- changing the name of the field from rolesallowed to roles

README.md

@@ -134,9 +134,28 @@ resources:
   - url: /admin
     methods:
       - GET
-    roles_allowed:
-      - <CLIENT_APP_NAME>:<ROLE_NAME>
-      - <CLIENT_APP_NAME>:<ROLE_NAME>
+    roles:
+      - client:test1
+      - client:test2
+  - url: /backend
+    roles:
+      - client:test1
+```
+
+Note, anything defined in the configuration file can also be configured as command line options, so the above would be reflected as;
+
+```shell
+bin/keycloak-proxy \
+    --discovery-url=https://keycloak.example.com/auth/realms/<REALM_NAME> \
+    --client-id=<CLIENT_ID> \
+    --secret=<SECRET> \
+    --listen=127.0.0.1:3000 \
+    --redirection-url=http://127.0.0.3000 \
+    --refresh-sessions=true \
+    --encryption-key=AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j \
+    --upstream=http://127.0.0.1:80 \
+    --resource="uri=/admin|methods=GET|roles=test1,test2" \
+    --resource="uri=/backend|roles=test1"
 ```
 
 #### **Upstream Headers**
@@ -194,7 +213,7 @@ fix this by fixing up the paths, you can add excepts to the protected resources.
   - url: /
     methods:
       - GET
-    roles_allowed:
+    roles:
       - <CLIENT_APP_NAME>:<ROLE_NAME>
       - <CLIENT_APP_NAME>:<ROLE_NAME>
 ```
@@ -204,6 +223,7 @@ Or on the command line
 ```shell
   --resource "uri=/some_white_listed_url,white-listed=true"
   --resource "uri=/"  # requires authentication on the rest
+  --resource "uri=/admin|roles=admin,superuser|methods=POST,DELETE
 ```
 
 #### **Mutual TLS**

config.go

@@ -82,13 +82,13 @@ func (r *Config) isValid() error {
 		if strings.HasSuffix(r.RedirectionURL, "/") {
 			r.RedirectionURL = strings.TrimSuffix(r.RedirectionURL, "/")
 		}
-		if r.EncryptionKey == "" && r.RefreshSession {
+		if r.EncryptionKey == "" && r.RefreshSessions {
 			return fmt.Errorf("you have not specified a encryption key for encoding the session state")
 		}
 		if r.EncryptionKey != "" && len(r.EncryptionKey) < 32 {
 			return fmt.Errorf("the encryption key is too short, must be longer than 32 characters")
 		}
-		if r.MaxSession == 0 && r.RefreshSession {
+		if r.MaxSession == 0 && r.RefreshSessions {
 			r.MaxSession = time.Duration(6) * time.Hour
 		}
 	}
@@ -167,7 +167,7 @@ func readOptions(cx *cli.Context, config *Config) (err error) {
 		config.ProxyProtocol = cx.Bool("proxy-protocol")
 	}
 	if cx.IsSet("refresh-sessions") {
-		config.RefreshSession = cx.Bool("refresh-sessions")
+		config.RefreshSessions = cx.Bool("refresh-sessions")
 	}
 	if cx.IsSet("json-logging") {
 		config.LogJSONFormat = cx.Bool("json-logging")

config_sample.yml

@@ -41,7 +41,7 @@ resources:
     methods:
       - GET
     # a list of roles the user must have in order to accces urls under the above
-    roles_allowed:
+    roles:
       - openvpn:vpn-user
       - openvpn:prod-vpn
   - url: /admin/white_listed
@@ -50,6 +50,6 @@ resources:
   - url: /admin
     methods:
       - GET
-    roles_allowed:
+    roles:
       - openvpn:vpn-user
       - openvpn:prod-vpn

doc.go

@@ -63,8 +63,8 @@ type Resource struct {
 	Methods []string `json:"methods" yaml:"methods"`
 	// WhiteListed permits the prefix through
 	WhiteListed bool `json:"white-listed" yaml:"white-listed"`
-	// RolesAllowed the roles required to access this url
-	RolesAllowed []string `json:"roles_allowed" yaml:"roles_allowed"`
+	// Roles the roles required to access this url
+	Roles []string `json:"roles" yaml:"roles"`
 }
 
 // Config is the configuration for the proxy
@@ -81,8 +81,8 @@ type Config struct {
 	Secret string `json:"secret" yaml:"secret"`
 	// RedirectionURL the redirection url
 	RedirectionURL string `json:"redirection_url" yaml:"redirection_url"`
-	// RefreshSession enabled refresh access
-	RefreshSession bool `json:"refresh_session" yaml:"refresh_session"`
+	// RefreshSessions enabled refresh access
+	RefreshSessions bool `json:"refresh_sessions" yaml:"refresh_sessions"`
 	// EncryptionKey is the encryption key used to encrypt the refresh token
 	EncryptionKey string `json:"encryption_key" yaml:"encryption_key"`
 	// MaxSession the max session for refreshing

handlers.go

@@ -148,7 +148,7 @@ func (r *KeycloakProxy) authenticationHandler() gin.HandlerFunc {
 		session, isBearer, err := r.getSessionToken(cx)
 		if err != nil {
 			// step: there isn't a session cookie, do we have refresh session cookie?
-			if err == ErrSessionNotFound && r.config.RefreshSession && !isBearer {
+			if err == ErrSessionNotFound && r.config.RefreshSessions && !isBearer {
 				session, err = r.refreshUserSessionToken(cx)
 				if err != nil {
 					log.WithFields(log.Fields{"error": err.Error()}).Errorf("failed to refresh the access token")
@@ -223,7 +223,7 @@ func (r *KeycloakProxy) authenticationHandler() gin.HandlerFunc {
 			}
 
 			// step: are we refreshing the access tokens?
-			if !r.config.RefreshSession {
+			if !r.config.RefreshSessions {
 				log.WithFields(fields).Errorf("the session has expired and token refreshing is disabled")
 				r.redirectToAuthorization(cx)
 				return
@@ -269,8 +269,8 @@ func (r *KeycloakProxy) admissionHandler() gin.HandlerFunc {
 		identity := uc.(*userContext)
 
 		// step: we need to check the roles
-		if roles := len(resource.RolesAllowed); roles > 0 {
-			if !hasRoles(resource.RolesAllowed, identity.roles) {
+		if roles := len(resource.Roles); roles > 0 {
+			if !hasRoles(resource.Roles, identity.roles) {
 				log.WithFields(log.Fields{
 					"access":   "denied",
 					"username": identity.name,
@@ -419,7 +419,7 @@ func (r *KeycloakProxy) oauthAuthorizationHandler(cx *gin.Context) {
 
 	// step: get the access type required
 	accessType := ""
-	if r.config.RefreshSession {
+	if r.config.RefreshSessions {
 		accessType = "offline"
 	}
 
@@ -496,7 +496,7 @@ func (r *KeycloakProxy) oauthCallbackHandler(cx *gin.Context) {
 	}
 
 	// step: do we have session data to persist?
-	if r.config.RefreshSession {
+	if r.config.RefreshSessions {
 		// step: parse the token
 		_, ident, err := r.parseToken(response.RefreshToken)
 		if err != nil {

handlers_test.go

@@ -36,7 +36,7 @@ func TestEntrypointHandlerSecure(t *testing.T) {
 		{
 			URL:     "/",
 			Methods: []string{"POST"},
-			RolesAllowed: []string{"test"},
+			Roles:   []string{"test"},
 		},
 	})
 
@@ -180,17 +180,17 @@ func TestAdmissionHandlerRoles(t *testing.T) {
 		{
 			URL:     "/admin",
 			Methods: []string{"ANY"},
-			RolesAllowed: []string{"admin"},
+			Roles:   []string{"admin"},
 		},
 		{
 			URL:     "/test",
 			Methods: []string{"GET"},
-			RolesAllowed: []string{"test"},
+			Roles:   []string{"test"},
 		},
 		{
 			URL:     "/either",
 			Methods: []string{"ANY"},
-			RolesAllowed: []string{"admin", "test"},
+			Roles:   []string{"admin", "test"},
 		},
 		{
 			URL:     "/",

resource.go

@@ -26,8 +26,8 @@ func (r *Resource) isValid() error {
 	if r.Methods == nil {
 		r.Methods = make([]string, 0)
 	}
-	if r.RolesAllowed == nil {
-		r.RolesAllowed = make([]string, 0)
+	if r.Roles == nil {
+		r.Roles = make([]string, 0)
 	}
 
 	if strings.HasPrefix(r.URL, oauthURL) {
@@ -56,7 +56,7 @@ func (r *Resource) isValid() error {
 
