Merge pull request #1985 from isodude/systemd-socket

JoelSpeed · web-flow · commit 4d2b5c30a1a4 · 2024-10-28T03:56:05.000+07:00
Add support for systemd socket
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@
 
 - [#2800](https://github.com/oauth2-proxy/oauth2-proxy/pull/2800) Add some opencontainer labels to docker image (@halkeye)
 - [#2755](https://github.com/oauth2-proxy/oauth2-proxy/pull/2755) feat: add X-Envoy-External-Address as supported header (@bjencks)
+- [#1985](https://github.com/oauth2-proxy/oauth2-proxy/pull/1985) Add support for systemd socket (@isodude)
 
 # V7.7.1
 
@@ -58,6 +59,7 @@
 - [#2790](https://github.com/oauth2-proxy/oauth2-proxy/pull/2790) chore(deps): update all golang dependencies (@tuunit)
 - [#2607](https://github.com/oauth2-proxy/oauth2-proxy/pull/2607) fix(csrf): fix possible infinite loop (@Primexz)
 
+
 # V7.6.0
 
 ## Release Highlights
diff --git a/docs/docs/configuration/overview.md b/docs/docs/configuration/overview.md
@@ -219,7 +219,7 @@ Provider specific options can be found on their respective subpages.
 
 | Flag / Config Field                                                 | Type           | Description                                                                                                                                                                                                                                                                                                   | Default            |
 | ------------------------------------------------------------------- | -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------ |
-| flag: `--http-address`<br/>toml: `http_address`                     | string         | `[http://]<addr>:<port>` or `unix://<path>` to listen on for HTTP clients. Square brackets are required for ipv6 address, e.g. `http://[::1]:4180`                                                                                                                                                            | `"127.0.0.1:4180"` |
+| flag: `--http-address`<br/>toml: `http_address`                     | string         | `[http://]<addr>:<port>` or `unix://<path>` or `fd:<int>` (case insensitive) to listen on for HTTP clients. Square brackets are required for ipv6 address, e.g. `http://[::1]:4180`                                                                                                                           | `"127.0.0.1:4180"` |
 | flag: `--https-address`<br/>toml: `https_address`                   | string         | `[https://]<addr>:<port>` to listen on for HTTPS clients. Square brackets are required for ipv6 address, e.g. `https://[::1]:443`                                                                                                                                                                             | `":443"`           |
 | flag: `--metrics-address`<br/>toml: `metrics_address`               | string         | the address prometheus metrics will be scraped from                                                                                                                                                                                                                                                           | `""`               |
 | flag: `--metrics-secure-address`<br/>toml: `metrics_secure_address` | string         | the address prometheus metrics will be scraped from if using HTTPS                                                                                                                                                                                                                                            | `""`               |
diff --git a/docs/docs/configuration/systemd_socket.md b/docs/docs/configuration/systemd_socket.md
@@ -0,0 +1,43 @@
+---
+id: systemd_socket
+title: Systemd Socket Activation
+---
+
+Pass an existing listener created by systemd.socket to oauth2-proxy.
+
+To do this create a socket:
+
+oauth2-proxy.socket
+```
+[Socket]
+ListenStream=%t/oauth2.sock
+SocketGroup=www-data
+SocketMode=0660
+```
+
+Now it's possible to call this socket from e.g. nginx:
+```
+server {
+    location /oauth2/ {
+      proxy_pass http://unix:/run/oauth2-proxy/oauth2.sock;
+}
+```
+
+The oauth2-proxy should have `--http-address=fd:3` as a parameter.
+Here fd is case insensitive and means file descriptor. The number 3 refers to the first non-stdin/stdout/stderr file descriptor,
+systemd-socket-activate (which is what systemd.socket uses), listens to what it is told and passes
+the listener it created onto the process, starting with file descriptor 3.
+
+```
+./oauth2-proxy \
+    --http-address="fd:3" \
+    --email-domain="yourcompany.com"  \
+    --upstream=http://127.0.0.1:8080/ \
+    --cookie-secret=... \
+    --cookie-secure=true \
+    --provider=... \
+    --client-id=... \
+    --client-secret=...
+```
+
+Currently TLS is not supported (but it's doable).
diff --git a/docs/docs/installation.md b/docs/docs/installation.md
@@ -29,3 +29,4 @@ title: Installation
 2.  [Select a Provider and Register an OAuth Application with a Provider](configuration/providers/index.md)
 3.  [Configure OAuth2 Proxy using config file, command line options, or environment variables](configuration/overview.md)
 4.  [Configure SSL or Deploy behind an SSL endpoint](configuration/tls.md) (example provided for Nginx)
+5.  [Configure OAuth2 Proxy using systemd.socket](configuration/systemd_socket.md) (example provided for Nginx/Systemd)
diff --git a/go.mod b/go.mod
@@ -11,6 +11,7 @@ require (
 	github.com/bitly/go-simplejson v0.5.1
 	github.com/bsm/redislock v0.9.4
 	github.com/coreos/go-oidc/v3 v3.11.0
+	github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf
 	github.com/fsnotify/fsnotify v1.7.0
 	github.com/ghodss/yaml v1.0.1-0.20220118164431-d8423dcdf344
 	github.com/go-jose/go-jose/v3 v3.0.1
diff --git a/go.sum b/go.sum
@@ -42,6 +42,8 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
 github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
+github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf h1:iW4rZ826su+pqaw19uhpSCzhj44qo35pNgKFGqzDKkU=
+github.com/coreos/go-systemd v0.0.0-20191104093116-d3cd4ed1dbcf/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
diff --git a/oauthproxy.go b/oauthproxy.go
@@ -606,7 +606,9 @@ func (p *OAuthProxy) isAPIPath(req *http.Request) bool {
 
