Remove exempted users. Remove ValidateExemtions (not used)

This commit is contained in:
Lukasz Leszczuk 2019-09-10 13:33:13 +02:00
parent 3ff441026c
commit 8439e72320
5 changed files with 1 additions and 40 deletions

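--- a/FILE1_PATH_NOT_SHOWN
+++ b/FILE1_PATH_NOT_SHOWN
@@ -26,7 +26,6 @@ func main() {
 jwtIssuers := StringArray{}
 googleGroups := StringArray{}
 permittedGroups := StringArray{}
-exemptedUsers := StringArray{}
 redisSentinelConnectionURLs := StringArray{}
 
 config := flagSet.String("config", "", "path to config file")
@@ -45,7 +44,6 @@ func main() {
 flagSet.String("filter-groups", "", "exclude groups that do not contain this value in its 'displayName' (Azure only)")
 flagSet.Var(&permittedGroups, "permit-groups", "restrict logins to members of this group (may be given multiple times; Azure).")
 flagSet.String("groups-delimiter", "|", "delimiter between group names if more than one found. By default it is '|' symbol")
-flagSet.Var(&exemptedUsers, "permit-users", "let these users in if azure call to check group membership fails (may be given multiple times; Azure).")
 flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
 flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
 flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")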


@ -803,7 +803,7 @@ func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.R
} }
if session != nil && session.Email != "" { if session != nil && session.Email != "" {
if !p.Validator(session.Email) || !p.provider.ValidateGroup(session.Email) { if !p.Validator(session.Email) || !p.provider.ValidateGroupWithSession(session) {
logger.Printf(session.Email, req, logger.AuthFailure, "Invalid authentication via session: removing session %s", session) logger.Printf(session.Email, req, logger.AuthFailure, "Invalid authentication via session: removing session %s", session)
session = nil session = nil
saveSession = false saveSession = false
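Review bot: The check `if !p.Validator(session.Email) || !p.provider.ValidateGroupWithSession(session) {` now relies entirely on each provider's session-aware group validation with no exemption fallback, and since the page prints both the old and the new form of this line I am reading the ValidateGroupWithSession(session) call as the surviving one — please confirm. For the Azure provider the visible tail of ValidateGroupWithSession ends in `return false`, so a failed group lookup (including a transient directory error) now invalidates the session and forces re-authentication; that is the fail-closed default, but it is a behaviour change worth recording next to this check, e.g. `// group membership is re-validated per request; a failed lookup now drops the session (no exemption list)`. The logger call on the following line still prints the whole session with %s; whether SessionState's string form includes tokens cannot be told from this page, but if it does they land in the auth-failure log. getAuthenticatedSession begins and ends outside the hunk.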

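--- a/FILE3_PATH_NOT_SHOWN
+++ b/FILE3_PATH_NOT_SHOWN
@@ -175,16 +175,6 @@ func (p *AzureProvider) GetGroups(s *sessions.SessionState, f string) (map[strin
 return groupsMap, nil
 }
 
-// ValidateExemptions checks if we can allow user login dispite group membership returned failure
-func (p *AzureProvider) ValidateExemptions(s *sessions.SessionState) (bool, string) {
-for eAccount, eGroup := range p.ExemptedUsers {
-if eAccount == s.Email || eAccount == s.Email+":"+s.ID {
-return true, eGroup
-}
-}
-return false, ""
-}
-
 func (p *AzureProvider) GetLoginURL(redirectURI, state string) string {
 var a url.URL
 a = *p.LoginURL
@@ -264,24 +254,3 @@ func (p *AzureProvider) ValidateGroupWithSession(s *sessions.SessionState) bool
 }
 return false
 }
-
-func (p *AzureProvider) GroupPermitted(gName *string, gID *string) bool {
-// Validate provided group
-// if "PermitGroups" are defined, for each user group membership, include only those groups that
-// marked in list
-//
-// NOTE: if group in "PermitGroups" does not have group_id defined, this parameter is ignored
-if len(p.PermittedGroups) != 0 {
-for pGroupName, pGroupID := range p.PermittedGroups {
-if pGroupName == *gName {
-if pGroupID == "" || gID == nil {
-return true
-} else if pGroupID == *gID {
-return true
-}
-}
-}
-return false
-}
-return true
-}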

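--- a/FILE4_PATH_NOT_SHOWN
+++ b/FILE4_PATH_NOT_SHOWN
@@ -136,11 +136,6 @@ func (p *ProviderData) ValidateGroup(email string) bool {
 return true
 }
 
-// ValidateExemptions checks if we can allow user login despite group membership returned failure
-func (p *ProviderData) ValidateExemptions(*sessions.SessionState) (bool, string) {
-return false, ""
-}
-
 func (p *ProviderData) ValidateGroupWithSession(s *sessions.SessionState) bool {
 return p.ValidateGroup(s.Email)
 }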

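--- a/FILE5_PATH_NOT_SHOWN
+++ b/FILE5_PATH_NOT_SHOWN
@@ -14,7 +14,6 @@ type Provider interface {
 Redeem(string, string) (*sessions.SessionState, error)
 ValidateGroup(string) bool
 ValidateGroupWithSession(*sessions.SessionState) bool
-ValidateExemptions(*sessions.SessionState) (bool, string)
 ValidateSessionState(*sessions.SessionState) bool
 GetLoginURL(redirectURI, finalRedirect string) string
 RefreshSessionIfNeeded(*sessions.SessionState) (bool, error)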