From 0ee4513d13d426013b90544db590cedca0992812 Mon Sep 17 00:00:00 2001
From: Jake Moshenko
Date: Thu, 28 Apr 2016 15:46:03 -0400
Subject: [PATCH] Allow multiple verifier proxies, for basic authZ
---
README.md | 11 ++++++----
cmd/jwtproxy/main.go | 10 ++++++++-
config.example.yaml | 4 ++--
config/config.go | 48 ++++++++++++++++++++++++++++----------------
jwtproxy.go | 6 ++++--
5 files changed, 53 insertions(+), 26 deletions(-)
diff --git a/README.md b/README.md
index ea118af..8ab25c5 100644
--- a/README.md
+++ b/README.md
@@ -54,7 +54,10 @@ The configuration yaml file contains a `jwtproxy` top level config flag, which a
 ```yaml
 jwtproxy:
-
+
+ verifier_proxies:
+ -
+ -
 ```
 ### Signer Config
@@ -146,12 +149,12 @@ private_key:
 ### Verifier Config
-Configures and enables the JWT verifying reverse proxy.
+Configures and enables one or more JWT verifying reverse proxyies.
 ```yaml
 jwtproxy:
- verifier_proxy:
- enabled:
+ verifier_proxies:
+ - enabled:
 # Addr at which to listen for requests
 # It can either be an HTTP(s) URL or an UNIX socket path prefixed by 'unix:'
diff --git a/cmd/jwtproxy/main.go b/cmd/jwtproxy/main.go
index b23ac0f..7e7755e 100644
--- a/cmd/jwtproxy/main.go
+++ b/cmd/jwtproxy/main.go
@@ -60,7 +60,15 @@ func main() {
 func run(config *config.Config) {
 // Nothing to run? Abort.
- if !config.VerifierProxy.Enabled && !config.SignerProxy.Enabled {
+ var verifierEnabled bool
+ for _, verifierCfg := range config.VerifierProxies {
+ if verifierCfg.Enabled {
+ verifierEnabled = true
+ break
+ }
+ }
+
+ if !verifierEnabled && !config.SignerProxy.Enabled {
 log.Error("No proxy is enabled. Terminating.")
 return
 }
diff --git a/config.example.yaml b/config.example.yaml
index b3dd2c2..ed90dbc 100644
--- a/config.example.yaml
+++ b/config.example.yaml
@@ -47,8 +47,8 @@ jwtproxy:
 options:
 registry: http://localhost:8888/
- verifier_proxy:
- enabled: true
+ verifier_proxies:
+ - enabled: true
 listen_addr: :8081
 shutdown_timeout: 1m
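Review bot: Nothing rejects two verifier_proxies entries that share a listen_addr, and because the new per-entry default in config/config.go is ":8082", any two entries that omit listen_addr will both try to bind the same address; presumably the second bind only fails later inside StartReverseProxy, which is not visible here. This loop already visits every entry, so it is the cheapest place to fail fast on an exact-string duplicate (this will not catch equivalent spellings such as ":8082" versus "0.0.0.0:8082", which is worth a comment). The body of run continues past the hunk.
```go
func run(config *config.Config) {
	// Nothing to run? Abort.
	var verifierEnabled bool
	seen := make(map[string]struct{}, len(config.VerifierProxies))
	for _, verifierCfg := range config.VerifierProxies {
		if !verifierCfg.Enabled {
			continue
		}
		// Two enabled verifiers on one listen_addr cannot both bind; reject it up front
		// (exact-string match only, so differently spelled equivalents still slip through).
		if _, dup := seen[verifierCfg.ListenAddr]; dup {
			log.Error("Multiple enabled verifier proxies share listen_addr " + verifierCfg.ListenAddr + ". Terminating.")
			return
		}
		seen[verifierCfg.ListenAddr] = struct{}{}
		verifierEnabled = true
	}
	// … unchanged: "No proxy is enabled" check …
```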
diff --git a/config/config.go b/config/config.go
index acea4f9..dce1c9c 100644
--- a/config/config.go
+++ b/config/config.go
@@ -51,6 +51,35 @@ func (u URL) MarshalYAML() (interface{}, error) {
 return nil, nil
 }
+type DefaultVerifierProxyConfig VerifierProxyConfig
+
+// UnmarshalYAML implements the yaml.Unmarshaler interface for URLs.
+func (cfg *VerifierProxyConfig) UnmarshalYAML(unmarshal func(interface{}) error) error {
+ tempCfg := DefaultVerifierProxyConfig{
+ Enabled: true,
+ ListenAddr: ":8082",
+ ShutdownTimeout: 5 * time.Second,
+ Verifier: VerifierConfig{
+ MaxSkew: 5 * time.Minute,
+ MaxTTL: 5 * time.Minute,
+ NonceStorage: RegistrableComponentConfig{
+ Type: "local",
+ Options: map[string]interface{}{
+ "PurgeInterval": 1 * time.Minute,
+ },
+ },
+ },
+ }
+
+ if err := unmarshal(&tempCfg); err != nil {
+ return err
+ }
+
+ *cfg = VerifierProxyConfig(tempCfg)
+
+ return nil
+}
+
 // Represents a config file, which may have configuration for other programs
 // as a top level key.
 type configFile struct {
@@ -59,8 +88,8 @@ type configFile struct {
 // Config is the global configuration
 type Config struct {
- SignerProxy SignerProxyConfig `yaml:"signer_proxy"`
- VerifierProxy VerifierProxyConfig `yaml:"verifier_proxy"`
+ SignerProxy SignerProxyConfig `yaml:"signer_proxy"`
+ VerifierProxies []VerifierProxyConfig `yaml:"verifier_proxies"`
 }
 type VerifierProxyConfig struct {
@@ -125,21 +154,6 @@ func DefaultConfig() Config {
 },
 },
 },
- VerifierProxy: VerifierProxyConfig{
- Enabled: true,
- ListenAddr: ":8081",
- ShutdownTimeout: 5 * time.Second,
- Verifier: VerifierConfig{
- MaxSkew: 5 * time.Minute,
- MaxTTL: 5 * time.Minute,
- NonceStorage: RegistrableComponentConfig{
- Type: "local",
- Options: map[string]interface{}{
- "PurgeInterval": 1 * time.Minute,
- },
- },
- },
- },
 }
 }
diff --git a/jwtproxy.go b/jwtproxy.go
index 4f3f5cb..b72c3da 100644
--- a/jwtproxy.go
+++ b/jwtproxy.go
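Review bot: The doc comment on the new UnmarshalYAML is copy-pasted from the URL type ("for URLs") and the DefaultVerifierProxyConfig alias has no comment explaining why it exists, so the next reader will not see that the alias is what stops unmarshal(&tempCfg) from recursing back into this method. Suggested comments: `// DefaultVerifierProxyConfig is a method-less copy of VerifierProxyConfig; decoding into it uses the plain YAML decoder instead of recursing into UnmarshalYAML.` and `// UnmarshalYAML implements yaml.Unmarshaler for VerifierProxyConfig, seeding per-entry defaults before decoding so every verifier_proxies element gets them.` Note also that the default ListenAddr here is ":8082" while the DefaultConfig block removed in this same patch used ":8081"; if that is intentional, say so in the comment on the literal, since the commit message does not mention it.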
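Review bot: Dropping VerifierProxy from DefaultConfig() changes out-of-the-box behaviour: a config file with no verifier_proxies key now starts no verifier proxy at all, whereas before this commit one was enabled by default, and the per-entry defaults added in UnmarshalYAML only apply to entries that are actually present. Neither the commit message nor the README hunk states this. If it is intended, document it on the function, e.g. `// Verifier proxies have no global default; each verifier_proxies entry is defaulted in VerifierProxyConfig.UnmarshalYAML.`, otherwise keep one default entry in the slice.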
@@ -38,8 +38,10 @@ func RunProxies(config *config.Config) (*stop.Group, chan error) {
 go StartForwardProxy(config.SignerProxy, stopper, abort)
 }
- if config.VerifierProxy.Enabled {
- go StartReverseProxy(config.VerifierProxy, stopper, abort)
+ for _, verifierConfig := range config.VerifierProxies {
+ if verifierConfig.Enabled {
+ go StartReverseProxy(verifierConfig, stopper, abort)
+ }
 }
 return stopper, abort