Merge branch 'lammensj-whitelist'

2018-11-06 14:04:07 +00:00 · 2018-11-06 14:04:07 +00:00 · 91775ff0a8
commit 91775ff0a8
parent ccbda4ec8c 1832672f5e
4 changed files with 42 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -33,6 +33,7 @@ The following configuration is supported:
 |-csrf-cookie-name|string|CSRF Cookie Name (default "_forward_auth_csrf")|
 |-direct|bool|Run in direct mode (use own hostname as oppose to <br>X-Forwarded-Host, used for testing/development)
 |-domain|string|Comma separated list of email domains to allow|
+|-whitelist|string|Comma separated list of email addresses to allow|
 |-lifetime|int|Session length in seconds (default 43200)|
 |-url-path|string|Callback URL (default "_oauth")|
 |-prompt|string|Space separated list of [OpenID prompt options](https://developers.google.com/identity/protocols/OpenIDConnect#prompt)|
@ -49,6 +50,15 @@ Create a new project then search for and select "Credentials" in the search bar.

 Click, "Create Credentials" > "OAuth client ID". Select "Web Application", fill in the name of your app, skip "Authorized JavaScript origins" and fill "Authorized redirect URIs" with all the domains you will allow authentication from, appended with the `url-path` (e.g. https://app.test.com/_oauth)

+## User Restriction
+
+You can restrict who can login with the following parameters:
+
+* `-domain` - Use this to limit logins to a specific domain, e.g. test.com only
+* `-whitelist` - Use this to only allow specific users to login e.g. thom@test.com only
+
+Note, if you pass `whitelist` then only this is checked and `domain` is effectively ignored.
+
 ## Cookie Domains

 You can supply a comma separated list of cookie domains, if the host of the original request is a subdomain of any given cookie domain, the authentication cookie will set with the given domain.
--- a/forwardauth.go
+++ b/forwardauth.go
@ -38,6 +38,7 @@ type ForwardAuth struct {
  CookieSecure bool

  Domain []string
+  Whitelist []string

  Direct bool

@ -86,23 +87,28 @@ func (f *ForwardAuth) ValidateCookie(r *http.Request, c *http.Cookie) (bool, str

 // Validate email
 func (f *ForwardAuth) ValidateEmail(email string) bool {
-  if len(f.Domain) > 0 {
+  found := false
+  if len(f.Whitelist) > 0 {
+    for _, whitelist := range f.Whitelist {
+      if email == whitelist {
+        found = true
+      }
+    }
+  } else if len(f.Domain) > 0 {
    parts := strings.Split(email, "@")
    if len(parts) < 2 {
      return false
    }
-    found := false
    for _, domain := range f.Domain {
      if domain == parts[1] {
        found = true
      }
    }
-    if !found {
-      return false
-    }
+  } else {
+    return true
  }

-  return true
+  return found
 }


--- a/forwardauth_test.go
+++ b/forwardauth_test.go
@ -81,6 +81,20 @@ func TestValidateEmail(t *testing.T) {
  if !fw.ValidateEmail("test@test.com") {
    t.Error("Should allow user from allowed domain")
  }
+
+  // Should block non whitelisted email address
+  fw.Domain = []string{}
+  fw.Whitelist = []string{"test@test.com"}
+  if fw.ValidateEmail("one@two.com") {
+    t.Error("Should not allow user not in whitelist.")
+  }
+
+  // Should allow matching whitelisted email address
+  fw.Domain = []string{}
+  fw.Whitelist = []string{"test@test.com"}
+  if !fw.ValidateEmail("test@test.com") {
+    t.Error("Should allow user in whitelist.")
+  }
 }

 func TestGetLoginURL(t *testing.T) {
--- a/main.go
+++ b/main.go
@ -141,6 +141,7 @@ func main() {
  cookieSecret := flag.String("cookie-secret", "", "depreciated")
  cookieSecure := flag.Bool("cookie-secure", true, "Use secure cookies")
  domainList := flag.String("domain", "", "Comma separated list of email domains to allow")
+  emailWhitelist := flag.String("whitelist", "", "Comma separated list of emails to allow")
  direct := flag.Bool("direct", false, "Run in direct mode (use own hostname as oppose to X-Forwarded-Host, used for testing/development)")
  prompt := flag.String("prompt", "", "Space separated list of OpenID prompt options")

@ -182,6 +183,10 @@ func main() {
  if *domainList != "" {
    domain = strings.Split(*domainList, ",")
  }
+  var whitelist []string
+  if *emailWhitelist != "" {
+    whitelist = strings.Split(*emailWhitelist, ",")
+  }

  // Setup
  fw = &ForwardAuth{
@ -215,6 +220,7 @@ func main() {
    CookieSecure: *cookieSecure,

    Domain: domain,
+    Whitelist: whitelist,

    Direct: *direct,