Merge pull request #57 from ploxiln/options_consistency

rename a few config options for consistency

Author: ploxiln

README.md

@@ -145,7 +145,7 @@ The Azure AD auth provider uses `openid` as it default scope. It uses `https://g
 The GitHub auth provider supports two additional parameters to restrict authentication to Organization or Team level access. Restricting by org and team is normally accompanied with `--email-domain=*`
 
     -github-org="": restrict logins to members of this organisation
-    -github-team="": restrict logins to members of any of these teams (slug), separated by a comma
+    -github-team="": restrict logins to members of this team (slug) (or teams, if this flag is given multiple times)
 
 If you are using GitHub enterprise, make sure you set the following to the appropriate url:
 
@@ -321,8 +321,8 @@ Usage of oauth2_proxy:
   -skip-oidc-discovery: Skip OIDC discovery (login-url, redeem-url and oidc-jwks-url must be configured)
   -skip-provider-button: will skip sign-in-page to directly reach the next step: oauth/start
   -ssl-insecure-skip-verify: skip validation of certificates presented when using HTTPS
-  -tls-cert string: path to certificate file
-  -tls-key string: path to private key file
+  -tls-cert-file string: path to certificate file
+  -tls-key-file string: path to private key file
   -upstream value: the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path
   -validate-url string: Access token validation endpoint
   -version: print version string

main.go

@@ -23,12 +23,13 @@ func mainFlagSet() *flag.FlagSet {
 	skipAuthRegex := StringArray{}
 	googleGroups := StringArray{}
 	gitlabGroups := StringArray{}
+	githubTeams := StringArray{}
 
 	flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")
 	flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients")
 	flagSet.Bool("force-https", false, "redirect http requests to https")
-	flagSet.String("tls-cert", "", "path to certificate file")
-	flagSet.String("tls-key", "", "path to private key file")
+	flagSet.String("tls-cert-file", "", "path to certificate file")
+	flagSet.String("tls-key-file", "", "path to private key file")
 	flagSet.String("redirect-url", "", "the OAuth Redirect URL. ie: \"https://internalapp.yourcompany.com/oauth2/callback\"")
 	flagSet.Var(&upstreams, "upstream", "the http url(s) of the upstream endpoint or file:// paths for static files. Routing is based on the path")
 	flagSet.Bool("set-xauthrequest", false, "set X-Auth-Request-User and X-Auth-Request-Email response headers (useful in Nginx auth_request mode)")
@@ -48,7 +49,7 @@ func mainFlagSet() *flag.FlagSet {
 	flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
 	flagSet.String("bitbucket-team", "", "restrict logins to members of this team")
 	flagSet.String("github-org", "", "restrict logins to members of this organisation")
-	flagSet.String("github-team", "", "restrict logins to members of this team (slug) (may be given multiple times)")
+	flagSet.Var(&githubTeams, "github-team", "restrict logins to members of this team (slug) (may be given multiple times)")
 	flagSet.Var(&gitlabGroups, "gitlab-group", "restrict logins to members of this group (full path) (may be given multiple times)")
 	flagSet.Var(&googleGroups, "google-group", "restrict logins to members of this google group (may be given multiple times)")
 	flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls")

options.go

@@ -18,26 +18,26 @@ import (
 
 // Configuration Options that can be set by Command Line Flag, or Config File
 type Options struct {
-	ProxyPrefix     string `flag:"proxy-prefix" cfg:"proxy-prefix"`
+	ProxyPrefix     string `flag:"proxy-prefix" cfg:"proxy_prefix"`
 	ProxyWebSockets bool   `flag:"proxy-websockets" cfg:"proxy_websockets"`
 	HttpAddress     string `flag:"http-address" cfg:"http_address"`
 	HttpsAddress    string `flag:"https-address" cfg:"https_address"`
 	ForceHTTPS      bool   `flag:"force-https" cfg:"force_https"`
 	RedirectURL     string `flag:"redirect-url" cfg:"redirect_url"`
 	ClientID        string `flag:"client-id" cfg:"client_id" env:"OAUTH2_PROXY_CLIENT_ID"`
 	ClientSecret    string `flag:"client-secret" cfg:"client_secret" env:"OAUTH2_PROXY_CLIENT_SECRET"`
-	TLSCertFile     string `flag:"tls-cert" cfg:"tls_cert_file"`
-	TLSKeyFile      string `flag:"tls-key" cfg:"tls_key_file"`
+	TLSCertFile     string `flag:"tls-cert-file" cfg:"tls_cert_file"`
+	TLSKeyFile      string `flag:"tls-key-file" cfg:"tls_key_file"`
 
