From 575e3848d5f4faa3f0107d1115f26cc54db534e9 Mon Sep 17 00:00:00 2001 From: Lennard <40561724+LennardSchwarz@users.noreply.github.com> Date: Thu, 12 Sep 2024 15:01:32 +0200 Subject: [PATCH 1/2] Allow google provider users to escape 'Not authorized' when their email address is not found on the allow-list (#2) * Clears auth cookies if the user signed in with an email address that isn't on the allow list. * Remove default value, which resulted in config parse error * Simplify code * Add test --------- Co-authored-by: Luis Van Slageren Co-authored-by: Lennard Schwarz --- README.md | 6 ++++++ internal/config.go | 1 + internal/config_test.go | 1 + internal/server.go | 10 +++++++++- 4 files changed, 17 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 90b7497f..6f931198 100644 --- a/README.md +++ b/README.md @@ -303,6 +303,12 @@ All options can be supplied in any of the following ways, in the following prece Please note that when using the default [Overlay Mode](#overlay-mode) requests to this exact path will be intercepted by this service and not forwarded to your application. Use this option (or [Auth Host Mode](#auth-host-mode)) if the default `/_oauth` path will collide with an existing route in your application. +- `logout-if-invalid-email` + + When enabled, logs out users if their email address isn't found on the allow list, allowing them to retry with another email address. + + Default: `false` + - `secret` Used to sign cookies authentication, should be a random (e.g. `openssl rand -hex 16`) diff --git a/internal/config.go b/internal/config.go index 840fb6dc..61a1f583 100644 --- a/internal/config.go +++ b/internal/config.go 
@@ -40,6 +40,7 @@ type Config struct { SecretString string `long:"secret" env:"SECRET" description:"Secret used for signing (required)" json:"-"` Whitelist CommaSeparatedList `long:"whitelist" env:"WHITELIST" env-delim:"," description:"Only allow given email addresses, can be set multiple times"` Port int `long:"port" env:"PORT" default:"4181" description:"Port to listen on"` + LogoutIfInvalidEmail bool `long:"logout-if-invalid-email" env:"LOGOUT_IF_INVALID_EMAIL" description:"Allow user to retry another email address if their email address isn't found on the allow list"` Providers provider.Providers `group:"providers" namespace:"providers" env-namespace:"PROVIDERS"` Rules map[string]*Rule `long:"rule.." description:"Rule definitions, param can be: \"action\", \"rule\" or \"provider\""` diff --git a/internal/config_test.go b/internal/config_test.go index 27b8fdc8..983f3037 100644 --- a/internal/config_test.go +++ b/internal/config_test.go @@ -38,6 +38,7 @@ func TestConfigDefaults(t *testing.T) { assert.Equal("/_oauth", c.Path) assert.Len(c.Whitelist, 0) assert.Equal(c.Port, 4181) + assert.Equal(false, c.LogoutIfInvalidEmail) assert.Equal("select_account", c.Providers.Google.Prompt) } diff --git a/internal/server.go b/internal/server.go index b8f37a09..cbbfb4c6 100644 --- a/internal/server.go +++ b/internal/server.go @@ -108,7 +108,15 @@ func (s *Server) AuthHandler(providerName, rule string) http.HandlerFunc { valid := ValidateEmail(email, rule) if !valid { logger.WithField("email", email).Warn("Invalid email") - http.Error(w, "Not authorized", 401) + + if config.LogoutIfInvalidEmail { + // The email address isn't valid so display an error and clear the cookie + // Clearing the cookie will allow the user to try another email address and avoid being trapped on 'Not authorized' + http.SetCookie(w, ClearCookie(r)) + http.Error(w, "Not authorized (Refresh to try again with a different email address)", 401) + } else { + http.Error(w, "Not authorized", 401) + } return } 
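Review bot: The two `http.Error` calls inside the `if !valid` branch of server.go differ only in their message and both keep the bare status literal `401`; clearing the cookie and choosing the message can be separated so the error is written once, e.g. `if config.LogoutIfInvalidEmail { http.SetCookie(w, ClearCookie(r)) }` followed by a single `http.Error(w, msg, http.StatusUnauthorized)` with `msg` selected by the same flag. Whether the `Set-Cookie` header on a 401 actually reaches the browser depends on the proxy in front of this handler forwarding response headers for non-2xx auth responses, which the hunk cannot show; a comment such as `// relies on the proxy passing Set-Cookie through on a 401 response` next to the `SetCookie` call would record that assumption. The new field's description in the config.go hunk says the user may "retry another email address" but does not mention that the session cookie is cleared, which is the actual effect; `description:"Clear the auth cookie and return 401 when the signed-in email is not on the allow list, so the user can retry with another account"` states it. AuthHandler starts and ends outside the hunk.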
From ea03614701388384c78d1d2f33e2218932ae3f3c Mon Sep 17 00:00:00 2001 From: Lennard <40561724+LennardSchwarz@users.noreply.github.com> Date: Thu, 12 Sep 2024 15:41:57 +0200 Subject: [PATCH 2/2] Add ghrc pipeline (#4) * Add pipeline * Add dispatch trigger temporarily * Refine * Trial getting tag * Add tag manually --------- Co-authored-by: Lennard Schwarz Add ghrc pipeline (#5) * Add pipeline * Add dispatch trigger temporarily * Refine * Trial getting tag * Add tag manually * Make lower case * Fix * Upgrade go for 'toolchain' directive * Trial stuff * Fix build push action * Remove unused image --------- Co-authored-by: Lennard Schwarz --- .github/workflows/build-and-push.yml | 38 ++++++++++++++ .github/workflows/codeql-analysis.yml | 71 --------------------------- Dockerfile | 2 +- Dockerfile.arm | 2 +- Dockerfile.arm64 | 2 +- 5 files changed, 41 insertions(+), 74 deletions(-) create mode 100644 .github/workflows/build-and-push.yml delete mode 100644 .github/workflows/codeql-analysis.yml diff --git a/.github/workflows/build-and-push.yml b/.github/workflows/build-and-push.yml new file mode 100644 index 00000000..8a090b9c --- /dev/null +++ b/.github/workflows/build-and-push.yml 
@@ -0,0 +1,38 @@ +name: Build and Push to ghcr.io + +on: + workflow_dispatch: + inputs: + tag: + description: "Tag to use for the Docker images" + required: true + +jobs: + build_and_push: + name: Build and push Docker images + runs-on: ubuntu-latest + steps: + - name: Check out code into the Go module directory + uses: actions/checkout@v4 + + - name: Log in to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build and push Docker images for multiple architectures + run: | + export "REPO=${GITHUB_REPOSITORY@L}" + echo "Using tag name: $REPO" + export TAG=$(echo "${{ github.event.inputs.tag }}") + echo "Using tag: $TAG" + + + docker buildx build --platform linux/amd64 -t ghcr.io/$REPO:$TAG -f Dockerfile --push . + docker buildx build --platform linux/arm/v7 -t ghcr.io/$REPO:$TAG-arm -f Dockerfile.arm --push . + docker buildx build --platform linux/arm64 -t ghcr.io/$REPO:$TAG-arm64 -f Dockerfile.arm64 --push . diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml deleted file mode 100644 index f8786ef5..00000000 --- a/.github/workflows/codeql-analysis.yml +++ /dev/null 
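Review bot: `export TAG=$(echo "${{ github.event.inputs.tag }}")` in the last step splices the dispatch input into the script text before the shell runs it, so a tag value containing shell metacharacters alters the script rather than just the value; pass it through the step's `env:` block and read `"$TAG"` instead, as in the excerpt below. The job declares no `permissions:` block, so the push to ghcr.io depends on the repository's default GITHUB_TOKEN scope; an explicit `contents: read` / `packages: write` makes the required scope visible and keeps everything else read-only. The label `echo "Using tag name: $REPO"` prints the repository, not the tag. `actions/checkout@v4`, `docker/login-action@v3` and `docker/setup-buildx-action@v3` are mutable major tags; pinning each to a full commit SHA would make the build inputs reproducible. The same commit also removes codeql-analysis.yml outright (the diffstat lists it as a deletion with no replacement), so no code-scanning workflow remains after this change.

```yaml
  build_and_push:
    # … unchanged: name, runs-on …
    permissions:
      contents: read
      packages: write
    steps:
      # … unchanged: checkout, login, buildx setup …
      - name: Build and push Docker images for multiple architectures
        env:
          TAG: ${{ github.event.inputs.tag }}
        run: |
          export "REPO=${GITHUB_REPOSITORY@L}"
          echo "Using repository: $REPO"
          echo "Using tag: $TAG"
          # … unchanged: the three docker buildx build commands …
```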
@@ -1,71 +0,0 @@ -# For most projects, this workflow file will not need changing; you simply need -# to commit it to your repository. -# -# You may wish to alter this file to override the set of languages analyzed, -# or to provide custom queries or build logic. -name: "CodeQL" - -on: - push: - branches: [master] - pull_request: - # The branches below must be a subset of the branches above - branches: [master] - schedule: - - cron: '0 10 * * 2' - -jobs: - analyze: - name: Analyze - runs-on: ubuntu-latest - - strategy: - fail-fast: false - matrix: - # Override automatic language detection by changing the below list - # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python'] - language: ['go'] - # Learn more... - # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection - - steps: - - name: Checkout repository - uses: actions/checkout@v2 - with: - # We must fetch at least the immediate parents so that if this is - # a pull request then we can checkout the head. - fetch-depth: 2 - - # If this run was triggered by a pull request event, then checkout - # the head of the pull request instead of the merge commit. - - run: git checkout HEAD^2 - if: ${{ github.event_name == 'pull_request' }} - - # Initializes the CodeQL tools for scanning. - - name: Initialize CodeQL - uses: github/codeql-action/init@v1 - with: - languages: ${{ matrix.language }} - # If you wish to specify custom queries, you can do so here or in a config file. - # By default, queries listed here will override any specified in a config file. - # Prefix the list here with "+" to use these queries and those in the config file. - # queries: ./path/to/local/query, your-org/your-repo/queries@main - - # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). 
- # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v1 - - # ℹī¸ Command-line programs to run using the OS shell. - # 📚 https://git.io/JvXDl - - # ✏ī¸ If the Autobuild fails above, remove it and uncomment the following three lines - # and modify them (or add more) to build your code if your project - # uses a compiled language - - #- run: | - # make bootstrap - # make release - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v1 diff --git a/Dockerfile b/Dockerfile index 80fe861c..d68fd446 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.20-alpine as builder +FROM golang:1.22-alpine as builder # Setup RUN mkdir -p /go/src/github.com/thomseddon/traefik-forward-auth diff --git a/Dockerfile.arm b/Dockerfile.arm index e10021e6..d6f5c687 100644 --- a/Dockerfile.arm +++ b/Dockerfile.arm @@ -1,4 +1,4 @@ -FROM golang:1.13-alpine as builder +FROM golang:1.22-alpine as builder # Setup RUN mkdir -p /go/src/github.com/thomseddon/traefik-forward-auth diff --git a/Dockerfile.arm64 b/Dockerfile.arm64 index a9806863..d7a2ba54 100644 --- a/Dockerfile.arm64 +++ b/Dockerfile.arm64 @@ -1,4 +1,4 @@ -FROM golang:1.13-alpine as builder +FROM golang:1.22-alpine as builder # Setup RUN mkdir -p /go/src/github.com/thomseddon/traefik-forward-auth