Add -bypass-auth-except-for to protect only paths matched by a regex#44
Add -bypass-auth-except-for to protect only paths matched by a regex#44simo5 merged 1 commit intoopenshift:masterfrom
Conversation
openshift-ci-robot
added
the
size/M
|
I noticed login does not work if you don't include the proxy prefix (for {prefix}/start, etc.) in the auth-regex. So we should always include a match for paths under the prefix. |
| ``` | ||
| Usage of oauth2_proxy: | ||
| -approval-prompt string: OAuth approval_prompt (default "force") | ||
| -auth-regex value: provide authentication for request paths that match (may be given multiple times), applied prior to skip-auth-regex |
There was a problem hiding this comment.
I feel like we need to make more clear that when this isused the other paths will be without any authentication, so it "fails open". IE use it only if you really know what you are doing, Maybe we need a scarier name too ?
|
I changed it to error out if both options are set, and fixed the problem with the proxy-prefix paths I mentioned above. I updated the option help as well, hopefully that is clearer.
right, I think these would be most appropriate for the e2e testing. |
|
Why make it exclusive?
I'd expect -auth-regex to be a positive check (only auth check these
things) and -skip-auth-regex to punch holes in -auth-regex.
…On Thu, Jan 4, 2018 at 5:48 PM, Matt Rogers ***@***.***> wrote:
I changed it to error out if both options are set, and fixed the problem
with the proxy-prefix paths I mentioned above. I updated the option help as
well, hopefully that is clearer.
I think we need tests ?
right, I think these would be most appropriate for the e2e testing.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#44 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ABG_pxw-or4LqnH1tJXAlGUnS1wP29Ziks5tHVUugaJpZM4RTubF>
.
|
@smarterclayton I thought it would be best to make them exclusive so there is less chance for a user to configure an insecure endpoint by mistake. |
There was a problem hiding this comment.
I think we really need a scarier name that makes users think twice. They need to realize from the get-go that this command is disabling authentication on all but the listed paths, but still letting everything through on the other paths.
I do not care much for combining the old and new options, ok for me if they stay separate.
Also ok to reconsider using a different regex engine in the original option and drop this new option.
How about renaming (or aliasing for now) skip-auth-regex to something like:
There is https://github.com/dlclark/regexp2 which supports negative lookaheads, but not everything that the standard regex does so switching might break some users. |
You could define another mutually exclusive flag |
|
Or you could add a flag |
This option protects only those paths matching the given regex. Add -bypass-auth-for as an alias to skip-auth-regex to make clear it is the inverse of -bypass-auth-except-for
mrogers950
force-pushed
the
auth-regex
branch
from
2cf661c to
144a66e
Compare
|
/lgtm |
|
@smarterclayton we kept the two options incompatible, and not compuinding them, you expressed surprise at that. If you feel strongly please shout. Otherwise we are going to merge this soon. |
|
Ok I guess we'll have a followup PR is @smarterclayton feels really strongly about this |
simo5
changed the title
|
I'm ok with them being incompatible for now. |
5 participants
This option takes priority over --skip-auth-regex if set. When unset, all paths
are protected by default.
Fixes #42
@smarterclayton @simo5 @enj please review :)