Add dingtalk provider

Gopkg.toml

@@ -4,7 +4,7 @@
 #
 
 [[constraint]]
-  name = "github.com/18F/hmacauth"
+  name = "github.com/mbland/hmacauth"
   version = "~1.0.1"
 
 [[constraint]]
@@ -36,7 +36,7 @@
   name = "google.golang.org/api"
 
 [[constraint]]
-  name = "gopkg.in/fsnotify.v1"
+  name = "gopkg.in/fsnotify/fsnotify.v1"
   version = "~1.2.0"
 
 [[constraint]]

README.md

@@ -37,6 +37,7 @@ Valid providers are :
 * [GitHub](#github-auth-provider)
 * [GitLab](#gitlab-auth-provider)
 * [LinkedIn](#linkedin-auth-provider)
+* [DingTalk](#dingtalk-auth-provider)
 
 The provider can be selected using the `provider` configuration value.
 
@@ -155,6 +156,20 @@ OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many ma
     -cookie-secure=false
     -email-domain example.com
 
+### DingTalk Auth Provider
+
+For DingTalk, the registration steps are:
+
+1. Create a new qrcode login application: https://open-dev.dingtalk.com/#/loginAndShareApp
+2. Get corpid and corpsecret of your organization: https://open-dev.dingtalk.com/#/corpAuthInfo
+3. Run the oauth2_proxy with the following args:
+
+    -provider dingtalk
+    -client-id oauth2_proxy
+    -client-secret proxy
+    -dingtalk-corpid corpid
+    -dingtalk-corpsecret corpsecret
+
 ## Email Authentication
 
 To authorize by email domain use `--email-domain=yourcompany.com`. To authorize individual email addresses use `--authenticated-emails-file=/path/to/file` with one email per line. To authorize all email addresses use `--email-domain=*`.

contrib/oauth2_proxy.cfg.example

@@ -78,3 +78,9 @@
 # cookie_refresh = ""
 # cookie_secure = true
 # cookie_httponly = true
+
+# Additional conf required by DigntTalk provider
+# dingtalk_corpid = "ding07511073f402a4e035c2f4657eb2321f"
+# dingtalk_corpsecret = ""
+# fully qualified name of department separated by '/' if you need limit to be logged in by given departments
+# dingtalk_departments = [ "xx公司/yy部门/zz组" ]

main.go

@@ -21,6 +21,7 @@ func main() {
 	upstreams := StringArray{}
 	skipAuthRegex := StringArray{}
 	googleGroups := StringArray{}
+	dingTalkDepartments := StringArray{}
 
 	config := flagSet.String("config", "", "path to config file")
 	showVersion := flagSet.Bool("version", false, "print version string")
@@ -46,6 +47,9 @@ func main() {
 	flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
 	flagSet.String("github-org", "", "restrict logins to members of this organisation")
 	flagSet.String("github-team", "", "restrict logins to members of this team")
+	flagSet.Var(&dingTalkDepartments, "dingtalk-departments", "restrict logins to members of this department(may be given multiple times).")
+	flagSet.String("dingtalk-corpid", "", "corpid of corp in dingtalk")
+	flagSet.String("dingtalk-corpsecret", "", "corp secret of corp in dingtalk")
 	flagSet.Var(&googleGroups, "google-group", "restrict logins to members of this google group (may be given multiple times).")
 	flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls")
 	flagSet.String("google-service-account-json", "", "the path to the service account json credentials")

options.go

@@ -34,6 +34,9 @@ type Options struct {
 	EmailDomains             []string `flag:"email-domain" cfg:"email_domains"`
 	GitHubOrg                string   `flag:"github-org" cfg:"github_org"`
 	GitHubTeam               string   `flag:"github-team" cfg:"github_team"`
+	DingTalkDepartments      []string `flag:"dingtalk-departments" cfg:"dingtalk_departments"`
+	DingTalkCorpID           string   `flag:"dingtalk-corpid" cfg:"dingtalk_corpid" env:"OAUTH2_PROXY_DINGTALK_CORPID"`
+	DingTalkCorpSecret       string   `flag:"dingtalk-corpsecret" cfg:"dingtalk_corpsecret" env:"OAUTH2_PROXY_DINGTALK_CORPSECRET"`
 	GoogleGroups             []string `flag:"google-group" cfg:"google_group"`
 	GoogleAdminEmail         string   `flag:"google-admin-email" cfg:"google_admin_email"`
 	GoogleServiceAccountJSON string   `flag:"google-service-account-json" cfg:"google_service_account_json"`
@@ -278,6 +281,11 @@ func parseProviderInfo(o *Options, msgs []string) []string {
 		} else {
 			p.Verifier = o.oidcVerifier
 		}
+	case *providers.DingTalkProvider:
+		err := p.SetCorpInfoAndDepartments(o.DingTalkCorpID, o.DingTalkCorpSecret, o.DingTalkDepartments)
+		if err != nil {
+			msgs = append(msgs, "invalid DingTalk corp configuration: "+err.Error())
+		}
 	}
 	return msgs
 }