Cleanup comments
This commit is contained in:
parent
284d384c3f
commit
28066aa729
@ -390,7 +390,6 @@ func (o *Options) Validate() error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func parseProviderInfo(o *Options, msgs []string) []string {
|
func parseProviderInfo(o *Options, msgs []string) []string {
|
||||||
var splittedGroups []string
|
|
||||||
p := &providers.ProviderData{
|
p := &providers.ProviderData{
|
||||||
Scope: o.Scope,
|
Scope: o.Scope,
|
||||||
ClientID: o.ClientID,
|
ClientID: o.ClientID,
|
||||||
@ -402,15 +401,13 @@ func parseProviderInfo(o *Options, msgs []string) []string {
|
|||||||
p.ProfileURL, msgs = parseURL(o.ProfileURL, "profile", msgs)
|
p.ProfileURL, msgs = parseURL(o.ProfileURL, "profile", msgs)
|
||||||
p.ValidateURL, msgs = parseURL(o.ValidateURL, "validate", msgs)
|
p.ValidateURL, msgs = parseURL(o.ValidateURL, "validate", msgs)
|
||||||
p.ProtectedResource, msgs = parseURL(o.ProtectedResource, "resource", msgs)
|
p.ProtectedResource, msgs = parseURL(o.ProtectedResource, "resource", msgs)
|
||||||
if len(o.PermitGroups) > 0 {
|
|
||||||
splittedGroups = strings.Split(o.PermitGroups[0], o.GroupsDelimiter)
|
|
||||||
}
|
|
||||||
o.provider = providers.New(o.Provider, p)
|
o.provider = providers.New(o.Provider, p)
|
||||||
switch p := o.provider.(type) {
|
switch p := o.provider.(type) {
|
||||||
case *providers.AzureProvider:
|
case *providers.AzureProvider:
|
||||||
p.Configure(o.AzureTenant)
|
p.Configure(o.AzureTenant)
|
||||||
if len(splittedGroups) > 0 {
|
if len(o.PermitGroups) > 0 {
|
||||||
p.SetGroupRestriction(splittedGroups)
|
p.SetGroupRestriction(o.PermitGroups)
|
||||||
}
|
}
|
||||||
if len(o.PermitUsers) > 0 {
|
if len(o.PermitUsers) > 0 {
|
||||||
p.SetGroupsExemption(o.PermitUsers)
|
p.SetGroupsExemption(o.PermitUsers)
|
||||||
|
@ -199,11 +199,9 @@ func (p *AzureProvider) GetLoginURL(redirectURI, state string) string {
|
|||||||
|
|
||||||
return a.String()
|
return a.String()
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *AzureProvider) SetGroupRestriction(groups []string) {
|
|
||||||
// Get list of groups (optionally with Group IDs) that ONLY allowed for user
|
// Get list of groups (optionally with Group IDs) that ONLY allowed for user
|
||||||
// That means even if user has wider group membership, only membership in those groups will be forwarded
|
// That means even if user has wider group membership, only membership in those groups will be forwarded
|
||||||
|
func (p *AzureProvider) SetGroupRestriction(groups []string) {
|
||||||
p.PermittedGroups = make(map[string]string)
|
p.PermittedGroups = make(map[string]string)
|
||||||
if len(groups) == 0 {
|
if len(groups) == 0 {
|
||||||
return
|
return
|
||||||
@ -219,37 +217,43 @@ func (p *AzureProvider) SetGroupRestriction(groups []string) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *AzureProvider) SetGroupsExemption(exemptions []string) {
|
|
||||||
// Get list of users (optionally with User IDs) that could still be allowed to login
|
// Get list of users (optionally with User IDs) that could still be allowed to login
|
||||||
// when group membership calls fail (e.g. insufficient permissions)
|
// when group membership calls fail (e.g. insufficient permissions)
|
||||||
|
func (p *AzureProvider) SetGroupsExemption(exemptions []string) {
|
||||||
p.ExemptedUsers = make(map[string]string)
|
p.ExemptedUsers = make(map[string]string)
|
||||||
if len(exemptions) == 0 {
|
if len(exemptions) == 0 {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
var userRecord string
|
var userName string
|
||||||
var groupName string
|
var userId string
|
||||||
for _, pRecord := range exemptions {
|
for _, pRecord := range exemptions {
|
||||||
splittedRecord := strings.Split(pRecord, ":")
|
splittedRecord := strings.Split(pRecord, ":")
|
||||||
|
|
||||||
if len(splittedRecord) == 1 {
|
if len(splittedRecord) == 1 {
|
||||||
userRecord, groupName = splittedRecord[0], ""
|
userName, userId = splittedRecord[0], ""
|
||||||
} else if len(splittedRecord) == 2 {
|
} else if len(splittedRecord) == 2 {
|
||||||
userRecord, groupName = splittedRecord[0], splittedRecord[1]
|
userName, userId = splittedRecord[0], splittedRecord[1]
|
||||||
} else {
|
} else {
|
||||||
userRecord = splittedRecord[0] + ":" + splittedRecord[1]
|
userName = splittedRecord[0] + ":" + splittedRecord[1]
|
||||||
groupName = splittedRecord[2]
|
userId = splittedRecord[2]
|
||||||
}
|
}
|
||||||
p.ExemptedUsers[userRecord] = groupName
|
p.ExemptedUsers[userName] = userId
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (p *AzureProvider) ValidateGroupWithSession(s *sessions.SessionState) bool {
|
func (p *AzureProvider) ValidateGroupWithSession(s *sessions.SessionState) bool {
|
||||||
|
// return true if not PermittedGroups not set
|
||||||
if len(p.PermittedGroups) == 0 {
|
if len(p.PermittedGroups) == 0 {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
|
// return true if user listed in exemptions
|
||||||
|
for userName, _ := range p.ExemptedUsers {
|
||||||
|
if s.Email == userName {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
}
|
||||||
|
// check if user groups match allowed groups, any matching group is letting user in
|
||||||
for _, group := range s.Groups {
|
for _, group := range s.Groups {
|
||||||
for _, groupID := range p.PermittedGroups {
|
for _, groupID := range p.PermittedGroups {
|
||||||
if strings.Contains(group, groupID) {
|
if strings.Contains(group, groupID) {
|
||||||
|
Loading…
Reference in New Issue
Block a user