 // isTrustedIP is used to check if a request comes from a trusted client IP address.
 func (p *OAuthProxy) isTrustedIP(req *http.Request) bool {
-	if p.trustedIPs == nil {
+	// RemoteAddr @ means unix socket
+	// https://github.com/golang/go/blob/0fa53e41f122b1661d0678a6d36d71b7b5ad031d/src/syscall/syscall_linux.go#L506-L511
+	if p.trustedIPs == nil && req.RemoteAddr != "@" {
 		return false
 	}
 
diff --git a/pkg/apis/options/legacy_options.go b/pkg/apis/options/legacy_options.go
@@ -470,7 +470,7 @@ func legacyServerFlagset() *pflag.FlagSet {
 	flagSet.String("metrics-secure-address", "", "the address /metrics will be served on for HTTPS clients (e.g. \":9100\")")
 	flagSet.String("metrics-tls-cert-file", "", "path to certificate file for secure metrics server")
 	flagSet.String("metrics-tls-key-file", "", "path to private key file for secure metrics server")
-	flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> to listen on for HTTP clients")
+	flagSet.String("http-address", "127.0.0.1:4180", "[http://]<addr>:<port> or unix://<path> or fd:<int> (case insensitive) to listen on for HTTP clients")
 	flagSet.String("https-address", ":443", "<addr>:<port> to listen on for HTTPS clients")
 	flagSet.String("tls-cert-file", "", "path to certificate file")
 	flagSet.String("tls-key-file", "", "path to private key file")
diff --git a/pkg/http/server.go b/pkg/http/server.go
@@ -7,15 +7,27 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"os"
+	"strconv"
 	"strings"
 	"time"
 
+	"github.com/coreos/go-systemd/activation"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options/util"
 	"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/logger"
 	"golang.org/x/sync/errgroup"
 )
 
