Merge pull request #572 from openziti/adopt-email-patterns

adopt oauth email glob patterns
Kenneth Bingham 2024-03-05 07:55:37 -05:00 committed by GitHub
commit 362a0faf5f
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 22 additions and 19 deletions

View File

@ -8,6 +8,8 @@ CHANGE: Enhancements to the look and feel of the account actions tab in the web
FIX: The regenerate account token dialog incorrectly specified the path `${HOME}/.zrok/environments.yml`. This, was corrected to be `${HOME}/.zrok/environments.json`. FIX: The regenerate account token dialog incorrectly specified the path `${HOME}/.zrok/environments.yml`. This, was corrected to be `${HOME}/.zrok/environments.json`.
FIX: align zrok frontdoor examples and Linux package (`zrok-share`) with the new OAuth email flag `--oauth-email-address-patterns` introduced in v0.4.25.
## v0.4.25 ## v0.4.25
FEATURE: New action in the web console that allows changing the password of the logged-in account (https://github.com/openziti/zrok/issues/148) FEATURE: New action in the web console that allows changing the password of the logged-in account (https://github.com/openziti/zrok/issues/148)
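Review bot: the new FIX entry names the replacement flag but not the migration it implies. Any existing `ZROK_OAUTH_EMAILS` value written in the old bare `@domain.tld` form has to be rewritten as `*@domain.tld` now that the values are glob patterns, and this changelog line is where an upgrading operator will look for that. Suggest appending a sentence such as: "existing `@domain.tld` entries must be rewritten as `*@domain.tld`."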

View File

@ -43,7 +43,7 @@ services:
ZROK_TARGET: # backend target, is a path in container filesystem unless proxy mode ZROK_TARGET: # backend target, is a path in container filesystem unless proxy mode
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
ZROK_OAUTH_PROVIDER: # google, github ZROK_OAUTH_PROVIDER: # google, github
ZROK_OAUTH_EMAILS: # allow space-separated list of OAuth email addresses or @domain.tld ZROK_OAUTH_EMAILS: # allow space-separated list of OAuth email address glob patterns
ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
# least relevant options # least relevant options
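Review bot: the updated comment on `ZROK_OAUTH_EMAILS` says "glob patterns" but drops the only example the old comment had (`@domain.tld`), so an operator reading the compose file gets no hint that a whole-domain allow is now spelled `*@domain.tld`. Suggest `# space-separated list of OAuth email address glob patterns, e.g. "alice@example.com *@acme.example.com"`, which matches the examples this PR adds to the docs.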

View File

@ -44,7 +44,7 @@ services:
ZROK_TARGET: http://zrok-test:9090 # backend target, is a path in container filesystem unless proxy mode ZROK_TARGET: http://zrok-test:9090 # backend target, is a path in container filesystem unless proxy mode
ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
ZROK_OAUTH_PROVIDER: # google, github ZROK_OAUTH_PROVIDER: # google, github
ZROK_OAUTH_EMAILS: # space-separated list of OAuth email addresses or @domain.tld to allow ZROK_OAUTH_EMAILS: # allow space-separated list of OAuth email address glob patterns
ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
# least relevant options # least relevant options
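Review bot: same point as the other compose file: the comment should carry an example value (`alice@example.com *@acme.example.com`) so the change from `@domain.tld` to `*@domain.tld` is visible at the place the variable is set, rather than only in the CHANGELOG.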

View File

@ -72,7 +72,7 @@ features in [this blog post](https://blog.openziti.io/the-zrok-oauth-public-fron
```bash title=".env" ```bash title=".env"
ZROK_OAUTH_PROVIDER="github" ZROK_OAUTH_PROVIDER="github"
ZROK_SHARE_OPTS="--oauth-email-domains @example.com" ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com"
``` ```
## Caddy is Powerful ## Caddy is Powerful
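Review bot: this example switches from `ZROK_SHARE_OPTS="--oauth-email-domains ..."` to `ZROK_OAUTH_EMAILS=...`, which is a different variable, not just a renamed flag. Check that the prose above the block (cut off at `features in [this blog post]...`) and the linked post no longer tell readers to pass `--oauth-email-domains` through `ZROK_SHARE_OPTS`: that flag is gone from the `zrok share public --help` output in this PR, so a stale `ZROK_SHARE_OPTS` value would be rejected as an unknown flag.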

View File

@ -157,7 +157,7 @@ You can require that visitors authenticate with an email address that matches at
```bash title="/opt/openziti/etc/zrok/zrok-share.env" ```bash title="/opt/openziti/etc/zrok/zrok-share.env"
ZROK_OAUTH_PROVIDER="github" # or google ZROK_OAUTH_PROVIDER="github" # or google
ZROK_OAUTH_EMAILS="bob@example.com @acme.example.com" ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com"
``` ```
### Password ### Password
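Review bot: the sentence this example sits under (`... an email address that matches at ...`) should spell out the glob semantics, because the new form is a silent behavioural change. Under glob matching the old value `@acme.example.com` contains no wildcard and so matches only an address literally equal to `@acme.example.com`, i.e. no real visitor, which locks everyone out instead of allowing the domain. State that a whole-domain allow is written `*@acme.example.com` and that a pattern without `*` must equal the full address.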

View File

@ -121,21 +121,22 @@ Both the `google` and `github` providers accept a `client_id` and `client_secret
With your public frontend configured to support OAuth, you can test this by creating a public share. There are new command line options to support this: With your public frontend configured to support OAuth, you can test this by creating a public share. There are new command line options to support this:
```text ```text
$ zrok share public $ zrok share public --help
Error: accepts 1 arg(s), received 0 Share a target resource publicly
Usage: Usage:
zrok share public <target> [flags] zrok share public <target> [flags]
Flags: Flags:
-b, --backend-mode string The backend mode {proxy, web, caddy, drive} (default "proxy") -b, --backend-mode string The backend mode {proxy, web, caddy, drive} (default "proxy")
--basic-auth stringArray Basic authentication users (<username:password>,...) --basic-auth stringArray Basic authentication users (<username:password>,...)
--frontends stringArray Selected frontends to use for the share (default [public]) --frontends stringArray Selected frontends to use for the share (default [public])
--headless Disable TUI and run headless --headless Disable TUI and run headless
-h, --help help for public -h, --help help for public
--insecure Enable insecure TLS certificate validation for <target> --insecure Enable insecure TLS certificate validation for <target>
--oauth-check-interval duration Maximum lifetime for OAuth authentication; reauthenticate after expiry (default 3h0m0s) --oauth-check-interval duration Maximum lifetime for OAuth authentication; reauthenticate after expiry (default 3h0m0s)
--oauth-email-domains stringArray Allow only these email domains to authenticate via OAuth --oauth-email-address-patterns stringArray Allow only these email domain globs to authenticate via OAuth
--oauth-provider string Enable OAuth provider [google, github] --oauth-provider string Enable OAuth provider [google, github]
Global Flags: Global Flags:
-p, --panic Panic instead of showing pretty errors -p, --panic Panic instead of showing pretty errors
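Review bot: the help string for `--oauth-email-address-patterns` reads "Allow only these email domain globs", which contradicts both the flag name and the prose below it (a glob that matches the authenticated email address) and will lead users to write `example.com` where `*@example.com` is needed. Suggest `Allow only these email address glob patterns to authenticate via OAuth`. The string comes from the flag definition in the CLI, which is not among the files in this PR, so the fix belongs there and this markdown should then be regenerated from it.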
@ -144,12 +145,12 @@ Global Flags:
The `--oauth-provider` flag enables OAuth for the share using the specified provider. The `--oauth-provider` flag enables OAuth for the share using the specified provider.
The `--oauth-email-domains` flag accepts a comma-separated list of authenticated email address domains that are allowed to access the share. The `--oauth-email-address-patterns` flag accepts a single glob pattern that matches an authenticated email address that is allowed to access the share. Use this flag multiple times to allow different patterns.
The `--oauth-check-interval` flag specifies how frequently the authentication must be checked. The `--oauth-check-interval` flag specifies how frequently the authentication must be checked.
An example public share: An example public share:
```text ```text
zrok share public --backend-mode web --oauth-provider github --oauth-email-domains zrok.io ~/public zrok share public --backend-mode web --oauth-provider github --oauth-email-address-patterns '*@zrok.io' ~/public
``` ```
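Review bot: the description of `--oauth-email-address-patterns` should say that the pattern is matched against the whole address and that `*` matches any run of characters, `@` included, in the usual glob implementations. `*@zrok.io` is right, but a looser pattern such as `*zrok.io` would also accept `mallory@notzrok.io`, and `*` alone accepts any account the provider authenticates. A one-line caution after "Use this flag multiple times to allow different patterns." prevents that misconfiguration. The single quotes in the example command deserve a word too: they stop the shell from expanding `*@zrok.io` against files in the current directory before zrok sees it.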

View File

@ -133,7 +133,7 @@ if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}" ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then
for EMAIL in ${ZROK_OAUTH_EMAILS}; do for EMAIL in ${ZROK_OAUTH_EMAILS}; do
ZROK_CMD+=" --oauth-email-domains ${EMAIL}" ZROK_CMD+=" --oauth-email-address-patterns '${EMAIL}'"
done done
fi fi
elif [[ -n "${ZROK_BASIC_AUTH:-}" ]]; then elif [[ -n "${ZROK_BASIC_AUTH:-}" ]]; then
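Review bot: `for EMAIL in ${ZROK_OAUTH_EMAILS}` expands the variable unquoted, so after word splitting each pattern is also subject to pathname expansion: with the documented value `*@acme.example.com` bash substitutes any matching filenames in the working directory, and a bare `*` expands to every file there. Disable globbing around the split (`set -f` before the loop, `set +f` after) or split with `read -ra PATTERNS <<< "${ZROK_OAUTH_EMAILS}"`. The single quotes added in `'${EMAIL}'` only help if `ZROK_CMD` is later run through `eval`; if it is expanded as a plain `${ZROK_CMD}` the quote characters are passed literally as part of the pattern (`'*@acme.example.com'`), which then matches no address. Which of the two applies is not visible in this hunk, so please check the invocation site.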

View File

@ -76,7 +76,7 @@ ZROK_SHARE_OPTS=""
# you MAY restrict access to one or more email addresses or domains; must be a space-separate list # you MAY restrict access to one or more email addresses or domains; must be a space-separate list
# WARNING: changes take effect the next time the frontend URL is reserved # WARNING: changes take effect the next time the frontend URL is reserved
#ZROK_OAUTH_EMAILS="bob@acme.example.com alice@forge.example.com @corp.example.com" #ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com"
# you MAY require a password with HTTP basic authentication # you MAY require a password with HTTP basic authentication
# WARNING: changes take effect the next time the frontend URL is reserved # WARNING: changes take effect the next time the frontend URL is reserved
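Review bot: the comment two lines above the example (`# you MAY restrict access to one or more email addresses or domains; must be a space-separate list`) is now out of date and has a typo: the values are glob patterns, and a plain domain no longer works on its own. Suggest `# you MAY restrict access to a space-separated list of email address glob patterns, e.g. *@corp.example.com`, which also fixes "space-separate".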