CLI Options

CHANGELOG.md

@@ -9,6 +9,9 @@ FIXES:
 
 BREAKING CHANGES:
  * The login handler by default has been switched off, you must enable for --enable-login-handler
+ * Changed the CORS format in the configuration file
+ * Changed the command line options scope -> scopes
+ * Changed the command line options log-json-format -> json-format
 
 #### **1.2.8**
 

cli.go

@@ -19,6 +19,7 @@ import (
 	"fmt"
 	"os"
 	"os/signal"
+	"reflect"
 	"syscall"
 
 	"github.com/urfave/cli"
@@ -92,7 +93,6 @@ func newOauthProxyApp() *cli.App {
 // getCLIOptions returns the command line options
 func getCLIOptions() []cli.Flag {
 	defaults := newDefaultConfig()
-
 	return []cli.Flag{
 		cli.StringFlag{
 			Name:   "config",
@@ -105,6 +105,16 @@ func getCLIOptions() []cli.Flag {
 			Value:  defaults.Listen,
 			EnvVar: "PROXY_LISTEN",
 		},
+		cli.StringFlag{
+			Name:   "listen-http",
+			Usage:  "the interface you want the http-only service to use on",
+			EnvVar: "PROXY_HTTP_LISTEN",
+		},
+		cli.StringFlag{
+			Name:   "discovery-url",
+			Usage:  "the discovery url to retrieve the openid configuration",
+			EnvVar: "PROXY_DISCOVERY_URL",
+		},
 		cli.StringFlag{
 			Name:   "client-secret",
 			Usage:  "the client secret used to authenticate to the oauth server (access_type: confidential)",
@@ -115,13 +125,8 @@ func getCLIOptions() []cli.Flag {
 			Usage:  "the client id used to authenticate to the oauth service",
 			EnvVar: "PROXY_CLIENT_ID",
 		},
-		cli.StringFlag{
-			Name:   "discovery-url",
-			Usage:  "the discovery url to retrieve the openid configuration",
-			EnvVar: "PROXY_DISCOVERY_URL",
-		},
 		cli.StringSliceFlag{
-			Name:  "scope",
+			Name:  "scopes",
 			Usage: "a variable list of scopes requested when authenticating the user",
 		},
 		cli.BoolFlag{
@@ -149,10 +154,6 @@ func getCLIOptions() []cli.Flag {
 			Value:  defaults.Upstream,
 			EnvVar: "PROXY_UPSTREAM_URL",
 		},
-		cli.BoolFlag{
-			Name:  "enable-login-handler",
-			Usage: "this enables the login hanlder /oauth/login, by default this is disabled",
-		},
 		cli.BoolTFlag{
 			Name:  "upstream-keepalives",
 			Usage: "enables or disables the keepalive connections for upstream endpoint",
@@ -167,14 +168,6 @@ func getCLIOptions() []cli.Flag {
 			Usage: "specifies the keep-alive period for an active network connection",
 			Value: defaults.UpstreamKeepaliveTimeout,
 		},
-		cli.BoolTFlag{
-			Name:  "enable-authorization-header",
-			Usage: "adds the authorization header to the proxy request",
-		},
-		cli.BoolFlag{
-			Name:  "enable-refresh-tokens",
-			Usage: "enables the handling of the refresh tokens",
-		},
 		cli.BoolTFlag{
 			Name:  "secure-cookie",
 			Usage: "enforces the cookie to be secure, default to true",
@@ -210,6 +203,18 @@ func getCLIOptions() []cli.Flag {
 			Usage: "a list of hostnames the service will respond to, defaults to all",
 		},
 		cli.BoolFlag{
+			Name:  "enable-login-handler",
+			Usage: "this enables the login hanlder /oauth/login, by default this is disabled",
+		},
+		cli.BoolTFlag{
+			Name:  "enable-authorization-header",
+			Usage: "adds the authorization header to the proxy request",
+		},
+		cli.BoolTFlag{
+			Name:  "enable-refresh-tokens",
+			Usage: "enables the handling of the refresh tokens",
+		},
+		cli.BoolTFlag{
 			Name:  "enable-metrics",
 			Usage: "enable the prometheus metrics collector on /oauth/metrics",
 		},
@@ -225,6 +230,14 @@ func getCLIOptions() []cli.Flag {
 			Name:  "enable-forwarding",
 			Usage: "enables the forwarding proxy mode, signing outbound request",
 		},
+		cli.BoolTFlag{
+			Name:  "enable-profiling",
+			Usage: "switching on the golang profiling via pprof on /debug/pprof, /debug/pprof/heap etc",
+		},
+		cli.BoolTFlag{
+			Name:  "enable-security-filter",
+			Usage: "enables the security filter handler",
+		},
 		cli.StringFlag{
 			Name:  "forwarding-username",
 			Usage: "the username to use when logging into the openid provider",
@@ -282,7 +295,7 @@ func getCLIOptions() []cli.Flag {
 			Usage: "Add custom headers to the upstream request, key=value",
 		},
 		cli.StringFlag{
-			Name:  "signin-page",
+			Name:  "sign-in-page",
 			Usage: "a custom template displayed for signin",
 		},
 		cli.StringFlag{
@@ -318,12 +331,12 @@ func getCLIOptions() []cli.Flag {
 			Usage: "the credentials access control header (Access-Control-Allow-Credentials)",
 		},
 		cli.BoolTFlag{
-			Name:  "enable-profiling",
-			Usage: "switching on the golang profiling via pprof on /debug/pprof, /debug/pprof/heap etc",
+			Name:  "filter-browser-xss",
+			Usage: "enable the adds the X-XSS-Protection header with mode=block",
 		},
 		cli.BoolTFlag{
-			Name:  "enable-security-filter",
-			Usage: "enables the security filter handler",
+			Name:  "filter-content-nosniff",
+			Usage: "adds the X-Content-Type-Options header with the value nosniff",
 		},
 		cli.BoolFlag{
 			Name:  "skip-token-verification",
@@ -349,161 +362,29 @@ func getCLIOptions() []cli.Flag {
 // @TODO look for a shorter way of doing this, we're maintaining the same options in multiple places, it's tedious!
 //
 func parseCLIOptions(cx *cli.Context, config *Config) (err error) {
-	if cx.String("listen") != "" {
-		config.Listen = cx.String("listen")
-	}
-	if cx.String("client-secret") != "" {
-		config.ClientSecret = cx.String("client-secret")
-	}
-	if cx.String("client-id") != "" {
-		config.ClientID = cx.String("client-id")
-	}
-	if cx.String("discovery-url") != "" {
-		config.DiscoveryURL = cx.String("discovery-url")
-	}
-	if cx.String("upstream-url") != "" {
-		config.Upstream = cx.String("upstream-url")
-	}
-	if cx.String("revocation-url") != "" {
-		config.RevocationEndpoint = cx.String("revocation-url")
-	}
-	if cx.IsSet("upstream-keepalives") {
-		config.UpstreamKeepalives = cx.Bool("upstream-keepalives")
-	}
-	if cx.IsSet("upstream-timeout") {
-		config.UpstreamTimeout = cx.Duration("upstream-timeout")
-	}
-	if cx.IsSet("upstream-keepalive-timeout") {
-		config.UpstreamKeepaliveTimeout = cx.Duration("upstream-keepalive-timeout")
-	}
-	if cx.IsSet("skip-token-verification") {
-		config.SkipTokenVerification = cx.Bool("skip-token-verification")
-	}
-	if cx.IsSet("skip-upstream-tls-verify") {
-		config.SkipUpstreamTLSVerify = cx.Bool("skip-upstream-tls-verify")
-	}
-	if cx.IsSet("skip-openid-provider-tls-verify") {
-		config.SkipOpenIDProviderTLSVerify = cx.Bool("skip-openid-provider-tls-verify")
-	}
-	if cx.IsSet("encryption-key") {
-		config.EncryptionKey = cx.String("encryption-key")
-	}
-	if cx.IsSet("secure-cookie") {
-		config.SecureCookie = cx.Bool("secure-cookie")
-	}
-	if cx.IsSet("http-only-cookie") {
-		config.HTTPOnlyCookie = cx.Bool("http-only-cookie")
-	}
-	if cx.IsSet("cookie-access-name") {
-		config.CookieAccessName = cx.String("cookie-access-name")
-	}
-	if cx.IsSet("cookie-refresh-name") {
-		config.CookieRefreshName = cx.String("cookie-refresh-name")
-	}
-	if cx.IsSet("cookie-domain") {
-		config.CookieDomain = cx.String("cookie-domain")
-	}
-	if cx.IsSet("add-claims") {
-		config.AddClaims = append(config.AddClaims, cx.StringSlice("add-claims")...)
-	}
-	if cx.String("store-url") != "" {
-		config.StoreURL = cx.String("store-url")
-	}
-	if cx.IsSet("no-redirects") {
-		config.NoRedirects = cx.Bool("no-redirects")
-	}
-	if cx.String("redirection-url") != "" {
-		config.RedirectionURL = cx.String("redirection-url")
-	}
-	if cx.IsSet("tls-cert") {
-		config.TLSCertificate = cx.String("tls-cert")
-	}
-	if cx.IsSet("tls-private-key") {
-		config.TLSPrivateKey = cx.String("tls-private-key")
-	}
-	if cx.IsSet("tls-ca-certificate") {
-		config.TLSCaCertificate = cx.String("tls-ca-certificate")
-	}
-	if cx.IsSet("tls-ca-key") {
-		config.TLSCaPrivateKey = cx.String("tls-ca-key")
-	}
-	if cx.IsSet("tls-client-certificate") {
-		config.TLSClientCertificate = cx.String("tls-client-certificate")
