[http/samlproxy] add systemd service, allow username header to be customized
authorDan Fuhry <dan@fuhry.com>
Sun, 23 Mar 2025 01:44:12 +0000 (21:44 -0400)
committerDan Fuhry <dan@fuhry.com>
Sun, 23 Mar 2025 01:44:12 +0000 (21:44 -0400)
http/samlproxy.go
http/samlproxy/main.go
http/samlproxy/systemd/saml-proxy@.service [new file with mode: 0644]

index c39e6d3ec5adf97598c96423cc9cac2417cfad70..610ab62b510a183df065c3701846b27d18a7a7c3 100644 (file)
@@ -24,6 +24,7 @@ import (
 
        "github.com/crewjam/saml"
        "github.com/crewjam/saml/samlsp"
+
        "go.fuhry.dev/runtime/mtls"
        "go.fuhry.dev/runtime/mtls/certutil"
        "go.fuhry.dev/runtime/utils/hashset"
@@ -40,9 +41,10 @@ type Route struct {
 }
 
 type SAMLBackend struct {
-       Host     string `yaml:"host"`
-       Port     int    `yaml:"port"`
-       Identity string `yaml:"mtls_id"`
+       Host           string `yaml:"host"`
+       Port           int    `yaml:"port"`
+       Identity       string `yaml:"mtls_id"`
+       UsernameHeader string `yaml:"username_header"`
 
        client     *http.Client
        clientOnce sync.Once
@@ -493,8 +495,12 @@ func (sp *SAMLProxy) newHandler() (http.HandlerFunc, error) {
 
                if swa, ok := session.(samlsp.SessionWithAttributes); ok {
                        attrs := swa.GetAttributes()
-                       sp.logger.V(3).Debugf("setting origin request header: on-behalf-of: %q", attrs.Get("uid"))
-                       newReq.Header.Set("on-behalf-of", attrs.Get("uid"))
+                       oboHeader := vhost.Backend.UsernameHeader
+                       if oboHeader == "" {
+                               oboHeader = "on-behalf-of"
+                       }
+                       sp.logger.V(3).Debugf("setting origin request header: %s: %q", oboHeader, attrs.Get("uid"))
+                       newReq.Header.Set(oboHeader, attrs.Get("uid"))
                }
 
                if jwts, ok := session.(samlsp.JWTSessionClaims); ok {
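Review bot: The configurable identity header is still only written inside the `if swa, ok` branch, so whether a client-supplied header of the same name can reach the backend when the session carries no attributes depends on how `newReq` is built, which is outside this hunk (newHandler starts and ends outside it). Hoist the three `oboHeader` lines above the `if swa` check and add `newReq.Header.Del(oboHeader)` right after them, so the proxy is the only source of that header regardless of session type. The fallback to `on-behalf-of` is also resolved on every request and the configured name is never validated for header-name syntax; both the defaulting and a validity check belong where `SAMLBackend` is loaded, next to the new field in the earlier hunk. A doc comment on that field, `// UsernameHeader names the backend request header that carries the authenticated uid; empty means "on-behalf-of".`, would record the contract.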
index 52be074327683c0f8f322c5faf77a58ac1938748..b8daa0362e22f394ce4c0906e1e99ab6b7d580f3 100644 (file)
@@ -8,6 +8,7 @@ import (
        "syscall"
        "time"
 
+       "github.com/coreos/go-systemd/daemon"
        "gopkg.in/yaml.v3"
 
        "go.fuhry.dev/runtime/http"
@@ -73,6 +74,8 @@ func main() {
        server.Addr = *listen
        go server.ListenAndServeTLS("", "")
 
+       daemon.SdNotify(false, daemon.SdNotifyReady)
+
        <-ctx.Done()
        shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
        defer shutdownCancel()
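Review bot: `daemon.SdNotify(false, daemon.SdNotifyReady)` discards both of its return values and is sent immediately after `go server.ListenAndServeTLS("", "")`, so the unit is reported ready even if the listener never bound, and a failed notification is silent. Check the result, `if _, err := daemon.SdNotify(false, daemon.SdNotifyReady); err != nil { /* log with whatever logger main already uses */ }`, and bind the socket before signalling readiness: `net.Listen` on `*listen` with its error checked, then the serve call on the goroutine, if `server` exposes a `ServeTLS`-style entry point (it comes from go.fuhry.dev/runtime/http rather than net/http, so that is inferred). main continues outside the hunk.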
diff --git a/http/samlproxy/systemd/saml-proxy@.service b/http/samlproxy/systemd/saml-proxy@.service
new file mode 100644 (file)
index 0000000..fb6bc36
--- /dev/null
@@ -0,0 +1,10 @@
+[Unit]
+Description=SAML-authenticating proxy instance %i
+
+[Service]
+Type=notify
+User=http
+ExecStart=/usr/bin/saml-proxy -config=/etc/runtime/saml-proxy/%i.yaml
+
+[Install]
+WantedBy=default.target
\ No newline at end of file
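Review bot: `WantedBy=default.target` in the `[Install]` section is the user-session default; a system unit running as `User=http` is conventionally wanted by `multi-user.target`, and with no `After=network-online.target` ordering the proxy can be started before its bind address is usable. The `[Service]` section also applies no sandboxing, which is worth adding for a network-facing authenticating proxy; the directives below are a reasonable baseline. If the configured listen address is a privileged port, `User=http` additionally needs `AmbientCapabilities=CAP_NET_BIND_SERVICE`. The file also lacks a trailing newline.
```ini
[Unit]
Description=SAML-authenticating proxy instance %i
After=network-online.target
Wants=network-online.target

[Service]
# … unchanged: Type, User, ExecStart …
Restart=on-failure
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes

[Install]
WantedBy=multi-user.target
```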