This uses a provide() function in server/server.go, to push the
necessary oauth2.Provider and oauth2.Mux into the scope of the
server.Mux. This allows the server.Mux to configure its routes without
caring which Providers are enabled, which switches/ENVs are set etc. It
configures its routes optimistically and leaves the higher-order logic
to decide whether to actually invoke the logic used by the mux to
configure routes for that provider.
This allows operators to permit access to Chronograf only to users belonging
to a set of specific Heroku organizations. This is controlled using the
HEROKU_ORGS env or the --heroku-organizations switch.
JWTMux was a disingenuous name because while JWTs are a very good choice
for a cookie encoding, they were not strictly required for use with this
mux. To better indicate the responsibilities of this mux, it's been
renamed "CookieMux," since its responsibilities end with persisting the
oauth2.Authenticator's encoded state in the browser. It is up to the
oauth2.Authenticator to choose the encoding.
If a --token-secret, --heroku-client-id, and --heroku-secret are
provided to Chronograf, it will add Heroku as an OAuth2 provider. These
tokens can be obtained (as of this writing) by visiting your "manage
account" page, navigating to "Applications," and then clicking "Register
New API Client" under the "API Clients" section.
Created an oauth2 package which encapsulates all oauth2 providers,
utility functions, types, and interfaces. Previously some methods of the
Github provider were used as http.HandlerFuncs. These have now been
pulled into a concrete type called a JWTMux to implement other Oauth2
providers.
JWTMux has all of the functionality required to take a token from any
provider and store it as a JWT in a browser, and that is the extent of
its responsibilities. It implements the oauth2.Mux interface which would
potentially allow other strategies of oauth2 credential storage.
Chris Goller
Tim Raymond
Jared Scheib
Hunter Trujillo