1
0
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git synced 2025-03-17 21:17:53 +02:00

Streamline Google to use default Authorize

This commit is contained in:
Nick Meves 2020-09-26 19:24:06 -07:00
parent eb58ea2ed9
commit b92fd4b0bb
No known key found for this signature in database
GPG Key ID: 93BA8A3CEDCDD1CF
6 changed files with 40 additions and 44 deletions

View File

@ -6,6 +6,11 @@
- [#905](https://github.com/oauth2-proxy/oauth2-proxy/pull/905) Existing sessions from v6.0.0 or earlier are no longer valid. They will trigger a reauthentication.
- [#826](https://github.com/oauth2-proxy/oauth2-proxy/pull/826) `skip-auth-strip-headers` now applies to all requests, not just those where authentication would be skipped.
- [#797](https://github.com/oauth2-proxy/oauth2-proxy/pull/797) The behavior of the Google provider Groups restriction changes with this
- Either `--google-group` or the new `--allowed-group` will work for Google now (`--google-group` will be used it both are set)
- Group membership lists will be passed to the backend with the `X-Forwarded-Groups` header
- If you change the list of allowed groups, existing sessions that now don't have a valid group will be logged out immediately.
- Previously, group membership was only checked on session creation and refresh.
- [#789](https://github.com/oauth2-proxy/oauth2-proxy/pull/789) `--skip-auth-route` is (almost) backwards compatible with `--skip-auth-regex`
- We are marking `--skip-auth-regex` as DEPRECATED and will remove it in the next major version.
- If your regex contains an `=` and you want it for all methods, you will need to add a leading `=` (this is the area where `--skip-auth-regex` doesn't port perfectly)
@ -18,6 +23,9 @@
## Breaking Changes
- [#911](https://github.com/oauth2-proxy/oauth2-rpoxy/pull/911) Specifying a non-existent provider will cause OAuth2-Proxy to fail on startup instead of defaulting to "google".
- [#797](https://github.com/oauth2-proxy/oauth2-proxy/pull/797) Security changes to Google provider group authorization flow
- If you change the list of allowed groups, existing sessions that now don't have a valid group will be logged out immediately.
- Previously, group membership was only checked on session creation and refresh.
- [#722](https://github.com/oauth2-proxy/oauth2-proxy/pull/722) When a Redis session store is configured, OAuth2-Proxy will fail to start up unless connection and health checks to Redis pass
- [#800](https://github.com/oauth2-proxy/oauth2-proxy/pull/800) Fix import path for v7. The import path has changed to support the go get installation.
- You can now `go get github.com/oauth2-proxy/oauth2-proxy/v7` to get the latest `v7` version of OAuth2 Proxy
@ -40,6 +48,7 @@
- [#905](https://github.com/oauth2-proxy/oauth2-proxy/pull/905) Remove v5 legacy sessions support (@NickMeves)
- [#904](https://github.com/oauth2-proxy/oauth2-proxy/pull/904) Set `skip-auth-strip-headers` to `true` by default (@NickMeves)
- [#826](https://github.com/oauth2-proxy/oauth2-proxy/pull/826) Integrate new header injectors into project (@JoelSpeed)
- [#797](https://github.com/oauth2-proxy/oauth2-proxy/pull/797) Create universal Authorization behavior across providers (@NickMeves)
- [#898](https://github.com/oauth2-proxy/oauth2-proxy/pull/898) Migrate documentation to Docusaurus (@JoelSpeed)
- [#754](https://github.com/oauth2-proxy/oauth2-proxy/pull/754) Azure token refresh (@codablock)
- [#825](https://github.com/oauth2-proxy/oauth2-proxy/pull/825) Fix code coverage reporting on GitHub actions(@JoelSpeed)

View File

@ -1133,8 +1133,6 @@ func TestUserInfoEndpointAccepted(t *testing.T) {
Email: "john.doe@example.com", AccessToken: "my_access_token"}
err = test.SaveSession(startSession)
assert.NoError(t, err)
return
}
func TestUserInfoEndpointUnauthorizedOnNoCookieSetError(t *testing.T) {

