barbercollie/tinyauth
1
0
Fork 1
mirror of https://github.com/steveiliop56/tinyauth.git synced 2025-11-08 10:05:43 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: disable env acls

Browse Source
This commit is contained in:
Stavros
2025-11-04 17:48:45 +02:00
parent 20fb63532c
commit e23f4f1371
2 changed files with 84 additions and 62 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
cmd/root.go
View File

@@ -34,6 +34,9 @@ func (c *rootCmd) Register() {
Run: c.run, Run: c.run,
} }
// Ignore unknown flags to allow --providers-*
c.cmd.FParseErrWhitelist.UnknownFlags = true
c.viper.AutomaticEnv() c.viper.AutomaticEnv()
configOptions := []struct { configOptions := []struct {

141
internal/service/access_controls_service.go
View File

@@ -1,17 +1,34 @@
package service package service
import ( import (
"os"
"strings"
"tinyauth/internal/config" "tinyauth/internal/config"
"tinyauth/internal/utils/decoders"
"github.com/rs/zerolog/log"
) )
/*
Environment variable/flag based ACLs are disabled until v5 due to a technical challenge
with the current parsing logic.
The current parser works for simple OAuth provider configs like:
- PROVIDERS_MY_AMAZING_PROVIDER_CLIENT_ID
However, it breaks down when handling nested structs required for ACLs. The custom parsing
solution that worked for v4 OAuth providers is incompatible with the ACL parsing logic,
making the codebase unmaintainable and fragile.
A solution is being considered for v5 that would standardize the format to something like:
- TINYAUTH_PROVIDERS_GOOGLE_CLIENTSECRET
- TINYAUTH_APPS_MYAPP_CONFIG_DOMAIN
This would allow the Traefik parser to handle everything consistently, but requires a
config migration. Until this is resolved, environment-based ACLs are disabled and only
Docker label-based ACLs are supported.
See: https://discord.com/channels/1337450123600465984/1337459086270271538/1434986689935179838 for more information
*/
type AccessControlsService struct { type AccessControlsService struct {
docker *DockerService docker *DockerService
envACLs config.Apps // envACLs config.Apps
} }
func NewAccessControlsService(docker *DockerService) *AccessControlsService { func NewAccessControlsService(docker *DockerService) *AccessControlsService {
@@ -21,82 +38,84 @@ func NewAccessControlsService(docker *DockerService) *AccessControlsService {
} }
func (acls *AccessControlsService) Init() error { func (acls *AccessControlsService) Init() error {
acls.envACLs = config.Apps{} // acls.envACLs = config.Apps{}
env := os.Environ() // env := os.Environ()
appEnvVars := []string{} // appEnvVars := []string{}
for _, e := range env { // for _, e := range env {
if strings.HasPrefix(e, "TINYAUTH_APPS_") { // if strings.HasPrefix(e, "TINYAUTH_APPS_") {
appEnvVars = append(appEnvVars, e) // appEnvVars = append(appEnvVars, e)
} // }
} // }
err := acls.loadEnvACLs(appEnvVars) // err := acls.loadEnvACLs(appEnvVars)
if err != nil { // if err != nil {
return err // return err
} // }
// return nil
return nil return nil
} }
func (acls *AccessControlsService) loadEnvACLs(appEnvVars []string) error { // func (acls *AccessControlsService) loadEnvACLs(appEnvVars []string) error {
if len(appEnvVars) == 0 { // if len(appEnvVars) == 0 {
return nil // return nil
} // }
envAcls := map[string]string{} // envAcls := map[string]string{}
for _, e := range appEnvVars { // for _, e := range appEnvVars {
parts := strings.SplitN(e, "=", 2) // parts := strings.SplitN(e, "=", 2)
if len(parts) != 2 { // if len(parts) != 2 {
continue // continue
} // }
// Normalize key, this should use the same normalization logic as in utils/decoders/decoders.go // key := parts[0]
key := parts[0] // key = strings.ToLower(key)
key = strings.ToLower(key) // key = strings.ReplaceAll(key, "_", ".")
key = strings.ReplaceAll(key, "_", ".") // value := parts[1]
value := parts[1] // envAcls[key] = value
envAcls[key] = value // }
}
apps, err := decoders.DecodeLabels(envAcls) // apps, err := decoders.DecodeLabels(envAcls)
if err != nil { // if err != nil {
return err // return err
} // }
acls.envACLs = apps // acls.envACLs = apps
return nil // return nil
} // }
func (acls *AccessControlsService) lookupEnvACLs(appDomain string) *config.App { // func (acls *AccessControlsService) lookupEnvACLs(appDomain string) *config.App {
if len(acls.envACLs.Apps) == 0 { // if len(acls.envACLs.Apps) == 0 {
return nil // return nil
} // }
for appName, appACLs := range acls.envACLs.Apps { // for appName, appACLs := range acls.envACLs.Apps {
if appACLs.Config.Domain == appDomain { // if appACLs.Config.Domain == appDomain {
return &appACLs // return &appACLs
} // }
if strings.SplitN(appDomain, ".", 2)[0] == appName { // if strings.SplitN(appDomain, ".", 2)[0] == appName {
return &appACLs // return &appACLs
} // }
} // }
return nil // return nil
} // }
func (acls *AccessControlsService) GetAccessControls(appDomain string) (config.App, error) { func (acls *AccessControlsService) GetAccessControls(appDomain string) (config.App, error) {
// First check environment variables // First check environment variables
envACLs := acls.lookupEnvACLs(appDomain) // envACLs := acls.lookupEnvACLs(appDomain)
if envACLs != nil { // if envACLs != nil {
log.Debug().Str("domain", appDomain).Msg("Found matching access controls in environment variables") // log.Debug().Str("domain", appDomain).Msg("Found matching access controls in environment variables")
return *envACLs, nil // return *envACLs, nil
} // }
// Fallback to Docker labels // Fallback to Docker labels
return acls.docker.GetLabels(appDomain) return acls.docker.GetLabels(appDomain)