Allow grouping of tokens for simpler ACL

Signed-off-by: Knut Ahlers <knut@ahlers.me>

README.md

@@ -180,9 +180,13 @@ providers:
     tokens:
       tokenname: "MYTOKEN"
       mycli: "kQHjQLuQdkSPwdJ1mueniLMPSjCc6GVt"
+
+    # Groupname to token mapping
+    groups:
+      mytokengroup: ["tokenname"]
 ```
 
-This provider does not support grouping: Each token needs to be white-listed explicitly. When accessing the sites using a token this header is expected:
+When accessing the sites using a token this header is expected:
 
 `Authorization: Token MYTOKEN`
 

auth_token.go

@@ -4,6 +4,8 @@ import (
 	"net/http"
 	"strings"
 
+	"github.com/Luzifer/go_helpers/str"
+
 	yaml "gopkg.in/yaml.v2"
 )
 
@@ -13,6 +15,7 @@ func init() {
 
 type authToken struct {
 	Tokens map[string]string   `yaml:"tokens"`
+	Groups map[string][]string `yaml:"groups"`
 }
 
 // AuthenticatorID needs to return an unique string to identify
@@ -57,13 +60,25 @@ func (a authToken) DetectUser(res http.ResponseWriter, r *http.Request) (string,
 	tmp := strings.SplitN(authHeader, " ", 2)
 	suppliedToken := tmp[1]
 
-	for user, token := range a.Tokens {
+	var user, token string
+	for user, token = range a.Tokens {
 		if token == suppliedToken {
-			return user, nil, nil
+			break
 		}
 	}
 
+	if user == "" {
 		return "", nil, errNoValidUserFound
+	}
+
+	groups := []string{}
+	for group, users := range a.Groups {
+		if str.StringInSlice(user, users) {
+			groups = append(groups, group)
+		}
+	}
+
+	return user, groups, nil
 }
 
 // Login is called when the user submits the login form and needs

config.yaml

@@ -43,12 +43,16 @@ providers:
       admins: ["luzifer"]
 
   # Authentication against embedded token directory
-  # Supports: Users
+  # Supports: Users, Groups
   token:
     # Mapping of unique token names to the token
     tokens:
       tokenname: "MYTOKEN"
 
+    # Groupname to token mapping
+    groups:
+      mytokengroup: ["tokenname"]
+
   # Authentication against Yubikey cloud validation servers
   # Supports: Users, Groups
   yubikey: