FEATURE: Filter groups

This commit is contained in:
Rafael dos Santos Silva 2017-10-26 18:49:29 -02:00
parent 22af9254a5
commit 511cfe8dd5
1 changed files with 26 additions and 1 deletions

27
main.go

@ -6,6 +6,7 @@ import (
"encoding/base64"
"encoding/hex"
"fmt"
"github.com/adam-hanna/arrayOperations"
"github.com/golang/groupcache/lru"
"github.com/namsral/flag"
"github.com/pborman/uuid"
@ -31,6 +32,8 @@ type Config struct {
GroupsHeaderPtr *string
CookieSecret string
AllowAllPtr *bool
AllowedGroupsPtr *string
AllowedGroupsList *[]string
}
func main() {
@ -42,6 +45,7 @@ func main() {
config.SsoSecretPtr = flag.String("sso-secret", "", "SSO secret for origin")
config.SsoUriPtr = flag.String("sso-url", "", "SSO endpoint eg: http://discourse.forum.com")
config.AllowAllPtr = flag.Bool("allow-all", false, "allow all discourse users (default: admin users only)")
config.AllowedGroupsPtr = flag.String("allowed-groups", "", "if set, will only auth if the user is member of at least one specified group. eg: 'admins,build'")
config.BasicAuthPtr = flag.String("basic-auth", "", "HTTP Basic authentication credentials to let through directly")
config.UsernameHeaderPtr = flag.String("username-header", "Discourse-User-Name", "Request header to pass authenticated username into")
config.GroupsHeaderPtr = flag.String("groups-header", "Discourse-User-Groups", "Request header to pass authenticated groups into")
@ -74,6 +78,10 @@ func main() {
*config.ListenUriPtr = proxyUrl.Host
}
if *config.AllowedGroupsPtr != "" {
*config.AllowedGroupsList = strings.Split(*config.AllowedGroupsPtr, ",")
}
if *config.ProxyUriPtr == "" || *config.OriginUriPtr == "" || *config.SsoSecretPtr == "" || *config.SsoUriPtr == "" || *config.ListenUriPtr == "" {
flag.Usage()
os.Exit(1)
@ -168,7 +176,7 @@ func redirectIfNoCookie(handler http.Handler, r *http.Request, w http.ResponseWr
admin := parsedQuery["admin"]
nonce := parsedQuery["nonce"]
if len(nonce) > 0 && len(admin) > 0 && len(username) > 0 && (admin[0] == "true" || *config.AllowAllPtr) {
if len(nonce) > 0 && len(admin) > 0 && len(username) > 0 && (admin[0] == "true" || *config.AllowAllPtr) && groupsIntersect(groups, *config.AllowedGroupsList) {
returnUrl, err := getReturnUrl(*config.SsoSecretPtr, sso, sig, nonce[0])
if err != nil {
@ -261,3 +269,20 @@ func ComputeHmac256(message string, secret string) string {
h.Write([]byte(message))
return hex.EncodeToString(h.Sum(nil))
}
func groupsIntersect(payloadGroups []string, allowedGroups []string) bool {
if len(allowedGroups) == 0 {
return true
} else {
_, ok := arrayOperations.Intersect(payloadGroups, allowedGroups)
if !ok {
return false
} else {
return true
}
}
}
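Review bot: `AllowedGroupsList` is declared as `*[]string` in the Config hunk and, as far as these hunks show, never allocated, so `*config.AllowedGroupsList = strings.Split(...)` in main and the `*config.AllowedGroupsList` read in redirectIfNoCookie both dereference a nil pointer — the first panics at startup whenever -allowed-groups is set, the second on every login when it is not (net/http recovers handler panics, so the visible effect is a 500 rather than a bypass), unless the pointer is initialised somewhere outside the hunks. A plain `[]string` field removes the pointer and the problem. Separately, groupsIntersect decides only on the `ok` flag from `arrayOperations.Intersect` and never inspects the size of the intersection; if that flag is true for an empty result (it reads like a type-compatibility flag, which I cannot confirm from here), a user in none of the allowed groups would pass the check and the new filter would not filter, so a stdlib set lookup that makes the membership decision explicit is safer and also lets the new `arrayOperations` import go. `groups` is read in the redirectIfNoCookie hunk but defined outside it; if it comes straight from the parsed query it may be one comma-joined value rather than one entry per group, which is worth confirming, and both main and redirectIfNoCookie continue outside their hunks.
```go
AllowedGroupsList []string

// … unchanged: rest of Config and the flag definitions …

if *config.AllowedGroupsPtr != "" {
	config.AllowedGroupsList = strings.Split(*config.AllowedGroupsPtr, ",")
}

// … unchanged: redirectIfNoCookie (now passes config.AllowedGroupsList), ComputeHmac256 …

// groupsIntersect reports whether the user is a member of at least one
// allowed group. An empty allow-list means the flag was not set and
// every user is admitted.
func groupsIntersect(payloadGroups []string, allowedGroups []string) bool {
	if len(allowedGroups) == 0 {
		return true
	}
	allowed := make(map[string]struct{}, len(allowedGroups))
	for _, g := range allowedGroups {
		allowed[g] = struct{}{}
	}
	for _, g := range payloadGroups {
		if _, ok := allowed[g]; ok {
			return true
		}
	}
	return false
}
```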