

Allow grouping of tokens for simpler ACL
Signed-off-by: Knut Ahlers <knut@ahlers.me>
Luzifer committed Feb 4, 2018
1 parent 07062c3 commit 64bf3d1
Showing 3 changed files with 29 additions and 6 deletions.
6 changes: 5 additions & 1 deletion README.md
Expand Up @@ -180,9 +180,13 @@ providers:
tokens:
tokenname: "MYTOKEN"
mycli: "kQHjQLuQdkSPwdJ1mueniLMPSjCc6GVt"

# Groupname to token mapping
groups:
mytokengroup: ["tokenname"]
```

This provider does not support grouping: Each token needs to be white-listed explicitly. When accessing the sites using a token this header is expected:
When accessing the sites using a token this header is expected:

`Authorization: Token MYTOKEN`

23 changes: 19 additions & 4 deletions auth_token.go
Expand Up @@ -4,6 +4,8 @@ import (
"net/http"
"strings"

"github.com/Luzifer/go_helpers/str"

yaml "gopkg.in/yaml.v2"
)

Expand All @@ -12,7 +14,8 @@ func init() {
}

type authToken struct {
Tokens map[string]string `yaml:"tokens"`
Tokens map[string]string `yaml:"tokens"`
Groups map[string][]string `yaml:"groups"`
}

// AuthenticatorID needs to return an unique string to identify
Expand Down Expand Up @@ -57,13 +60,25 @@ func (a authToken) DetectUser(res http.ResponseWriter, r *http.Request) (string,
tmp := strings.SplitN(authHeader, " ", 2)
suppliedToken := tmp[1]

for user, token := range a.Tokens {
var user, token string
for user, token = range a.Tokens {
if token == suppliedToken {
return user, nil, nil
break
}
}

if user == "" {
return "", nil, errNoValidUserFound
}

groups := []string{}
for group, users := range a.Groups {
if str.StringInSlice(user, users) {
groups = append(groups, group)
}
}

return "", nil, errNoValidUserFound
return user, groups, nil
}

// Login is called when the user submits the login form and needs
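Review bot: A token that matches nothing is still accepted as a user in the DetectUser hunk: `user` is the loop variable of `for user, token = range a.Tokens`, so after a full pass with no match it holds whichever key the map iterated last, and the `if user == ""` guard only fires for an empty token map — the request is then authenticated as that user together with its groups. Keep the loop variables local to the loop and set the result only on a match: `var user string`, `for name, token := range a.Tokens {`, and `user = name` immediately before the `break`. The comparison `token == suppliedToken` is also not constant-time; `subtle.ConstantTimeCompare` on the byte forms is the conventional choice when comparing secrets, though that pattern predates this commit. DetectUser's body starts before the hunk, so whatever guards the `tmp[1]` access on a header without a space is not visible here.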
6 changes: 5 additions & 1 deletion config.yaml
Expand Up @@ -43,12 +43,16 @@ providers:
admins: ["luzifer"]

# Authentication against embedded token directory
# Supports: Users
# Supports: Users, Groups
token:
# Mapping of unique token names to the token
tokens:
tokenname: "MYTOKEN"

# Groupname to token mapping
groups:
mytokengroup: ["tokenname"]

# Authentication against Yubikey cloud validation servers
# Supports: Users, Groups
yubikey:

