diff --git a/README.md b/README.md
index 2d0be20863d57b37f8e3d41b5f2f1dfeefb97864..d33226736f3902a6365ccc4d520b132cbcf6529c 100644
--- a/README.md
+++ b/README.md
@@ -48,7 +48,8 @@ For the server you need the following:
## Installation using Go tools
1. Use the Go tools to install cashier. The binaries `cashierd` and `cashier` will be installed in your $GOPATH.
```
-go get github.com/nsheridan/cashier/cmd/...
+go get -u github.com/nsheridan/cashier/cmd/cashier
+go get -u github.com/nsheridan/cashier/cmd/cashierd
```
2. Create a signing key with `ssh-keygen` and a [cashierd.conf](example-server.conf)
3. Run the cashier server with `cashierd` and the cli with `cashier`.
@@ -85,6 +86,7 @@ Configuration is divided into different sections: `server`, `auth`, `ssh`, and `
- `oauth_client_secret` : string. Oauth secret.
- `oauth_callback_url` : string. URL that the Oauth provider will redirect to after user authorisation. The path is hardcoded to `"/auth/callback"` in the source.
- `provider_opts` : object. Additional options for the provider.
+- `users_whitelist` : array of strings. Optional list of whitelisted usernames. If missing, all users of your current domain/organization are allowed to authenticate against cashierd.
#### Provider-specific options
diff --git a/example-server.conf b/example-server.conf
index 5a886153f239713f898b00aba2d2a69a21ca801e..d112faf0edc066d562802eca6f2207cbd67ad139 100644
--- a/example-server.conf
+++ b/example-server.conf
@@ -16,6 +16,7 @@ auth {
provider_opts {
domain = "example.com" # Oauth-provider specific options
}
+ users_whitelist = ["marco", "niall", "patrick"] # Optional
}
# Configuration for the certificate signer.
diff --git a/server/auth/github/github.go b/server/auth/github/github.go
index 7904e2623144d778afd7234bd28402204c90ed57..a6a4a5910a3dfec000f46b33ac0cfb2f3675cee3 100644
--- a/server/auth/github/github.go
+++ b/server/auth/github/github.go
@@ -22,12 +22,17 @@ const (
type Config struct {
config *oauth2.Config
organization string
+ whitelist map[string]bool
}
// New creates a new Github provider from a configuration.
func New(c *config.Auth) (auth.Provider, error) {
- if c.ProviderOpts["organization"] == "" {
- return nil, errors.New("github_opts organization must not be empty")
+ uw := make(map[string]bool)
+ for _, u := range c.UsersWhitelist {
+ uw[u] = true
+ }
+ if c.ProviderOpts["organization"] == "" && len(uw) == 0 {
+ return nil, errors.New("github_opts organization and the users whitelist must not be both empty")
}
return &Config{
config: &oauth2.Config{
@@ -41,6 +46,7 @@ func New(c *config.Auth) (auth.Provider, error) {
},
},
organization: c.ProviderOpts["organization"],
+ whitelist: uw,
}, nil
}
@@ -56,6 +62,9 @@ func (c *Config) Name() string {
// Valid validates the oauth token.
func (c *Config) Valid(token *oauth2.Token) bool {
+ if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] {
+ return false
+ }
if !token.Valid() {
return false
}
diff --git a/server/auth/github/github_test.go b/server/auth/github/github_test.go
index 1d6b801b002aeee54b4d01531b1931d9f9fc0053..c0b26a41e9e980ff5dda8655bf18774e19cd05f5 100644
--- a/server/auth/github/github_test.go
+++ b/server/auth/github/github_test.go
@@ -32,7 +32,7 @@ func TestNewEmptyOrganization(t *testing.T) {
a := assert.New(t)
_, err := newGithub()
- a.EqualError(err, "github_opts organization must not be empty")
+ a.EqualError(err, "github_opts organization and the users whitelist must not be both empty")
organization = "exampleorg"
}
diff --git a/server/auth/google/google.go b/server/auth/google/google.go
index e2c67242b3898dd4829380a7525b4d17e960986a..3a833ab9a69e7276553482c029f0df4d86b80842 100644
--- a/server/auth/google/google.go
+++ b/server/auth/google/google.go
@@ -22,14 +22,19 @@ const (
// Config is an implementation of `auth.Provider` for authenticating using a
// Google account.
type Config struct {
- config *oauth2.Config
- domain string
+ config *oauth2.Config
+ domain string
+ whitelist map[string]bool
}
// New creates a new Google provider from a configuration.
func New(c *config.Auth) (auth.Provider, error) {
- if c.ProviderOpts["domain"] == "" {
- return nil, errors.New("google_opts domain must not be empty")
+ uw := make(map[string]bool)
+ for _, u := range c.UsersWhitelist {
+ uw[u] = true
+ }
+ if c.ProviderOpts["domain"] == "" && len(uw) == 0 {
+ return nil, errors.New("google_opts domain and the users whitelist must not be both empty")
}
return &Config{
@@ -40,7 +45,8 @@ func New(c *config.Auth) (auth.Provider, error) {
Endpoint: google.Endpoint,
Scopes: []string{googleapi.UserinfoEmailScope, googleapi.UserinfoProfileScope},
},
- domain: c.ProviderOpts["domain"],
+ domain: c.ProviderOpts["domain"],
+ whitelist: uw,
}, nil
}
@@ -56,6 +62,9 @@ func (c *Config) Name() string {
// Valid validates the oauth token.
func (c *Config) Valid(token *oauth2.Token) bool {
+ if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] {
+ return false
+ }
if !token.Valid() {
return false
}
diff --git a/server/auth/google/google_test.go b/server/auth/google/google_test.go
index 9970c210e85924bd227fbf0c21e6863f0b52e009..b80c4bf9bf45a5db1a1271b417ce8d1ddf98cb68 100644
--- a/server/auth/google/google_test.go
+++ b/server/auth/google/google_test.go
@@ -33,7 +33,7 @@ func TestNewWithoutDomain(t *testing.T) {
domain = ""
_, err := newGoogle()
- a.EqualError(err, "google_opts domain must not be empty")
+ a.EqualError(err, "google_opts domain and the users whitelist must not be both empty")
domain = "example.com"
}
diff --git a/server/config/config.go b/server/config/config.go
index 648cf4639ebc4f2248feaf241a78c6084d6440c2..0ae1e60a0f3f4d502fe89e7066879c45211d0816 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -40,6 +40,7 @@ type Auth struct {
OauthCallbackURL string `mapstructure:"oauth_callback_url"`
Provider string `mapstructure:"provider"`
ProviderOpts map[string]string `mapstructure:"provider_opts"`
+ UsersWhitelist []string `mapstructure:"users_whitelist"`
}
// SSH holds the configuration specific to signing ssh keys.