author | Ercan Ucan <ercan.ucan@siemens.com> | 2021-02-15 03:28:29 +0300 |
---|---|---|
committer | Jaime Martinez <jmartinez@gitlab.com> | 2021-02-15 03:28:29 +0300 |
commit | b41995a13969b2926ad265bcc769f473e48166cb (patch) | |
tree | 2d70d9c1c201a6e9a4bf73cbe06b9b9d792cd825 /main.go | |
parent | 2eefcef73409cf7510d7ecacce76b299a8340a4c (diff) |
fix(auth): make authentication scope for Pages configurable
This MR makes required authentication permission scope for
Pages configurable.
By default, Pages will use `api` scope to authenticate with
Pages Application registered on GitLab.
With this MR, the scope is configurable and can be set to `read_api`
by providing `auth-scope` as a command-line argument or in
`gitlab-pages.conf`.
/label ~security
Changelog: added
Diffstat (limited to 'main.go')
-rw-r--r-- | main.go | 6 |
1 files changed, 6 insertions, 0 deletions
@@ -73,6 +73,7 @@ var (
 clientID = flag.String("auth-client-id", "", "GitLab application Client ID")
 clientSecret = flag.String("auth-client-secret", "", "GitLab application Client Secret")
 redirectURI = flag.String("auth-redirect-uri", "", "GitLab application redirect URI")
+ authScope = flag.String("auth-scope", "api", "Scope to be used for authentication (must match GitLab Pages OAuth application settings)")
 maxConns = flag.Uint("max-conns", 5000, "Limit on the number of concurrent connections to the HTTP, HTTPS or proxy listeners")
 insecureCiphers = flag.Bool("insecure-ciphers", false, "Use default list of cipher suites, may contain insecure ones like 3DES and RC4")
 tlsMinVersion = flag.String("tls-min-version", "tls1.2", tlsconfig.FlagUsage("min"))
@@ -205,6 +206,7 @@ func configFromFlags() appConfig {
 config.ClientID = *clientID
 config.ClientSecret = *clientSecret
 config.RedirectURI = *redirectURI
+ config.AuthScope = *authScope
 config.SentryDSN = *sentryDSN
 config.SentryEnvironment = *sentryEnvironment
@@ -242,6 +244,9 @@ func assertAuthConfig(config appConfig) {
 if config.RedirectURI == "" {
 log.Fatal("auth-redirect-uri must be defined if authentication is supported")
 }
+ if config.AuthScope == "" {
+ log.Fatal("auth-scope must be defined if authentication is supported")
+ }
 }
 func initErrorReporting(sentryDSN, sentryEnvironment string) {
@@ -297,6 +302,7 @@ func loadConfig() appConfig {
 "api-secret-key": *gitLabAPISecretKey,
 "domain-config-source": config.DomainConfigurationSource,
 "auth-redirect-uri": config.RedirectURI,
+ "auth-scope": config.AuthScope,
 "zip-cache-expiration": config.ZipCacheExpiry,
 "zip-cache-cleanup": config.ZipCacheCleanup,
 "zip-cache-refresh": config.ZipCacheRefresh, |
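Review bot: The usage string for the new `auth-scope` flag in the first hunk does not name the accepted values, nor does it say that the default `api` is the broad read/write scope while `read_api` is the narrower one mentioned in the commit description. An operator reading `--help` has no cue to pick the least-privileged option. I would extend the text, for example `"Scope to be used for authentication: api (default) or read_api; prefer read_api where possible (must match GitLab Pages OAuth application settings)"`. The `var (` block starts and ends outside the hunk.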
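Review bot: The check added to assertAuthConfig in the third hunk rejects only an empty `auth-scope`, so a mistyped or broader-than-intended scope passes startup. It would presumably surface only when the authorization request reaches GitLab, since the code that consumes `config.AuthScope` is not in this diff. The commit description names `api` and `read_api` as the intended values, so consider failing fast on anything else: `if config.AuthScope != "api" && config.AuthScope != "read_api" { log.Fatalf("auth-scope %q is not supported", config.AuthScope) }`. If other scopes must remain possible, a comment here saying so would help the next reader. assertAuthConfig begins outside the hunk.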