
Allow grouping of tokens for simpler ACL

Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
Knut Ahlers 2018-02-04 11:34:04 +01:00
parent 07062c318a
commit 64bf3d17cd
Signed by: luzifer
GPG key ID: DC2729FDD34BE99E
3 changed files with 29 additions and 6 deletions


@ -180,9 +180,13 @@ providers:
tokens: tokens:
tokenname: "MYTOKEN" tokenname: "MYTOKEN"
mycli: "kQHjQLuQdkSPwdJ1mueniLMPSjCc6GVt" mycli: "kQHjQLuQdkSPwdJ1mueniLMPSjCc6GVt"
# Groupname to token mapping
groups:
mytokengroup: ["tokenname"]
``` ```
This provider does not support grouping: Each token needs to be white-listed explicitly. When accessing the sites using a token this header is expected: When accessing the sites using a token this header is expected:
`Authorization: Token MYTOKEN` `Authorization: Token MYTOKEN`


@ -4,6 +4,8 @@ import (
"net/http" "net/http"
"strings" "strings"
"github.com/Luzifer/go_helpers/str"
yaml "gopkg.in/yaml.v2" yaml "gopkg.in/yaml.v2"
) )
@ -13,6 +15,7 @@ func init() {
type authToken struct { type authToken struct {
Tokens map[string]string `yaml:"tokens"` Tokens map[string]string `yaml:"tokens"`
Groups map[string][]string `yaml:"groups"`
} }
// AuthenticatorID needs to return an unique string to identify // AuthenticatorID needs to return an unique string to identify
@ -57,15 +60,27 @@ func (a authToken) DetectUser(res http.ResponseWriter, r *http.Request) (string,
tmp := strings.SplitN(authHeader, " ", 2) tmp := strings.SplitN(authHeader, " ", 2)
suppliedToken := tmp[1] suppliedToken := tmp[1]
for user, token := range a.Tokens { var user, token string
for user, token = range a.Tokens {
if token == suppliedToken { if token == suppliedToken {
return user, nil, nil break
} }
} }
if user == "" {
return "", nil, errNoValidUserFound return "", nil, errNoValidUserFound
} }
groups := []string{}
for group, users := range a.Groups {
if str.StringInSlice(user, users) {
groups = append(groups, group)
}
}
return user, groups, nil
}
// Login is called when the user submits the login form and needs // Login is called when the user submits the login form and needs
// to authenticate the user or throw an error. If the user has // to authenticate the user or throw an error. If the user has
// successfully logged in the persistent cookie should be written // successfully logged in the persistent cookie should be written
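Review bot: The rewritten lookup in DetectUser no longer rejects unknown tokens: `for user, token = range a.Tokens` assigns `user` on every iteration, so when nothing matches the loop exits with `user` holding the last key visited, and the `if user == ""` guard only fires when `a.Tokens` is empty — any other `Authorization: Token ...` value is accepted as that last user with its groups. The original `return user, nil, nil` inside the loop did not have this problem because a miss fell through to `errNoValidUserFound`. Keep the result separate from the loop variables, e.g. `var user string`, `for name, token := range a.Tokens {` and `user = name` before the `break`, so `user` stays empty on a miss. DetectUser's signature and the header parsing start before this hunk; as a secondary point, the unchanged `token == suppliedToken` compare is a candidate for `subtle.ConstantTimeCompare`, but that predates this commit.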


@ -43,12 +43,16 @@ providers:
admins: ["luzifer"] admins: ["luzifer"]
# Authentication against embedded token directory # Authentication against embedded token directory
# Supports: Users # Supports: Users, Groups
token: token:
# Mapping of unique token names to the token # Mapping of unique token names to the token
tokens: tokens:
tokenname: "MYTOKEN" tokenname: "MYTOKEN"
# Groupname to token mapping
groups:
mytokengroup: ["tokenname"]
# Authentication against Yubikey cloud validation servers # Authentication against Yubikey cloud validation servers
# Supports: Users, Groups # Supports: Users, Groups
yubikey: yubikey: