Merge from jordemort/traefik-forward-auth (#5)

* Allow custom key to be used for whitelist and X-Forwarded-User instead of the hardcoded email (#1) * init commit * add github workflow * fix naming * fix missing param * upgrade Go version to 1.14 * tmp remove of tests update error message * add more specific error message * put back tests * rename User ID Key to User ID Path * upgrade dependencies * Revert "upgrade dependencies" This reverts commit 40bd110 It prevents GO 1.12 from working 1.13 + 1.14 still work however. * Revert "upgrade dependencies" This reverts commit 40bd110 * mention the user that is not authorized * mention the user that is not authorized * tidy error message * tidy error message * remove actions * rename UserIDPath to UserID remove UserID type rename comma delimited to comma separated * rename GetUsedID function to GetUser * revert docker golang version to 1.13 * change whitelist comment to indicate userIDs instead of explicitly emails * revert go version * fix conflicts * add tests * push to docker for testing Co-authored-by: Maximilian Mitchell <[email protected]> Co-authored-by: Max Mitchell <[email protected]> Co-authored-by: Maximilian Mitchell <[email protected]> * Domain matching should be case insensitive (#2) * Domain matching should be case insensitive * s/ValidateEmail/ValidateUser/ Co-authored-by: Mal Curtis <[email protected]> * fix too many forward_auth cookies (#3) * fix too many forward_auth cookies * fix missing csrf cookie Co-authored-by: orvice <[email protected]> * feature: trusted ip address ranges skip authentication (#4) Co-authored-by: Alexander Metzner <[email protected]> * Use Go 1.19 in CI (#5) * Update dependencies (#6) * Update dependencies * Stop testing with ancient Go versions * Redo Dockerfile with Go 1.19 and distroless (#7) * Create dependabot.yml * Bump github/codeql-action from 1 to 2 (#8) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 1 to 2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@v1...v2) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump actions/setup-go from 2 to 3 (#9) Bumps [actions/setup-go](https://github.com/actions/setup-go) from 2 to 3. - [Release notes](https://github.com/actions/setup-go/releases) - [Commits](actions/setup-go@v2...v3) --- updated-dependencies: - dependency-name: actions/setup-go dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump actions/checkout from 2 to 3 (#10) Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v2...v3) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/stretchr/testify from 1.8.0 to 1.8.1 (#11) Bumps [github.com/stretchr/testify](https://github.com/stretchr/testify) from 1.8.0 to 1.8.1. - [Release notes](https://github.com/stretchr/testify/releases) - [Commits](stretchr/testify@v1.8.0...v1.8.1) --- updated-dependencies: - dependency-name: github.com/stretchr/testify dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Fix most of the issues CodeQL dislikes (#12) * Fix most of the issues CodeQL dislikes * Escape ipAddr closer to source * Validate redirect domain (#13) * Validate redirect domain This change introduces a validation step prior to redirect as discussed in thomseddon#77 * Fix tests * Try harder to make CodeQL happy * Fix tests * Try just a little bit harder to appease CodeQL Co-authored-by: Thom Seddon <[email protected]> * Workflow update: build container, rename master to main (#14) * Run tests as part of container build (#15) * Update README (#16) * Update README * Further README tweaks * Update README.md * Bump docker/setup-buildx-action from 2.0.0 to 2.2.1 (#17) Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 2.0.0 to 2.2.1. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@v2.0.0...v2.2.1) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump github.com/traefik/traefik/v2 from 2.9.4 to 2.9.6 (#21) Bumps [github.com/traefik/traefik/v2](https://github.com/traefik/traefik) from 2.9.4 to 2.9.6. - [Release notes](https://github.com/traefik/traefik/releases) - [Changelog](https://github.com/traefik/traefik/blob/master/CHANGELOG.md) - [Commits](traefik/traefik@v2.9.4...v2.9.6) --- updated-dependencies: - dependency-name: github.com/traefik/traefik/v2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Bump golang.org/x/oauth2 from 0.1.0 to 0.4.0 (#22) Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.1.0 to 0.4.0. - [Release notes](https://github.com/golang/oauth2/releases) - [Commits](golang/oauth2@v0.1.0...v0.4.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Add .github to .dockerignore * Add actions workflow to build and push docker image This workflow builds multi-arch docker image on every push and pull request. Also, this workflow pushes image to docker hub with appropriate semver tags on tag push. * Publish to ghcr * chore(ci): use own registry * Add SameSite option * docs: updates readme * Update README.md * remove docker workflow --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: Jordan Webb <[email protected]> Co-authored-by: Maximilian Mitchell <[email protected]> Co-authored-by: Max Mitchell <[email protected]> Co-authored-by: Maximilian Mitchell <[email protected]> Co-authored-by: Mal Curtis <[email protected]> Co-authored-by: orvice <[email protected]> Co-authored-by: Alexander Metzner <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Thom Seddon <[email protected]> Co-authored-by: Ciffelia <[email protected]> Co-authored-by: Beanow <[email protected]> Co-authored-by: Alexandre Richonnier <[email protected]>
mkska · Aug 22, 2023 · 05eb52c · 05eb52c
1 parent fc1e216
commit 05eb52c
Show file tree

