Mirrors/wg-portal
1
0
Fork 0
mirror of https://github.com/h44z/wg-portal.git synced 2025-06-27 16:57:01 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Enable allowed_domains in oauth and oidc providers (#416)

Browse Source 
* Enable allowed_domains in oauth and oidc providers

Signed-off-by: Vladimir DOMBROVSKI <vladimir.dombrovski@bso.co>

* Domain check code cleanup

* Run gofmt on domain validation code

---------

Signed-off-by: Vladimir DOMBROVSKI <vladimir.dombrovski@bso.co>
This commit is contained in:
Vladimir Dombrovski 2025-05-05 18:26:19 +02:00 committed by GitHub
parent d8a57edef9
commit 3eb84f0ee9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
internal/app/auth/auth.go
View File

@ -63,6 +63,8 @@ type AuthenticatorOauth interface {
ParseUserInfo(raw map[string]any) (*domain.AuthenticatorUserInfo, error) ParseUserInfo(raw map[string]any) (*domain.AuthenticatorUserInfo, error)
// RegistrationEnabled returns whether registration is enabled for the OAuth authenticator. // RegistrationEnabled returns whether registration is enabled for the OAuth authenticator.
RegistrationEnabled() bool RegistrationEnabled() bool
// GetAllowedDomains returns the list of whitelisted domains
GetAllowedDomains() []string
} }
// AuthenticatorLdap is the interface for all LDAP authenticators. // AuthenticatorLdap is the interface for all LDAP authenticators.
@ -392,6 +394,23 @@ func (a *Authenticator) randString(nByte int) (string, error) {
return base64.RawURLEncoding.EncodeToString(b), nil return base64.RawURLEncoding.EncodeToString(b), nil
} }
func isDomainAllowed(email string, allowedDomains []string) bool {
if len(allowedDomains) == 0 {
return true
}
parts := strings.Split(email, "@")
if len(parts) != 2 {
return false
}
domain := strings.ToLower(parts[1])
for _, allowed := range allowedDomains {
if domain == strings.ToLower(allowed) {
return true
}
}
return false
}
// OauthLoginStep2 finishes the oauth authentication flow by exchanging the code for an access token and // OauthLoginStep2 finishes the oauth authentication flow by exchanging the code for an access token and
// fetching the user information. // fetching the user information.
func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce, code string) (*domain.User, error) { func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce, code string) (*domain.User, error) {
@ -431,6 +450,10 @@ func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce,
return nil, fmt.Errorf("unable to process user information: %w", err) return nil, fmt.Errorf("unable to process user information: %w", err)
} }
if !isDomainAllowed(userInfo.Email, oauthProvider.GetAllowedDomains()) {
return nil, fmt.Errorf("user is not in allowed domains: %w", err)
}
if user.IsLocked() || user.IsDisabled() { if user.IsLocked() || user.IsDisabled() {
a.bus.Publish(app.TopicAuditLoginFailed, domain.AuditEventWrapper[audit.AuthEvent]{ a.bus.Publish(app.TopicAuditLoginFailed, domain.AuditEventWrapper[audit.AuthEvent]{
Ctx: ctx, Ctx: ctx,

6
internal/app/auth/auth_oauth.go
View File

@ -27,6 +27,7 @@ type PlainOauthAuthenticator struct {
userAdminMapping *config.OauthAdminMapping userAdminMapping *config.OauthAdminMapping
registrationEnabled bool registrationEnabled bool
userInfoLogging bool userInfoLogging bool
allowedDomains []string
} }
func newPlainOauthAuthenticator( func newPlainOauthAuthenticator(
@ -56,6 +57,7 @@ func newPlainOauthAuthenticator(
provider.userAdminMapping = &cfg.AdminMapping provider.userAdminMapping = &cfg.AdminMapping
provider.registrationEnabled = cfg.RegistrationEnabled provider.registrationEnabled = cfg.RegistrationEnabled
provider.userInfoLogging = cfg.LogUserInfo provider.userInfoLogging = cfg.LogUserInfo
provider.allowedDomains = cfg.AllowedDomains
return provider, nil return provider, nil
} }
@ -65,6 +67,10 @@ func (p PlainOauthAuthenticator) GetName() string {
return p.name return p.name
} }
func (p PlainOauthAuthenticator) GetAllowedDomains() []string {
return p.allowedDomains
}
// RegistrationEnabled returns whether registration is enabled for the OAuth authenticator. // RegistrationEnabled returns whether registration is enabled for the OAuth authenticator.
func (p PlainOauthAuthenticator) RegistrationEnabled() bool { func (p PlainOauthAuthenticator) RegistrationEnabled() bool {
return p.registrationEnabled return p.registrationEnabled

6
internal/app/auth/auth_oidc.go
View File

@ -24,6 +24,7 @@ type OidcAuthenticator struct {
userAdminMapping *config.OauthAdminMapping userAdminMapping *config.OauthAdminMapping
registrationEnabled bool registrationEnabled bool
userInfoLogging bool userInfoLogging bool
allowedDomains []string
} }
func newOidcAuthenticator( func newOidcAuthenticator(
@ -57,6 +58,7 @@ func newOidcAuthenticator(
provider.userAdminMapping = &cfg.AdminMapping provider.userAdminMapping = &cfg.AdminMapping
provider.registrationEnabled = cfg.RegistrationEnabled provider.registrationEnabled = cfg.RegistrationEnabled
provider.userInfoLogging = cfg.LogUserInfo provider.userInfoLogging = cfg.LogUserInfo
provider.allowedDomains = cfg.AllowedDomains
return provider, nil return provider, nil
} }
@ -66,6 +68,10 @@ func (o OidcAuthenticator) GetName() string {
return o.name return o.name
} }
func (o OidcAuthenticator) GetAllowedDomains() []string {
return o.allowedDomains
}
// RegistrationEnabled returns whether registration is enabled for this authenticator. // RegistrationEnabled returns whether registration is enabled for this authenticator.
func (o OidcAuthenticator) RegistrationEnabled() bool { func (o OidcAuthenticator) RegistrationEnabled() bool {
return o.registrationEnabled return o.registrationEnabled

6
internal/config/auth.go
View File

@ -188,6 +188,9 @@ type OpenIDConnectProvider struct {
// ExtraScopes specifies optional requested permissions. // ExtraScopes specifies optional requested permissions.
ExtraScopes []string `yaml:"extra_scopes"` ExtraScopes []string `yaml:"extra_scopes"`
// AllowedDomains defines the list of allowed domains
AllowedDomains []string `yaml:"allowed_domains"`
// FieldMap is used to map the names of the user-info endpoint fields to wg-portal fields // FieldMap is used to map the names of the user-info endpoint fields to wg-portal fields
FieldMap OauthFields `yaml:"field_map"` FieldMap OauthFields `yaml:"field_map"`
@ -226,6 +229,9 @@ type OAuthProvider struct {
// Scope specifies optional requested permissions. // Scope specifies optional requested permissions.
Scopes []string `yaml:"scopes"` Scopes []string `yaml:"scopes"`
// AllowedDomains defines the list of allowed domains
AllowedDomains []string `yaml:"allowed_domains"`
// FieldMap is used to map the names of the user-info endpoint fields to wg-portal fields // FieldMap is used to map the names of the user-info endpoint fields to wg-portal fields
FieldMap OauthFields `yaml:"field_map"` FieldMap OauthFields `yaml:"field_map"`