Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 42 additions & 0 deletions backend/helpers/oidchelper/authorization.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,42 @@
/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package oidchelper

import "strings"

func (c *Config) IsUserAllowed(email string) bool {
if len(c.AllowEmails) == 0 &&
len(c.AllowDomains) == 0 {
return true
}

email = strings.ToLower(strings.TrimSpace(email))

if _, ok := c.AllowEmails[email]; ok {
return true
}

_, domain, ok := strings.Cut(email, "@")
if ok {
if _, ok := c.AllowDomains[domain]; ok {
return true
}
}

return false
}
119 changes: 119 additions & 0 deletions backend/helpers/oidchelper/authorization_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,119 @@
/*
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package oidchelper

import "testing"

func TestIsUserAllowed(t *testing.T) {
cases := []struct {
name string
cfg Config
email string
want bool
}{
{
name: "no restrictions",
cfg: Config{},
email: "user@example.com",
want: true,
},
{
name: "allowed email",
cfg: Config{
AllowEmails: map[string]struct{}{
"user@example.com": {},
},
},
email: "user@example.com",
want: true,
},
{
name: "blocked email",
cfg: Config{
AllowEmails: map[string]struct{}{
"user@example.com": {},
},
},
email: "other@example.com",
want: false,
},
{
name: "allowed domain",
cfg: Config{
AllowDomains: map[string]struct{}{
"example.com": {},
},
},
email: "user@example.com",
want: true,
},
{
name: "blocked domain",
cfg: Config{
AllowDomains: map[string]struct{}{
"example.com": {},
},
},
email: "user@other.com",
want: false,
},
{
name: "email case insensitive",
cfg: Config{
AllowEmails: map[string]struct{}{
"user@example.com": {},
},
},
email: "USER@example.com",
want: true,
},
{
name: "domain case insensitive",
cfg: Config{
AllowDomains: map[string]struct{}{
"example.com": {},
},
},
email: "user@EXAMPLE.COM",
want: true,
},
{
name: "invalid email",
cfg: Config{
AllowDomains: map[string]struct{}{
"example.com": {},
},
},
email: "not-an-email",
want: false,
},
}

for _, tc := range cases {
t.Run(tc.name, func(t *testing.T) {
if got := tc.cfg.IsUserAllowed(tc.email); got != tc.want {
t.Errorf(
"IsUserAllowed(%q) = %v, want %v",
tc.email,
got,
tc.want,
)
}
})
}
}
24 changes: 24 additions & 0 deletions backend/helpers/oidchelper/config.go
Original file line number Diff line number Diff line change
Expand Up @@ -67,6 +67,11 @@ type Config struct {
Providers map[string]*ProviderConfig
LogoutRedirect bool

// Optional OIDC authorization restrictions.
// Empty means no restriction.
AllowEmails map[string]struct{}
AllowDomains map[string]struct{}

SessionSecret []byte
SessionTTL time.Duration

Expand Down Expand Up @@ -136,6 +141,8 @@ func LoadConfig(basicRes context.BasicRes) (*Config, error) {
SessionTTL: ttl,
CookieDomain: strings.TrimSpace(cfg.GetString("COOKIE_DOMAIN")),
CookieSecure: cookieSecure,
AllowEmails: parseStringSet(cfg.GetString("OIDC_ALLOW_EMAILS")),
AllowDomains: parseStringSet(cfg.GetString("OIDC_ALLOW_DOMAINS")),
}

if !out.OIDCEnabled {
Expand Down Expand Up @@ -205,6 +212,23 @@ func parseProviderNames(raw string) []string {
seen[n] = struct{}{}
out = append(out, n)
}

return out
}

func parseStringSet(raw string) map[string]struct{} {
out := make(map[string]struct{})

for _, v := range strings.Split(raw, ",") {
v = strings.ToLower(strings.TrimSpace(v))

if v == "" {
continue
}

out[v] = struct{}{}
}

return out
}

Expand Down
6 changes: 6 additions & 0 deletions backend/server/api/auth/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -308,6 +308,12 @@ func (s *Service) Callback(c *gin.Context) {
fail(c, http.StatusBadGateway, "extract claims", err)
return
}

if !s.cfg.IsUserAllowed(email) {
fail(c, http.StatusForbidden, "user is not allowed", nil)
return
}

jti := uuid.NewString()
jwt, expiresAt, err := oidchelper.IssueSession(s.cfg, jti, state.Provider, sub, email, name)
if err != nil {
Expand Down
4 changes: 4 additions & 0 deletions env.example
Original file line number Diff line number Diff line change
Expand Up @@ -162,3 +162,7 @@ SESSION_TTL=8h
COOKIE_DOMAIN=
# Set to false ONLY for local HTTP development.
COOKIE_SECURE=true

# Restrict OIDC logins to specific users or domains (comma-separated, case-insensitive)
OIDC_ALLOW_EMAILS=
OIDC_ALLOW_DOMAINS=
Loading