author | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2019-09-24 13:12:11 +0300 |
---|---|---|
committer | Grzegorz Bizon <grzesiek.bizon@gmail.com> | 2019-09-24 13:17:46 +0300 |
commit | 83376dd5016d918e579342d935c18ad2002c1dca (patch) | |
tree | 004ab0eb1579570618bf8721a183e5e3001a5038 /internal/auth | |
parent | 602eb300822f23e65c8e961111d8b16096158285 (diff) |
Encapsulate groups config in the source package
Diffstat (limited to 'internal/auth')
-rw-r--r-- | internal/auth/auth.go | 24 | ||||
-rw-r--r-- | internal/auth/auth_test.go | 11 |
2 files changed, 17 insertions, 18 deletions
diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 154d86da..95a26250 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -11,7 +11,6 @@ import (
 "net/http"
 "net/url"
 "strings"
- "sync"
 "time"
 "github.com/gorilla/securecookie"
@@ -22,7 +21,7 @@ import (
 "gitlab.com/gitlab-org/gitlab-pages/internal/httperrors"
 "gitlab.com/gitlab-org/gitlab-pages/internal/httptransport"
 "gitlab.com/gitlab-org/gitlab-pages/internal/request"
- "gitlab.com/gitlab-org/gitlab-pages/internal/source/dirs"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/source"
 "golang.org/x/crypto/hkdf"
 )
@@ -108,7 +107,7 @@ func (a *Auth) checkSession(w http.ResponseWriter, r *http.Request) (*sessions.S
 }
 // TryAuthenticate tries to authenticate user and fetch access token if request is a callback to auth
-func (a *Auth) TryAuthenticate(w http.ResponseWriter, r *http.Request, dm dirs.Map, lock *sync.RWMutex) bool {
+func (a *Auth) TryAuthenticate(w http.ResponseWriter, r *http.Request, domains *source.Domains) bool {
 if a == nil {
 return false
@@ -126,7 +125,7 @@ func (a *Auth) TryAuthenticate(w http.ResponseWriter, r *http.Request, dm dirs.M
 logRequest(r).Info("Receive OAuth authentication callback")
- if a.handleProxyingAuth(session, w, r, dm, lock) {
+ if a.handleProxyingAuth(session, w, r, domains) {
 return true
 }
@@ -200,16 +199,17 @@ func (a *Auth) checkAuthenticationResponse(session *sessions.Session, w http.Res
 http.Redirect(w, r, redirectURI, 302)
 }
-func (a *Auth) domainAllowed(domain string, dm dirs.Map, lock *sync.RWMutex) bool {
- lock.RLock()
- defer lock.RUnlock()
+func (a *Auth) domainAllowed(domain string, domains *source.Domains) bool {
+ domainConfigured := (domain == a.pagesDomain) || strings.HasSuffix("."+domain, a.pagesDomain)
- domain = strings.ToLower(domain)
- _, present := dm[domain]
- return domain == a.pagesDomain || strings.HasSuffix("."+domain, a.pagesDomain) || present
+ if domainConfigured {
+ return true
+ }
+
+ return domains.HasDomain(domain)
 }
-func (a *Auth) handleProxyingAuth(session *sessions.Session, w http.ResponseWriter, r *http.Request, dm dirs.Map, lock *sync.RWMutex) bool {
+func (a *Auth) handleProxyingAuth(session *sessions.Session, w http.ResponseWriter, r *http.Request, domains *source.Domains) bool {
 // If request is for authenticating via custom domain
 if shouldProxyAuth(r) {
 domain := r.URL.Query().Get("domain")
@@ -228,7 +228,7 @@ func (a *Auth) handleProxyingAuth(session *sessions.Session, w http.ResponseWrit
 host = proxyurl.Host
 }
- if !a.domainAllowed(host, dm, lock) {
+ if !a.domainAllowed(host, domains) {
 logRequest(r).WithField("domain", host).Warn("Domain is not configured")
 httperrors.Serve401(w)
 return true
diff --git a/internal/auth/auth_test.go b/internal/auth/auth_test.go
index 8102a5d1..e8ff5e94 100644
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -5,14 +5,13 @@ import (
 "net/http"
 "net/http/httptest"
 "net/url"
- "sync"
 "testing"
 "github.com/gorilla/sessions"
 "github.com/stretchr/testify/require"
 "gitlab.com/gitlab-org/gitlab-pages/internal/request"
- "gitlab.com/gitlab-org/gitlab-pages/internal/source/dirs"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/source"
 )
 func createAuth(t *testing.T) *Auth {
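Review bot: The rewritten domainAllowed drops the `domain = strings.ToLower(domain)` normalisation the old body applied before both the pagesDomain comparison and the map lookup, so the value — which originates from the user-supplied `domain` query parameter or the proxy URL host a few lines below — is now compared case-sensitively against a.pagesDomain and handed as-is to domains.HasDomain. Unless source.Domains lowercases on its own (not visible here), a mixed-case host that was accepted before now takes the 401 path; that is fail-closed, but a silent behaviour change that no test in this commit covers, and restoring `domain = strings.ToLower(domain)` as the first line of domainAllowed keeps both checks on the same footing. The two halves of domainConfigured also disagree about whether a.pagesDomain carries a leading dot: `domain == a.pagesDomain` only ever matches without one, while `strings.HasSuffix("."+domain, a.pagesDomain)` only enforces a label boundary with one and otherwise accepts any host whose name merely ends in the pagesDomain string. A one-line comment stating the expected form of a.pagesDomain, or normalising it once where Auth is constructed, would make that intent checkable and let a unit test for domainAllowed pin the boundary case.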
@@ -55,7 +54,7 @@ func TestTryAuthenticate(t *testing.T) {
 require.NoError(t, err)
 r := request.WithHTTPSFlag(&http.Request{URL: reqURL}, true)
- require.Equal(t, false, auth.TryAuthenticate(result, r, make(dirs.Map), &sync.RWMutex{}))
+ require.Equal(t, false, auth.TryAuthenticate(result, r, new(source.Domains)))
 }
 func TestTryAuthenticateWithError(t *testing.T) {
@@ -66,7 +65,7 @@ func TestTryAuthenticateWithError(t *testing.T) {
 require.NoError(t, err)
 r := request.WithHTTPSFlag(&http.Request{URL: reqURL}, true)
- require.Equal(t, true, auth.TryAuthenticate(result, r, make(dirs.Map), &sync.RWMutex{}))
+ require.Equal(t, true, auth.TryAuthenticate(result, r, new(source.Domains)))
 require.Equal(t, 401, result.Code)
 }
@@ -83,7 +82,7 @@ func TestTryAuthenticateWithCodeButInvalidState(t *testing.T) {
 session.Values["state"] = "state"
 session.Save(r, result)
- require.Equal(t, true, auth.TryAuthenticate(result, r, make(dirs.Map), &sync.RWMutex{}))
+ require.Equal(t, true, auth.TryAuthenticate(result, r, new(source.Domains)))
 require.Equal(t, 401, result.Code)
 }
@@ -123,7 +122,7 @@ func testTryAuthenticateWithCodeAndState(t *testing.T, https bool) {
 })
 result := httptest.NewRecorder()
- require.Equal(t, true, auth.TryAuthenticate(result, r, make(dirs.Map), &sync.RWMutex{}))
+ require.Equal(t, true, auth.TryAuthenticate(result, r, new(source.Domains)))
 require.Equal(t, 302, result.Code)
 require.Equal(t, "https://pages.gitlab-example.com/project/", result.Header().Get("Location"))
 require.Equal(t, 600, result.Result().Cookies()[0].MaxAge)