 	AuthenticatedEmailsFile  string   `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
 	AzureTenant              string   `flag:"azure-tenant" cfg:"azure_tenant"`
 	BitbucketTeam            string   `flag:"bitbucket-team" cfg:"bitbucket_team"`
 	EmailDomains             []string `flag:"email-domain" cfg:"email_domains"`
 	WhitelistDomains         []string `flag:"whitelist-domain" cfg:"whitelist_domains" env:"OAUTH2_PROXY_WHITELIST_DOMAINS"`
 	GitHubOrg                string   `flag:"github-org" cfg:"github_org"`
-	GitHubTeam               string   `flag:"github-team" cfg:"github_team"`
+	GitHubTeams              []string `flag:"github-team" cfg:"github_teams"`
 	GitLabGroups             []string `flag:"gitlab-group" cfg:"gitlab_groups"`
-	GoogleGroups             []string `flag:"google-group" cfg:"google_group"`
+	GoogleGroups             []string `flag:"google-group" cfg:"google_groups"`
 	GoogleAdminEmail         string   `flag:"google-admin-email" cfg:"google_admin_email"`
 	GoogleServiceAccountJSON string   `flag:"google-service-account-json" cfg:"google_service_account_json"`
 	HtpasswdFile             string   `flag:"htpasswd-file" cfg:"htpasswd_file"`
@@ -272,7 +272,7 @@ func parseProviderInfo(o *Options, msgs []string) []string {
 	case *providers.BitbucketProvider:
 		p.SetTeam(o.BitbucketTeam)
 	case *providers.GitHubProvider:
-		p.SetOrgTeam(o.GitHubOrg, o.GitHubTeam)
+		p.SetOrgTeam(o.GitHubOrg, o.GitHubTeams)
 	case *providers.GitLabProvider:
 		p.SetGroups(o.GitLabGroups)
 	case *providers.GoogleProvider:

providers/github.go

@@ -10,13 +10,12 @@ import (
 	"path"
 	"regexp"
 	"strconv"
-	"strings"
 )
 
 type GitHubProvider struct {
 	*ProviderData
-	Org  string
-	Team string
+	Org   string
+	Teams []string
 }
 
 func NewGitHubProvider(p *ProviderData) *GitHubProvider {
@@ -56,10 +55,10 @@ func getGitHubHeader(accessToken string) http.Header {
 	return header
 }
 
-func (p *GitHubProvider) SetOrgTeam(org, team string) {
+func (p *GitHubProvider) SetOrgTeam(org string, teams []string) {
 	p.Org = org
-	p.Team = team
-	if org != "" || team != "" {
+	p.Teams = teams
+	if org != "" || len(teams) > 0 {
 		p.Scope += " read:org"
 	}
 }
@@ -178,8 +177,7 @@ func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) {
 			presentOrgs[team.Org.Login] = true
 			if p.Org == team.Org.Login {
 				hasOrg = true
-				ts := strings.Split(p.Team, ",")
-				for _, t := range ts {
+				for _, t := range p.Teams {
 					if t == team.Slug {
 						log.Printf("Found Github Organization:%q Team:%q (Name:%q)",
 							team.Org.Login, team.Slug, team.Name)
@@ -198,13 +196,13 @@ func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) {
 	}
 
 	if hasOrg {
-		log.Printf("Missing Team:%q from Org:%q in teams: %v", p.Team, p.Org, presentTeams)
+		log.Printf("Missing Team:%v from Org:%q in teams: %v", p.Teams, p.Org, presentTeams)
 	} else {
 		var allOrgs []string
 		for org, _ := range presentOrgs {
 			allOrgs = append(allOrgs, org)
 		}
-		log.Printf("Missing Organization:%q in %#v", p.Org, allOrgs)
+		log.Printf("Missing Organization:%q in %v", p.Org, allOrgs)
 	}
 	return false, nil
 }
@@ -219,7 +217,7 @@ func (p *GitHubProvider) GetEmailAddress(s *SessionState) (string, error) {
 
 	// if we require an Org or Team, check that first
 	if p.Org != "" {
-		if p.Team != "" {
+		if len(p.Teams) > 0 {
 			if ok, err := p.hasOrgAndTeam(s.AccessToken); err != nil || !ok {
 				return "", err
 			}