-
-
Notifications
You must be signed in to change notification settings - Fork 409
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Allow override of domains and whitelist in rules (#169)
Co-authored-by: Mathieu Cantin <[email protected]> Co-authored-by: Pete Shaw <[email protected]>
- Loading branch information
1 parent
41560fe
commit 04f5499
Showing
5 changed files
with
164 additions
and
46 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -321,6 +321,7 @@ All options can be supplied in any of the following ways, in the following prece | |
- `action` - same usage as [`default-action`](#default-action), supported values: | ||
- `auth` (default) | ||
- `allow` | ||
- `domains` - optional, same usage as [`domain`](#domain) | ||
- `provider` - same usage as [`default-provider`](#default-provider), supported values: | ||
- `google` | ||
- `oidc` | ||
|
@@ -333,6 +334,7 @@ All options can be supplied in any of the following ways, in the following prece | |
- ``Path(`path`, `/articles/{category}/{id:[0-9]+}`, ...)`` | ||
- ``PathPrefix(`/products/`, `/articles/{category}/{id:[0-9]+}`)`` | ||
- ``Query(`foo=bar`, `bar=baz`)`` | ||
- `whitelist` - optional, same usage as whitelist`](#whitelist) | ||
|
||
For example: | ||
``` | ||
|
@@ -348,6 +350,11 @@ All options can be supplied in any of the following ways, in the following prece | |
rule.oidc.action = auth | ||
rule.oidc.provider = oidc | ||
rule.oidc.rule = PathPrefix(`/github`) | ||
|
||
# Allow [email protected] to `/janes-eyes-only` | ||
rule.two.action = allow | ||
rule.two.rule = Path(`/janes-eyes-only`) | ||
rule.two.whitelist = [email protected] | ||
``` | ||
|
||
Note: It is possible to break your redirect flow with rules, please be careful not to create an `allow` rule that matches your redirect_uri unless you know what you're doing. This limitation is being tracked in in #101 and the behaviour will change in future releases. | ||
|
@@ -361,7 +368,7 @@ You can restrict who can login with the following parameters: | |
* `domain` - Use this to limit logins to a specific domain, e.g. test.com only | ||
* `whitelist` - Use this to only allow specific users to login e.g. [email protected] only | ||
|
||
Note, if you pass both `whitelist` and `domain`, then the default behaviour is for only `whitelist` to be used and `domain` will be effectively ignored. You can allow users matching *either* `whitelist` or `domain` by passing the `match-whitelist-or-domain` parameter (this will be the default behaviour in v3). | ||
Note, if you pass both `whitelist` and `domain`, then the default behaviour is for only `whitelist` to be used and `domain` will be effectively ignored. You can allow users matching *either* `whitelist` or `domain` by passing the `match-whitelist-or-domain` parameter (this will be the default behaviour in v3). If you set `domains` or `whitelist` on a rule, the global configuration is ignored. | ||
|
||
### Forwarded Headers | ||
|
||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -65,57 +65,132 @@ func TestAuthValidateEmail(t *testing.T) { | |
assert := assert.New(t) | ||
config, _ = NewConfig([]string{}) | ||
|
||
// Should allow any | ||
v := ValidateEmail("[email protected]") | ||
// Should allow any with no whitelist/domain is specified | ||
v := ValidateEmail("[email protected]", "default") | ||
assert.True(v, "should allow any domain if email domain is not defined") | ||
v = ValidateEmail("[email protected]") | ||
v = ValidateEmail("[email protected]", "default") | ||
assert.True(v, "should allow any domain if email domain is not defined") | ||
|
||
// Should block non matching domain | ||
config.Domains = []string{"test.com"} | ||
v = ValidateEmail("[email protected]") | ||
assert.False(v, "should not allow user from another domain") | ||
|
||
// Should allow matching domain | ||
config.Domains = []string{"test.com"} | ||
v = ValidateEmail("[email protected]") | ||
v = ValidateEmail("[email protected]", "default") | ||
assert.False(v, "should not allow user from another domain") | ||
v = ValidateEmail("[email protected]", "default") | ||
assert.True(v, "should allow user from allowed domain") | ||
|
||
// Should block non whitelisted email address | ||
config.Domains = []string{} | ||
config.Whitelist = []string{"[email protected]"} | ||
v = ValidateEmail("[email protected]") | ||
assert.False(v, "should not allow user not in whitelist") | ||
|
||
// Should allow matching whitelisted email address | ||
config.Domains = []string{} | ||
config.Whitelist = []string{"[email protected]"} | ||
v = ValidateEmail("[email protected]") | ||
v = ValidateEmail("[email protected]", "default") | ||
assert.False(v, "should not allow user not in whitelist") | ||
v = ValidateEmail("[email protected]", "default") | ||
assert.True(v, "should allow user in whitelist") | ||
|
||
// Should allow only matching email address when | ||
// MatchWhitelistOrDomain is disabled | ||
config.Domains = []string{"example.com"} | ||
config.Whitelist = []string{"[email protected]"} | ||
config.MatchWhitelistOrDomain = false | ||
v = ValidateEmail("[email protected]") | ||
assert.True(v, "should allow user in whitelist") | ||
