Cleanup comments
This commit is contained in:
parent
284d384c3f
commit
28066aa729
@ -390,7 +390,6 @@ func (o *Options) Validate() error {
|
||||
}
|
||||
|
||||
func parseProviderInfo(o *Options, msgs []string) []string {
|
||||
var splittedGroups []string
|
||||
p := &providers.ProviderData{
|
||||
Scope: o.Scope,
|
||||
ClientID: o.ClientID,
|
||||
@ -402,15 +401,13 @@ func parseProviderInfo(o *Options, msgs []string) []string {
|
||||
p.ProfileURL, msgs = parseURL(o.ProfileURL, "profile", msgs)
|
||||
p.ValidateURL, msgs = parseURL(o.ValidateURL, "validate", msgs)
|
||||
p.ProtectedResource, msgs = parseURL(o.ProtectedResource, "resource", msgs)
|
||||
if len(o.PermitGroups) > 0 {
|
||||
splittedGroups = strings.Split(o.PermitGroups[0], o.GroupsDelimiter)
|
||||
}
|
||||
|
||||
o.provider = providers.New(o.Provider, p)
|
||||
switch p := o.provider.(type) {
|
||||
case *providers.AzureProvider:
|
||||
p.Configure(o.AzureTenant)
|
||||
if len(splittedGroups) > 0 {
|
||||
p.SetGroupRestriction(splittedGroups)
|
||||
if len(o.PermitGroups) > 0 {
|
||||
p.SetGroupRestriction(o.PermitGroups)
|
||||
}
|
||||
if len(o.PermitUsers) > 0 {
|
||||
p.SetGroupsExemption(o.PermitUsers)
|
||||
|
@ -199,11 +199,9 @@ func (p *AzureProvider) GetLoginURL(redirectURI, state string) string {
|
||||
|
||||
return a.String()
|
||||
}
|
||||
|
||||
// Get list of groups (optionally with Group IDs) that ONLY allowed for user
|
||||
// That means even if user has wider group membership, only membership in those groups will be forwarded
|
||||
func (p *AzureProvider) SetGroupRestriction(groups []string) {
|
||||
// Get list of groups (optionally with Group IDs) that ONLY allowed for user
|
||||
// That means even if user has wider group membership, only membership in those groups will be forwarded
|
||||
|
||||
p.PermittedGroups = make(map[string]string)
|
||||
if len(groups) == 0 {
|
||||
return
|
||||
@ -219,37 +217,43 @@ func (p *AzureProvider) SetGroupRestriction(groups []string) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// Get list of users (optionally with User IDs) that could still be allowed to login
|
||||
// when group membership calls fail (e.g. insufficient permissions)
|
||||
func (p *AzureProvider) SetGroupsExemption(exemptions []string) {
|
||||
// Get list of users (optionally with User IDs) that could still be allowed to login
|
||||
// when group membership calls fail (e.g. insufficient permissions)
|
||||
|
||||
p.ExemptedUsers = make(map[string]string)
|
||||
if len(exemptions) == 0 {
|
||||
return
|
||||
}
|
||||
|
||||
var userRecord string
|
||||
var groupName string
|
||||
var userName string
|
||||
var userId string
|
||||
for _, pRecord := range exemptions {
|
||||
splittedRecord := strings.Split(pRecord, ":")
|
||||
|
||||
if len(splittedRecord) == 1 {
|
||||
userRecord, groupName = splittedRecord[0], ""
|
||||
userName, userId = splittedRecord[0], ""
|
||||
} else if len(splittedRecord) == 2 {
|
||||
userRecord, groupName = splittedRecord[0], splittedRecord[1]
|
||||
userName, userId = splittedRecord[0], splittedRecord[1]
|
||||
} else {
|
||||
userRecord = splittedRecord[0] + ":" + splittedRecord[1]
|
||||
groupName = splittedRecord[2]
|
||||
userName = splittedRecord[0] + ":" + splittedRecord[1]
|
||||
userId = splittedRecord[2]
|
||||
}
|
||||
p.ExemptedUsers[userRecord] = groupName
|
||||
p.ExemptedUsers[userName] = userId
|
||||
}
|
||||
}
|
||||
|
||||
func (p *AzureProvider) ValidateGroupWithSession(s *sessions.SessionState) bool {
|
||||
// return true if not PermittedGroups not set
|
||||
if len(p.PermittedGroups) == 0 {
|
||||
return true
|
||||
}
|
||||
// return true if user listed in exemptions
|
||||
for userName, _ := range p.ExemptedUsers {
|
||||
if s.Email == userName {
|
||||
return true
|
||||
}
|
||||
}
|
||||
// check if user groups match allowed groups, any matching group is letting user in
|
||||
for _, group := range s.Groups {
|
||||
for _, groupID := range p.PermittedGroups {
|
||||
if strings.Contains(group, groupID) {
|
||||
|
Loading…
Reference in New Issue
Block a user