Merge branch 'main' into self-service-password

This commit is contained in:
Michael Quigley 2024-02-16 12:20:13 -05:00
commit 56ed13d96a
No known key found for this signature in database
GPG Key ID: 9B60314A9DD20A62
10 changed files with 64 additions and 35 deletions

View File

@ -6,6 +6,8 @@ FEATURE: Added self service password change. There is a new tab in the `zrok` co
FEATURE: The web console now supports revoking your current account token and generating a new one (https://github.com/openziti/zrok/issues/191) FEATURE: The web console now supports revoking your current account token and generating a new one (https://github.com/openziti/zrok/issues/191)
CHANGE: When specifying OAuth configuration for public shares from the `zrok share public` or `zrok reserve` public commands, the flags and functionality for restricting the allowed email addresses of the authenticating users has changed. The old flag was `--oauth-email-domains`, which took a string value that needed to be contained in the user's email address. The new flag is `--oauth-email-address-patterns`, which accepts a glob-style filter, using https://github.com/gobwas/glob (https://github.com/openziti/zrok/issues/413)
CHANGE: Creating a reserved share checks for token collision and returns a more appropriate error message (https://github.com/openziti/zrok/issues/531) CHANGE: Creating a reserved share checks for token collision and returns a more appropriate error message (https://github.com/openziti/zrok/issues/531)
CHANGE: Update UI to add a 'true' value on `reserved` boolean (https://github.com/openziti/zrok/issues/443) CHANGE: Update UI to add a 'true' value on `reserved` boolean (https://github.com/openziti/zrok/issues/443)

View File

@ -18,15 +18,15 @@ func init() {
} }
type reserveCommand struct { type reserveCommand struct {
uniqueName string uniqueName string
basicAuth []string basicAuth []string
frontendSelection []string frontendSelection []string
backendMode string backendMode string
jsonOutput bool jsonOutput bool
oauthProvider string oauthProvider string
oauthEmailDomains []string oauthEmailAddressPatterns []string
oauthCheckInterval time.Duration oauthCheckInterval time.Duration
cmd *cobra.Command cmd *cobra.Command
} }
func newReserveCommand() *reserveCommand { func newReserveCommand() *reserveCommand {
@ -42,7 +42,7 @@ func newReserveCommand() *reserveCommand {
cmd.Flags().BoolVarP(&command.jsonOutput, "json-output", "j", false, "Emit JSON describing the created reserved share") cmd.Flags().BoolVarP(&command.jsonOutput, "json-output", "j", false, "Emit JSON describing the created reserved share")
cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (<username:password>,...)") cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (<username:password>,...)")
cmd.Flags().StringVar(&command.oauthProvider, "oauth-provider", "", "Enable OAuth provider [google, github]") cmd.Flags().StringVar(&command.oauthProvider, "oauth-provider", "", "Enable OAuth provider [google, github]")
cmd.Flags().StringArrayVar(&command.oauthEmailDomains, "oauth-email-domains", []string{}, "Allow only these email domains to authenticate via OAuth") cmd.Flags().StringArrayVar(&command.oauthEmailAddressPatterns, "oauth-email-address-patterns", []string{}, "Allow only these email domains to authenticate via OAuth")
cmd.Flags().DurationVar(&command.oauthCheckInterval, "oauth-check-interval", 3*time.Hour, "Maximum lifetime for OAuth authentication; reauthenticate after expiry") cmd.Flags().DurationVar(&command.oauthCheckInterval, "oauth-check-interval", 3*time.Hour, "Maximum lifetime for OAuth authentication; reauthenticate after expiry")
cmd.MarkFlagsMutuallyExclusive("basic-auth", "oauth-provider") cmd.MarkFlagsMutuallyExclusive("basic-auth", "oauth-provider")
@ -139,7 +139,7 @@ func (cmd *reserveCommand) run(_ *cobra.Command, args []string) {
tui.Error("--oauth-provider only supported for public shares", nil) tui.Error("--oauth-provider only supported for public shares", nil)
} }
req.OauthProvider = cmd.oauthProvider req.OauthProvider = cmd.oauthProvider
req.OauthEmailDomains = cmd.oauthEmailDomains req.OauthEmailAddressPatterns = cmd.oauthEmailAddressPatterns
req.OauthAuthorizationCheckInterval = cmd.oauthCheckInterval req.OauthAuthorizationCheckInterval = cmd.oauthCheckInterval
} }
shr, err := sdk.CreateShare(env, req) shr, err := sdk.CreateShare(env, req)

