feat: allow multiple cookie domains via env var

ammmze · ammmze · commit e29ceb4fd4cf · 2022-03-12T11:19:05.000-07:00
diff --git a/internal/configuration/config.go b/internal/configuration/config.go
@@ -36,10 +36,10 @@ type Config struct {
 	ProviderURI             string               `long:"provider-uri" env:"PROVIDER_URI" description:"OIDC Provider URI"`
 	ClientID                string               `long:"client-id" env:"CLIENT_ID" description:"Client ID"`
 	ClientSecret            string               `long:"client-secret" env:"CLIENT_SECRET" description:"Client Secret" json:"-"`
-	Scope                   string               `long:"scope" env:"SCOPE" description:"Define scope"`
+	Scope                   []string             `long:"scope" env:"SCOPE" env-delim:" " description:"Define scope. Space delimited when used as env var."`
 	AuthHost                string               `long:"auth-host" env:"AUTH_HOST" description:"Single host to use when returning from 3rd party auth"`
 	Config                  func(s string) error `long:"config" env:"CONFIG" description:"Path to config file" json:"-"`
-	CookieDomains           []util.CookieDomain  `long:"cookie-domain" env:"COOKIE_DOMAIN" description:"Domain to set auth cookie on, can be set multiple times"`
+	CookieDomains           []util.CookieDomain  `long:"cookie-domain" env:"COOKIE_DOMAIN" env-delim:"," description:"Domain to set auth cookie on, can be set multiple times. Comma delimited when used as env var."`
 	InsecureCookie          bool                 `long:"insecure-cookie" env:"INSECURE_COOKIE" description:"Use insecure cookies"`
 	CookieName              string               `long:"cookie-name" env:"COOKIE_NAME" default:"_forward_auth" description:"ID Cookie Name"`
 	EmailHeaderNames        CommaSeparatedList   `long:"email-header-names" env:"EMAIL_HEADER_NAMES" default:"X-Forwarded-User" description:"Response headers containing the authenticated user's username"`
diff --git a/internal/configuration/config_test.go b/internal/configuration/config_test.go
@@ -38,6 +38,8 @@ func TestConfigParseArgs(t *testing.T) {
 	assert := assert.New(t)
 	c, err := NewConfig([]string{
 		"--cookie-name=cookiename",
+		"--cookie-domain=example.com",
+		"--cookie-domain=example2.com",
 		"--csrf-cookie-name", "\"csrfcookiename\"",
 		"--rule.1.action=allow",
 		"--rule.1.rule=PathPrefix(`/one`)",
@@ -61,6 +63,12 @@ func TestConfigParseArgs(t *testing.T) {
 			Rule:   "Host(`two.com`) && Path(`/two`)",
 		},
 	}, c.Rules)
+
+	// Check cookie domain
+	if assert.Len(c.CookieDomains, 2, "there must be 2 cookie domains") {
+		assert.Equal("example.com", c.CookieDomains[0].Domain, "first cookie domain should be read from environment")
+		assert.Equal("example2.com", c.CookieDomains[1].Domain, "second cookie domain should be read from environment")
+	}
 }
 
 func TestConfigParseUnknownFlags(t *testing.T) {
@@ -116,6 +124,10 @@ func TestConfigParseIni(t *testing.T) {
 			Rule:   "Host(`two.com`) && Path(`/two`)",
 		},
 	}, c.Rules)
+	if assert.Len(c.CookieDomains, 2, "there must be 2 cookie domains") {
+		assert.Equal("example.com", c.CookieDomains[0].Domain, "first cookie domain should be read from environment")
+		assert.Equal("example2.com", c.CookieDomains[1].Domain, "second cookie domain should be read from environment")
+	}
 }
 
 func TestConfigParseEnvironment(t *testing.T) {
@@ -129,6 +141,31 @@ func TestConfigParseEnvironment(t *testing.T) {
 	os.Unsetenv("COOKIE_NAME")
 }
 
+func TestConfigParseCookieDomainFromEnvironment(t *testing.T) {
+	assert := assert.New(t)
+	os.Setenv("COOKIE_DOMAIN", "example.com,example2.com")
+	c, err := NewConfig([]string{})
+	assert.Nil(err)
+
+	if assert.Len(c.CookieDomains, 2, "there must be 2 cookie domains") {
+		assert.Equal("example.com", c.CookieDomains[0].Domain, "first cookie domain should be read from environment")
+		assert.Equal("example2.com", c.CookieDomains[1].Domain, "second cookie domain should be read from environment")
+	}
+
+	os.Unsetenv("COOKIE_DOMAIN")
+}
+
+func TestConfigParseScopeFromEnvironment(t *testing.T) {
+	assert := assert.New(t)
+	os.Setenv("SCOPE", "openid email")
+	c, err := NewConfig([]string{})
+	assert.Nil(err)
+
+	assert.Equal([]string{"openid", "email"}, c.Scope, "scope array should be populated")
+
+	os.Unsetenv("SCOPE")
+}
+
 func TestConfigTransformation(t *testing.T) {
 	assert := assert.New(t)
 	c, err := NewConfig([]string{
diff --git a/internal/handlers/server.go b/internal/handlers/server.go
@@ -284,8 +284,8 @@ func (s *Server) AuthCallbackHandler() http.HandlerFunc {
 
 		// Mapping scope
 		var scope []string
-		if s.config.Scope != "" {
-			scope = []string{s.config.Scope}
+		if len(s.config.Scope) > 0 {
+			scope = s.config.Scope
 		} else {
 			scope = []string{oidc.ScopeOpenID, "profile", "email", "groups"}
 		}
@@ -442,8 +442,8 @@ func (s *Server) authRedirect(logger *logrus.Entry, w http.ResponseWriter, r *ht
 
 	// Mapping scope
 	var scope []string
-	if s.config.Scope != "" {
-		scope = []string{s.config.Scope}
+	if len(s.config.Scope) > 0 {
+		scope = s.config.Scope
 	} else {
 		scope = []string{oidc.ScopeOpenID, "profile", "email", "groups"}
 	}
diff --git a/test/config0 b/test/config0
@@ -3,3 +3,5 @@ csrf-cookie-name=inicsrfcookiename
 url-path=one
 rule.1.action=allow
 rule.1.rule=PathPrefix(`/one`)
+cookie-domain=example.com
+cookie-domain=example2.com
