Extend email-domain validation with sub-domain capability (#1233)

* Extend email-domain validation with sub-domain capability

* Adding the CHANGELOG entry

* Fixing lint erros

* Fixing lint erros

* Renamed the emailDomains to allowedDomains, plus tests

* Bringing together all basic test-cases

* Fixing unit tests

* Add unit tests to validate additional vulnerability concerns

validator.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	"encoding/csv"
-	"fmt"
 	"io"
 	"os"
 	"strings"
@@ -83,7 +82,7 @@ func newValidatorImpl(domains []string, usersFile string,
 			allowAll = true
 			continue
 		}
-		domains[i] = fmt.Sprintf("@%s", strings.ToLower(domain))
+		domains[i] = strings.ToLower(domain)
 	}
 
 	validator := func(email string) (valid bool) {
@@ -91,9 +90,7 @@ func newValidatorImpl(domains []string, usersFile string,
 			return
 		}
 		email = strings.ToLower(email)
-		for _, domain := range domains {
-			valid = valid || strings.HasSuffix(email, domain)
-		}
+		valid = isEmailValidWithDomains(email, domains)
 		if !valid {
 			valid = validUsers.IsValid(email)
 		}
@@ -109,3 +106,21 @@ func newValidatorImpl(domains []string, usersFile string,
 func NewValidator(domains []string, usersFile string) func(string) bool {
 	return newValidatorImpl(domains, usersFile, nil, func() {})
 }
+
+// isEmailValidWithDomains checks if the authenticated email is validated against the provided domain
+func isEmailValidWithDomains(email string, allowedDomains []string) bool {
+	for _, domain := range allowedDomains {
+		// allow if the domain is perfect suffix match with the email
+		if strings.HasSuffix(email, "@"+domain) {
+			return true
+		}
+
+		// allow if the domain is prefixed with . and
+		// the last element (split on @) has the suffix as the domain
+		atoms := strings.Split(email, "@")
+		if strings.HasPrefix(domain, ".") && strings.HasSuffix(atoms[len(atoms)-1], domain) {
+			return true
+		}
+	}
+	return false
+}