Remove exempted users. Remove ValidateExemtions (not used)

main.go

@@ -26,7 +26,6 @@ func main() {
 	jwtIssuers := StringArray{}
 	googleGroups := StringArray{}
 	permittedGroups := StringArray{}
-	exemptedUsers := StringArray{}
 	redisSentinelConnectionURLs := StringArray{}
 
 	config := flagSet.String("config", "", "path to config file")
@@ -45,7 +44,6 @@ func main() {
 	flagSet.String("filter-groups", "", "exclude groups that do not contain this value in its 'displayName' (Azure only)")
 	flagSet.Var(&permittedGroups, "permit-groups", "restrict logins to members of this group (may be given multiple times; Azure).")
 	flagSet.String("groups-delimiter", "|", "delimiter between group names if more than one found. By default it is '|' symbol")
-	flagSet.Var(&exemptedUsers, "permit-users", "let these users in if azure call to check group membership fails (may be given multiple times; Azure).")
 	flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
 	flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")
 	flagSet.Bool("pass-host-header", true, "pass the request Host Header to upstream")

oauthproxy.go

@@ -803,7 +803,7 @@ func (p *OAuthProxy) getAuthenticatedSession(rw http.ResponseWriter, req *http.R
 	}
 
 	if session != nil && session.Email != "" {
-		if !p.Validator(session.Email) || !p.provider.ValidateGroup(session.Email) {
+		if !p.Validator(session.Email) || !p.provider.ValidateGroupWithSession(session) {
 			logger.Printf(session.Email, req, logger.AuthFailure, "Invalid authentication via session: removing session %s", session)
 			session = nil
 			saveSession = false

providers/azure.go

@@ -175,16 +175,6 @@ func (p *AzureProvider) GetGroups(s *sessions.SessionState, f string) (map[strin
 	return groupsMap, nil
 }
 
-// ValidateExemptions checks if we can allow user login dispite group membership returned failure
-func (p *AzureProvider) ValidateExemptions(s *sessions.SessionState) (bool, string) {
-	for eAccount, eGroup := range p.ExemptedUsers {
-		if eAccount == s.Email || eAccount == s.Email+":"+s.ID {
-			return true, eGroup
-		}
-	}
-	return false, ""
-}
-
 func (p *AzureProvider) GetLoginURL(redirectURI, state string) string {
 	var a url.URL
 	a = *p.LoginURL
@@ -264,24 +254,3 @@ func (p *AzureProvider) ValidateGroupWithSession(s *sessions.SessionState) bool
 	}
 	return false
 }
-
-func (p *AzureProvider) GroupPermitted(gName *string, gID *string) bool {
-	// Validate provided group
-	// if "PermitGroups" are defined, for each user group membership, include only those groups that
-	// marked in list
-	//
-	// NOTE: if group in "PermitGroups" does not have group_id defined, this parameter is ignored
-	if len(p.PermittedGroups) != 0 {
-		for pGroupName, pGroupID := range p.PermittedGroups {
-			if pGroupName == *gName {
-				if pGroupID == "" || gID == nil {
-					return true
-				} else if pGroupID == *gID {
-					return true
-				}
-			}
-		}
-		return false
-	}
-	return true
-}

providers/provider_default.go

@@ -136,11 +136,6 @@ func (p *ProviderData) ValidateGroup(email string) bool {
 	return true
 }
 
-// ValidateExemptions checks if we can allow user login despite group membership returned failure
-func (p *ProviderData) ValidateExemptions(*sessions.SessionState) (bool, string) {
-	return false, ""
-}
-
 func (p *ProviderData) ValidateGroupWithSession(s *sessions.SessionState) bool {
 	return p.ValidateGroup(s.Email)
 }

providers/providers.go

@@ -14,7 +14,6 @@ type Provider interface {
 	Redeem(string, string) (*sessions.SessionState, error)
 	ValidateGroup(string) bool
 	ValidateGroupWithSession(*sessions.SessionState) bool
-	ValidateExemptions(*sessions.SessionState) (bool, string)
 	ValidateSessionState(*sessions.SessionState) bool
 	GetLoginURL(redirectURI, finalRedirect string) string
 	RefreshSessionIfNeeded(*sessions.SessionState) (bool, error)