Merge pull request #572 from openziti/adopt-email-patterns

adopt oauth email glob patterns
openziti · Mar 5, 2024 · 362a0fa · 362a0fa
2 parents 00a5622 + 074b162
commit 362a0fa
Show file tree

Hide file tree

Showing 8 changed files with 22 additions and 19 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,8 @@ CHANGE: Enhancements to the look and feel of the account actions tab in the web
 
 FIX: The regenerate account token dialog incorrectly specified the path `${HOME}/.zrok/environments.yml`. This, was corrected to be `${HOME}/.zrok/environments.json`.
 
+FIX: align zrok frontdoor examples and Linux package (`zrok-share`) with the new OAuth email flag `--oauth-email-address-patterns` introduced in v0.4.25.
+
 ## v0.4.25
 
 FEATURE: New action in the web console that allows changing the password of the logged-in account (https://github.com/openziti/zrok/issues/148)

diff --git a/docker/compose/zrok-public-reserved/compose.yml b/docker/compose/zrok-public-reserved/compose.yml
@@ -43,7 +43,7 @@ services:
       ZROK_TARGET:          # backend target, is a path in container filesystem unless proxy mode
       ZROK_INSECURE:        # "--insecure" if proxy target has unverifiable TLS server certificate
       ZROK_OAUTH_PROVIDER:  # google, github
-      ZROK_OAUTH_EMAILS:    # allow space-separated list of OAuth email addresses or @domain.tld
+      ZROK_OAUTH_EMAILS:    # allow space-separated list of OAuth email address glob patterns
       ZROK_BASIC_AUTH:      # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
 
       # least relevant options

diff --git a/docker/compose/zrok-public-share/compose.yml b/docker/compose/zrok-public-share/compose.yml
@@ -44,7 +44,7 @@ services:
       ZROK_TARGET: http://zrok-test:9090  # backend target, is a path in container filesystem unless proxy mode
       ZROK_INSECURE:        # "--insecure" if proxy target has unverifiable TLS server certificate
       ZROK_OAUTH_PROVIDER:  # google, github
-      ZROK_OAUTH_EMAILS:    # space-separated list of OAuth email addresses or @domain.tld to allow
+      ZROK_OAUTH_EMAILS:    # allow space-separated list of OAuth email address glob patterns
       ZROK_BASIC_AUTH:      # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
 
       # least relevant options

diff --git a/docs/guides/_frontdoor-docker.mdx b/docs/guides/_frontdoor-docker.mdx
@@ -72,7 +72,7 @@ features in [this blog post](https://blog.openziti.io/the-zrok-oauth-public-fron
 
 ```bash title=".env"
 ZROK_OAUTH_PROVIDER="github"
-ZROK_SHARE_OPTS="--oauth-email-domains @example.com"
+ZROK_OAUTH_EMAILS="[email protected] *@acme.example.com"
 ```
 
 ## Caddy is Powerful

diff --git a/docs/guides/_frontdoor-linux.mdx b/docs/guides/_frontdoor-linux.mdx
@@ -157,7 +157,7 @@ You can require that visitors authenticate with an email address that matches at
 
 ```bash title="/opt/openziti/etc/zrok/zrok-share.env"
 ZROK_OAUTH_PROVIDER="github"  # or google
-ZROK_OAUTH_EMAILS="bob@example.com @acme.example.com"
+ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com"
 ```
 
 ### Password

diff --git a/docs/guides/self-hosting/oauth/configuring-oauth.md b/docs/guides/self-hosting/oauth/configuring-oauth.md
@@ -121,21 +121,22 @@ Both the `google` and `github` providers accept a `client_id` and `client_secret
 With your public frontend configured to support OAuth, you can test this by creating a public share. There are new command line options to support this:
 
 ```text
-$ zrok share public
-Error: accepts 1 arg(s), received 0
+$ zrok share public --help
+Share a target resource publicly
+
 Usage:
   zrok share public <target> [flags]
 
 Flags:
-  -b, --backend-mode string               The backend mode {proxy, web, caddy, drive} (default "proxy")
-      --basic-auth stringArray            Basic authentication users (<username:password>,...)
-      --frontends stringArray             Selected frontends to use for the share (default [public])
-      --headless                          Disable TUI and run headless
-  -h, --help                              help for public
-      --insecure                          Enable insecure TLS certificate validation for <target>
-      --oauth-check-interval duration     Maximum lifetime for OAuth authentication; reauthenticate after expiry (default 3h0m0s)
-      --oauth-email-domains stringArray   Allow only these email domains to authenticate via OAuth
-      --oauth-provider string             Enable OAuth provider [google, github]
+  -b, --backend-mode string                        The backend mode {proxy, web, caddy, drive} (default "proxy")
+      --basic-auth stringArray                     Basic authentication users (<username:password>,...)
+      --frontends stringArray                      Selected frontends to use for the share (default [public])
+      --headless                                   Disable TUI and run headless
+  -h, --help                                       help for public
+      --insecure                                   Enable insecure TLS certificate validation for <target>
+      --oauth-check-interval duration              Maximum lifetime for OAuth authentication; reauthenticate after expiry (default 3h0m0s)
+      --oauth-email-address-patterns stringArray   Allow only these email domain globs to authenticate via OAuth
+      --oauth-provider string                      Enable OAuth provider [google, github]
 
 Global Flags:
   -p, --panic     Panic instead of showing pretty errors
@@ -144,12 +145,12 @@ Global Flags:
 
 The `--oauth-provider` flag enables OAuth for the share using the specified provider.
 
-The `--oauth-email-domains` flag accepts a comma-separated list of authenticated email address domains that are allowed to access the share.
+The `--oauth-email-address-patterns` flag accepts a single glob pattern that matches an authenticated email address that is allowed to access the share. Use this flag multiple times to allow different patterns.
 
 The `--oauth-check-interval` flag specifies how frequently the authentication must be checked.
 
 An example public share:
 
 ```text
-zrok share public --backend-mode web --oauth-provider github --oauth-email-domains zrok.io ~/public
+zrok share public --backend-mode web --oauth-provider github --oauth-email-address-patterns '*@zrok.io' ~/public
 ```
diff --git a/nfpm/zrok-share.bash b/nfpm/zrok-share.bash
@@ -133,7 +133,7 @@ if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
   ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
   if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then
     for EMAIL in ${ZROK_OAUTH_EMAILS}; do
-      ZROK_CMD+=" --oauth-email-domains ${EMAIL}"
+      ZROK_CMD+=" --oauth-email-address-patterns '${EMAIL}'"
     done
   fi
 elif [[ -n "${ZROK_BASIC_AUTH:-}" ]]; then

diff --git a/nfpm/zrok-share.env b/nfpm/zrok-share.env
@@ -76,7 +76,7 @@ ZROK_SHARE_OPTS=""
 
 # you MAY restrict access to one or more email addresses or domains; must be a space-separate list
 # WARNING: changes take effect the next time the frontend URL is reserved
-#ZROK_OAUTH_EMAILS="[email protected] alice@forge.example.com @corp.example.com"
+#ZROK_OAUTH_EMAILS="[email protected] *@acme.example.com"
 
 # you MAY require a password with HTTP basic authentication
 # WARNING: changes take effect the next time the frontend URL is reserved