Merge pull request #1 from iij/update-2023.03

Update 2023.03

build.sh

@@ -1,14 +1,15 @@
 #!/bin/bash
 set -eu
 export GO111MODULE=on
-export GOBIN=$(pwd)/bin
+OUT_DIR=$(pwd)/bin
 
-echo "GOBIN: ${GOBIN}"
+echo "output: ${OUT_DIR}"
+mkdir -p "${OUT_DIR}"
 ls -1 src/ngx_auth/exec | while read d ; do
-  echo -n "install ${d}: "
+  echo -n "build ${d}: "
   (
     cd "src/ngx_auth/exec/${d}" || exit 1
-    go install -ldflags '-s -w' || exit
+    go build -o "${OUT_DIR}" -ldflags '-s -w' || exit
   ) || continue
   echo done
 done

conf/auth-header-path.conf

@@ -1,14 +1,16 @@
 socket_type = "tcp"
-socket_path = "127.0.0.1:9202"
+socket_path = "127.0.0.1:9200"
+#cache_seconds = 0
 path_header = "X-Authz-Path"
 user_header = "X-Forwarded-User"
 
 [authz]
+user_map_config = "/etc/ngx_auth_mod/usermap_config.conf"
 user_map = "/etc/ngx_auth_mod/usermap.conf"
 
 path_pattern = "^/([^/]+)/"
-nomatch_right = "@admin"
-default_right = "*/
+nomatch_right = "*"
+default_right = "@admin"
 
 [authz.path_right]
 "test" = "@dev"

conf/auth-ldap-path.conf

@@ -1,5 +1,7 @@
 socket_type = "tcp"
-socket_path = "127.0.0.1:9201"
+socket_path = "127.0.0.1:9200"
+#cache_seconds = 0
+#use_etag = false
 auth_realm = "TEST Authentication"
 path_header = "X-Authz-Path"
 
@@ -17,11 +19,12 @@ uniq_filter = "(&(objectCategory=person)(objectClass=user)(memberOf=CN=Group1,DC
 timeout = 5000
 
 [authz]
+user_map_config = "/var/ngx_auth_mod/usermap_config.conf"
 user_map = "/etc/ngx_auth_mod/usermap.conf"
 
 path_pattern = "^/([^/]+)/"
-nomatch_right = "@admin"
-default_right = "*"
+nomatch_right = "*"
+default_right = "@admin"
 
 [authz.path_right]
 "test" = "@dev"

conf/auth-ldap-path2ldap.conf

@@ -1,5 +1,7 @@
 socket_type = "tcp"
-socket_path = "127.0.0.1:9203"
+socket_path = "127.0.0.1:9200"
+#cache_seconds = 0
+#use_etag = false
 auth_realm = "TEST Authentication"
 path_header = "X-Authz-Path"
 
@@ -17,7 +19,7 @@ uniq_filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=%s@
 timeout = 5000
 
 [authz]
-path_pattern = "^/([^/]+)/"
+path_pattern = "^/([^/]*)/"
 #ban_nomatch = false
 nomatch_filter = "" # for root directory files
 ban_default = true

conf/auth-ldap.conf

@@ -1,5 +1,7 @@
 socket_type = "tcp"
 socket_path = "127.0.0.1:9200"
+#cache_seconds = 0
+#use_etag = false
 auth_realm = "TEST Authentication"
 
 host_url = "ldaps://ldap.example.com"

conf/auth-simple.conf

@@ -1,5 +1,6 @@
 socket_type = "tcp"
 socket_path = "127.0.0.1:9200"
+#cache_seconds = 0
 auth_realm = "TEST Authentication"
 
 [password]

conf/usermap_config.conf

@@ -0,0 +1,2 @@
+user_regex = '^[A-Za-z_][0-9A-Za-z_\-]{0,32}$'
+group_regex = '^[A-Za-z_][0-9A-Za-z_\-]{0,32}$'

docs/check_ldap.md

@@ -16,5 +16,3 @@ check_ldap <config file> <user name>
 
 Execute with the configuration file and user name as arguments.
 After execution, enter the password and the result will be output.
-
-The configuration file is the same as [ngx\_ldap\_auth](ngx_ldap_auth.md).

