Merge branch 'lammensj-whitelist'

This commit is contained in:
Thom Seddon 2018-11-06 14:04:07 +00:00
commit 91775ff0a8
4 changed files with 42 additions and 6 deletions


@ -33,6 +33,7 @@ The following configuration is supported:
|-csrf-cookie-name|string|CSRF Cookie Name (default "_forward_auth_csrf")| |-csrf-cookie-name|string|CSRF Cookie Name (default "_forward_auth_csrf")|
|-direct|bool|Run in direct mode (use own hostname as oppose to <br>X-Forwarded-Host, used for testing/development) |-direct|bool|Run in direct mode (use own hostname as oppose to <br>X-Forwarded-Host, used for testing/development)
|-domain|string|Comma separated list of email domains to allow| |-domain|string|Comma separated list of email domains to allow|
|-whitelist|string|Comma separated list of email addresses to allow|
|-lifetime|int|Session length in seconds (default 43200)| |-lifetime|int|Session length in seconds (default 43200)|
|-url-path|string|Callback URL (default "_oauth")| |-url-path|string|Callback URL (default "_oauth")|
|-prompt|string|Space separated list of [OpenID prompt options](https://developers.google.com/identity/protocols/OpenIDConnect#prompt)| |-prompt|string|Space separated list of [OpenID prompt options](https://developers.google.com/identity/protocols/OpenIDConnect#prompt)|
@ -49,6 +50,15 @@ Create a new project then search for and select "Credentials" in the search bar.
Click, "Create Credentials" > "OAuth client ID". Select "Web Application", fill in the name of your app, skip "Authorized JavaScript origins" and fill "Authorized redirect URIs" with all the domains you will allow authentication from, appended with the `url-path` (e.g. https://app.test.com/_oauth) Click, "Create Credentials" > "OAuth client ID". Select "Web Application", fill in the name of your app, skip "Authorized JavaScript origins" and fill "Authorized redirect URIs" with all the domains you will allow authentication from, appended with the `url-path` (e.g. https://app.test.com/_oauth)
## User Restriction
You can restrict who can login with the following parameters:
* `-domain` - Use this to limit logins to a specific domain, e.g. test.com only
* `-whitelist` - Use this to only allow specific users to login e.g. thom@test.com only
Note, if you pass `whitelist` then only this is checked and `domain` is effectively ignored.
## Cookie Domains ## Cookie Domains
You can supply a comma separated list of cookie domains, if the host of the original request is a subdomain of any given cookie domain, the authentication cookie will set with the given domain. You can supply a comma separated list of cookie domains, if the host of the original request is a subdomain of any given cookie domain, the authentication cookie will set with the given domain.


@ -38,6 +38,7 @@ type ForwardAuth struct {
CookieSecure bool CookieSecure bool
Domain []string Domain []string
Whitelist []string
Direct bool Direct bool
@ -86,23 +87,28 @@ func (f *ForwardAuth) ValidateCookie(r *http.Request, c *http.Cookie) (bool, str
// Validate email // Validate email
func (f *ForwardAuth) ValidateEmail(email string) bool { func (f *ForwardAuth) ValidateEmail(email string) bool {
if len(f.Domain) > 0 { found := false
if len(f.Whitelist) > 0 {
for _, whitelist := range f.Whitelist {
if email == whitelist {
found = true
}
}
} else if len(f.Domain) > 0 {
parts := strings.Split(email, "@") parts := strings.Split(email, "@")
if len(parts) < 2 { if len(parts) < 2 {
return false return false
} }
found := false
for _, domain := range f.Domain { for _, domain := range f.Domain {
if domain == parts[1] { if domain == parts[1] {
found = true found = true
} }
} }
if !found { } else {
return false return true
}
} }
return true return found
} }
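Review bot: The restructured ValidateEmail now encodes a three-way precedence (whitelist, else domain, else allow everything) but carries only the bare `// Validate email` comment, so the fail-open default when neither list is configured is invisible at the definition. A doc comment such as `// ValidateEmail reports whether email may log in: with a non-empty Whitelist only an exact, case-sensitive match passes and Domain is ignored; otherwise with a non-empty Domain the part after "@" must match; with neither set every email is accepted.` would make the contract explicit where the README (and the new `else { return true }` branch) currently are the only record of it. The whitelist loop also keeps iterating after a hit; returning directly with `if email == whitelist { return true }` would drop the `found` flag for that branch and read more plainly. Whether providers hand back the address in the same case the operator typed is not visible here, so the case-sensitive comparison should be confirmed against the identity provider in use.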


@ -81,6 +81,20 @@ func TestValidateEmail(t *testing.T) {
if !fw.ValidateEmail("test@test.com") { if !fw.ValidateEmail("test@test.com") {
t.Error("Should allow user from allowed domain") t.Error("Should allow user from allowed domain")
} }
// Should block non whitelisted email address
fw.Domain = []string{}
fw.Whitelist = []string{"test@test.com"}
if fw.ValidateEmail("one@two.com") {
t.Error("Should not allow user not in whitelist.")
}
// Should allow matching whitelisted email address
fw.Domain = []string{}
fw.Whitelist = []string{"test@test.com"}
if !fw.ValidateEmail("test@test.com") {
t.Error("Should allow user in whitelist.")
}
} }
func TestGetLoginURL(t *testing.T) { func TestGetLoginURL(t *testing.T) {
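Review bot: Neither new case exercises the precedence rule the README states ("if you pass whitelist then ... domain is effectively ignored"): both set `fw.Domain = []string{}` before checking the whitelist, so a regression that fell back to the domain check when the whitelist did not match would still pass. Adding a case with both lists populated, where the email matches the domain but not the whitelist, would pin that behaviour. TestValidateEmail starts outside the hunk.
```go
	// Should ignore domain when whitelist is set
	fw.Domain = []string{"test.com"}
	fw.Whitelist = []string{"other@test.com"}
	if fw.ValidateEmail("test@test.com") {
		t.Error("Should not fall back to domain when whitelist is set.")
	}
```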


@ -141,6 +141,7 @@ func main() {
cookieSecret := flag.String("cookie-secret", "", "depreciated") cookieSecret := flag.String("cookie-secret", "", "depreciated")
cookieSecure := flag.Bool("cookie-secure", true, "Use secure cookies") cookieSecure := flag.Bool("cookie-secure", true, "Use secure cookies")
domainList := flag.String("domain", "", "Comma separated list of email domains to allow") domainList := flag.String("domain", "", "Comma separated list of email domains to allow")
emailWhitelist := flag.String("whitelist", "", "Comma separated list of emails to allow")
direct := flag.Bool("direct", false, "Run in direct mode (use own hostname as oppose to X-Forwarded-Host, used for testing/development)") direct := flag.Bool("direct", false, "Run in direct mode (use own hostname as oppose to X-Forwarded-Host, used for testing/development)")
prompt := flag.String("prompt", "", "Space separated list of OpenID prompt options") prompt := flag.String("prompt", "", "Space separated list of OpenID prompt options")
@ -182,6 +183,10 @@ func main() {
if *domainList != "" { if *domainList != "" {
domain = strings.Split(*domainList, ",") domain = strings.Split(*domainList, ",")
} }
var whitelist []string
if *emailWhitelist != "" {
whitelist = strings.Split(*emailWhitelist, ",")
}
// Setup // Setup
fw = &ForwardAuth{ fw = &ForwardAuth{
@ -215,6 +220,7 @@ func main() {
CookieSecure: *cookieSecure, CookieSecure: *cookieSecure,
Domain: domain, Domain: domain,
Whitelist: whitelist,
Direct: *direct, Direct: *direct,
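Review bot: The new `whitelist = strings.Split(*emailWhitelist, ",")` keeps any whitespace around the separators, and ValidateEmail compares entries with `==`, so a value like `"a@test.com, b@test.com"` silently yields an entry `" b@test.com"` that never matches; the mismatch fails closed, but the operator gets no signal why a listed user is rejected. Trimming each entry after the split, e.g. `for i, e := range whitelist { whitelist[i] = strings.TrimSpace(e) }`, removes that foot-gun; the existing `-domain` split on the lines just above has the same property and could be handled the same way. main's body continues well outside the hunk, so where `fw` is used afterwards is not visible here.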