feat: allow multiple cookie domains via env var

mesosphere · Mar 12, 2022 · 4416574 · 4416574
1 parent 732b480
commit 4416574
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 6 deletions.
diff --git a/internal/configuration/config.go b/internal/configuration/config.go
@@ -36,10 +36,10 @@ type Config struct {
 	ProviderURI             string               `long:"provider-uri" env:"PROVIDER_URI" description:"OIDC Provider URI"`
 	ClientID                string               `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
 	ClientSecret            string               `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
-	Scope                   string               `long:"scope" env:"SCOPE" description:"Define scope"`
+	Scope                   []string             `long:"scope" env:"SCOPE" env-delim:" " description:"Define scope"`
 	AuthHost                string               `long:"auth-host" env:"AUTH_HOST" description:"Single host to use when returning from 3rd party auth"`
 	Config                  func(s string) error `long:"config" env:"CONFIG" description:"Path to config file" json:"-"`
-	CookieDomains           []util.CookieDomain  `long:"cookie-domain" env:"COOKIE_DOMAIN" description:"Domain to set auth cookie on, can be set multiple times"`
+	CookieDomains           []util.CookieDomain  `long:"cookie-domain" env:"COOKIE_DOMAIN" env-delim:"," description:"Domain to set auth cookie on, can be set multiple times"`
 	InsecureCookie          bool                 `long:"insecure-cookie" env:"INSECURE_COOKIE" description:"Use insecure cookies"`
 	CookieName              string               `long:"cookie-name" env:"COOKIE_NAME" default:"_forward_auth" description:"ID Cookie Name"`
 	EmailHeaderNames        CommaSeparatedList   `long:"email-header-names" env:"EMAIL_HEADER_NAMES" default:"X-Forwarded-User" description:"Response headers containing the authenticated user's username"`

diff --git a/internal/configuration/config_test.go b/internal/configuration/config_test.go
@@ -129,6 +129,31 @@ func TestConfigParseEnvironment(t *testing.T) {
 	os.Unsetenv("COOKIE_NAME")
 }
 
+func TestConfigParseCookieDomainFromEnvironment(t *testing.T) {
+	assert := assert.New(t)
+	os.Setenv("COOKIE_DOMAIN", "example.com,example2.com")
+	c, err := NewConfig([]string{})
+	assert.Nil(err)
+
+	if assert.Len(c.CookieDomains, 2, "there must be 2 cookie domains") {
+		assert.Equal("example.com", c.CookieDomains[0].Domain, "first cookie domain should be read from environment")
+		assert.Equal("example2.com", c.CookieDomains[1].Domain, "second cookie domain should be read from environment")
+	}
+
+	os.Unsetenv("COOKIE_DOMAIN")
+}
+
+func TestConfigParseScopeFromEnvironment(t *testing.T) {
+	assert := assert.New(t)
+	os.Setenv("SCOPE", "openid email")
+	c, err := NewConfig([]string{})
+	assert.Nil(err)
+
+	assert.Equal([]string{"openid", "email"}, c.Scope, "scope array should be populated")
+
+	os.Unsetenv("SCOPE")
+}
+
 func TestConfigTransformation(t *testing.T) {
 	assert := assert.New(t)
 	c, err := NewConfig([]string{

diff --git a/internal/handlers/server.go b/internal/handlers/server.go
@@ -284,8 +284,8 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {
 
 		// Mapping scope
 		var scope []string
-		if s.config.Scope != "" {
-			scope = []string{s.config.Scope}
+		if len(s.config.Scope) > 0 {
+			scope = s.config.Scope
 		} else {
 			scope = []string{oidc.ScopeOpenID, "profile", "email", "groups"}
 		}
@@ -442,8 +442,8 @@ func (s *Server) authRedirect(logger *logrus.Entry, w http.ResponseWriter, r *ht
 
 	// Mapping scope
 	var scope []string
-	if s.config.Scope != "" {
-		scope = []string{s.config.Scope}
+	if len(s.config.Scope) > 0 {
+		scope = s.config.Scope
 	} else {
 		scope = []string{oidc.ScopeOpenID, "profile", "email", "groups"}
 	}