Customizable redirect default path

CHANGELOG.md

@@ -1,3 +1,8 @@
+0.4.1 (2019-09-24)
+==================
+* Make it possible to customize LDAP filter (UserFilter, GroupFilter)
+* Make it possible to customize redirect path when sign-in success
+
 0.4.0 (2018-11-23)
 ==================
 * URGENT SECURITY FIX: authentication bypass via LDAP passwordless auth LDAP permits passwordless Bind operations by clients - this application verified authentication without checking specifically for an empty password, thus allowing authentication as any valid user by leaving the password field blank. This issue has been present since the first release of this application.

ldap_proxy.go

@@ -51,12 +51,13 @@ type LdapProxy struct {
 	SignOutPath  string
 	AuthOnlyPath string
 
-	ProxyPrefix     string
-	SignInMessage   string
-	HtpasswdFile    *HtpasswdFile
-	serveMux        http.Handler
-	SetXAuthRequest bool
-	PassBasicAuth   bool
+	ProxyPrefix         string
+	SignInMessage       string
+	HtpasswdFile        *HtpasswdFile
+	serveMux            http.Handler
+	SetXAuthRequest     bool
+	PassBasicAuth       bool
+	RedirectDefaultPath string
 
 	PassUserHeaders   bool
 	BasicAuthPassword string
@@ -140,8 +141,8 @@ func NewLdapProxy(opts *Options, validator func(string) bool) *LdapProxy {
 		InsecureSkipVerify: true,
 		BindDN:             opts.LdapBindDn,
 		BindPassword:       opts.LdapBindDnPassword,
-		UserFilter:         "(&(objectClass=User)(uid=%s))",
-		GroupFilter:        "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))",
+		UserFilter:         opts.LdapUserFilter,
+		GroupFilter:        opts.LdapGroupFilter,
 		Attributes:         []string{"mail", "cn"},
 	}
 
@@ -162,10 +163,11 @@ func NewLdapProxy(opts *Options, validator func(string) bool) *LdapProxy {
 		SignOutPath:  fmt.Sprintf("%s/sign_out", opts.ProxyPrefix),
 		AuthOnlyPath: fmt.Sprintf("%s/auth", opts.ProxyPrefix),
 
-		ProxyPrefix:     opts.ProxyPrefix,
-		serveMux:        serveMux,
-		SetXAuthRequest: opts.SetXAuthRequest,
-		PassBasicAuth:   opts.PassBasicAuth,
+		ProxyPrefix:         opts.ProxyPrefix,
+		serveMux:            serveMux,
+		SetXAuthRequest:     opts.SetXAuthRequest,
+		PassBasicAuth:       opts.PassBasicAuth,
+		RedirectDefaultPath: opts.RedirectDefaultPath,
 
 		PassUserHeaders:   opts.PassUserHeaders,
 		BasicAuthPassword: opts.BasicAuthPassword,
@@ -255,7 +257,7 @@ func (p *LdapProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code i
 		redirectURL = req.Header.Get("X-Auth-Request-Redirect")
 	}
 	if redirectURL == p.SignInPath {
-		redirectURL = "/"
+		redirectURL = p.RedirectDefaultPath
 	}
 
 	t := struct {

main.go

@@ -44,6 +44,7 @@ func main() {
 	flagSet.Bool("ssl-insecure-skip-verify", false, "skip validation of certificates presented when using HTTPS")
 	flagSet.String("real-ip-header", "X-Real-IP", "The header which specifies the real IP of the request. Caution: This header may allow a malicious actor to spoof an internal IP, bypassing whitelists. Set to the empty string to ignore")
 	flagSet.String("proxy-ip-header", "X-Forwarded-For", "The header which specifies the real IP of the proxied request. Caution: This header may allow a malicious actor to spoof an internal IP, bypassing whitelists. Set to the empty string to ignore")
+	flagSet.String("redirect-default-path", "/", "Default redirect path when sign-in success")
 
 	flagSet.Var(&emailDomains, "email-domain", "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
 	flagSet.String("authenticated-emails-file", "", "authenticate against emails via file (one per line)")
@@ -75,6 +76,8 @@ func main() {
 	flagSet.String("ldap-bind-dn", "", "Bind DN for LDAP bind")
 	flagSet.String("ldap-bind-dn-password", "", "Bind DN password for LDAP bind")
 	flagSet.Var(&ldapGroups, "ldap-groups", "Groups a user must be in")
+	flagSet.String("ldap-user-filter", "(&(objectClass=User)(uid=%s))", "Search filter for user")
+	flagSet.String("ldap-group-filter", "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))", "Search filter for group")
 
 	flagSet.Parse(os.Args[1:])
 

options.go

@@ -51,6 +51,7 @@ type Options struct {
 	SkipAuthPreflight     bool     `flag:"skip-auth-preflight" cfg:"skip_auth_preflight"`
 	RealIPHeader          string   `flag:"real-ip-header" cfg:"real_ip_header"`
 	ProxyIPHeader         string   `flag:"proxy-ip-header" cfg:"proxy_ip_header"`
+	RedirectDefaultPath   string   `flag:"redirect-default-path" cfg:"redirect_default_path"`
 
 	RequestLogging bool `flag:"request-logging" cfg:"request_logging"`
 
@@ -64,6 +65,8 @@ type Options struct {
 	LdapBindDn         string   `flag:"ldap-bind-dn" cfg:"ldap_bind_dn"`
 	LdapBindDnPassword string   `flag:"ldap-bind-dn-password" cfg:"ldap_bind_dn_password"`
 	LdapGroups         []string `flag:"ldap-groups" cfg:"ldap_groups"`
+	LdapUserFilter     string   `flag:"ldap-user-filter" cfg:"ldap_user_filter"`
+	LdapGroupFilter    string   `flag:"ldap-group-filter" cfg:"ldap_group_filter"`
 
 	// internal values that are set after config validation
 	proxyURLs         []*url.URL
@@ -94,6 +97,8 @@ func NewOptions() *Options {
 		PassUserHeaders:   true,
 		PassHostHeader:    true,
 		RequestLogging:    true,
+		LdapUserFilter:    "(&(objectClass=User)(uid=%s))",
+		LdapGroupFilter:   "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:=%s))",
 	}
 }
 

version.go

@@ -1,4 +1,4 @@
 package main
 
 // VERSION released
-const VERSION = "0.4.0"
+const VERSION = "0.4.1"