v = ValidateEmail("[email protected]") | ||
assert.False(v, "should not allow user from valid domain") | ||
v = ValidateEmail("[email protected]") | ||
v = ValidateEmail("[email protected]", "default") | ||
assert.False(v, "should not allow user not in either") | ||
v = ValidateEmail("[email protected]", "default") | ||
assert.False(v, "should not allow user from allowed domain") | ||
v = ValidateEmail("[email protected]", "default") | ||
assert.True(v, "should allow user in whitelist") | ||
|
||
// Should allow either matching domain or email address when | ||
// MatchWhitelistOrDomain is enabled | ||
config.Domains = []string{"example.com"} | ||
config.Whitelist = []string{"[email protected]"} | ||
config.MatchWhitelistOrDomain = true | ||
v = ValidateEmail("[email protected]") | ||
v = ValidateEmail("[email protected]", "default") | ||
assert.False(v, "should not allow user not in either") | ||
v = ValidateEmail("[email protected]", "default") | ||
assert.True(v, "should allow user from allowed domain") | ||
v = ValidateEmail("[email protected]", "default") | ||
assert.True(v, "should allow user in whitelist") | ||
v = ValidateEmail("[email protected]") | ||
assert.True(v, "should allow user from valid domain") | ||
v = ValidateEmail("[email protected]") | ||
|
||
// Rule testing | ||
|
||
// Should use global whitelist/domain when not specified on rule | ||
config.Domains = []string{"example.com"} | ||
config.Whitelist = []string{"[email protected]"} | ||
config.Rules = map[string]*Rule{"test": NewRule()} | ||
config.MatchWhitelistOrDomain = true | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.False(v, "should not allow user not in either") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.True(v, "should allow user from allowed global domain") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.True(v, "should allow user in global whitelist") | ||
|
||
// Should allow matching domain in rule | ||
config.Domains = []string{"testglobal.com"} | ||
config.Whitelist = []string{} | ||
rule := NewRule() | ||
config.Rules = map[string]*Rule{"test": rule} | ||
rule.Domains = []string{"testrule.com"} | ||
config.MatchWhitelistOrDomain = false | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.False(v, "should not allow user from another domain") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.False(v, "should not allow user from global domain") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.True(v, "should allow user from allowed domain") | ||
|
||
// Should allow matching whitelist in rule | ||
config.Domains = []string{} | ||
config.Whitelist = []string{"[email protected]"} | ||
rule = NewRule() | ||
config.Rules = map[string]*Rule{"test": rule} | ||
rule.Whitelist = []string{"[email protected]"} | ||
config.MatchWhitelistOrDomain = false | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.False(v, "should not allow user from another domain") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.False(v, "should not allow user from global domain") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.True(v, "should allow user from allowed domain") | ||
|
||
// Should allow only matching email address when | ||
// MatchWhitelistOrDomain is disabled | ||
config.Domains = []string{"exampleglobal.com"} | ||
config.Whitelist = []string{"[email protected]"} | ||
rule = NewRule() | ||
config.Rules = map[string]*Rule{"test": rule} | ||
rule.Domains = []string{"examplerule.com"} | ||
rule.Whitelist = []string{"[email protected]"} | ||
config.MatchWhitelistOrDomain = false | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.False(v, "should not allow user not in either") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.False(v, "should not allow user in global whitelist") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.False(v, "should not allow user from global domain") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.False(v, "should not allow user from allowed domain") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.True(v, "should allow user in whitelist") | ||
|
||
// Should allow either matching domain or email address when | ||
// MatchWhitelistOrDomain is enabled | ||
config.Domains = []string{"exampleglobal.com"} | ||
config.Whitelist = []string{"[email protected]"} | ||
rule = NewRule() | ||
config.Rules = map[string]*Rule{"test": rule} | ||
rule.Domains = []string{"examplerule.com"} | ||
rule.Whitelist = []string{"[email protected]"} | ||
config.MatchWhitelistOrDomain = true | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.False(v, "should not allow user not in either") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.False(v, "should not allow user in global whitelist") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.False(v, "should not allow user from global domain") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.True(v, "should allow user from allowed domain") | ||
v = ValidateEmail("[email protected]", "test") | ||
assert.True(v, "should allow user in whitelist") | ||
} | ||
|
||
func TestRedirectUri(t *testing.T) { | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters