2017-10-21 14:54:54 +00:00
|
|
|
// Package authproxy implements a connector which relies on external
|
|
|
|
// authentication (e.g. mod_auth in Apache2) and returns an identity with the
|
|
|
|
// HTTP header X-Remote-User as verified email.
|
|
|
|
package authproxy
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"net/http"
|
|
|
|
"net/url"
|
|
|
|
|
2018-09-03 06:44:44 +00:00
|
|
|
"github.com/dexidp/dex/connector"
|
2019-02-22 12:19:23 +00:00
|
|
|
"github.com/dexidp/dex/pkg/log"
|
2017-10-21 14:54:54 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
// Config holds the configuration parameters for a connector which returns an
|
|
|
|
// identity with the HTTP header X-Remote-User as verified email.
|
2020-10-20 08:31:34 +00:00
|
|
|
type Config struct {
|
2020-10-20 09:19:48 +00:00
|
|
|
HeaderName string `json:"headerName"`
|
|
|
|
Groups []string `json:"groups"`
|
2020-10-20 08:31:34 +00:00
|
|
|
}
|
2017-10-21 14:54:54 +00:00
|
|
|
|
|
|
|
// Open returns an authentication strategy which requires no user interaction.
|
2019-02-22 12:19:23 +00:00
|
|
|
func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error) {
|
2020-10-20 08:31:34 +00:00
|
|
|
if c.HeaderName == "" {
|
|
|
|
c.HeaderName = "X-Remote-User"
|
|
|
|
}
|
2020-10-20 09:19:48 +00:00
|
|
|
return &callback{headerName: c.HeaderName, logger: logger, pathSuffix: "/" + id, groups: c.Groups}, nil
|
2017-10-21 14:54:54 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// Callback is a connector which returns an identity with the HTTP header
|
|
|
|
// X-Remote-User as verified email.
|
|
|
|
type callback struct {
|
2020-10-20 08:31:34 +00:00
|
|
|
headerName string
|
2020-10-20 09:19:48 +00:00
|
|
|
groups []string
|
2019-02-22 12:19:23 +00:00
|
|
|
logger log.Logger
|
2017-10-21 14:54:54 +00:00
|
|
|
pathSuffix string
|
|
|
|
}
|
|
|
|
|
|
|
|
// LoginURL returns the URL to redirect the user to login with.
|
|
|
|
func (m *callback) LoginURL(s connector.Scopes, callbackURL, state string) (string, error) {
|
|
|
|
u, err := url.Parse(callbackURL)
|
|
|
|
if err != nil {
|
|
|
|
return "", fmt.Errorf("failed to parse callbackURL %q: %v", callbackURL, err)
|
|
|
|
}
|
2020-10-17 21:54:27 +00:00
|
|
|
u.Path += m.pathSuffix
|
2017-10-21 14:54:54 +00:00
|
|
|
v := u.Query()
|
|
|
|
v.Set("state", state)
|
|
|
|
u.RawQuery = v.Encode()
|
|
|
|
return u.String(), nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// HandleCallback parses the request and returns the user's identity
|
|
|
|
func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connector.Identity, error) {
|
2020-10-20 08:31:34 +00:00
|
|
|
remoteUser := r.Header.Get(m.headerName)
|
2017-10-21 14:54:54 +00:00
|
|
|
if remoteUser == "" {
|
2020-10-20 08:31:34 +00:00
|
|
|
return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.headerName)
|
2017-10-21 14:54:54 +00:00
|
|
|
}
|
|
|
|
// TODO: add support for X-Remote-Group, see
|
|
|
|
// https://kubernetes.io/docs/admin/authentication/#authenticating-proxy
|
|
|
|
return connector.Identity{
|
2017-10-26 17:47:16 +00:00
|
|
|
UserID: remoteUser, // TODO: figure out if this is a bad ID value.
|
2017-10-21 14:54:54 +00:00
|
|
|
Email: remoteUser,
|
|
|
|
EmailVerified: true,
|
2020-10-20 09:19:48 +00:00
|
|
|
Groups: m.groups,
|
2017-10-21 14:54:54 +00:00
|
|
|
}, nil
|
|
|
|
}
|