+// listenFdsStart corresponds to `SD_LISTEN_FDS_START`.
+// Since the 3 first file descriptors in every linux process is
+// stdin, stdout and stderr. The first usable file descriptor is 3.
+// systemd-socket-activate will always assume that the first socket will be
+// 3 and the rest follow.
+const (
+	listenFdsStart = 3
+)
+
 // Server represents an HTTP or HTTPS server.
 type Server interface {
 	// Start blocks and runs the server.
@@ -35,13 +47,21 @@ type Opts struct {
 
 	// TLS is the TLS configuration for the server.
 	TLS *options.TLS
+
+	// Let testing infrastructure circumvent parsing file descriptors
+	fdFiles []*os.File
 }
 
 // NewServer creates a new Server from the options given.
 func NewServer(opts Opts) (Server, error) {
 	s := &server{
 		handler: opts.Handler,
 	}
+
+	if len(opts.fdFiles) > 0 {
+		s.fdFiles = opts.fdFiles
+	}
+
 	if err := s.setupListener(opts); err != nil {
 		return nil, fmt.Errorf("error setting up listener: %v", err)
 	}
@@ -58,6 +78,30 @@ type server struct {
 
 	listener    net.Listener
 	tlsListener net.Listener
+
+	// ensure activation.Files are called once
+	fdFiles []*os.File
+}
+
+// convert a string filedescriptor to an actual listener
+func (s *server) fdToListener(bindAddress string) (net.Listener, error) {
+	fd, err := strconv.Atoi(bindAddress)
+	if err != nil {
+		return nil, fmt.Errorf("listen failed: fd with name is not implemented yet")
+	}
+	fdIndex := fd - listenFdsStart
+
+	if len(s.fdFiles) == 0 {
+		s.fdFiles = activation.Files(true)
+	}
+
+	l := len(s.fdFiles)
+
+	if fdIndex < 0 || fdIndex >= l || l == 0 {
+		return nil, fmt.Errorf("listen failed: fd outside of range of available file descriptors")
+	}
+
+	return net.FileListener(s.fdFiles[fdIndex])
 }
 
 // setupListener sets the server listener if the HTTP server is enabled.
@@ -69,6 +113,22 @@ func (s *server) setupListener(opts Opts) error {
 		return nil
 	}
 
+	// Use fd: as a prefix for systemd socket activation, it's generic
+	// enough and short.
+	// The most common usage would be --http-address fd:3.
+	// This causes oauth2-proxy to just assume that the third fd passed
+	// to the program is indeed a net.Listener and starts using it
+	// without setting up a new listener.
+	if strings.HasPrefix(strings.ToLower(opts.BindAddress), "fd:") {
+		listenAddr := opts.BindAddress[3:]
+		listener, err := s.fdToListener(listenAddr)
+		if err != nil {
+			err = fmt.Errorf("listen (%s, %s) failed: %v", "file", listenAddr, err)
+		}
+		s.listener = listener
+		return err
+	}
+
 	networkType := getNetworkScheme(opts.BindAddress)
 	listenAddr := getListenAddress(opts.BindAddress)
 
diff --git a/pkg/http/server_test.go b/pkg/http/server_test.go

Original file line number	Diff line number	Diff line change
`@@ -606,7 +606,9 @@ func (p OAuthProxy) isAPIPath(req http.Request) bool {`
`606`	`606`
`607`	`607`	`// isTrustedIP is used to check if a request comes from a trusted client IP address.`
`608`	`608`	`func (p OAuthProxy) isTrustedIP(req http.Request) bool {`
`609`		`- if p.trustedIPs == nil {`
	`609`	`+ // RemoteAddr @ means unix socket`
	`610`	`+ // https://github.com/golang/go/blob/0fa53e41f122b1661d0678a6d36d71b7b5ad031d/src/syscall/syscall_linux.go#L506-L511`
	`611`	`+ if p.trustedIPs == nil && req.RemoteAddr != "@" {`
`610`	`612`	`return false`
`611`	`613`	`}`
`612`	`614`