View File

@ -3,6 +3,7 @@ package main
import ( import (
"fmt" "fmt"
tea "github.com/charmbracelet/bubbletea" tea "github.com/charmbracelet/bubbletea"
"github.com/gobwas/glob"
"github.com/openziti/zrok/endpoints" "github.com/openziti/zrok/endpoints"
drive "github.com/openziti/zrok/endpoints/drive" drive "github.com/openziti/zrok/endpoints/drive"
"github.com/openziti/zrok/endpoints/proxy" "github.com/openziti/zrok/endpoints/proxy"
@ -24,15 +25,15 @@ func init() {
} }
type sharePublicCommand struct { type sharePublicCommand struct {
basicAuth []string basicAuth []string
frontendSelection []string frontendSelection []string
backendMode string backendMode string
headless bool headless bool
insecure bool insecure bool
oauthProvider string oauthProvider string
oauthEmailDomains []string oauthEmailAddressPatterns []string
oauthCheckInterval time.Duration oauthCheckInterval time.Duration
cmd *cobra.Command cmd *cobra.Command
} }
func newSharePublicCommand() *sharePublicCommand { func newSharePublicCommand() *sharePublicCommand {
@ -49,7 +50,7 @@ func newSharePublicCommand() *sharePublicCommand {
cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (<username:password>,...)") cmd.Flags().StringArrayVar(&command.basicAuth, "basic-auth", []string{}, "Basic authentication users (<username:password>,...)")
cmd.Flags().StringVar(&command.oauthProvider, "oauth-provider", "", "Enable OAuth provider [google, github]") cmd.Flags().StringVar(&command.oauthProvider, "oauth-provider", "", "Enable OAuth provider [google, github]")
cmd.Flags().StringArrayVar(&command.oauthEmailDomains, "oauth-email-domains", []string{}, "Allow only these email domains to authenticate via OAuth") cmd.Flags().StringArrayVar(&command.oauthEmailAddressPatterns, "oauth-email-address-patterns", []string{}, "Allow only these email domain globs to authenticate via OAuth")
cmd.Flags().DurationVar(&command.oauthCheckInterval, "oauth-check-interval", 3*time.Hour, "Maximum lifetime for OAuth authentication; reauthenticate after expiry") cmd.Flags().DurationVar(&command.oauthCheckInterval, "oauth-check-interval", 3*time.Hour, "Maximum lifetime for OAuth authentication; reauthenticate after expiry")
cmd.MarkFlagsMutuallyExclusive("basic-auth", "oauth-provider") cmd.MarkFlagsMutuallyExclusive("basic-auth", "oauth-provider")
@ -114,8 +115,18 @@ func (cmd *sharePublicCommand) run(_ *cobra.Command, args []string) {
} }
if cmd.oauthProvider != "" { if cmd.oauthProvider != "" {
req.OauthProvider = cmd.oauthProvider req.OauthProvider = cmd.oauthProvider
req.OauthEmailDomains = cmd.oauthEmailDomains req.OauthEmailAddressPatterns = cmd.oauthEmailAddressPatterns
req.OauthAuthorizationCheckInterval = cmd.oauthCheckInterval req.OauthAuthorizationCheckInterval = cmd.oauthCheckInterval
for _, g := range cmd.oauthEmailAddressPatterns {
_, err := glob.Compile(g)
if err != nil {
if !panicInstead {
tui.Error(fmt.Sprintf("unable to create share, invalid oauth email glob (%v)", g), err)
}
panic(err)
}
}
} }
shr, err := sdk.CreateShare(root, req) shr, err := sdk.CreateShare(root, req)
if err != nil { if err != nil {

View File

@ -4,6 +4,7 @@ import (
"context" "context"
"crypto/md5" "crypto/md5"
"fmt" "fmt"
"github.com/gobwas/glob"
"github.com/golang-jwt/jwt/v5" "github.com/golang-jwt/jwt/v5"
"github.com/openziti/sdk-golang/ziti" "github.com/openziti/sdk-golang/ziti"
"github.com/openziti/zrok/endpoints" "github.com/openziti/zrok/endpoints"
@ -266,21 +267,33 @@ func authHandler(handler http.Handler, pcfg *Config, key []byte, ctx ziti.Contex
return return
} }
if validDomains, found := oauthCfg.(map[string]interface{})["email_domains"]; found { if validEmailAddressPatterns, found := oauthCfg.(map[string]interface{})["email_domains"]; found {
if castedDomains, ok := validDomains.([]interface{}); !ok { if castedPatterns, ok := validEmailAddressPatterns.([]interface{}); !ok {
logrus.Error("invalid email domain format") logrus.Error("invalid email pattern array format")
return return
} else { } else {
if len(castedDomains) > 0 { if len(castedPatterns) > 0 {
found := false found := false
for _, domain := range castedDomains { for _, pattern := range castedPatterns {
if strings.HasSuffix(claims.Email, domain.(string)) { if castedPattern, ok := pattern.(string); ok {
found = true match, err := glob.Compile(castedPattern)
break if err != nil {
logrus.Errorf("invalid email address pattern glob '%v': %v", pattern.(string), err)
unauthorizedUi.WriteUnauthorized(w)
return
}
if match.Match(claims.Email) {
found = true
break
}
} else {
logrus.Errorf("invalid email address pattern '%v'", pattern)
unauthorizedUi.WriteUnauthorized(w)
return
} }
} }
if !found { if !found {
logrus.Warnf("invalid email domain") logrus.Warnf("unauthorized email '%v' for '%v'", claims.Email, shrToken)
unauthorizedUi.WriteUnauthorized(w) unauthorizedUi.WriteUnauthorized(w)
return return
} }