-	}
-	if cx.IsSet("enable-login-handler") {
-		config.EnableLoginHandler = cx.Bool("enable-login-handler")
-	}
-	if cx.IsSet("enable-profiling") {
-		config.EnableProfiling = cx.Bool("enable-profiling")
-	}
-	if cx.IsSet("enable-metrics") {
-		config.EnableMetrics = cx.Bool("enable-metrics")
-	}
-	if cx.IsSet("localhost-only-metrics") {
-		config.LocalhostMetrics = cx.Bool("localhost-only-metrics")
-	}
-	if cx.IsSet("enable-proxy-protocol") {
-		config.EnableProxyProtocol = cx.Bool("enable-proxy-protocol")
-	}
-	if cx.IsSet("enable-forwarding") {
-		config.EnableForwarding = cx.Bool("enable-forwarding")
-	}
-	if cx.IsSet("enable-authorization-header") {
-		config.EnableAuthorizationHeader = cx.Bool("enable-authorization-header")
-	}
-	if cx.IsSet("enable-refresh-tokens") {
-		config.EnableRefreshTokens = cx.Bool("enable-refresh-tokens")
-	}
-	if cx.IsSet("forwarding-username") {
-		config.ForwardingUsername = cx.String("forwarding-username")
-	}
-	if cx.IsSet("forwarding-password") {
-		config.ForwardingPassword = cx.String("forwarding-password")
-	}
-	if cx.IsSet("forwarding-domains") {
-		config.ForwardingDomains = append(config.ForwardingDomains, cx.StringSlice("forwarding-domains")...)
-	}
-	if cx.IsSet("signin-page") {
-		config.SignInPage = cx.String("signin-page")
-	}
-	if cx.IsSet("forbidden-page") {
-		config.ForbiddenPage = cx.String("forbidden-page")
-	}
-	if cx.IsSet("enable-security-filter") {
-		config.EnableSecurityFilter = true
-	}
-	if cx.IsSet("json-logging") {
-		config.LogJSONFormat = cx.Bool("json-logging")
-	}
-	if cx.IsSet("log-requests") {
-		config.LogRequests = cx.Bool("log-requests")
-	}
-	if cx.IsSet("verbose") {
-		config.Verbose = cx.Bool("verbose")
-	}
-	if cx.IsSet("scope") {
-		config.Scopes = cx.StringSlice("scope")
-	}
-	if cx.IsSet("hostname") {
-		config.Hostnames = append(config.Hostnames, cx.StringSlice("hostname")...)
-	}
-	if cx.IsSet("cors-origins") {
-		config.CrossOrigin.Origins = append(config.CrossOrigin.Origins, cx.StringSlice("cors-origins")...)
-	}
-	if cx.IsSet("cors-methods") {
-		config.CrossOrigin.Methods = append(config.CrossOrigin.Methods, cx.StringSlice("cors-methods")...)
-	}
-	if cx.IsSet("cors-headers") {
-		config.CrossOrigin.Headers = append(config.CrossOrigin.Headers, cx.StringSlice("cors-headers")...)
-	}
-	if cx.IsSet("cors-exposed-headers") {
-		config.CrossOrigin.ExposedHeaders = append(config.CrossOrigin.ExposedHeaders, cx.StringSlice("cors-exposed-headers")...)
-	}
-	if cx.IsSet("cors-max-age") {
-		config.CrossOrigin.MaxAge = cx.Duration("cors-max-age")
-	}
-	if cx.IsSet("cors-credentials") {
-		config.CrossOrigin.Credentials = cx.BoolT("cors-credentials")
+	// step: we can ignore these options in the Config struct
+	ignoredOptions := []string{"tag-data", "match-claims", "resources", "headers"}
+	// step: iterate the Config and grab command line options via reflection
+	count := reflect.TypeOf(config).Elem().NumField()
+	for i := 0; i < count; i++ {
+		field := reflect.TypeOf(config).Elem().Field(i)
+		name := field.Tag.Get("yaml")
+		if containedIn(name, ignoredOptions) {
+			continue
+		}
+
+		if cx.IsSet(name) {
+			switch field.Type.Kind() {
+			case reflect.Bool:
+				reflect.ValueOf(config).Elem().FieldByName(field.Name).SetBool(cx.Bool(name))
+			case reflect.String:
+				reflect.ValueOf(config).Elem().FieldByName(field.Name).SetString(cx.String(name))
+			case reflect.Slice:
+				for _, x := range cx.StringSlice(name) {
+					reflect.Append(reflect.ValueOf(config).Elem().FieldByName(field.Name), reflect.ValueOf(x))
+				}
+			}
+		}
 	}
 	if cx.IsSet("tag") {
 		tags, err := decodeKeyPairs(cx.StringSlice("tag"))

config.go

@@ -38,7 +38,6 @@ func newDefaultConfig() *Config {
 		SecureCookie:                true,
 		SkipUpstreamTLSVerify:       true,
 		SkipOpenIDProviderTLSVerify: false,
-		CrossOrigin:                 CORS{},
 	}
 }