Skip to content
Snippets Groups Projects
Commit bbbe873e authored by Niall Sheridan's avatar Niall Sheridan Committed by GitHub
Browse files

Merge pull request #22 from nsheridan/whitelist

Update whitelisting
parents 77c2a946 cd138ddf
No related branches found
No related tags found
No related merge requests found
......@@ -86,7 +86,7 @@ Configuration is divided into different sections: `server`, `auth`, `ssh`, and `
- `oauth_client_secret` : string. Oauth secret.
- `oauth_callback_url` : string. URL that the Oauth provider will redirect to after user authorisation. The path is hardcoded to `"/auth/callback"` in the source.
- `provider_opts` : object. Additional options for the provider.
- `users_whitelist` : array of strings. Optional list of whitelisted usernames. If missing, all users of your current domain/organization are allowed to authenticate against cashierd.
- `users_whitelist` : array of strings. Optional list of whitelisted usernames. If missing, all users of your current domain/organization are allowed to authenticate against cashierd. For Google auth a user is an email address. For GitHub auth a user is a GitHub username.
#### Provider-specific options
......
......@@ -62,12 +62,17 @@ func (c *Config) Name() string {
// Valid validates the oauth token.
func (c *Config) Valid(token *oauth2.Token) bool {
if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] {
if len(c.whitelist) > 0 && !c.whitelist[c.Username(token)] {
return false
}
if !token.Valid() {
return false
}
if c.organization == "" {
// There's no organization and the token is valid. Can only reach here
// if there's a user whitelist set and the user is in the whitelist.
return true
}
client := githubapi.NewClient(c.newClient(token))
member, _, err := client.Organizations.IsMember(c.organization, c.Username(token))
if err != nil {
......
......@@ -62,7 +62,7 @@ func (c *Config) Name() string {
// Valid validates the oauth token.
func (c *Config) Valid(token *oauth2.Token) bool {
if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] {
if len(c.whitelist) > 0 && !c.whitelist[c.Email(token)] {
return false
}
if !token.Valid() {
......@@ -78,11 +78,14 @@ func (c *Config) Valid(token *oauth2.Token) bool {
if err != nil {
return false
}
if ti.Audience != c.config.ClientID {
return false
}
ui, err := svc.Userinfo.Get().Do()
if err != nil {
return false
}
if ti.Audience != c.config.ClientID || ui.Hd != c.domain {
if c.domain != "" && ui.Hd != c.domain {
return false
}
return true
......@@ -107,8 +110,8 @@ func (c *Config) Exchange(code string) (*oauth2.Token, error) {
return c.config.Exchange(oauth2.NoContext, code)
}
// Username retrieves the username portion of the user's email address.
func (c *Config) Username(token *oauth2.Token) string {
// Email retrieves the email address of the user.
func (c *Config) Email(token *oauth2.Token) string {
svc, err := googleapi.New(c.newClient(token))
if err != nil {
return ""
......@@ -117,5 +120,10 @@ func (c *Config) Username(token *oauth2.Token) string {
if err != nil {
return ""
}
return strings.Split(ui.Email, "@")[0]
return ui.Email
}
// Username retrieves the username portion of the user's email address.
func (c *Config) Username(token *oauth2.Token) string {
return strings.Split(c.Email(token), "@")[0]
}
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment