authorMarco Bonetti <sid77@users.noreply.github.com>2016-06-14 09:40:14 +0100
committerGitHub <noreply@github.com>2016-06-14 09:40:14 +0100
commitc50fcd7500b78ad73d0d61246b03ed74560d2839 (patch)
tree724aba623713b352dc59e217ed26bddce7448189 /server
parentdabb7c11624a53fc22b08ae8ac83f3604ec76d9e (diff)
parenta03243a826bb4eb5eebad19133f6b15e2f5dfdc2 (diff)
Merge pull request #21 from nsheridan/whitelist_support
Add support for a users whitelist
Diffstat (limited to 'server')
-rw-r--r--server/auth/github/github.go13
-rw-r--r--server/auth/github/github_test.go2
-rw-r--r--server/auth/google/google.go19
-rw-r--r--server/auth/google/google_test.go2
-rw-r--r--server/config/config.go1
5 files changed, 28 insertions, 9 deletions
diff --git a/server/auth/github/github.go b/server/auth/github/github.go
index 9bbd8f6..912caae 100644
--- a/server/auth/github/github.go
+++ b/server/auth/github/github.go
@@ -22,12 +22,17 @@ const (
type Config struct {
config *oauth2.Config
organization string
+ whitelist map[string]bool
}
// New creates a new Github provider from a configuration.
func New(c *config.Auth) (auth.Provider, error) {
- if c.ProviderOpts["organization"] == "" {
- return nil, errors.New("github_opts organization must not be empty")
+ uw := make(map[string]bool)
+ for _, u := range c.UsersWhitelist {
+ uw[u] = true
+ }
+ if c.ProviderOpts["organization"] == "" && len(uw) == 0 {
+ return nil, errors.New("github_opts organization and the users whitelist must not be both empty")
}
return &Config{
config: &oauth2.Config{
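Review bot: The loop that fills `uw` in New stores every entry of `c.UsersWhitelist` verbatim, so a single blank entry in the config file makes `len(uw) == 0` false and lets a configuration with no organization pass the guard. If Username can return an empty string when its lookup fails (its body is not in this diff), that blank key would also match in Valid. Skipping empties with `if u == "" { continue }` inside the loop covers both cases; the same loop is added to New in server/auth/google/google.go. New's body continues past the end of this hunk.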
@@ -41,6 +46,7 @@ func New(c *config.Auth) (auth.Provider, error) {
},
},
organization: c.ProviderOpts["organization"],
+ whitelist: uw,
}, nil
}
@@ -56,6 +62,9 @@ func (c *Config) Name() string {
// Valid validates the oauth token.
func (c *Config) Valid(token *oauth2.Token) bool {
+ if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] {
+ return false
+ }
if !token.Valid() {
return false
}
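Review bot: The guard added at the top of Valid is inverted: `len(c.whitelist) == 0 && !c.whitelist[...]` is true for every user when no whitelist is configured, because a lookup in an empty map always yields false, so an organization-only setup rejects everyone, and once a whitelist is configured the first operand is false and the list is never consulted. The condition should read `if len(c.whitelist) > 0 && !c.whitelist[c.Username(token)] {`. The identical line is added to Valid in server/auth/google/google.go. It would also be safer to place this check after `token.Valid()` so Username is not called with an expired token. The rest of Valid lies outside the hunk, so how an empty organization is handled after a whitelisted user passes this check cannot be confirmed from here.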
diff --git a/server/auth/github/github_test.go b/server/auth/github/github_test.go
index 1d6b801..c0b26a4 100644
--- a/server/auth/github/github_test.go
+++ b/server/auth/github/github_test.go
@@ -32,7 +32,7 @@ func TestNewEmptyOrganization(t *testing.T) {
a := assert.New(t)
_, err := newGithub()
- a.EqualError(err, "github_opts organization must not be empty")
+ a.EqualError(err, "github_opts organization and the users whitelist must not be both empty")
organization = "exampleorg"
}
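Review bot: The only test change for this package is the new error string in TestNewEmptyOrganization; nothing exercises New with a whitelist and no organization, or Valid with a listed and an unlisted user. A table test over Valid covering an empty whitelist, a listed user and an unlisted user would pin the condition `len(c.whitelist) == 0 && !c.whitelist[c.Username(token)]` added in github.go, which as written does not consult a configured list. The same gap exists in server/auth/google/google_test.go, where only the message in TestNewWithoutDomain changes.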
diff --git a/server/auth/google/google.go b/server/auth/google/google.go
index e2c6724..3a833ab 100644
--- a/server/auth/google/google.go
+++ b/server/auth/google/google.go
@@ -22,14 +22,19 @@ const (
// Config is an implementation of `auth.Provider` for authenticating using a
// Google account.
type Config struct {
- config *oauth2.Config
- domain string
+ config *oauth2.Config
+ domain string
+ whitelist map[string]bool
}
// New creates a new Google provider from a configuration.
func New(c *config.Auth) (auth.Provider, error) {
- if c.ProviderOpts["domain"] == "" {
- return nil, errors.New("google_opts domain must not be empty")
+ uw := make(map[string]bool)
+ for _, u := range c.UsersWhitelist {
+ uw[u] = true
+ }
+ if c.ProviderOpts["domain"] == "" && len(uw) == 0 {
+ return nil, errors.New("google_opts domain and the users whitelist must not be both empty")
}
return &Config{
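Review bot: The new `whitelist` field in Config has no comment saying which identifier its keys hold, and Valid compares them with `c.Username(token)`, whose body is not part of this diff. For a Google account the keys should be the account's email address rather than a display name the user can edit; that is worth confirming in Username and stating on the field, for example `// whitelist is the set of account email addresses allowed to authenticate.` New's body continues outside the hunk.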
@@ -40,7 +45,8 @@ func New(c *config.Auth) (auth.Provider, error) {
Endpoint: google.Endpoint,
Scopes: []string{googleapi.UserinfoEmailScope, googleapi.UserinfoProfileScope},
},
- domain: c.ProviderOpts["domain"],
+ domain: c.ProviderOpts["domain"],
+ whitelist: uw,
}, nil
}
@@ -56,6 +62,9 @@ func (c *Config) Name() string {
// Valid validates the oauth token.
func (c *Config) Valid(token *oauth2.Token) bool {
+ if len(c.whitelist) == 0 && !c.whitelist[c.Username(token)] {
+ return false
+ }
if !token.Valid() {
return false
}
diff --git a/server/auth/google/google_test.go b/server/auth/google/google_test.go
index 9970c21..b80c4bf 100644
--- a/server/auth/google/google_test.go
+++ b/server/auth/google/google_test.go
@@ -33,7 +33,7 @@ func TestNewWithoutDomain(t *testing.T) {
domain = ""
_, err := newGoogle()
- a.EqualError(err, "google_opts domain must not be empty")
+ a.EqualError(err, "google_opts domain and the users whitelist must not be both empty")
domain = "example.com"
}
diff --git a/server/config/config.go b/server/config/config.go
index 648cf46..0ae1e60 100644
--- a/server/config/config.go
+++ b/server/config/config.go
@@ -40,6 +40,7 @@ type Auth struct {
OauthCallbackURL string `mapstructure:"oauth_callback_url"`
Provider string `mapstructure:"provider"`
ProviderOpts map[string]string `mapstructure:"provider_opts"`
+ UsersWhitelist []string `mapstructure:"users_whitelist"`
}
// SSH holds the configuration specific to signing ssh keys.