Gitlab project #630

Merged, Dec 5, 2020 (33 commits)
Commits:

- 0fe29a5 Add support for gitlab projects (Jun 21, 2020)
- 7675a7c Add group membership in state (Nov 23, 2020)
- 379925b Use prefixed allowed groups everywhere (Nov 23, 2020)
- 65ad484 Fix: remove unused function (Nov 23, 2020)
- ef26d56 Fix: rename func that adds data to session (Nov 24, 2020)
- ad8096b Simplify projects and groups session funcs (Nov 24, 2020)
- 6e76e62 Add project access level for gitlab projects (Nov 24, 2020)
- b8d0a5a Fix: default access level (Nov 24, 2020)
- 275054f Add per-project access level (Nov 25, 2020)
- ae4ca1f Add user email when missing access level (Nov 25, 2020)
- f089fd1 Fix: harmonize errors (Nov 26, 2020)
- 2b33885 Update docs and flags description for gitlab project (Nov 26, 2020)
- a48ca0b Add test with both projects and groups (Nov 26, 2020)
- 170c210 Fix: log error message (Nov 30, 2020)
- 2f4179e Fix: make doc a markdown link (Nov 30, 2020)
- 8327a70 Add notes about read_api scope for projects (Nov 30, 2020)
- f0af811 Fix: Verifier override in Gitlab Provider (Dec 1, 2020)
- f3eba6c Fix: ensure data in session before using it (Dec 1, 2020)
- db2c56e Update providers/gitlab.go (Dec 2, 2020)
- 93a437e Rename gitlab project initializer (Dec 2, 2020)
- 4467c6d Improve return value readability (Dec 2, 2020)
- 4319e92 Use splitN (Dec 2, 2020)
- 7711bc3 Handle space delimiters in set project scope (Dec 2, 2020)
- eb296bf Reword comment for AddProjects (Dec 2, 2020)
- 535ec78 Fix: typo (Dec 2, 2020)
- 9735abd Rework error handling in addProjectsToSession (Dec 2, 2020)
- 68a9778 Reduce branching complexity in addProjectsToSession (Dec 2, 2020)
- c206e31 Fix: line returns (Dec 2, 2020)
- c0eeeef Better comment for addProjectsToSession (Dec 2, 2020)
- f940c79 Fix: enrich session comment (Dec 2, 2020)
- dd63dce Fix: email domains are handled before provider mechanism (Dec 2, 2020)
- d1d98f5 Add archived project unit test (Dec 2, 2020)
- c3028b0 Fix: email handling in gitlab provider (Dec 3, 2020)
56 changes: 35 additions & 21 deletions CHANGELOG.md
Expand Up @@ -4,13 +4,14 @@

## Important Notes

- [#630](https://github.com/oauth2-proxy/oauth2-proxy/pull/630) Gitlab projects needs a Gitlab application with the extra `read_api` enabled
- [#905](https://github.com/oauth2-proxy/oauth2-proxy/pull/905) Existing sessions from v6.0.0 or earlier are no longer valid. They will trigger a reauthentication.
- [#826](https://github.com/oauth2-proxy/oauth2-proxy/pull/826) `skip-auth-strip-headers` now applies to all requests, not just those where authentication would be skipped.
- [#797](https://github.com/oauth2-proxy/oauth2-proxy/pull/797) The behavior of the Google provider Groups restriction changes with this
- Either `--google-group` or the new `--allowed-group` will work for Google now (`--google-group` will be used if both are set)
- Group membership lists will be passed to the backend with the `X-Forwarded-Groups` header
- If you change the list of allowed groups, existing sessions that now don't have a valid group will be logged out immediately.
- Previously, group membership was only checked on session creation and refresh.
- Previously, group membership was only checked on session creation and refresh.
- [#789](https://github.com/oauth2-proxy/oauth2-proxy/pull/789) `--skip-auth-route` is (almost) backwards compatible with `--skip-auth-regex`
- We are marking `--skip-auth-regex` as DEPRECATED and will remove it in the next major version.
- If your regex contains an `=` and you want it for all methods, you will need to add a leading `=` (this is the area where `--skip-auth-regex` doesn't port perfectly)
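Review bot: the new Important Notes entry for #630 has a number-agreement error and is vague about what it asks the operator to do: "Gitlab projects needs a Gitlab application with the extra `read_api` enabled" should be plural ("need"), `read_api` is an OAuth scope granted to the application rather than a switch on it, and the note should name the option it applies to. Something like "[#630] GitLab project filtering (`--gitlab-project`) requires the GitLab OAuth application to also grant the `read_api` scope" says the same thing precisely; the flag name is the one registered in pkg/apis/options/options.go in this PR. The duplicated "Previously, group membership was only checked on session creation and refresh." line in the same hunk is a trailing-whitespace change only and is unrelated to the feature.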
Expand Down Expand Up @@ -38,11 +39,12 @@
be any redirects in the browser anymore when tokens expire, but instead a token refresh is initiated
in the background, which leads to new tokens being returned in the cookies.
- Please note that `--cookie-refresh` must be 0 (the default) or equal to the token lifespan configured in Azure AD to make
Azure token refresh reliable. Setting this value to 0 means that it relies on the provider implementation
to decide if a refresh is required.
Azure token refresh reliable. Setting this value to 0 means that it relies on the provider implementation
to decide if a refresh is required.

## Changes since v6.1.1

- [#630](https://github.com/oauth2-proxy/oauth2-proxy/pull/630) Add support for Gitlab project based authentication (@factorysh)
- [#907](https://github.com/oauth2-proxy/oauth2-proxy/pull/907) Introduce alpha configuration option to enable testing of structured configuration (@JoelSpeed)
- [#938](https://github.com/oauth2-proxy/oauth2-proxy/pull/938) Cleanup missed provider renaming refactor methods (@NickMeves)
- [#925](https://github.com/oauth2-proxy/oauth2-proxy/pull/925) Fix basic auth legacy header conversion (@JoelSpeed)
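Review bot: "Gitlab project based authentication" should read "GitLab project-based authentication": hyphenate the compound modifier, and use the "GitLab" casing this CHANGELOG already uses elsewhere (for example "Rework GitLab provider" under v4.0.0) so the two #630 entries are consistent with the rest of the file. The rewrapped `--cookie-refresh` / Azure lines in this hunk change only whitespace; that is fine as a drive-by cleanup, but it and the other whitespace-only CHANGELOG hunks in this PR make the actual feature changes harder to pick out in review.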
Expand Down Expand Up @@ -78,7 +80,6 @@
- [#829](https://github.com/oauth2-proxy/oauth2-proxy/pull/820) Rename test directory to testdata (@johejo)
- [#819](https://github.com/oauth2-proxy/oauth2-proxy/pull/819) Improve CI (@johejo)


# v6.1.1

## Release Highlights
Expand Down Expand Up @@ -180,7 +181,7 @@ N/A
- [#440](https://github.com/oauth2-proxy/oauth2-proxy/pull/440) Switch Azure AD Graph API to Microsoft Graph API
- The Azure AD Graph API has been [deprecated](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api) and is being replaced by the Microsoft Graph API.
If your application relies on the access token being passed to it to access the Azure AD Graph API, you should migrate your application to use the Microsoft Graph API.
Existing behaviour can be retained by setting `-resource=https://graph.windows.net`.
Existing behaviour can be retained by setting `-resource=https://graph.windows.net`.
- [#484](https://github.com/oauth2-proxy/oauth2-proxy/pull/484) Configuration loading has been replaced with Viper and PFlag
- Flags now require a `--` prefix before the option
- Previously flags allowed either `-` or `--` to prefix the option name
Expand All @@ -201,7 +202,7 @@ N/A
- [#556](https://github.com/oauth2-proxy/oauth2-proxy/pull/556) Remove unintentional auto-padding of secrets that were too short
- Previously, after cookie-secrets were opportunistically base64 decoded to raw bytes,
they were padded to have a length divisible by 4.
- This led to wrong sized secrets being valid AES lengths of 16, 24, or 32 bytes. Or it led to confusing errors
- This led to wrong sized secrets being valid AES lengths of 16, 24, or 32 bytes. Or it led to confusing errors
reporting an invalid length of 20 or 28 when the user input cookie-secret was not that length.
- Now we will only base64 decode a cookie-secret to raw bytes if it is 16, 24, or 32 bytes long. Otherwise, we will convert
the direct cookie-secret to bytes without silent padding added.
Expand Down Expand Up @@ -306,15 +307,18 @@ N/A
# v5.1.0

## Release Highlights

- Bump to Go 1.14
- Reduced number of Google API requests for group validation
- Support for Redis Cluster
- Support for overriding hosts in hosts file

## Important Notes

- [#335] The session expiry for the OIDC provider is now taken from the Token Response (expires_in) rather than from the id_token (exp)

## Breaking Changes

N/A

## Changes since v5.0.0
Expand All @@ -338,13 +342,15 @@ N/A
# v5.0.0

## Release Highlights

- Disabled CGO (binaries will work regardless og glibc/musl)
- Allow whitelisted redirect ports
- Nextcloud provider support added
- DigitalOcean provider support added

## Important Notes
- (Security) Fix for [open redirect vulnerability](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-qqxw-m5fj-f7gv).. a bad actor using `/\` in redirect URIs can redirect a session to another domain

- (Security) Fix for [open redirect vulnerability](https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-qqxw-m5fj-f7gv).. a bad actor using `/\` in redirect URIs can redirect a session to another domain

## Breaking Changes

Expand All @@ -365,6 +371,7 @@ N/A
# v4.1.0

## Release Highlights

- Added Keycloak provider
- Build on Go 1.13
- Upgrade Docker image to use Debian Buster
Expand All @@ -373,12 +380,15 @@ N/A
- Added support for GitHub teams

## Important Notes

N/A

## Breaking Changes

N/A

## Changes since v4.0.0

- [#292](https://github.com/oauth2-proxy/oauth2-proxy/pull/292) Added bash >= 4.0 dependency to configure script (@jmfrank63)
- [#227](https://github.com/oauth2-proxy/oauth2-proxy/pull/227) Add Keycloak provider (@Ofinka)
- [#259](https://github.com/oauth2-proxy/oauth2-proxy/pull/259) Redirect to HTTPS (@jmickey)
Expand All @@ -401,36 +411,38 @@ N/A
# v4.0.0

## Release Highlights

- Documentation is now on a [microsite](https://oauth2-proxy.github.io/oauth2-proxy/)
- Health check logging can now be disabled for quieter logs
- Authorization Header JWTs can now be verified by the proxy to skip authentication for machine users
- Sessions can now be stored in Redis. This reduces refresh failures and uses smaller cookies (Recommended for those using OIDC refreshing)
- Logging overhaul allows customisable logging formats

## Important Notes

- This release includes a number of breaking changes that will require users to
reconfigure their proxies. Please read the Breaking Changes below thoroughly.
reconfigure their proxies. Please read the Breaking Changes below thoroughly.

## Breaking Changes

- [#231](https://github.com/oauth2-proxy/oauth2-proxy/pull/231) Rework GitLab provider
- This PR changes the configuration options for the GitLab provider to use
a self-hosted instance. You now need to specify a `-oidc-issuer-url` rather than
explicit `-login-url`, `-redeem-url` and `-validate-url` parameters.
a self-hosted instance. You now need to specify a `-oidc-issuer-url` rather than
explicit `-login-url`, `-redeem-url` and `-validate-url` parameters.
- [#186](https://github.com/oauth2-proxy/oauth2-proxy/pull/186) Make config consistent
- This PR changes configuration options so that all flags have a config counterpart
of the same name but with underscores (`_`) in place of hyphens (`-`).
This change affects the following flags:
of the same name but with underscores (`_`) in place of hyphens (`-`).
This change affects the following flags:
- The `--tls-key` flag is now `--tls-key-file` to be consistent with existing
file flags and the existing config and environment settings
file flags and the existing config and environment settings
- The `--tls-cert` flag is now `--tls-cert-file` to be consistent with existing
file flags and the existing config and environment settings
This change affects the following existing configuration options:
file flags and the existing config and environment settings
This change affects the following existing configuration options:
- The `proxy-prefix` option is now `proxy_prefix`.
This PR changes environment variables so that all flags have an environment
counterpart of the same name but capitalised, with underscores (`_`) in place
of hyphens (`-`) and with the prefix `OAUTH2_PROXY_`.
This change affects the following existing environment variables:
This PR changes environment variables so that all flags have an environment
counterpart of the same name but capitalised, with underscores (`_`) in place
of hyphens (`-`) and with the prefix `OAUTH2_PROXY_`.
This change affects the following existing environment variables:
- The `OAUTH2_SKIP_OIDC_DISCOVERY` environment variable is now `OAUTH2_PROXY_SKIP_OIDC_DISCOVERY`.
- The `OAUTH2_OIDC_JWKS_URL` environment variable is now `OAUTH2_PROXY_OIDC_JWKS_URL`.
- [#146](https://github.com/oauth2-proxy/oauth2-proxy/pull/146) Use full email address as `User` if the auth response did not contain a `User` field
Expand All @@ -456,7 +468,7 @@ reconfigure their proxies. Please read the Breaking Changes below thoroughly.
- [#65](https://github.com/oauth2-proxy/oauth2-proxy/pull/65) Improvements to authenticate requests with a JWT bearer token in the `Authorization` header via
the `-skip-jwt-bearer-token` options. (@brianv0)
- Additional verifiers can be configured via the `-extra-jwt-issuers` flag if the JWT issuers is either an OpenID provider or has a JWKS URL
(e.g. `https://example.com/.well-known/jwks.json`).
(e.g. `https://example.com/.well-known/jwks.json`).
- [#180](https://github.com/oauth2-proxy/oauth2-proxy/pull/180) Minor refactor of core proxying path (@aeijdenberg).
- [#175](https://github.com/oauth2-proxy/oauth2-proxy/pull/175) Bump go-oidc to v2.0.0 (@aeijdenberg).
- Includes fix for potential signature checking issue when OIDC discovery is skipped.
Expand Down Expand Up @@ -514,16 +526,18 @@ reconfigure their proxies. Please read the Breaking Changes below thoroughly.
# v3.2.0

## Release highlights

- Internal restructure of session state storage to use JSON rather than proprietary scheme
- Added health check options for running on GCP behind a load balancer
- Improved support for protecting websockets
- Added provider for login.gov
- Allow manual configuration of OIDC providers

## Important notes

- Dockerfile user is now non-root, this may break your existing deployment
- In the OIDC provider, when no email is returned, the ID Token subject will be used
instead of returning an error
instead of returning an error
- GitHub user emails must now be primary and verified before authenticating

## Changes since v3.1.0
2 changes: 2 additions & 0 deletions docs/docs/configuration/auth.md
Expand Up @@ -149,6 +149,8 @@ The group management in keycloak is using a tree. If you create a group named ad

Whether you are using GitLab.com or self-hosting GitLab, follow [these steps to add an application](https://docs.gitlab.com/ce/integration/oauth_provider.html). Make sure to enable at least the `openid`, `profile` and `email` scopes, and set the redirect url to your application url e.g. https://myapp.com/oauth2/callback.

If you need projects filtering, add the extra `read_api` scope to your application.

The following config should be set to ensure that the oauth will work properly. To get a cookie secret follow [these steps](https://github.com/oauth2-proxy/oauth2-proxy/blob/master/docs/configuration/configuration.md#configuration)

```
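Review bot: "If you need projects filtering" should be "project filtering", and the added sentence should say which option it relates to and why the scope is needed, otherwise an operator reading only this page has no way to connect `read_api` to anything they configure. The feature is the `--gitlab-project` flag registered in pkg/apis/options/options.go in this PR, which restricts logins by project membership and access level; that lookup is made against the GitLab API on the user's behalf, which is why `read_api` has to be granted in addition to `openid`, `profile` and `email`. Suggested wording: "If you restrict logins with `--gitlab-project`, also enable the `read_api` scope on the application; the proxy needs it to read the user's project membership and access level." It would also help to show a `gitlab_projects` entry in the config sample that follows.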
1 change: 1 addition & 0 deletions docs/docs/configuration/overview.md
Expand Up @@ -54,6 +54,7 @@ An example [oauth2-proxy.cfg](https://github.com/oauth2-proxy/oauth2-proxy/blob/
| `--github-token` | string | the token to use when verifying repository collaborators (must have push access to the repository) | |
| `--github-user` | string \| list | To allow users to login by username even if they do not belong to the specified org and team or collaborators | |
| `--gitlab-group` | string \| list | restrict logins to members of any of these groups (slug), separated by a comma | |
| `--gitlab-projects` | string \| list | restrict logins to members of any of these projects (may be given multiple times) formatted as `orgname/repo=accesslevel`. Access level should be a value matching [Gitlab access levels](https://docs.gitlab.com/ee/api/members.html#valid-access-levels), defaulted to 20 if absent | |
| `--google-admin-email` | string | the google admin to impersonate for api calls | |
| `--google-group` | string | restrict logins to members of this google group (may be given multiple times). | |
| `--google-service-account-json` | string | the path to the service account json credentials | |
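Review bot: the option name in this table row, `--gitlab-projects`, does not match the flag registered in pkg/apis/options/options.go in this PR, which is `--gitlab-project` (with cfg key `gitlab_projects`); anyone copying the table entry will hit an unknown-flag error at startup, so the row must use the registered name. The row also describes the value format as `orgname/repo=accesslevel` while the flag help text says `group/project=accesslevel`; GitLab's own terms are group and project, so use `group/project=accesslevel` in both places. Finally, "defaulted to 20 if absent" is more useful as "defaults to 20 (Reporter) if absent", since 20 is the Reporter level in the linked GitLab access-level table.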
2 changes: 2 additions & 0 deletions pkg/apis/options/options.go
Expand Up @@ -48,6 +48,7 @@ type Options struct {
GitHubToken string `flag:"github-token" cfg:"github_token"`
GitHubUsers []string `flag:"github-user" cfg:"github_users"`
GitLabGroup []string `flag:"gitlab-group" cfg:"gitlab_groups"`
GitlabProjects []string `flag:"gitlab-project" cfg:"gitlab_projects"`
GoogleGroups []string `flag:"google-group" cfg:"google_group"`
GoogleAdminEmail string `flag:"google-admin-email" cfg:"google_admin_email"`
GoogleServiceAccountJSON string `flag:"google-service-account-json" cfg:"google_service_account_json"`
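Review bot: the new field is named `GitlabProjects` while the field directly above it is `GitLabGroup` and the provider type used in pkg/validation/options.go is `GitLabProvider`; keep the `GitLab` casing, i.e. `GitLabProjects`, so the two GitLab options read as a pair. The flag/cfg names `gitlab-project` / `gitlab_projects` do follow the existing `gitlab-group` / `gitlab_groups` precedent, but note that docs/docs/configuration/overview.md in this PR documents the flag as `--gitlab-projects`; whichever spelling is kept, the docs table has to match this struct tag.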
Expand Down Expand Up @@ -188,6 +189,7 @@ func NewFlagSet() *pflag.FlagSet {
flagSet.String("github-token", "", "the token to use when verifying repository collaborators (must have push access to the repository)")
flagSet.StringSlice("github-user", []string{}, "allow users with these usernames to login even if they do not belong to the specified org and team or collaborators (may be given multiple times)")
flagSet.StringSlice("gitlab-group", []string{}, "restrict logins to members of this group (may be given multiple times)")
flagSet.StringSlice("gitlab-project", []string{}, "restrict logins to members of this project (may be given multiple times) (eg `group/project=accesslevel`). Access level should be a value matching Gitlab access levels (see https://docs.gitlab.com/ee/api/members.html#valid-access-levels), defaulted to 20 if absent")
flagSet.StringSlice("google-group", []string{}, "restrict logins to members of this google group (may be given multiple times).")
flagSet.String("google-admin-email", "", "the google admin to impersonate for api calls")
flagSet.String("google-service-account-json", "", "the path to the service account json credentials")
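Review bot: the help text says "restrict logins to members of this project", but the option is a `StringSlice` that accepts several entries (and comma-separated values), so "any of these projects" describes the actual semantics; the existing `gitlab-group` help has the same singular/plural mismatch and could be fixed in passing. Spell out what the default means ("defaults to 20, i.e. Reporter, if absent") so operators do not have to follow the link, and mention that the `read_api` scope must be granted to the OAuth application, as the auth.md and CHANGELOG changes in this PR already state; the flag help is the text operators see first.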
6 changes: 6 additions & 0 deletions pkg/validation/options.go
Expand Up @@ -282,6 +282,12 @@ func parseProviderInfo(o *options.Options, msgs []string) []string {
case *providers.GitLabProvider:
p.AllowUnverifiedEmail = o.InsecureOIDCAllowUnverifiedEmail
p.Groups = o.GitLabGroup
err := p.AddProjects(o.GitlabProjects)
if err != nil {
msgs = append(msgs, "failed to setup gitlab project access level")
}
p.SetAllowedGroups(p.PrefixAllowedGroups())
p.SetProjectScope()

if p.Verifier == nil {
// Initialize with default verifier for gitlab.com
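Review bot: the error returned by `p.AddProjects(o.GitlabProjects)` is discarded; the appended message "failed to setup gitlab project access level" tells the operator neither which `--gitlab-project` entry was malformed nor why. Include the error in the message, e.g. `msgs = append(msgs, fmt.Sprintf("failed to setup gitlab project access level: %v", err))`, so a typo such as a non-numeric access level is diagnosable from the startup log. Note also that `p.SetAllowedGroups(p.PrefixAllowedGroups())` and `p.SetProjectScope()` still run after a failed `AddProjects`; that is acceptable only because validation messages abort startup, so please confirm a non-empty `msgs` does fail startup here rather than letting a partially parsed project list through.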