Merge pull request #90 from coreos/plural

Allow multiple verifier proxies, for basic authZ

README.md

@@ -54,7 +54,10 @@ The configuration yaml file contains a `jwtproxy` top level config flag, which a
 ```yaml
 jwtproxy:
   <Signer Config>
-  <Verifier Config>
+
+  verifier_proxies:
+  - <Verifier Config>
+  - <Verifier Config>
 ```
 
 ### Signer Config
@@ -146,12 +149,12 @@ private_key:
 
 ### Verifier Config
 
-Configures and enables the JWT verifying reverse proxy.
+Configures and enables one or more JWT verifying reverse proxyies.
 
 ```yaml
 jwtproxy:
-  verifier_proxy:
-    enabled: <bool|true>
+  verifier_proxies:
+  - enabled: <bool|true>
 
     # Addr at which to listen for requests
     # It can either be an HTTP(s) URL or an UNIX socket path prefixed by 'unix:'

cmd/jwtproxy/main.go

@@ -60,7 +60,15 @@ func main() {
 
 func run(config *config.Config) {
 	// Nothing to run? Abort.
-	if !config.VerifierProxy.Enabled && !config.SignerProxy.Enabled {
+	var verifierEnabled bool
+	for _, verifierCfg := range config.VerifierProxies {
+		if verifierCfg.Enabled {
+			verifierEnabled = true
+			break
+		}
+	}
+
+	if !verifierEnabled && !config.SignerProxy.Enabled {
 		log.Error("No proxy is enabled. Terminating.")
 		return
 	}

config.example.yaml

@@ -47,8 +47,8 @@ jwtproxy:
             options:
               registry: http://localhost:8888/
 
-  verifier_proxy:
-    enabled: true
+  verifier_proxies:
+  - enabled: true
     listen_addr: :8081
     shutdown_timeout: 1m
 

config/config.go

@@ -51,6 +51,35 @@ func (u URL) MarshalYAML() (interface{}, error) {
 	return nil, nil
 }
 
+type DefaultVerifierProxyConfig VerifierProxyConfig
+
+// UnmarshalYAML implements the yaml.Unmarshaler interface for URLs.
+func (cfg *VerifierProxyConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
+	tempCfg := DefaultVerifierProxyConfig{
+		Enabled:         true,
+		ListenAddr:      ":8082",
+		ShutdownTimeout: 5 * time.Second,
+		Verifier: VerifierConfig{
+			MaxSkew: 5 * time.Minute,
+			MaxTTL:  5 * time.Minute,
+			NonceStorage: RegistrableComponentConfig{
+				Type: "local",
+				Options: map[string]interface{}{
+					"PurgeInterval": 1 * time.Minute,
+				},
+			},
+		},
+	}
+
+	if err := unmarshal(&tempCfg); err != nil {
+		return err
+	}
+
+	*cfg = VerifierProxyConfig(tempCfg)
+
+	return nil
+}
+
 // Represents a config file, which may have configuration for other programs
 // as a top level key.
 type configFile struct {
@@ -59,8 +88,8 @@ type configFile struct {
 
 // Config is the global configuration
 type Config struct {
-	SignerProxy   SignerProxyConfig   `yaml:"signer_proxy"`
-	VerifierProxy VerifierProxyConfig `yaml:"verifier_proxy"`
+	SignerProxy     SignerProxyConfig     `yaml:"signer_proxy"`
+	VerifierProxies []VerifierProxyConfig `yaml:"verifier_proxies"`
 }
 
 type VerifierProxyConfig struct {
@@ -125,21 +154,6 @@ func DefaultConfig() Config {
 				},
 			},
 		},
-		VerifierProxy: VerifierProxyConfig{
-			Enabled:         true,
-			ListenAddr:      ":8081",
-			ShutdownTimeout: 5 * time.Second,
-			Verifier: VerifierConfig{
-				MaxSkew: 5 * time.Minute,
-				MaxTTL:  5 * time.Minute,
-				NonceStorage: RegistrableComponentConfig{
-					Type: "local",
-					Options: map[string]interface{}{
-						"PurgeInterval": 1 * time.Minute,
-					},
-				},
-			},
-		},
 	}
 }
 

jwtproxy.go

@@ -38,8 +38,10 @@ func RunProxies(config *config.Config) (*stop.Group, chan error) {
 		go StartForwardProxy(config.SignerProxy, stopper, abort)
 	}
 
-	if config.VerifierProxy.Enabled {
-		go StartReverseProxy(config.VerifierProxy, stopper, abort)
+	for _, verifierConfig := range config.VerifierProxies {
+		if verifierConfig.Enabled {
+			go StartReverseProxy(verifierConfig, stopper, abort)
+		}
 	}
 
 	return stopper, abort