From 074b16243841dbfc91e527b8d6fa21aa8c362a7a Mon Sep 17 00:00:00 2001
From: Kenneth Bingham
Date: Thu, 29 Feb 2024 16:14:08 -0500
Subject: [PATCH] adopt new oauth email glob patterns

---
 CHANGELOG.md | 2 ++
 .../compose/zrok-public-reserved/compose.yml | 2 +-
 docker/compose/zrok-public-share/compose.yml | 2 +-
 docs/guides/_frontdoor-docker.mdx | 2 +-
 docs/guides/_frontdoor-linux.mdx | 2 +-
 .../self-hosting/oauth/configuring-oauth.md | 27 ++++++++++---------
 nfpm/zrok-share.bash | 2 +-
 nfpm/zrok-share.env | 2 +-
 8 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index c0d5f06c6..53469a5de 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,8 @@ CHANGE: Enhancements to the look and feel of the account actions tab in the web
 
 FIX: The regenerate account token dialog incorrectly specified the path `${HOME}/.zrok/environments.yml`. This, was corrected to be `${HOME}/.zrok/environments.json`.
 
+FIX: align zrok frontdoor examples and Linux package (`zrok-share`) with the new OAuth email flag `--oauth-email-address-patterns` introduced in v0.4.25.
+
 ## v0.4.25
 
 FEATURE: New action in the web console that allows changing the password of the logged-in account (https://github.com/openziti/zrok/issues/148)
diff --git a/docker/compose/zrok-public-reserved/compose.yml b/docker/compose/zrok-public-reserved/compose.yml
index a72f704c2..6abd90207 100644
--- a/docker/compose/zrok-public-reserved/compose.yml
+++ b/docker/compose/zrok-public-reserved/compose.yml
@@ -43,7 +43,7 @@ services:
 ZROK_TARGET: # backend target, is a path in container filesystem unless proxy mode
 ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
 ZROK_OAUTH_PROVIDER: # google, github
- ZROK_OAUTH_EMAILS: # allow space-separated list of OAuth email addresses or @domain.tld
+ ZROK_OAUTH_EMAILS: # allow space-separated list of OAuth email address glob patterns
 ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
 
 # least relevant options
diff --git a/docker/compose/zrok-public-share/compose.yml b/docker/compose/zrok-public-share/compose.yml
index 86665be95..e1de6e72c 100644
--- a/docker/compose/zrok-public-share/compose.yml
+++ b/docker/compose/zrok-public-share/compose.yml
@@ -44,7 +44,7 @@ services:
 ZROK_TARGET: http://zrok-test:9090 # backend target, is a path in container filesystem unless proxy mode
 ZROK_INSECURE: # "--insecure" if proxy target has unverifiable TLS server certificate
 ZROK_OAUTH_PROVIDER: # google, github
- ZROK_OAUTH_EMAILS: # space-separated list of OAuth email addresses or @domain.tld to allow
+ ZROK_OAUTH_EMAILS: # allow space-separated list of OAuth email address glob patterns
 ZROK_BASIC_AUTH: # username:password, mutually-exclusive with ZROK_OAUTH_PROVIDER
 
 # least relevant options
diff --git a/docs/guides/_frontdoor-docker.mdx b/docs/guides/_frontdoor-docker.mdx
index cb7d8a362..c166e8fde 100644
--- a/docs/guides/_frontdoor-docker.mdx
+++ b/docs/guides/_frontdoor-docker.mdx
@@ -72,7 +72,7 @@ features in [this blog post](https://blog.openziti.io/the-zrok-oauth-public-fron
 
 ```bash title=".env"
 ZROK_OAUTH_PROVIDER="github"
-ZROK_SHARE_OPTS="--oauth-email-domains @example.com"
+ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com"
 ```
 
 ## Caddy is Powerful
diff --git a/docs/guides/_frontdoor-linux.mdx b/docs/guides/_frontdoor-linux.mdx
index e6f4ebfff..23977db9c 100644
--- a/docs/guides/_frontdoor-linux.mdx
+++ b/docs/guides/_frontdoor-linux.mdx
@@ -157,7 +157,7 @@ You can require that visitors authenticate with an email address that matches at
 
 ```bash title="/opt/openziti/etc/zrok/zrok-share.env"
 ZROK_OAUTH_PROVIDER="github" # or google
-ZROK_OAUTH_EMAILS="bob@example.com @acme.example.com"
+ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com"
 ```
 
 ### Password
diff --git a/docs/guides/self-hosting/oauth/configuring-oauth.md b/docs/guides/self-hosting/oauth/configuring-oauth.md
index a8f983592..f51283ace 100644
--- a/docs/guides/self-hosting/oauth/configuring-oauth.md
+++ b/docs/guides/self-hosting/oauth/configuring-oauth.md
@@ -121,21 +121,22 @@ Both the `google` and `github` providers accept a `client_id` and `client_secret
 With your public frontend configured to support OAuth, you can test this by creating a public share. There are new command line options to support this:
 
 ```text
-$ zrok share public
-Error: accepts 1 arg(s), received 0
+$ zrok share public --help
+Share a target resource publicly
+
 Usage:
 zrok share public [flags]
 
 Flags:
- -b, --backend-mode string The backend mode {proxy, web, caddy, drive} (default "proxy")
- --basic-auth stringArray Basic authentication users (,...)
- --frontends stringArray Selected frontends to use for the share (default [public])
- --headless Disable TUI and run headless
- -h, --help help for public
- --insecure Enable insecure TLS certificate validation for
- --oauth-check-interval duration Maximum lifetime for OAuth authentication; reauthenticate after expiry (default 3h0m0s)
- --oauth-email-domains stringArray Allow only these email domains to authenticate via OAuth
- --oauth-provider string Enable OAuth provider [google, github]
+ -b, --backend-mode string The backend mode {proxy, web, caddy, drive} (default "proxy")
+ --basic-auth stringArray Basic authentication users (,...)
+ --frontends stringArray Selected frontends to use for the share (default [public])
+ --headless Disable TUI and run headless
+ -h, --help help for public
+ --insecure Enable insecure TLS certificate validation for
+ --oauth-check-interval duration Maximum lifetime for OAuth authentication; reauthenticate after expiry (default 3h0m0s)
+ --oauth-email-address-patterns stringArray Allow only these email domain globs to authenticate via OAuth
+ --oauth-provider string Enable OAuth provider [google, github]
 
 Global Flags:
 -p, --panic Panic instead of showing pretty errors
@@ -144,12 +145,12 @@ Global Flags:
 
 The `--oauth-provider` flag enables OAuth for the share using the specified provider.
 
-The `--oauth-email-domains` flag accepts a comma-separated list of authenticated email address domains that are allowed to access the share.
+The `--oauth-email-address-patterns` flag accepts a single glob pattern that matches an authenticated email address that is allowed to access the share. Use this flag multiple times to allow different patterns.
 
 The `--oauth-check-interval` flag specifies how frequently the authentication must be checked.
 
 An example public share:
 
 ```text
-zrok share public --backend-mode web --oauth-provider github --oauth-email-domains zrok.io ~/public
+zrok share public --backend-mode web --oauth-provider github --oauth-email-address-patterns '*@zrok.io' ~/public
 ```
diff --git a/nfpm/zrok-share.bash b/nfpm/zrok-share.bash
index c99463f8f..a119b7c9a 100644
--- a/nfpm/zrok-share.bash
+++ b/nfpm/zrok-share.bash
@@ -133,7 +133,7 @@ if [[ -n "${ZROK_OAUTH_PROVIDER:-}" ]]; then
 ZROK_CMD+=" --oauth-provider ${ZROK_OAUTH_PROVIDER}"
 if [[ -n "${ZROK_OAUTH_EMAILS:-}" ]]; then
 for EMAIL in ${ZROK_OAUTH_EMAILS}; do
- ZROK_CMD+=" --oauth-email-domains ${EMAIL}"
+ ZROK_CMD+=" --oauth-email-address-patterns '${EMAIL}'"
 done
 fi
 elif [[ -n "${ZROK_BASIC_AUTH:-}" ]]; then
diff --git a/nfpm/zrok-share.env b/nfpm/zrok-share.env
index 55df7d33a..323f5b8cd 100644
--- a/nfpm/zrok-share.env
+++ b/nfpm/zrok-share.env
@@ -76,7 +76,7 @@ ZROK_SHARE_OPTS=""
 
 # you MAY restrict access to one or more email addresses or domains; must be a space-separate list
 # WARNING: changes take effect the next time the frontend URL is reserved
-#ZROK_OAUTH_EMAILS="bob@acme.example.com alice@forge.example.com @corp.example.com"
+#ZROK_OAUTH_EMAILS="alice@example.com *@acme.example.com"
 
 # you MAY require a password with HTTP basic authentication
 # WARNING: changes take effect the next time the frontend URL is reserved
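Review bot: The new example quotes the pattern as `'*@zrok.io'` but the prose never says why, and a reader who drops the quotes will have the shell expand `*` against the working directory before zrok sees it, silently changing the allow-list. Suggest adding after the sentence on using the flag multiple times: `Quote each pattern so the shell does not expand the * itself.` Separately, the help output in the previous hunk describes the flag as accepting "email domain globs" while this paragraph says the glob matches the whole email address (and the frontdoor examples use full addresses like `alice@example.com`); the help string presumably comes from the CLI source, so aligning the two wordings would need a change outside this patch.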
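Review bot: The `for EMAIL in ${ZROK_OAUTH_EMAILS}` line just above the changed one expands the variable unquoted, so now that the values are glob patterns such as `*@acme.example.com` the shell performs pathname expansion on each word and will substitute any matching filename in the current directory, unless `set -f` is already in effect somewhere outside this hunk. The single quotes added around `${EMAIL}` on the new line only protect the pattern if `ZROK_CMD` is later run through `eval`, which is not visible here; if it is expanded as a plain `$ZROK_CMD` the quote characters become part of the argument and the pattern will never match an address. Suggest disabling globbing around the loop, `set -f; for EMAIL in ${ZROK_OAUTH_EMAILS}; do` and `done; set +f`, and confirming how `ZROK_CMD` is executed further down the script. The enclosing `if` block starts at the hunk header and ends outside the hunk.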
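Review bot: The comment two lines above the changed line still describes the value as "email addresses or domains", which no longer matches the glob semantics the new example uses, and "space-separate" is a typo. Suggest `# you MAY restrict access to one or more email address glob patterns, e.g. alice@example.com or *@acme.example.com; must be a space-separated list` so the template and the new example agree.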