Allow grouping of tokens for simpler ACL
Signed-off-by: Knut Ahlers <knut@ahlers.me>
This commit is contained in:
parent
07062c318a
commit
64bf3d17cd
3 changed files with 29 additions and 6 deletions
|
@ -180,9 +180,13 @@ providers:
|
|||
tokens:
|
||||
tokenname: "MYTOKEN"
|
||||
mycli: "kQHjQLuQdkSPwdJ1mueniLMPSjCc6GVt"
|
||||
|
||||
# Groupname to token mapping
|
||||
groups:
|
||||
mytokengroup: ["tokenname"]
|
||||
```
|
||||
|
||||
This provider does not support grouping: Each token needs to be white-listed explicitly. When accessing the sites using a token this header is expected:
|
||||
When accessing the sites using a token this header is expected:
|
||||
|
||||
`Authorization: Token MYTOKEN`
|
||||
|
||||
|
|
|
@ -4,6 +4,8 @@ import (
|
|||
"net/http"
|
||||
"strings"
|
||||
|
||||
"github.com/Luzifer/go_helpers/str"
|
||||
|
||||
yaml "gopkg.in/yaml.v2"
|
||||
)
|
||||
|
||||
|
@ -13,6 +15,7 @@ func init() {
|
|||
|
||||
type authToken struct {
|
||||
Tokens map[string]string `yaml:"tokens"`
|
||||
Groups map[string][]string `yaml:"groups"`
|
||||
}
|
||||
|
||||
// AuthenticatorID needs to return an unique string to identify
|
||||
|
@ -57,15 +60,27 @@ func (a authToken) DetectUser(res http.ResponseWriter, r *http.Request) (string,
|
|||
tmp := strings.SplitN(authHeader, " ", 2)
|
||||
suppliedToken := tmp[1]
|
||||
|
||||
for user, token := range a.Tokens {
|
||||
var user, token string
|
||||
for user, token = range a.Tokens {
|
||||
if token == suppliedToken {
|
||||
return user, nil, nil
|
||||
break
|
||||
}
|
||||
}
|
||||
|
||||
if user == "" {
|
||||
return "", nil, errNoValidUserFound
|
||||
}
|
||||
|
||||
groups := []string{}
|
||||
for group, users := range a.Groups {
|
||||
if str.StringInSlice(user, users) {
|
||||
groups = append(groups, group)
|
||||
}
|
||||
}
|
||||
|
||||
return user, groups, nil
|
||||
}
|
||||
|
||||
// Login is called when the user submits the login form and needs
|
||||
// to authenticate the user or throw an error. If the user has
|
||||
// successfully logged in the persistent cookie should be written
|
||||
|
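Review bot: A request whose token matches no entry is still authenticated as a user, because when `for user, token = range a.Tokens` finishes without hitting `break`, `user` keeps the last key the iteration visited rather than the empty string, so the `if user == ""` guard only fires when the map is empty and the user returned for an invalid token varies with map iteration order. The match should be recorded separately from the loop variables, assigning the user only inside the matched branch. While touching this loop, comparing the secret with `==` is not constant-time; `subtle.ConstantTimeCompare` from `crypto/subtle` is the usual replacement and would need an import added outside this hunk. DetectUser begins before this hunk, and the unchecked `tmp[1]` on the context line is pre-existing and panics on an `Authorization` header that contains no space.
```go
	var user string
	for name, token := range a.Tokens {
		if subtle.ConstantTimeCompare([]byte(token), []byte(suppliedToken)) == 1 {
			user = name
			break
		}
	}
	// … unchanged: empty-user check, group collection, return …
```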
|
|
@ -43,12 +43,16 @@ providers:
|
|||
admins: ["luzifer"]
|
||||
|
||||
# Authentication against embedded token directory
|
||||
# Supports: Users
|
||||
# Supports: Users, Groups
|
||||
token:
|
||||
# Mapping of unique token names to the token
|
||||
tokens:
|
||||
tokenname: "MYTOKEN"
|
||||
|
||||
# Groupname to token mapping
|
||||
groups:
|
||||
mytokengroup: ["tokenname"]
|
||||
|
||||
# Authentication against Yubikey cloud validation servers
|
||||
# Supports: Users, Groups
|
||||
yubikey:
|
||||
|
|