From 36fffd23829c9d7986b14a5d85bec7905a4e8ad1 Mon Sep 17 00:00:00 2001
From: Mathieu Cantin <41298167+mathcantin@users.noreply.github.com>
Date: Mon, 29 Oct 2018 14:21:29 -0400
Subject: [PATCH 1/3] Fix demo config

COOKIE_SECRET was renamed SECRET

---
 example/docker-compose.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/example/docker-compose.yml b/example/docker-compose.yml
index 9f610d1..e5eb84d 100644
--- a/example/docker-compose.yml
+++ b/example/docker-compose.yml
@@ -27,7 +27,7 @@ services:
 environment:
 - CLIENT_ID=your-client-id
 - CLIENT_SECRET=your-client-secret
- - COOKIE_SECRET=something-random
+ - SECRET=something-random
 - COOKIE_SECURE=false
 - DOMAIN=yourcompany.com
 networks:

From eaad0a9054fad152c1b0df0c1d9a91e37d90c0f0 Mon Sep 17 00:00:00 2001
From: Jasper Lammens
Date: Sun, 26 Aug 2018 15:19:16 +0200
Subject: [PATCH 2/3] Allow a whitelist of email addresses

---
 README.md | 1 +
 forwardauth.go | 12 +++++++++++-
 forwardauth_test.go | 14 ++++++++++++++
 main.go | 6 ++++++
 4 files changed, 32 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c0ef51b..2d5f680 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,7 @@ The following configuration is supported:
 |-csrf-cookie-name|string|CSRF Cookie Name (default "_forward_auth_csrf")|
 |-direct|bool|Run in direct mode (use own hostname as oppose to
X-Forwarded-Host, used for testing/development)
 |-domain|string|Comma separated list of email domains to allow|
+|-whitelist|string|Comma separated list of email addresses to allow (Omit -domain)|
 |-lifetime|int|Session length in seconds (default 43200)|
 |-url-path|string|Callback URL (default "_oauth")|
 |-prompt|string|Space separated list of [OpenID prompt options](https://developers.google.com/identity/protocols/OpenIDConnect#prompt)|
diff --git a/forwardauth.go b/forwardauth.go
index 3bc90c7..975e305 100644
--- a/forwardauth.go
+++ b/forwardauth.go
@@ -38,6 +38,7 @@ type ForwardAuth struct {
 CookieSecure bool
 Domain []string
+ Whitelist []string
 Direct bool
@@ -86,12 +87,12 @@ func (f *ForwardAuth) ValidateCookie(r *http.Request, c *http.Cookie) (bool, str
 // Validate email
 func (f *ForwardAuth) ValidateEmail(email string) bool {
+ found := false
 if len(f.Domain) > 0 {
 parts := strings.Split(email, "@")
 if len(parts) < 2 {
 return false
 }
- found := false
 for _, domain := range f.Domain {
 if domain == parts[1] {
 found = true
@@ -100,6 +101,15 @@ func (f *ForwardAuth) ValidateEmail(email string) bool {
 if !found {
 return false
 }
+ } else if len(f.Whitelist) > 0 {
+ for _, wlEmail := range f.Whitelist {
+ if wlEmail == email {
+ found = true
+ }
+ }
+ if !found {
+ return false
+ }
 }
 return true
diff --git a/forwardauth_test.go b/forwardauth_test.go
index a5fd09d..8cd0e50 100644
--- a/forwardauth_test.go
+++ b/forwardauth_test.go
@@ -81,6 +81,20 @@ func TestValidateEmail(t *testing.T) {
 if !fw.ValidateEmail("test@test.com") {
 t.Error("Should allow user from allowed domain")
 }
+
+ // Should block non whitelisted email address
+ fw.Domain = []string{}
+ fw.Whitelist = []string{"test@test.com"}
+ if fw.ValidateEmail("one@two.com") {
+ t.Error("Should not allow user not in whitelist.")
+ }
+
+ // Should allow matching whitelisted email address
+ fw.Domain = []string{}
+ fw.Whitelist = []string{"test@test.com"}
+ if !fw.ValidateEmail("test@test.com") {
+ t.Error("Should allow user in whitelist.")
+ }
 }
 func TestGetLoginURL(t *testing.T) {
diff --git a/main.go b/main.go
index fd96f52..d846106 100644
--- a/main.go
+++ b/main.go
@@ -141,6 +141,7 @@ func main() {
 cookieSecret := flag.String("cookie-secret", "", "depreciated")
 cookieSecure := flag.Bool("cookie-secure", true, "Use secure cookies")
 domainList := flag.String("domain", "", "Comma separated list of email domains to allow")
+ emailWhitelist := flag.String("whitelist", "", "Comma separated list of emails to allow")
 direct := flag.Bool("direct", false, "Run in direct mode (use own hostname as oppose to X-Forwarded-Host, used for testing/development)")
 prompt := flag.String("prompt", "", "Space separated list of OpenID prompt options")
@@ -182,6 +183,10 @@ func main() {
 if *domainList != "" {
 domain = strings.Split(*domainList, ",")
 }
+ var whitelist []string
+ if *emailWhitelist != "" {
+ whitelist = strings.Split(*emailWhitelist, ",")
+ }
 // Setup
 fw = &ForwardAuth{
@@ -215,6 +220,7 @@ func main() {
 CookieSecure: *cookieSecure,
 Domain: domain,
+ Whitelist: whitelist,
 Direct: *direct,

From 1832672f5e9178394d7e24627f7341d23cbe21b5 Mon Sep 17 00:00:00 2001
From: Thom Seddon
Date: Tue, 6 Nov 2018 14:01:06 +0000
Subject: [PATCH 3/3] Modify whitelist implementation + expand docs

Closes #4

---
 README.md | 11 ++++++++++-
 forwardauth.go | 24 ++++++++++-------------
 2 files changed, 20 insertions(+), 15 deletions(-)
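Review bot: Neither new case sets Domain and Whitelist at the same time, so the precedence between the two lists is not pinned by this test — PATCH 3/3 below reverses that precedence and this test still passes unchanged. Add a case such as `fw.Domain = []string{"two.com"}` together with `fw.Whitelist = []string{"test@test.com"}` and an assertion on `fw.ValidateEmail("one@two.com")` recording whichever outcome is intended, so a change in precedence has to be made deliberately. The second `fw.Domain = []string{}` is redundant, the field was already cleared by the previous case. TestValidateEmail starts before this hunk.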
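Review bot: `strings.Split(*emailWhitelist, ",")` keeps surrounding whitespace and empty items, so `-whitelist "a@x.com, b@x.com"` stores `" b@x.com"`, which the exact comparison in ValidateEmail never matches and that user is silently denied (fail-closed, but hard to diagnose). Trim each entry after the split, `for i := range whitelist { whitelist[i] = strings.TrimSpace(whitelist[i]) }`, and drop empty strings so a trailing comma cannot add a `""` entry. The `domain` parsing just above has the same behaviour, though that is pre-existing. main continues outside this hunk on both sides.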
diff --git a/README.md b/README.md
index 2d5f680..0154bbb 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ The following configuration is supported:
 |-csrf-cookie-name|string|CSRF Cookie Name (default "_forward_auth_csrf")|
 |-direct|bool|Run in direct mode (use own hostname as oppose to
X-Forwarded-Host, used for testing/development)
 |-domain|string|Comma separated list of email domains to allow|
-|-whitelist|string|Comma separated list of email addresses to allow (Omit -domain)|
+|-whitelist|string|Comma separated list of email addresses to allow|
 |-lifetime|int|Session length in seconds (default 43200)|
 |-url-path|string|Callback URL (default "_oauth")|
 |-prompt|string|Space separated list of [OpenID prompt options](https://developers.google.com/identity/protocols/OpenIDConnect#prompt)|
@@ -50,6 +50,15 @@ Create a new project then search for and select "Credentials" in the search bar.
 Click, "Create Credentials" > "OAuth client ID". Select "Web Application", fill in the name of your app, skip "Authorized JavaScript origins" and fill "Authorized redirect URIs" with all the domains you will allow authentication from, appended with the `url-path` (e.g. https://app.test.com/_oauth)
+## User Restriction
+
+ You can restrict who can login with the following parameters:
+
+ * `-domain` - Use this to limit logins to a specific domain, e.g. test.com only
+ * `-whitelist` - Use this to only allow specific users to login e.g. thom@test.com only
+
+ Note, if you pass `whitelist` then only this is checked and `domain` is effectively ignored.
+
 ## Cookie Domains
 You can supply a comma separated list of cookie domains, if the host of the original request is a subdomain of any given cookie domain, the authentication cookie will set with the given domain.
diff --git a/forwardauth.go b/forwardauth.go
index 975e305..ecd8ae2 100644
--- a/forwardauth.go
+++ b/forwardauth.go
@@ -88,7 +88,13 @@ func (f *ForwardAuth) ValidateCookie(r *http.Request, c *http.Cookie) (bool, str
 // Validate email
 func (f *ForwardAuth) ValidateEmail(email string) bool {
 found := false
- if len(f.Domain) > 0 {
+ if len(f.Whitelist) > 0 {
+ for _, whitelist := range f.Whitelist {
+ if email == whitelist {
+ found = true
+ }
+ }
+ } else if len(f.Domain) > 0 {
 parts := strings.Split(email, "@")
 if len(parts) < 2 {
 return false
@@ -98,21 +104,11 @@ func (f *ForwardAuth) ValidateEmail(email string) bool {
 found = true
 }
 }
- if !found {
- return false
- }
- } else if len(f.Whitelist) > 0 {
- for _, wlEmail := range f.Whitelist {
- if wlEmail == email {
- found = true
- }
- }
- if !found {
- return false
- }
+ } else {
+ return true
 }
- return true
+ return found
 }
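Review bot: The new `if len(f.Whitelist) > 0` branch makes Whitelist take precedence over Domain, so a whitelisted address passes even when its domain is not in `-domain`, yet the `// Validate email` comment above the signature does not say so; replace it with `// ValidateEmail reports whether email may log in: when Whitelist is non-empty only an exact, case-sensitive match passes and Domain is not consulted; otherwise, when Domain is non-empty, the segment after the first '@' (parts[1]) must equal a listed domain.` The loop keeps scanning after a hit, so a `break` after `found = true` would also make the intent clearer. ValidateEmail's body continues past this hunk into the next one, where the new `} else { return true }` accepts every address when neither list is configured — that open-by-default case belongs in the same comment.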