 // getRoles gets a list of roles
 func (r Resource) getRoles() string {
-	return strings.Join(r.RolesAllowed, ",")
+	return strings.Join(r.Roles, ",")
 }
 
 func (r Resource) String() string {
@@ -67,10 +67,10 @@ func (r Resource) String() string {
 		return fmt.Sprintf("uri: %s, white-listed", r.URL)
 	}
 
-	if len(r.RolesAllowed) <= 0 {
+	if len(r.Roles) <= 0 {
 		roles = "authentication only"
 	} else {
-		methods = strings.Join(r.RolesAllowed, ",")
+		methods = strings.Join(r.Roles, ",")
 	}
 
 	if len(r.Methods) <= 0 {

resource_test.go

@@ -53,7 +53,7 @@ func TestIsValid(t *testing.T) {
 
 func TestResourceString(t *testing.T) {
 	resource := &Resource{
-		RolesAllowed: []string{"1", "2", "3"},
+		Roles: []string{"1", "2", "3"},
 	}
 	if s := resource.String(); s == "" {
 		t.Errorf("we should have recieved a string")
@@ -62,7 +62,7 @@ func TestResourceString(t *testing.T) {
 
 func TestGetRoles(t *testing.T) {
 	resource := &Resource{
-		RolesAllowed: []string{"1", "2", "3"},
+		Roles: []string{"1", "2", "3"},
 	}
 
 	if resource.getRoles() != "1,2,3" {

server_test.go

@@ -58,39 +58,39 @@ func newFakeKeycloakProxy(t *testing.T) *KeycloakProxy {
 			EncryptionKey:         "AgXa7xRcoClDEU0ZDSH4X0XhL5Qy2Z2j",
 			SkipTokenVerification: true,
 			Scopes:                []string{},
-			RefreshSession:        false,
+			RefreshSessions:       false,
 			Resources: []*Resource{
 				{
 					URL:     fakeAdminRoleURL,
 					Methods: []string{"GET"},
-					RolesAllowed: []string{fakeAdminRole},
+					Roles:   []string{fakeAdminRole},
 				},
 				{
 					URL:     fakeTestRoleURL,
 					Methods: []string{"GET"},
-					RolesAllowed: []string{fakeTestRole},
+					Roles:   []string{fakeTestRole},
 				},
 				{
 					URL:     fakeTestAdminRolesURL,
 					Methods: []string{"GET"},
-					RolesAllowed: []string{fakeAdminRole, fakeTestRole},
+					Roles:   []string{fakeAdminRole, fakeTestRole},
 				},
 				{
 					URL:         fakeTestWhitelistedURL,
 					WhiteListed: true,
 					Methods:     []string{},
-					RolesAllowed: []string{},
+					Roles:       []string{},
 				},
 				{
 					URL:     fakeAuthAllURL,
 					Methods: []string{"ANY"},
-					RolesAllowed: []string{},
+					Roles:   []string{},
 				},
 				{
 					URL:         fakeTestWhitelistedURL,
 					WhiteListed: true,
 					Methods:     []string{},
-					RolesAllowed: []string{},
+					Roles:       []string{},
 				},
 			},
 		},

util_test.go

@@ -223,7 +223,7 @@ func TestDecodeResource(t *testing.T) {
 			Ok:     true,
 			Resource: &Resource{
 				URL:   "/admin/sso",
-				RolesAllowed: []string{"test", "test1"},
+				Roles: []string{"test", "test1"},
 			},
 		},
 		{
@@ -231,7 +231,7 @@ func TestDecodeResource(t *testing.T) {
 			Ok:     true,
 			Resource: &Resource{
 				URL:     "/admin/sso",
-				RolesAllowed: []string{"test", "test1"},
+				Roles:   []string{"test", "test1"},
 				Methods: []string{"GET", "POST"},
 			},
 		},

utils.go

@@ -305,7 +305,7 @@ func decodeResource(v string) (*Resource, error) {
 		case "methods":
 			resource.Methods = strings.Split(kp[1], ",")
 		case "roles":
-			resource.RolesAllowed = strings.Split(kp[1], ",")
+			resource.Roles = strings.Split(kp[1], ",")
 		case "white-listed":
 			value, err := strconv.ParseBool(kp[1])
 			if err != nil {