From b49aeb222b820b13a8e9f5430c1201a24cf52b13 Mon Sep 17 00:00:00 2001 From: Carlos Alexandro Becker Date: Mon, 11 Mar 2019 14:52:08 -0300 Subject: [PATCH 1/3] fix: should check if email is verified --- providers/github.go | 6 +++--- providers/github_test.go | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/providers/github.go b/providers/github.go index d39ee2b..26d8c3f 100644 --- a/providers/github.go +++ b/providers/github.go @@ -202,8 +202,8 @@ func (p *GitHubProvider) hasOrgAndTeam(accessToken string) (bool, error) { func (p *GitHubProvider) GetEmailAddress(s *SessionState) (string, error) { var emails []struct { - Email string `json:"email"` - Primary bool `json:"primary"` + Email string `json:"email"` + Verified bool `json:"verified"` } // if we require an Org or Team, check that first @@ -248,7 +248,7 @@ func (p *GitHubProvider) GetEmailAddress(s *SessionState) (string, error) { } for _, email := range emails { - if email.Primary { + if email.Verified { return email.Email, nil } } diff --git a/providers/github_test.go b/providers/github_test.go index c96877c..2da2a32 100644 --- a/providers/github_test.go +++ b/providers/github_test.go @@ -97,7 +97,7 @@ func TestGitHubProviderOverrides(t *testing.T) { } func TestGitHubProviderGetEmailAddress(t *testing.T) { - b := testGitHubBackend([]string{`[ {"email": "michael.bland@gsa.gov", "primary": true} ]`}) + b := testGitHubBackend([]string{`[ {"email": "michael.bland@gsa.gov", "verified": true} ]`}) defer b.Close() bURL, _ := url.Parse(b.URL) @@ -111,8 +111,8 @@ func TestGitHubProviderGetEmailAddress(t *testing.T) { func TestGitHubProviderGetEmailAddressWithOrg(t *testing.T) { b := testGitHubBackend([]string{ - `[ {"email": "michael.bland@gsa.gov", "primary": true, "login":"testorg"} ]`, - `[ {"email": "michael.bland1@gsa.gov", "primary": true, "login":"testorg1"} ]`, + `[ {"email": "michael.bland@gsa.gov", "verified": true, "login":"testorg"} ]`, + `[ {"email": "michael.bland1@gsa.gov", "verified": true, "login":"testorg1"} ]`, `[ ]`, }) defer b.Close() From 58b8bbe491d8d47909ab239fa6b3b646292993f0 Mon Sep 17 00:00:00 2001 From: Carlos Alexandro Becker Date: Mon, 11 Mar 2019 14:55:02 -0300 Subject: [PATCH 2/3] fix: changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 68954d0..4d011a5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,7 @@ ## Changes since v3.1.0 +- [#96](https://github.com/bitly/oauth2_proxy/pull/96) Check if email is verified on GitHub (@caarlos0) - [#92](https://github.com/pusher/oauth2_proxy/pull/92) Merge websocket proxy feature from openshift/oauth-proxy (@butzist) - [#57](https://github.com/pusher/oauth2_proxy/pull/57) Fall back to using OIDC Subject instead of Email (@aigarius) - [#85](https://github.com/pusher/oauth2_proxy/pull/85) Use non-root user in docker images (@kskewes) From 24f36f27a73a7ec2bcd687220e1f9688fc293783 Mon Sep 17 00:00:00 2001 From: Carlos Alexandro Becker Date: Wed, 20 Mar 2019 13:52:30 -0300 Subject: [PATCH 3/3] fix: check if it is both primary and verified --- providers/github.go | 3 ++- providers/github_test.go | 19 ++++++++++++++++--- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/providers/github.go b/providers/github.go index 26d8c3f..798b140 100644 --- a/providers/github.go +++ b/providers/github.go @@ -203,6 +203,7 @@ func (p *GitHubProvider) GetEmailAddress(s *SessionState) (string, error) { var emails []struct { Email string `json:"email"` + Primary bool `json:"primary"` Verified bool `json:"verified"` } @@ -248,7 +249,7 @@ func (p *GitHubProvider) GetEmailAddress(s *SessionState) (string, error) { } for _, email := range emails { - if email.Verified { + if email.Primary && email.Verified { return email.Email, nil } } diff --git a/providers/github_test.go b/providers/github_test.go index 2da2a32..4b093ca 100644 --- a/providers/github_test.go +++ b/providers/github_test.go @@ -97,7 +97,7 @@ func TestGitHubProviderOverrides(t *testing.T) { } func TestGitHubProviderGetEmailAddress(t *testing.T) { - b := testGitHubBackend([]string{`[ {"email": "michael.bland@gsa.gov", "verified": true} ]`}) + b := testGitHubBackend([]string{`[ {"email": "michael.bland@gsa.gov", "verified": true, "primary": true} ]`}) defer b.Close() bURL, _ := url.Parse(b.URL) @@ -109,10 +109,23 @@ func TestGitHubProviderGetEmailAddress(t *testing.T) { assert.Equal(t, "michael.bland@gsa.gov", email) } +func TestGitHubProviderGetEmailAddressNotVerified(t *testing.T) { + b := testGitHubBackend([]string{`[ {"email": "michael.bland@gsa.gov", "verified": false, "primary": true} ]`}) + defer b.Close() + + bURL, _ := url.Parse(b.URL) + p := testGitHubProvider(bURL.Host) + + session := &SessionState{AccessToken: "imaginary_access_token"} + email, err := p.GetEmailAddress(session) + assert.Equal(t, nil, err) + assert.Empty(t, "", email) +} + func TestGitHubProviderGetEmailAddressWithOrg(t *testing.T) { b := testGitHubBackend([]string{ - `[ {"email": "michael.bland@gsa.gov", "verified": true, "login":"testorg"} ]`, - `[ {"email": "michael.bland1@gsa.gov", "verified": true, "login":"testorg1"} ]`, + `[ {"email": "michael.bland@gsa.gov", "primary": true, "verified": true, "login":"testorg"} ]`, + `[ {"email": "michael.bland1@gsa.gov", "primary": true, "verified": true, "login":"testorg1"} ]`, `[ ]`, }) defer b.Close()