Allow grouping of tokens for simpler ACL
Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
parent
07062c318a
commit
64bf3d17cd
3 changed files with 29 additions and 6 deletions
|
@ -180,9 +180,13 @@ providers:
|
||||||
tokens:
|
tokens:
|
||||||
tokenname: "MYTOKEN"
|
tokenname: "MYTOKEN"
|
||||||
mycli: "kQHjQLuQdkSPwdJ1mueniLMPSjCc6GVt"
|
mycli: "kQHjQLuQdkSPwdJ1mueniLMPSjCc6GVt"
|
||||||
|
|
||||||
|
# Groupname to token mapping
|
||||||
|
groups:
|
||||||
|
mytokengroup: ["tokenname"]
|
||||||
```
|
```
|
||||||
|
|
||||||
This provider does not support grouping: Each token needs to be white-listed explicitly. When accessing the sites using a token this header is expected:
|
When accessing the sites using a token this header is expected:
|
||||||
|
|
||||||
`Authorization: Token MYTOKEN`
|
`Authorization: Token MYTOKEN`
|
||||||
|
|
||||||
|
|
|
@ -4,6 +4,8 @@ import (
|
||||||
"net/http"
|
"net/http"
|
||||||
"strings"
|
"strings"
|
||||||
|
|
||||||
|
"github.com/Luzifer/go_helpers/str"
|
||||||
|
|
||||||
yaml "gopkg.in/yaml.v2"
|
yaml "gopkg.in/yaml.v2"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
@ -13,6 +15,7 @@ func init() {
|
||||||
|
|
||||||
type authToken struct {
|
type authToken struct {
|
||||||
Tokens map[string]string `yaml:"tokens"`
|
Tokens map[string]string `yaml:"tokens"`
|
||||||
|
Groups map[string][]string `yaml:"groups"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// AuthenticatorID needs to return an unique string to identify
|
// AuthenticatorID needs to return an unique string to identify
|
||||||
|
@ -57,15 +60,27 @@ func (a authToken) DetectUser(res http.ResponseWriter, r *http.Request) (string,
|
||||||
tmp := strings.SplitN(authHeader, " ", 2)
|
tmp := strings.SplitN(authHeader, " ", 2)
|
||||||
suppliedToken := tmp[1]
|
suppliedToken := tmp[1]
|
||||||
|
|
||||||
for user, token := range a.Tokens {
|
var user, token string
|
||||||
|
for user, token = range a.Tokens {
|
||||||
if token == suppliedToken {
|
if token == suppliedToken {
|
||||||
return user, nil, nil
|
break
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if user == "" {
|
||||||
return "", nil, errNoValidUserFound
|
return "", nil, errNoValidUserFound
|
||||||
}
|
}
|
||||||
|
|
||||||
|
groups := []string{}
|
||||||
|
for group, users := range a.Groups {
|
||||||
|
if str.StringInSlice(user, users) {
|
||||||
|
groups = append(groups, group)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return user, groups, nil
|
||||||
|
}
|
||||||
|
|
||||||
// Login is called when the user submits the login form and needs
|
// Login is called when the user submits the login form and needs
|
||||||
// to authenticate the user or throw an error. If the user has
|
// to authenticate the user or throw an error. If the user has
|
||||||
// successfully logged in the persistent cookie should be written
|
// successfully logged in the persistent cookie should be written
|
||||||
|
|
|
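Review bot: The `if user == ""` check in DetectUser does not detect a non-matching token, because after `for user, token = range a.Tokens` finishes without a `break`, `user` still holds the last map key that was iterated, so a request with an unknown token is returned as that user together with its groups instead of errNoValidUserFound. Only an empty Tokens map (or a token whose name is the empty string) makes the guard fire, so the lookup should assign the result explicitly: `var user string`, `for name, token := range a.Tokens {`, and `user = name` immediately before the `break`. The surrounding `tmp[1]` access on the context lines is unchanged by this commit but also panics on an Authorization header without a space, which is worth a length check in the same function. Since the token is a secret, comparing it with `subtle.ConstantTimeCompare` rather than `==` would be a reasonable hardening, though that is beyond what this change sets out to do. DetectUser's signature and the start of its body are outside the hunk.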
@ -43,12 +43,16 @@ providers:
|
||||||
admins: ["luzifer"]
|
admins: ["luzifer"]
|
||||||
|
|
||||||
# Authentication against embedded token directory
|
# Authentication against embedded token directory
|
||||||
# Supports: Users
|
# Supports: Users, Groups
|
||||||
token:
|
token:
|
||||||
# Mapping of unique token names to the token
|
# Mapping of unique token names to the token
|
||||||
tokens:
|
tokens:
|
||||||
tokenname: "MYTOKEN"
|
tokenname: "MYTOKEN"
|
||||||
|
|
||||||
|
# Groupname to token mapping
|
||||||
|
groups:
|
||||||
|
mytokengroup: ["tokenname"]
|
||||||
|
|
||||||
# Authentication against Yubikey cloud validation servers
|
# Authentication against Yubikey cloud validation servers
|
||||||
# Supports: Users, Groups
|
# Supports: Users, Groups
|
||||||
yubikey:
|
yubikey:
|
||||||
|
|