docs/ngx_header_path_auth.md

@@ -23,10 +23,10 @@ See the [auth request module documentation](http://nginx.org/en/docs/http/ngx_ht
 
 The **ngx\_header\_path\_auth** configuration file is in TOML format, and the following is a sample configuration file.
 
-
 ```ini
 socket_type = "tcp"
 socket_path = "127.0.0.1:9202"
+#cache_seconds = 0
 path_header = "X-Authz-Path"
 user_header = "X-Forwarded-User"
 
@@ -43,38 +43,51 @@ default_right = "*/
 
 Each parameter of the configuration file is as follows.
 
-* **socket\_type** - Set this parameter to tcp(TCP socket) or unix(UNIX domain socket).
-* **socket\_path** - Set the IP address and port number for tcp, and UNIX domain socket file path for unix.
-* **path\_header** - A HTTP header that sets the path used for authorization processing. The default value is `X-Authz-Path`. In the appropriate place of the nginx configuration file, use `proxy_set_header` directive to set the HTTP header. (Eg `proxy_set_header X-Authz-Path $request_uri;`)
-* **user\_header** - A HTTP header to set the user name. The default value is `X-Forwarded-User`. In the appropriate place of the nginx configuration file, use `proxy_set_header` directive to set the HTTP header. (Eg `proxy_set_header X-Forwarded-User $remote_user;`)
+### Root part
+
+| Parameter | Description |
+| :--- | :--- |
+| **socket\_type** | Set this parameter to tcp(TCP socket) or unix(UNIX domain socket). |
+| **socket\_path** | Set the IP address and port number for tcp, and UNIX domain socket file path for unix. |
+| **cache\_seconds** | The cache duration in seconds to pass to nginx. However, if its value is 0, it will not use the cache.<br>See [Authentication Cache Control](proxy_cache.md) for details.|
+| **path\_header** | A HTTP header that sets the path used for authorization processing. The default value is `X-Authz-Path`. In the appropriate place of the nginx configuration file, use `proxy_set_header` directive to set the HTTP header. (Eg `proxy_set_header X-Authz-Path $request_uri;`) |
+| **user\_header** | A HTTP header to set the user name. The default value is `X-Forwarded-User`. In the appropriate place of the nginx configuration file, use `proxy_set_header` directive to set the HTTP header. (Eg `proxy_set_header X-Forwarded-User $remote_user;`) |
+
+### **\[authz\]** part
 
-* \[authz\] part
-	* **user_map** - User name and group name mapping file. More on this in the "_**user\_map** file details_" section.
-	* **path\_pattern** - A regular expression that extracts the authorization judgment string from the path of the header specified by **path_header**. The extracted string is used for the key in **path\_right**. Use the `()` subexpression regular expression only once to specify the extraction location.
-	* **nomatch\_right** - Authorization rights when the **path\_pattern** regular expression is not matched. For more information on authorization rights, see "_Authorization rights details_" section.
-	* **default\_right** - Authorization rights when it matches the **path\_pattern**の regular expression and is not specified in **path\_right**. For more information on authorization rights, see "_Authorization rights details_".
-	* **path\_right** - Authorization rights map for each extracted string when matching **path\_pattern** regular expression. Specify the extraction string as the key. For more information on authorization rights, see "_Authorization rights details_" section.
+| Parameter | Description |
+| :--- | :--- |
+| **user\_map\_config** | A file that specifies how user names and group names are handled in **user\_map**.  More on this in the "_**user\_map\_config** file details_" section. |
+| **user_map** | User name and group name mapping file. More on this in the "_**user\_map** file details_" section. |
+| **path\_pattern** | A regular expression that extracts the authorization judgment string from the path of the header specified by **path\_header**. The extracted string is used for the key in **path\_right**. Use the `()` subexpression regular expression only once to specify the extraction location. |
+| **nomatch\_right** | Authorization rights when the **path\_pattern** regular expression is not matched. For more information on authorization rights, see "_Authorization rights details_" section. |
+| **default\_right** | Authorization rights when it matches the **path\_pattern**の regular expression and is not specified in **path\_right**. For more information on authorization rights, see "_Authorization rights details_". |
+| **path\_right** | Authorization rights map for each extracted string when matching **path\_pattern** regular expression. Specify the extraction string as the key. For more information on authorization rights, see "_Authorization rights details_" section. |
 
 ## Authorization rights details
 
-In \[authz\] part, **nomatch\_right**, **default\_right**, and **path\_right** table value specify a character string that combines the following judgment descriptions with `|`. The combined judgment process is calculated by logical disjunction("OR"). If the result is true, it is authorized.
+In **\[authz\]** part, **nomatch\_right**, **default\_right**, and **path\_right** table value specify a character string that combines the following judgment descriptions with `|`. The combined judgment process is calculated by logical disjunction("OR"). If the result is true, it is authorized.
 
-* '' - (empty string) Always considers true regardless of the user name.
-* '!' - Always considers false regardless of the user name.
-* '*' - If the user name exists, it is considered true.
-* '@groupname` - The character string after @ is treated as a group name. True if the group contains users. Groups are defined in the **user_map** file.
-* '@' - (no group name)　True if the user is described in the **user_map** file.
-* 'username` True if the user name matches.
+| Authorization method | Description|
+| :--- | :--- |
+| empty string | Always considers true regardless of the user name. |
+| `!` | Always considers false regardless of the user name. |
+| `*` | If the user name exists, it is considered true. |
+| `@groupname` | The character string after @ is treated as a group name. True if the group contains users. Groups are defined in the **user_map** file. |
+| `@` (no group name) | True if the user is described in the **user_map** file. |
+| user name | True if the user name matches. |
 
-## **user\_map** file details
+## **user\_map\_config** file details
 
-**user\_map** is a text file that defines users and groups.
-This text file defines a user-group mapping, with a user name and group names (None or more is possible) on each line, as shown below.
+**user\_map\_config** is a file that defines the handling of user names and group names.   
+This text file defines the available usernames and group names in regular expressions, as shown below.
 
-``` plaintext
-user1:group1 group2 ...
-...
+```
+user_regex = '^[a-z_][0-9a-z_\-]{0,32}$'
+group_regex = '^[a-z_][0-9a-z_\-]{0,32}$'
 ```
 
-Separate the user name and group name with `:`. If there are multiple group names, separate them with ` ` (space character).
-
+| Parameter| Description|
+| :--- | :--- |
+| **user\_regex** | A regular expression of strings to allow as usernames. |
+| **group\_regex** | Regular expression of strings to allow as group names. |

docs/ngx_ldap_auth.md

@@ -9,7 +9,7 @@ On error, the process terminates with an unsuccessful status.
 ## How to start
 
 Run it on the command line like this:
-
+[ngx_header_path_auth](ngx_header_path_auth.md)
 ```
 ngx_ldap_auth <config file>
 ```
@@ -28,6 +28,8 @@ The **ngx\_ldap\_auth** configuration file is in TOML format, and the following
 ```ini
 socket_type = "tcp"
 socket_path = "127.0.0.1:9200"
+#cache_seconds = 0
+#use_etag = true
 auth_realm = "TEST Authentication"
 
 host_url = "ldaps://ldap.example.com"
@@ -45,14 +47,18 @@ timeout = 5000
 
 Each parameter of the configuration file is as follows.
 
-* **socket\_type** - Set this parameter to tcp(TCP socket) or unix(UNIX domain socket).
-* **socket\_path** - Set the IP address and port number for tcp, and UNIX domain socket file path for unix.
-* **auth\_realm** - HTTP realm string.
-* **host\_url** - The URL of the LDAP server connection address. The pass part is not used.
-* **start\_tls** - Set to 1 when using TLS STARTTLS.
-* **skip\_cert\_verify** - Set to 1 to ignore the certificate check result.
-* **root\_ca\_files** - A list of PEM files for the CA certificate. Used when the LDAP server is using a certificate from a private CA.
-* **base\_dn** - The base DN when connecting to the LDAP server.
-* **bind\_dn** - This is the bind DN when performing LDAP bind processing. Rewrite `%s` as the remote user name and `%%` as `%`.
-* **uniq\_filter** - Only if this value is set, search with this value filter. If the search result is one DN, the authentication will be successful.
-* **timeout** - Communication timeout(unit: ms) with the LDAP server.
+| Parameter | Description |
+| :--- | :--- |
+| **socket\_type** | Set this parameter to tcp(TCP socket) or unix(UNIX domain socket). |
+| **socket\_path** | Set the IP address and port number for tcp, and UNIX domain socket file path for unix. |
+| **cache\_seconds** | The cache duration in seconds to pass to nginx. However, if its value is 0, it will not use the cache.<br>See [Authentication Cache Control](proxy_cache.md) for details.|
+| **use_etag** | Set to `true` to enable cache validation using `ETag` tags.<br>See [Authentication Cache Control](proxy_cache.md) for details.|
+| **auth\_realm** | HTTP realm string. |
+| **host\_url** | The URL of the LDAP server connection address. The pass part is not used. |
+| **start\_tls** | Set to 1 when using TLS STARTTLS. |
+| **skip\_cert\_verify** | Set to 1 to ignore the certificate check result. |
+| **root\_ca\_files** | A list of PEM files for the CA certificate. Used when the LDAP server is using a certificate from a private CA. |
+| **base\_dn** | The base DN when connecting to the LDAP server. |
+| **bind\_dn** | This is the bind DN when performing LDAP bind processing. Rewrite `%s` as the remote user name and `%%` as `%`. |
+| **uniq\_filter** | Only if this value is set, search with this value filter. If the search result is one DN, the authentication will be successful. |
+| **timeout** | Communication timeout(unit: ms) with the LDAP server. |

docs/ngx_ldap_path2ldap_auth.md

@@ -26,6 +26,8 @@ The **ngx\_ldap\_path2ldap\_auth** configuration file is in TOML format, and the
 ```ini
 socket_type = "tcp"
 socket_path = "127.0.0.1:9203"
+#cache_seconds = 0
+#use_etag = true
 auth_realm = "TEST Authentication"
 path_header = "X-Authz-Path"
 
@@ -56,24 +58,36 @@ ban_default = true
 
 Each parameter of the configuration file is as follows.
 
-* **socket\_type** - Set this parameter to tcp(TCP socket) or unix(UNIX domain socket).
-* **socket\_path** - Set the IP address and port number for tcp, and UNIX domain socket file path for unix.
-* **auth\_realm** - HTTP realm string.
-* **path\_header** - A HTTP header that sets the path used for authorization processing. The default value is `X-Authz-Path`. In the appropriate place of the nginx configuration file, use `proxy_set_header` directive to set the HTTP header. (Eg `proxy_set_header X-Authz-Path $request_uri;`)
-
-* \[ldap\] part
-	* **host\_url** - The URL of the LDAP server connection address. The pass part is not used.
-	* **start\_tls** - Set to 1 when using TLS STARTTLS.
-	* **skip\_cert\_verify** - Set to 1 to ignore the certificate check result.
-	* **root\_ca\_files** - A list of PEM files for the CA certificate. Used when the LDAP server is using a certificate from a private CA.
-	* **base\_dn** - The base DN when connecting to the LDAP server.
-	* **bind\_dn** - This is the bind DN when performing LDAP bind processing. Rewrite `%s` as the remote user name and `%%` as `%`.
-	* **uniq\_filter** - Only if this value is set, search with this value filter. If the search result is one DN, the authentication will be successful.
-	* **timeout** - Communication timeout(unit: ms) with the LDAP server.
-
-* \[authz\] part
-	* **path\_pattern** - A regular expression that extracts the authorization judgment string from the path of the header specified by **path_header**. The extracted string is used for the key in **path\_filter**. Use the `()` subexpression regular expression only once to specify the extraction location.
-	* **ban\_nomatch** - If true, authorization will fail if the **path\_pattern** regular expression does not match. (As a result, **nomatch\_filter** is disabled.)
-	* **nomatch\_filter** - LDAP filter for authorization when the **path\_pattern** regular expression is not matched. **nomatch\_filter** results is processed in the same way as **uniq\_filter**.
-	* **ban\_default** - If true, authorization will fail if the **path\_pattern** regular expression does not match. (As a result, **default\_filter** is disabled.)
-	* **default\_filter** - LDAP filter for authorization rights when it matches the **path\_pattern** regular expression and is not specified in **path\_filter**. **default\_filter** results is processed in the same way as **uniq\_filter**.
+### Root part
+
+| Parameter | Description |
+| :--- | :--- |
+| **socket\_type** | Set this parameter to tcp(TCP socket) or unix(UNIX domain socket). |
+| **socket\_path** | Set the IP address and port number for tcp, and UNIX domain socket file path for unix. |
+| **cache\_seconds** | The cache duration in seconds to pass to nginx. However, if its value is 0, it will not use the cache.<br>See [Authentication Cache Control](proxy_cache.md) for details.|
+| **use_etag** | Set to `true` to enable cache validation using `ETag` tags.<br>See [Authentication Cache Control](proxy_cache.md) for details.|
+| **auth\_realm** | HTTP realm string. |
+| **path\_header** | A HTTP header that sets the path used for authorization processing. The default value is `X-Authz-Path`. In the appropriate place of the nginx configuration file, use `proxy_set_header` directive to set the HTTP header. (Eg `proxy_set_header X-Authz-Path $request_uri;`) |
+
+### **\[ldap\]** part
+
+| Parameter | Description |
+| :--- | :--- |
+| **host\_url** | The URL of the LDAP server connection address. The pass part is not used. |
+| **start\_tls** | Set to 1 when using TLS STARTTLS. |
+| **skip\_cert\_verify** | Set to 1 to ignore the certificate check result. |
+| **root\_ca\_files** | A list of PEM files for the CA certificate. Used when the LDAP server is using a certificate from a private CA. |
+| **base\_dn** | The base DN when connecting to the LDAP server. |
+| **bind\_dn** | This is the bind DN when performing LDAP bind processing. Rewrite `%s` as the remote user name and `%%` as `%`. |
+| **uniq\_filter** | Only if this value is set, search with this value filter. If the search result is one DN, the authentication will be successful. |
+| **timeout** | Communication timeout(unit: ms) with the LDAP server. |
+
+### **\[authz\]** part
+
+| Parameter | Description |
+| :--- | :--- |
+| **path\_pattern** | A regular expression that extracts the authorization judgment string from the path of the header specified by **path_header**. The extracted string is used for the key in **path\_filter**. Use the `()` subexpression regular expression only once to specify the extraction location. |
+| **ban\_nomatch** | If true, authorization will fail if the **path\_pattern** regular expression does not match. (As a result, **nomatch\_filter** is disabled.) |
+| **nomatch\_filter** | LDAP filter for authorization when the **path\_pattern** regular expression is not matched. **nomatch\_filter** results is processed in the same way as **uniq\_filter**. |
+| **ban\_default** | If true, authorization will fail if the **path\_pattern** regular expression does not match. (As a result, **default\_filter** is disabled.) |
+| **default\_filter** | LDAP filter for authorization rights when it matches the **path\_pattern** regular expression and is not specified in **path\_filter**. **default\_filter** results is processed in the same way as **uniq\_filter**. |