the content security policy"`
// LocalhostMetrics indicated the metrics can only be consume via localhost // LocalhostMetrics indicated the metrics can only be consume via localhost
LocalhostMetrics bool `json:"localhost-metrics" yaml:"localhost-metrics"` LocalhostMetrics bool `json:"localhost-metrics" yaml:"localhost-metrics" usage:"enforces the metrics page can only been requested from 127.0.0.1"`
// CookieDomain is a list of domains the cookie is available to // CookieDomain is a list of domains the cookie is available to
CookieDomain string `json:"cookie-domain" yaml:"cookie-domain"` CookieDomain string `json:"cookie-domain" yaml:"cookie-domain" usage:"domain the access cookie is available to, defaults host header"`
// CookieAccessName is the name of the access cookie holding the access token // CookieAccessName is the name of the access cookie holding the access token
CookieAccessName string `json:"cookie-access-name" yaml:"cookie-access-name"` CookieAccessName string `json:"cookie-access-name" yaml:"cookie-access-name" usage:"name of the cookie use to hold the access token"`
// CookieRefreshName is the name of the refresh cookie // CookieRefreshName is the name of the refresh cookie
CookieRefreshName string `json:"cookie-refresh-name" yaml:"cookie-refresh-name"` CookieRefreshName string `json:"cookie-refresh-name" yaml:"cookie-refresh-name" usage:"name of the cookie used to hold the encrypted refresh token"`
// SecureCookie enforces the cookie as secure // SecureCookie enforces the cookie as secure
SecureCookie bool `json:"secure-cookie" yaml:"secure-cookie"` SecureCookie bool `json:"secure-cookie" yaml:"secure-cookie" usage:"enforces the cookie to be secure"`
// HTTPOnlyCookie enforces the cookie as http only // HTTPOnlyCookie enforces the cookie as http only
HTTPOnlyCookie bool `json:"http-only-cookie" yaml:"http-only-cookie"` HTTPOnlyCookie bool `json:"http-only-cookie" yaml:"http-only-cookie" usage:"enforces the cookie is in http only mode"`
// MatchClaims is a series of checks, the claims in the token must match those here // MatchClaims is a series of checks, the claims in the token must match those here
MatchClaims map[string]string `json:"match-claims" yaml:"match-claims"` MatchClaims map[string]string `json:"match-claims" yaml:"match-claims" usage:"keypair values for matching access token claims e.g. aud=myapp, iss=http://example.*"`
// AddClaims is a series of claims that should be added to the auth headers // AddClaims is a series of claims that should be added to the auth headers
AddClaims []string `json:"add-claims" yaml:"add-claims"` AddClaims []string `json:"add-claims" yaml:"add-claims" usage:"extra claims from the token and inject into headers, e.g given_name -> X-Auth-Given-Name"`
// TLSCertificate is the location for a tls certificate // TLSCertificate is the location for a tls certificate
TLSCertificate string `json:"tls-cert" yaml:"tls-cert"` TLSCertificate string `json:"tls-cert" yaml:"tls-cert" usage:"path to ths TLS certificate"`
// TLSPrivateKey is the location of a tls private key // TLSPrivateKey is the location of a tls private key
TLSPrivateKey string `json:"tls-private-key" yaml:"tls-private-key"` TLSPrivateKey string `json:"tls-private-key" yaml:"tls-private-key" usage:"path to the private key for TLS"`
// TLSCaCertificate is the CA certificate which the client cert must be signed // TLSCaCertificate is the CA certificate which the client cert must be signed
TLSCaCertificate string `json:"tls-ca-certificate" yaml:"tls-ca-certificate"` TLSCaCertificate string `json:"tls-ca-certificate" yaml:"tls-ca-certificate" usage:"path to the ca certificate used for signing requests"`
// TLSCaPrivateKey is the CA private key used for signing // TLSCaPrivateKey is the CA private key used for signing
TLSCaPrivateKey string `json:"tls-ca-key" yaml:"tls-ca-key"` TLSCaPrivateKey string `json:"tls-ca-key" yaml:"tls-ca-key" usage:"path the ca private key, used by the forward signing proxy"`
// TLSClientCertificate is path to a client certificate to use for outbound connections // TLSClientCertificate is path to a client certificate to use for outbound connections
TLSClientCertificate string `json:"tls-client-certificate" yaml:"tls-client-certificate"` TLSClientCertificate string `json:"tls-client-certificate" yaml:"tls-client-certificate" usage:"path to the client certificate for outbound connections in reverse and forwarding proxy modes"`
// SkipUpstreamTLSVerify skips the verification of any upstream tls // SkipUpstreamTLSVerify skips the verification of any upstream tls
SkipUpstreamTLSVerify bool `json:"skip-upstream-tls-verify" yaml:"skip-upstream-tls-verify"` SkipUpstreamTLSVerify bool `json:"skip-upstream-tls-verify" yaml:"skip-upstream-tls-verify" usage:"skip the verification of any upstream TLS"`
// CorsOrigins is a list of origins permitted // CorsOrigins is a list of origins permitted
CorsOrigins []string `json:"cors-origins" yaml:"cors-origins"` CorsOrigins []string `json:"cors-origins" yaml:"cors-origins" usage:"origins to add to the CORE origins control (Access-Control-Allow-Origin)"`
// CorsMethods is a set of access control methods // CorsMethods is a set of access control methods
CorsMethods []string `json:"cors-methods" yaml:"cors-methods"` CorsMethods []string `json:"cors-methods" yaml:"cors-methods" usage:"methods permitted in the access control (Access-Control-Allow-Methods)"`
// CorsHeaders is a set of cors headers // CorsHeaders is a set of cors headers
CorsHeaders []string `json:"cors-headers" yaml:"cors-headers"` CorsHeaders []string `json:"cors-headers" yaml:"cors-headers" usage:"set of headers to add to the CORS access control (Access-Control-Allow-Headers)"`
// CorsExposedHeaders are the exposed header fields // CorsExposedHeaders are the exposed header fields
CorsExposedHeaders []string `json:"cors-exposed-headers" yaml:"cors-exposed-headers"` CorsExposedHeaders []string `json:"cors-exposed-headers" yaml:"cors-exposed-headers" usage:"expose cors headers access control (Access-Control-Expose-Headers)"`
// CorsCredentials set the creds flag // CorsCredentials set the creds flag
CorsCredentials bool `json:"cors-credentials" yaml:"cors-credentials"` CorsCredentials bool `json:"cors-credentials" yaml:"cors-credentials" usage:"credentials access control header (Access-Control-Allow-Credentials)"`
// CorsMaxAge is the age for CORS // CorsMaxAge is the age for CORS
CorsMaxAge time.Duration `json:"cors-max-age" yaml:"cors-max-age"` CorsMaxAge time.Duration `json:"cors-max-age" yaml:"cors-max-age" usage:"max age applied to cors headers (Access-Control-Max-Age)"`
// Hostname is a list of hostname's the service should response to // Hostname is a list of hostname's the service should response to
Hostnames []string `json:"hostnames" yaml:"hostnames"` Hostnames []string `json:"hostnames" yaml:"hostnames" usage:"list of hostnames the service will respond to"`
// Store is a url for a store resource, used to hold the refresh tokens // Store is a url for a store resource, used to hold the refresh tokens
StoreURL string `json:"store-url" yaml:"store-url"` StoreURL string `json:"store-url" yaml:"store-url" usage:"url for the storage subsystem, e.g redis://127.0.0.1:6379, file:///etc/tokens.file"`
// EncryptionKey is the encryption key used to encrypt the refresh token // EncryptionKey is the encryption key used to encrypt the refresh token
EncryptionKey string `json:"encryption-key" yaml:"encryption-key"` EncryptionKey string `json:"encryption-key" yaml:"encryption-key" usage:"encryption key used to encrpytion the session state"`
// LogRequests indicates if we should log all the requests // LogRequests indicates if we should log all the requests
LogRequests bool `json:"log-requests" yaml:"log-requests"` LogRequests bool `json:"log-requests" yaml:"log-requests" usage:"enable http logging of the requests"`
// LogFormat is the logging format // LogFormat is the logging format
LogJSONFormat bool `json:"json-format" yaml:"json-format"` LogJSONFormat bool `json:"json-format" yaml:"json-format" usage:"switch on json logging rather than text"`
// NoRedirects informs we should hand back a 401 not a redirect // NoRedirects informs we should hand back a 401 not a redirect
NoRedirects bool `json:"no-redirects" yaml:"no-redirects"` NoRedirects bool `json:"no-redirects" yaml:"no-redirects" usage:"do not have back redirects when no authentication is present, 401 them"`
// SkipTokenVerification tells the service to skipp verifying the access token - for testing purposes // SkipTokenVerification tells the service to skipp verifying the access token - for testing purposes
SkipTokenVerification bool `json:"skip-token-verification" yaml:"skip-token-verification"` SkipTokenVerification bool `json:"skip-token-verification" yaml:"skip-token-verification" usage:"TESTING ONLY; bypass token verification, only expiration and roles enforced"`
// UpstreamKeepalives specifies whether we use keepalives on the upstream // UpstreamKeepalives specifies whether we use keepalives on the upstream
UpstreamKeepalives bool `json:"upstream-keepalives" yaml:"upstream-keepalives"` UpstreamKeepalives bool `json:"upstream-keepalives" yaml:"upstream-keepalives" usage:"enables or disables the keepalive connections for upstream endpoint"`
// UpstreamTimeout is the maximum amount of time a dial will wait for a connect to complete // UpstreamTimeout is the maximum amount of time a dial will wait for a connect to complete
UpstreamTimeout time.Duration `json:"upstream-timeout" yaml:"upstream-timeout"` UpstreamTimeout time.Duration `json:"upstream-timeout" yaml:"upstream-timeout" usage:"maximum amount of time a dial will wait for a connect to complete"`
// UpstreamKeepaliveTimeout // UpstreamKeepaliveTimeout
UpstreamKeepaliveTimeout time.Duration `json:"upstream-keepalive-timeout" yaml:"upstream-keepalive-timeout"` UpstreamKeepaliveTimeout time.Duration `json:"upstream-keepalive-timeout" yaml:"upstream-keepalive-timeout" usage:"specifies the keep-alive period for an active network connection"`
// Verbose switches on debug logging // Verbose switches on debug logging
Verbose bool `json:"verbose" yaml:"verbose"` Verbose bool `json:"verbose" yaml:"verbose" usage:"switch on debug / verbose logging"`
// EnableProxyProtocol controls the proxy protocol // EnableProxyProtocol controls the proxy protocol
EnableProxyProtocol bool `json:"enabled-proxy-protocol" yaml:"enabled-proxy-protocol"` EnableProxyProtocol bool `json:"enabled-proxy-protocol" yaml:"enabled-proxy-protocol" usage:"enable proxy protocol"`
// SignInPage is the relative url for the sign in page // SignInPage is the relative url for the sign in page
SignInPage string `json:"sign-in-page" yaml:"sign-in-page"` SignInPage string `json:"sign-in-page" yaml:"sign-in-page" usage:"path to custom template displayed for signin"`
// ForbiddenPage is a access forbidden page // ForbiddenPage is a access forbidden page
ForbiddenPage string `json:"forbidden-page" yaml:"forbidden-page"` ForbiddenPage string `json:"forbidden-page" yaml:"forbidden-page" usage:"path to custom template used for access forbidden"`
// TagData is passed to the templates // TagData is passed to the templates
TagData map[string]string `json:"tag-data" yaml:"tag-data"` TagData map[string]string `json:"tag-data" yaml:"tag-data" usage:"keypair's passed to the templates at render,e.g title=Page"`
// ForwardingUsername is the username to login to the oauth service // ForwardingUsername is the username to login to the oauth service
ForwardingUsername string `json:"forwarding-username" yaml:"forwarding-username"` ForwardingUsername string `json:"forwarding-username" yaml:"forwarding-username" usage:"username to use when logging into the openid provider"`
// ForwardingPassword is the password to use for the above // ForwardingPassword is the password to use for the above
ForwardingPassword string `json:"forwarding-password" yaml:"forwarding-password"` ForwardingPassword string `json:"forwarding-password" yaml:"forwarding-password" usage:"password to use when logging into the openid provider"`
// ForwardingDomains is a collection of domains to signs // ForwardingDomains is a collection of domains to signs
ForwardingDomains []string `json:"forwarding-domains" yaml:"forwarding-domains"` ForwardingDomains []string `json:"forwarding-domains" yaml:"forwarding-domains" usage:"list of domains which should be signed; everything else is relayed unsigned"`
} }
// store is used to hold the offline refresh token, assuming you don't want to use // store is used to hold the offline refresh token, assuming you don't want to use
......
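Review bot: The env tag on ClientSecret, `env:"CLIENT_SECERT"`, is misspelled, so once envPrefix is applied the option binds to PROXY_CLIENT_SECERT instead of the PROXY_CLIENT_SECRET the removed cli.StringFlag used; a deployment that passes the secret through that variable would start without it and only notice at the first token exchange. In the same hunk EnableRefreshTokens carries `env:"ENABLE_SECURITY_FILTER"` and a usage string reading "nables the handling of the refresh tokens", while EnableLoginHandler repeats the refresh-token usage text. ListenHTTP also moves from PROXY_HTTP_LISTEN to PROXY_LISTEN_HTTP and StoreURL loses its PROXY_STORE_URL binding, neither of which the commit description mentions. The first two tags should read `env:"CLIENT_SECRET"` and something like `env:"ENABLE_REFRESH_TOKENS"` (constructed to match the field), and the renamed or dropped variables should either be restored or called out in the description.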