diff --git a/main.go b/main.go
index fccea35..ad9170a 100644
--- a/main.go
+++ b/main.go
@@ -26,7 +26,6 @@ func main() {
 jwtIssuers := StringArray{}
 googleGroups := StringArray{}
 permittedGroups := StringArray{}
- exemptedUsers := StringArray{}
 redisSentinelConnectionURLs := StringArray{}
 
 config := flagSet.String("config", "", "path to config file")
@@ -45,7 +44,6 @@ func main() {
 flagSet.String("filter-groups", "", "exclude groups that do not contain this value in its 'displayName' (Azure only)")
 flagSet.Var(&permittedGroups, "permit-groups", "restrict logins to members of this group (may be given multiple times; Azure).")
 flagSet.String("groups-delimiter", "|", "delimiter between group names if more than one found. By default it is '|' symbol")
- flagSet.Var(&exemptedUsers, "permit-users", "let these users in if azure call to check group membership fails (may be given multiple times; Azure).")
 flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
 flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
 flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")
diff --git a/oauthproxy.go b/oauthproxy.go
index 97d5de8..03427a3 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -803,7 +803,7 @@ func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.R
 }
 if session != nil && session.Email != "" {
- if !p.Validator(session.Email) || !p.provider.ValidateGroup(session.Email) {
+ if !p.Validator(session.Email) || !p.provider.ValidateGroupWithSession(session) {
 logger.Printf(session.Email, req, logger.AuthFailure, "Invalid authentication via session: removing session %s", session)
 session = nil
 saveSession = false
diff --git a/providers/azure.go b/providers/azure.go
index 43908d1..a0afed2 100644
--- a/providers/azure.go
+++ b/providers/azure.go
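Review bot: The new `p.provider.ValidateGroupWithSession(session)` call is now the sole gate for Azure group membership on every pass through `getAuthenticatedSession`, and with the `permit-users` exemption removed a membership lookup that fails for operational reasons (provider error, expired token) tears the session down with the same `AuthFailure` log line as a genuine non-member. Failing closed is the right default here, but the Azure implementation — only its trailing `return false` is visible as context in the azure.go hunk — should emit its own log line distinguishing a lookup error from a non-member result before returning false, so operators can tell an identity-provider outage from a policy denial. The default `ProviderData.ValidateGroupWithSession` in the provider_default.go hunk simply delegates to `ValidateGroup(s.Email)`, so non-Azure providers keep their previous behaviour. The `ExemptedUsers` map that the deleted `ValidateExemptions` ranged over is not removed anywhere in this diff; if it is still declared on `AzureProvider` and populated from options, it is now dead configuration that should go in the same change. `getAuthenticatedSession` continues outside the hunk.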
@@ -175,16 +175,6 @@ func (p *AzureProvider) GetGroups(s *sessions.SessionState, f string) (map[strin
 return groupsMap, nil
 }
 
-// ValidateExemptions checks if we can allow user login dispite group membership returned failure
-func (p *AzureProvider) ValidateExemptions(s *sessions.SessionState) (bool, string) {
- for eAccount, eGroup := range p.ExemptedUsers {
- if eAccount == s.Email || eAccount == s.Email+":"+s.ID {
- return true, eGroup
- }
- }
- return false, ""
-}
-
 func (p *AzureProvider) GetLoginURL(redirectURI, state string) string {
 var a url.URL
 a = *p.LoginURL
@@ -264,24 +254,3 @@ func (p *AzureProvider) ValidateGroupWithSession(s *sessions.SessionState) bool
 }
 return false
 }
-
-func (p *AzureProvider) GroupPermitted(gName *string, gID *string) bool {
- // Validate provided group
- // if "PermitGroups" are defined, for each user group membership, include only those groups that
- // marked in list
- //
- // NOTE: if group in "PermitGroups" does not have group_id defined, this parameter is ignored
- if len(p.PermittedGroups) != 0 {
- for pGroupName, pGroupID := range p.PermittedGroups {
- if pGroupName == *gName {
- if pGroupID == "" || gID == nil {
- return true
- } else if pGroupID == *gID {
- return true
- }
- }
- }
- return false
- }
- return true
-}
diff --git a/providers/provider_default.go b/providers/provider_default.go
index 3b7e7fb..3f03f55 100644
--- a/providers/provider_default.go
+++ b/providers/provider_default.go
@@ -136,11 +136,6 @@ func (p *ProviderData) ValidateGroup(email string) bool {
 return true
 }
 
-// ValidateExemptions checks if we can allow user login despite group membership returned failure
-func (p *ProviderData) ValidateExemptions(*sessions.SessionState) (bool, string) {
- return false, ""
-}
-
 func (p *ProviderData) ValidateGroupWithSession(s *sessions.SessionState) bool {
 return p.ValidateGroup(s.Email)
 }
diff --git a/providers/providers.go b/providers/providers.go
index 87632b0..6984b68 100644
--- a/providers/providers.go
+++ b/providers/providers.go
@@ -14,7 +14,6 @@ type Provider interface {
 Redeem(string, string) (*sessions.SessionState, error)
 ValidateGroup(string) bool
 ValidateGroupWithSession(*sessions.SessionState) bool
- ValidateExemptions(*sessions.SessionState) (bool, string)
 ValidateSessionState(*sessions.SessionState) bool
 GetLoginURL(redirectURI, finalRedirect string) string
 RefreshSessionIfNeeded(*sessions.SessionState) (bool, error)