Implement the “authproxy” connector (for Apache2 mod_auth etc.)

connector/authproxy/authproxy.go

@@ -0,0 +1,56 @@
+// Package authproxy implements a connector which relies on external
+// authentication (e.g. mod_auth in Apache2) and returns an identity with the
+// HTTP header X-Remote-User as verified email.
+package authproxy
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/coreos/dex/connector"
+	"github.com/sirupsen/logrus"
+)
+
+// Config holds the configuration parameters for a connector which returns an
+// identity with the HTTP header X-Remote-User as verified email.
+type Config struct{}
+
+// Open returns an authentication strategy which requires no user interaction.
+func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) {
+	return &callback{logger: logger, pathSuffix: "/" + id}, nil
+}
+
+// Callback is a connector which returns an identity with the HTTP header
+// X-Remote-User as verified email.
+type callback struct {
+	logger     logrus.FieldLogger
+	pathSuffix string
+}
+
+// LoginURL returns the URL to redirect the user to login with.
+func (m *callback) LoginURL(s connector.Scopes, callbackURL, state string) (string, error) {
+	u, err := url.Parse(callbackURL)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse callbackURL %q: %v", callbackURL, err)
+	}
+	u.Path = u.Path + m.pathSuffix
+	v := u.Query()
+	v.Set("state", state)
+	u.RawQuery = v.Encode()
+	return u.String(), nil
+}
+
+// HandleCallback parses the request and returns the user's identity
+func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connector.Identity, error) {
+	remoteUser := r.Header.Get("X-Remote-User")
+	if remoteUser == "" {
+		return connector.Identity{}, fmt.Errorf("required HTTP header X-Remote-User is not set")
+	}
+	// TODO: add support for X-Remote-Group, see
+	// https://kubernetes.io/docs/admin/authentication/#authenticating-proxy
+	return connector.Identity{
+		Email:         remoteUser,
+		EmailVerified: true,
+	}, nil
+}

connector/github/github.go

@@ -63,7 +63,7 @@ type Org struct {
 }
 
 // Open returns a strategy for logging in through GitHub.
-func (c *Config) Open(logger logrus.FieldLogger) (connector.Connector, error) {
+func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) {
 
 	if c.Org != "" {
 		// Return error if both 'org' and 'orgs' fields are used.

connector/gitlab/gitlab.go

@@ -51,7 +51,7 @@ type gitlabGroup struct {
 }
 
 // Open returns a strategy for logging in through GitLab.
-func (c *Config) Open(logger logrus.FieldLogger) (connector.Connector, error) {
+func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) {
 	if c.BaseURL == "" {
 		c.BaseURL = "https://www.gitlab.com"
 	}

connector/ldap/ldap.go

@@ -153,7 +153,7 @@ func parseScope(s string) (int, bool) {
 }
 
 // Open returns an authentication strategy using LDAP.
-func (c *Config) Open(logger logrus.FieldLogger) (connector.Connector, error) {
+func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) {
 	conn, err := c.OpenConnector(logger)
 	if err != nil {
 		return nil, err

connector/mock/connectortest.go

@@ -69,7 +69,7 @@ func (m *Callback) Refresh(ctx context.Context, s connector.Scopes, identity con
 type CallbackConfig struct{}
 
 // Open returns an authentication strategy which requires no user interaction.
-func (c *CallbackConfig) Open(logger logrus.FieldLogger) (connector.Connector, error) {
+func (c *CallbackConfig) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) {
 	return NewCallbackConnector(logger), nil
 }
 
@@ -81,7 +81,7 @@ type PasswordConfig struct {
 }
 
 // Open returns an authentication strategy which prompts for a predefined username and password.
-func (c *PasswordConfig) Open(logger logrus.FieldLogger) (connector.Connector, error) {
+func (c *PasswordConfig) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) {
 	if c.Username == "" {
 		return nil, errors.New("no username supplied")
 	}

connector/oidc/oidc.go

@@ -75,7 +75,7 @@ func registerBrokenAuthHeaderProvider(url string) {
 
 // Open returns a connector which can be used to login users through an upstream
 // OpenID Connect provider.
-func (c *Config) Open(logger logrus.FieldLogger) (conn connector.Connector, err error) {
+func (c *Config) Open(id string, logger logrus.FieldLogger) (conn connector.Connector, err error) {
 	ctx, cancel := context.WithCancel(context.Background())
 
 	provider, err := oidc.NewProvider(ctx, c.Issuer)

connector/oidc/oidc_test.go

@@ -1,12 +1,13 @@
 package oidc
 
 import (
-	"github.com/coreos/dex/connector"
-	"github.com/sirupsen/logrus"
 	"net/url"
 	"os"
 	"reflect"
 	"testing"
+
+	"github.com/coreos/dex/connector"
+	"github.com/sirupsen/logrus"
 )
 
 func TestKnownBrokenAuthHeaderProvider(t *testing.T) {
@@ -73,7 +74,7 @@ func TestOidcConnector_LoginURL(t *testing.T) {
 			HostedDomains: test.hostedDomains,
 		}
 
-		conn, err := config.Open(logger)
+		conn, err := config.Open("oidc", logger)
 		if err != nil {
 			t.Errorf("failed to open connector: %v", err)
 			continue

connector/saml/saml.go

@@ -125,7 +125,7 @@ func (c certStore) Certificates() (roots []*x509.Certificate, err error) {
 
 // Open validates the config and returns a connector. It does not actually
 // validate connectivity with the provider.
-func (c *Config) Open(logger logrus.FieldLogger) (connector.Connector, error) {
+func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector, error) {
 	return c.openConnector(logger)
 }