aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNiall Sheridan <nsheridan@gmail.com>2016-06-15 09:42:44 +0100
committerGitHub <noreply@github.com>2016-06-15 09:42:44 +0100
commitbbbe873ebd93821f0db0a9d88dbbeccf3679f290 (patch)
treecc55353786fcbe1424abd18382f32ab63e3473a2
parent77c2a94644dd7ec9c3ae8c995c32f2ad8d90a7b1 (diff)
parentcd138ddf742d124aea3d1e7f155735576459be67 (diff)
Merge pull request #22 from nsheridan/whitelist
Update whitelisting
-rw-r--r--README.md2
-rw-r--r--server/auth/github/github.go7
-rw-r--r--server/auth/google/google.go18
3 files changed, 20 insertions, 7 deletions
diff --git a/README.md b/README.md
index 0c9573b..8f3ec4e 100644
--- a/README.md
+++ b/README.md
@@ -86,7 +86,7 @@ Configuration is divided into different sections: `server`, `auth`, `ssh`, and `
- `oauth_client_secret` : string. Oauth secret.
- `oauth_callback_url` : string. URL that the Oauth provider will redirect to after user authorisation. The path is hardcoded to `"/auth/callback"` in the source.
- `provider_opts` : object. Additional options for the provider.
-- `users_whitelist` : array of strings. Optional list of whitelisted usernames. If missing, all users of your current domain/organization are allowed to authenticate against cashierd.
+- `users_whitelist` : array of strings. Optional list of whitelisted usernames. If missing, all users of your current domain/organization are allowed to authenticate against cashierd. For Google auth a user is an email address. For GitHub auth a user is a GitHub username.
#### Provider-specific options
diff --git a/server/auth/github/github.go b/server/auth/github/github.go
index 912caae..24a4bbf 100644
--- a/server/auth/github/github.go
+++ b/server/auth/github/github.go
@@ -62,12 +62,17 @@ func (c *Config) Name() string {
// Valid validates the oauth token.
func (c *Config) Valid(token *oauth2.Token) bool {
- if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] {
+ if len(c.whitelist) > 0 && !c.whitelist[c.Username(token)] {
return false
}
if !token.Valid() {
return false
}
+ if c.organization == "" {
+ // There's no organization and the token is valid. Can only reach here
+ // if there's a user whitelist set and the user is in the whitelist.
+ return true
+ }
client := githubapi.NewClient(c.newClient(token))
member, _, err := client.Organizations.IsMember(c.organization, c.Username(token))
if err != nil {
diff --git a/server/auth/google/google.go b/server/auth/google/google.go
index 3a833ab..08a4083 100644
--- a/server/auth/google/google.go
+++ b/server/auth/google/google.go
@@ -62,7 +62,7 @@ func (c *Config) Name() string {
// Valid validates the oauth token.
func (c *Config) Valid(token *oauth2.Token) bool {
- if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] {
+ if len(c.whitelist) > 0 && !c.whitelist[c.Email(token)] {
return false
}
if !token.Valid() {
@@ -78,11 +78,14 @@ func (c *Config) Valid(token *oauth2.Token) bool {
if err != nil {
return false
}
+ if ti.Audience != c.config.ClientID {
+ return false
+ }
ui, err := svc.Userinfo.Get().Do()
if err != nil {
return false
}
- if ti.Audience != c.config.ClientID || ui.Hd != c.domain {
+ if c.domain != "" && ui.Hd != c.domain {
return false
}
return true
@@ -107,8 +110,8 @@ func (c *Config) Exchange(code string) (*oauth2.Token, error) {
return c.config.Exchange(oauth2.NoContext, code)
}
-// Username retrieves the username portion of the user's email address.
-func (c *Config) Username(token *oauth2.Token) string {
+// Email retrieves the email address of the user.
+func (c *Config) Email(token *oauth2.Token) string {
svc, err := googleapi.New(c.newClient(token))
if err != nil {
return ""
@@ -117,5 +120,10 @@ func (c *Config) Username(token *oauth2.Token) string {
if err != nil {
return ""
}
- return strings.Split(ui.Email, "@")[0]
+ return ui.Email
+}
+
+// Username retrieves the username portion of the user's email address.
+func (c *Config) Username(token *oauth2.Token) string {
+ return strings.Split(c.Email(token), "@")[0]
}