From 28066aa729150ea05a310a97e8947763db5898c6 Mon Sep 17 00:00:00 2001
From: Lukasz Leszczuk
Date: Fri, 13 Sep 2019 15:17:47 +0200
Subject: [PATCH] Cleanup comments

---
 options.go | 9 +++------
 providers/azure.go | 34 +++++++++++++++++++---------------
 2 files changed, 22 insertions(+), 21 deletions(-)

diff --git a/options.go b/options.go
index d8ddebc..0236c60 100644
--- a/options.go
+++ b/options.go
@@ -390,7 +390,6 @@ func (o *Options) Validate() error {
 }
 
 func parseProviderInfo(o *Options, msgs []string) []string {
-	var splittedGroups []string
 	p := &providers.ProviderData{
 		Scope: o.Scope,
 		ClientID: o.ClientID,
@@ -402,15 +401,13 @@ func parseProviderInfo(o *Options, msgs []string) []string {
 	p.ProfileURL, msgs = parseURL(o.ProfileURL, "profile", msgs)
 	p.ValidateURL, msgs = parseURL(o.ValidateURL, "validate", msgs)
 	p.ProtectedResource, msgs = parseURL(o.ProtectedResource, "resource", msgs)
-	if len(o.PermitGroups) > 0 {
-		splittedGroups = strings.Split(o.PermitGroups[0], o.GroupsDelimiter)
-	}
+
 	o.provider = providers.New(o.Provider, p)
 	switch p := o.provider.(type) {
 	case *providers.AzureProvider:
 		p.Configure(o.AzureTenant)
-		if len(splittedGroups) > 0 {
-			p.SetGroupRestriction(splittedGroups)
+		if len(o.PermitGroups) > 0 {
+			p.SetGroupRestriction(o.PermitGroups)
 		}
 		if len(o.PermitUsers) > 0 {
 			p.SetGroupsExemption(o.PermitUsers)
diff --git a/providers/azure.go b/providers/azure.go
index 2816ab8..3a63d4b 100644
--- a/providers/azure.go
+++ b/providers/azure.go
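Review bot: In the second hunk of options.go, `SetGroupRestriction` now receives `o.PermitGroups` as-is where the removed lines split `o.PermitGroups[0]` on `o.GroupsDelimiter`; that is a behaviour change, not the comment cleanup the subject line describes, and the dropped `splittedGroups` declaration in the first hunk is part of it. If `PermitGroups` is still populated as one delimiter-joined value, that whole string becomes a single `PermittedGroups` key, and the substring comparison in `ValidateGroupWithSession` (providers/azure.go) would then match no session group against it, so the restriction would deny every non-exempted user rather than enforce the configured set. Unless `GroupsDelimiter` is consumed elsewhere, the change also leaves that option dead. Either keep the split, `p.SetGroupRestriction(strings.Split(o.PermitGroups[0], o.GroupsDelimiter))`, or state in the commit message that `PermitGroups` is now expected to carry one group per element and retire `GroupsDelimiter` with it.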
@@ -199,11 +199,9 @@ func (p *AzureProvider) GetLoginURL(redirectURI, state string) string {
 	return a.String()
 }
 
-
+// Get list of groups (optionally with Group IDs) that ONLY allowed for user
+// That means even if user has wider group membership, only membership in those groups will be forwarded
 func (p *AzureProvider) SetGroupRestriction(groups []string) {
-	// Get list of groups (optionally with Group IDs) that ONLY allowed for user
-	// That means even if user has wider group membership, only membership in those groups will be forwarded
-
 	p.PermittedGroups = make(map[string]string)
 	if len(groups) == 0 {
 		return
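Review bot: The comment moved above `SetGroupRestriction` keeps its old wording, so it does not read as a Go doc comment: it should begin with the function name and describe the effect, and "Get list of groups" is not what this setter does. Something like `// SetGroupRestriction replaces p.PermittedGroups with the given groups (optionally with their IDs); once set, only membership in these groups is forwarded, even for users with wider group membership.` would be surfaced correctly by godoc. The same applies to the comment moved above `SetGroupsExemption` in the next hunk. The body of `SetGroupRestriction` continues past the end of this hunk.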
@@ -219,37 +217,43 @@ func (p *AzureProvider) SetGroupRestriction(groups []string) {
 		}
 	}
 }
-
+// Get list of users (optionally with User IDs) that could still be allowed to login
+// when group membership calls fail (e.g. insufficient permissions)
 func (p *AzureProvider) SetGroupsExemption(exemptions []string) {
-	// Get list of users (optionally with User IDs) that could still be allowed to login
-	// when group membership calls fail (e.g. insufficient permissions)
-
 	p.ExemptedUsers = make(map[string]string)
 	if len(exemptions) == 0 {
 		return
 	}
-	var userRecord string
-	var groupName string
+	var userName string
+	var userId string
 	for _, pRecord := range exemptions {
 		splittedRecord := strings.Split(pRecord, ":")
 		if len(splittedRecord) == 1 {
-			userRecord, groupName = splittedRecord[0], ""
+			userName, userId = splittedRecord[0], ""
 		} else if len(splittedRecord) == 2 {
-			userRecord, groupName = splittedRecord[0], splittedRecord[1]
+			userName, userId = splittedRecord[0], splittedRecord[1]
 		} else {
-			userRecord = splittedRecord[0] + ":" + splittedRecord[1]
-			groupName = splittedRecord[2]
+			userName = splittedRecord[0] + ":" + splittedRecord[1]
+			userId = splittedRecord[2]
 		}
-		p.ExemptedUsers[userRecord] = groupName
+		p.ExemptedUsers[userName] = userId
 	}
 }
 func (p *AzureProvider) ValidateGroupWithSession(s *sessions.SessionState) bool {
+	// return true if not PermittedGroups not set
 	if len(p.PermittedGroups) == 0 {
 		return true
 	}
+	// return true if user listed in exemptions
+	for userName, _ := range p.ExemptedUsers {
+		if s.Email == userName {
+			return true
+		}
+	}
+	// check if user groups match allowed groups, any matching group is letting user in
 	for _, group := range s.Groups {
 		for _, groupID := range p.PermittedGroups {
 			if strings.Contains(group, groupID) {
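Review bot: The exemption check added to `ValidateGroupWithSession` returns true for any `s.Email` found in `p.ExemptedUsers` before the group comparison runs, so an exempted user is admitted even when `s.Groups` was retrieved successfully and contains none of the permitted groups; that is broader than the "when group membership calls fail" intent stated in the comment added above `SetGroupsExemption`, and effectively turns the exemption list into a bypass of the group restriction. Nothing in the visible session state distinguishes a failed group lookup from a user with no permitted groups, so if the narrower meaning is intended the lookup failure needs to be recorded and checked here, and if the broader meaning is intended the doc comment should say so. Separately, the loop can be a direct map lookup, `if _, ok := p.ExemptedUsers[s.Email]; ok { return true }`, which also avoids the `for userName, _ := range` form that gofmt simplifies to `for userName := range`. The added comment `// return true if not PermittedGroups not set` has a doubled "not", and `userId` should be `userID` per Go's initialism convention. `ValidateGroupWithSession` continues past the end of this hunk.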