1
go.mod
View File

@ -106,6 +106,7 @@ require (
github.com/go-resty/resty/v2 v2.11.0 // indirect github.com/go-resty/resty/v2 v2.11.0 // indirect
github.com/go-sql-driver/mysql v1.7.1 // indirect github.com/go-sql-driver/mysql v1.7.1 // indirect
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/golang/glog v1.1.2 // indirect github.com/golang/glog v1.1.2 // indirect
github.com/golang/protobuf v1.5.3 // indirect github.com/golang/protobuf v1.5.3 // indirect
github.com/golang/snappy v0.0.4 // indirect github.com/golang/snappy v0.0.4 // indirect

2
go.sum
View File

@ -299,6 +299,8 @@ github.com/go-stack/stack v1.8.0 h1:5SgMzNM5HxrEjV0ww2lTmX6E2Izsfxas4+YHWRs3Lsk=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8=
github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw= github.com/gofrs/uuid v4.0.0+incompatible h1:1SD/1F5pU8p29ybwgQSwpQk+mwdRrXCYuPhW6m+TnJw=
github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM= github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRxnplIgP/c0N/04lM=

View File

@ -29,7 +29,7 @@ type ShareRequest struct {
Frontends []string Frontends []string
BasicAuth []string BasicAuth []string
OauthProvider string OauthProvider string
OauthEmailDomains []string OauthEmailAddressPatterns []string
OauthAuthorizationCheckInterval time.Duration OauthAuthorizationCheckInterval time.Duration
} }

View File

@ -84,7 +84,7 @@ func newPublicShare(root env_core.Root, request *ShareRequest) *share.ShareParam
BackendMode: string(request.BackendMode), BackendMode: string(request.BackendMode),
BackendProxyEndpoint: request.Target, BackendProxyEndpoint: request.Target,
AuthScheme: string(None), AuthScheme: string(None),
OauthEmailDomains: request.OauthEmailDomains, OauthEmailDomains: request.OauthEmailAddressPatterns,
OauthProvider: request.OauthProvider, OauthProvider: request.OauthProvider,
OauthAuthorizationCheckInterval: request.OauthAuthorizationCheckInterval.String(), OauthAuthorizationCheckInterval: request.OauthAuthorizationCheckInterval.String(),
} }

View File

@ -22,7 +22,7 @@ class ShareRequest:
Frontends: list[str] = field(default_factory=list[str]) Frontends: list[str] = field(default_factory=list[str])
BasicAuth: list[str] = field(default_factory=list[str]) BasicAuth: list[str] = field(default_factory=list[str])
OauthProvider: str = "" OauthProvider: str = ""
OauthEmailDomains: list[str] = field(default_factory=list[str]) OauthEmailAddressPatterns: list[str] = field(default_factory=list[str])
OauthAuthorizationCheckInterval: str = "" OauthAuthorizationCheckInterval: str = ""
Reserved: bool = False Reserved: bool = False
UniqueName: str = "" UniqueName: str = ""

View File

@ -78,7 +78,7 @@ def __newPublicShare(root: Root, request: model.ShareRequest) -> ShareRequest:
backend_mode=request.BackendMode, backend_mode=request.BackendMode,
backend_proxy_endpoint=request.Target, backend_proxy_endpoint=request.Target,
auth_scheme=model.AUTH_SCHEME_NONE, auth_scheme=model.AUTH_SCHEME_NONE,
oauth_email_domains=request.OauthEmailDomains, oauth_email_domains=request.OauthEmailAddressPatterns,
oauth_authorization_check_interval=request.OauthAuthorizationCheckInterval oauth_authorization_check_interval=request.OauthAuthorizationCheckInterval
) )
if request.OauthProvider != "": if request.OauthProvider != "":