Hide file tree

Showing 25 changed files with 827 additions and 747 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,15 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "github-actions" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"
+  - package-ecosystem: "gomod" # See documentation for possible values
+    directory: "/" # Location of package manifests
+    schedule:
+      interval: "daily"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,9 +2,9 @@ name: CI
 
 on:
   push:
-    branches: [ master ]
+    branches: [ main ]
   pull_request:
-    branches: [ master ]
+    branches: [ main ]
 
 jobs:
 
@@ -14,12 +14,12 @@ jobs:
     steps:
 
     - name: Set up Go 1.x
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v3
       with:
-        go-version: ^1.13
+        go-version: ^1.19
 
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Get dependencies
       run: |

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -7,10 +7,10 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [master]
+    branches: [main]
   pull_request:
     # The branches below must be a subset of the branches above
-    branches: [master]
+    branches: [main]
   schedule:
     - cron: '0 10 * * 2'
 
@@ -30,7 +30,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
       with:
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
@@ -43,18 +43,18 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file. 
+        # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -68,4 +68,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2
diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
@@ -0,0 +1,70 @@
+name: Build container
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+  # Allow for manually running
+  workflow_dispatch:
+    inputs:
+      container_tag:
+        description: Tag for container
+        default: "latest"
+        required: true
+
+permissions:
+  packages: write
+
+jobs:
+  container:
+    runs-on: ubuntu-20.04
+
+    env:
+      CONTAINER_NAME: ghcr.io/${{ github.repository }}
+      BUILD_PLATFORMS: linux/amd64,linux/arm,linux/arm64,linux/ppc64le,linux/s390x
+      RAW_CONTAINER_TAG: ${{ github.event.inputs.container_tag || github.event.pull_request.head.ref || 'latest' }}
+      RAW_REF_NAME: ${{ github.event.pull_request.head.ref || github.ref }}
+
+    steps:
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/[email protected]
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/checkout@v3
+        with:
+          submodules: recursive
+
+      # Needed for buildx gha cache to work
+      - name: Expose GitHub Runtime
+        uses: crazy-max/ghaction-github-runtime@v2
+
+      - name: Build container
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          CONTAINER_TAG=$(echo "$RAW_CONTAINER_TAG" | sed 's/[^a-zA-Z0-9]\+/-/')
+          REF_NAME=$(echo "$RAW_REF_NAME" | sed -r 's#^refs/(heads|tags)/##')
+          docker buildx build \
+            --platform "$BUILD_PLATFORMS" \
+            --tag "$CONTAINER_NAME:$CONTAINER_TAG" \
+            --label "org.opencontainers.image.source=${{ github.server_url }}/${{ github.repository }}" \
+            --label "org.opencontainers.image.documentation=${{ github.server_url }}/${{ github.repository }}" \
+            --label "org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}/packages" \
+            --label "org.opencontainers.image.ref.name=$REF_NAME" \
+            --label "org.opencontainers.image.revision=${{ github.sha }}" \
+            --label "org.opencontainers.image.vendor=${{ github.repository_owner }}" \
+            --label "org.opencontainers.image.created=$(date -u --rfc-3339=seconds)" \
+            --cache-from type=gha \
+            --cache-to type=gha,mode=max \
+            --pull ${{ github.event_name == 'push' && '--push' || '' }} .
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
@@ -0,0 +1,21 @@
+name: Traefik Forward Auth
+on: [push]
+jobs:
+  test:
+    name: Test with Go version -
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        go: ['1.19']
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: ${{ matrix.go }}
+
+      - name: Run Tests
+        run: go test ./...
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,10 +11,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Check out code into the Go module directory
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
 
     - name: Set up Go 1.x
-      uses: actions/setup-go@v2
+      uses: actions/setup-go@v3
       with:
         go-version: ^1.13
       id: go

diff --git a/Dockerfile b/Dockerfile
@@ -1,18 +1,19 @@
-FROM golang:1.13-alpine as builder
+# Start by building the application.
+FROM golang:1.19 as build
 
-# Setup
-RUN mkdir -p /go/src/github.com/thomseddon/traefik-forward-auth
-WORKDIR /go/src/github.com/thomseddon/traefik-forward-auth
+WORKDIR /usr/src/traefik-forward-auth
+COPY . .
 
-# Add libraries
-RUN apk add --no-cache git
+RUN go test ./...
+RUN CGO_ENABLED=0 go build -o ./traefik-forward-auth ./cmd
 
-# Copy & build
-ADD . /go/src/github.com/thomseddon/traefik-forward-auth/
-RUN CGO_ENABLED=0 GOOS=linux GO111MODULE=on go build -a -installsuffix nocgo -o /traefik-forward-auth github.com/thomseddon/traefik-forward-auth/cmd
+# Now copy it into our base image.
+FROM gcr.io/distroless/static-debian11:nonroot
+COPY --from=build /usr/src/traefik-forward-auth/traefik-forward-auth /usr/bin/traefik-forward-auth
 
-# Copy into scratch container
-FROM scratch
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-COPY --from=builder /traefik-forward-auth ./
-ENTRYPOINT ["./traefik-forward-auth"]
+ENTRYPOINT [ "/usr/bin/traefik-forward-auth" ]
+CMD []
+
+LABEL org.opencontainers.image.title traefik-forward-auth
+LABEL org.opencontainers.image.description "Forward authentication service for the Traefik reverse proxy"
+LABEL org.opencontainers.image.licenses MIT