View File

@ -257,7 +257,13 @@ func parseProviderInfo(o *options.Options, msgs []string) []string {
if err != nil {
msgs = append(msgs, "invalid Google credentials file: "+o.GoogleServiceAccountJSON)
} else {
p.SetGroupRestriction(o.GoogleGroups, o.GoogleAdminEmail, file)
groups := o.AllowedGroups
// Backwards compatibility with `--google-group` option
if len(o.GoogleGroups) > 0 {
groups = o.GoogleGroups
p.SetAllowedGroups(groups)
}
p.SetGroupRestriction(groups, o.GoogleAdminEmail, file)
}
}
case *providers.BitbucketProvider:

View File

@ -27,11 +27,14 @@ type GoogleProvider struct {
*ProviderData
RedeemRefreshURL *url.URL
// GroupValidator is a function that determines if the user in the passed
// session is a member of any of the configured Google groups.
GroupValidator func(*sessions.SessionState, bool) bool
allowedGroups map[string]struct{}
//
// This hits the Google API for each group, so it is called on Redeem &
// Refresh. `Authorize` uses the results of this saved in `session.Groups`
// Since it is called on every request.
GroupValidator func(*sessions.SessionState) bool
}
var _ Provider = (*GoogleProvider)(nil)
@ -89,7 +92,7 @@ func NewGoogleProvider(p *ProviderData) *GoogleProvider {
ProviderData: p,
// Set a default GroupValidator to just always return valid (true), it will
// be overwritten if we configured a Google group restriction.
GroupValidator: func(*sessions.SessionState, bool) bool {
GroupValidator: func(*sessions.SessionState) bool {
return true
},
}
@ -172,45 +175,27 @@ func (p *GoogleProvider) Redeem(ctx context.Context, redirectURL, code string) (
Email: c.Email,
User: c.Subject,
}
p.GroupValidator(s, true)
p.GroupValidator(s)
return s, nil
}
func (p *GoogleProvider) Authorize(ctx context.Context, s *sessions.SessionState) (bool, error) {
return p.GroupValidator(s, false), nil
}
// SetGroupRestriction configures the GoogleProvider to restrict access to the
// specified group(s). AdminEmail has to be an administrative email on the domain that is
// checked. CredentialsFile is the path to a json file containing a Google service
// account credentials.
func (p *GoogleProvider) SetGroupRestriction(groups []string, adminEmail string, credentialsReader io.Reader) {
adminService := getAdminService(adminEmail, credentialsReader)
for _, group := range groups {
p.allowedGroups[group] = struct{}{}
}
p.GroupValidator = func(s *sessions.SessionState, sync bool) bool {
if sync {
// Reset our saved Groups in case membership changed
s.Groups = make([]string, 0, len(groups))
for _, group := range groups {
if userInGroup(adminService, group, s.Email) {
s.Groups = append(s.Groups, group)
}
}
return len(s.Groups) > 0
}
// Don't resync with Google, handles when OAuth2-Proxy settings
// alter allowed groups but existing sessions are still valid
for _, group := range s.Groups {
if _, ok := p.allowedGroups[group]; ok {
return true
p.GroupValidator = func(s *sessions.SessionState) bool {
// Reset our saved Groups in case membership changed
// This is used by `Authorize` on every request
s.Groups = make([]string, 0, len(groups))
for _, group := range groups {
if userInGroup(adminService, group, s.Email) {
s.Groups = append(s.Groups, group)
}
}
return false
return len(s.Groups) > 0
}
}
@ -282,7 +267,7 @@ func (p *GoogleProvider) RefreshSessionIfNeeded(ctx context.Context, s *sessions
}
// re-check that the user is in the proper google group(s)
if !p.GroupValidator(s, true) {
if !p.GroupValidator(s) {
return false, fmt.Errorf("%s is no longer in the group(s)", s.Email)
}

View File

@ -10,7 +10,7 @@ import (
"net/url"
"testing"
"github.com/oauth2-proxy/oauth2-proxy/pkg/apis/sessions"
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/sessions"
. "github.com/onsi/gomega"
"github.com/stretchr/testify/assert"
admin "google.golang.org/api/admin/directory/v1"
@ -110,19 +110,19 @@ func TestGoogleProviderGetEmailAddress(t *testing.T) {
assert.Equal(t, "refresh12345", session.RefreshToken)
}
func TestGoogleProviderAuthorize(t *testing.T) {
func TestGoogleProviderGroupValidator(t *testing.T) {
const sessionEmail = "michael.bland@gsa.gov"
testCases := map[string]struct {
session *sessions.SessionState
validatorFunc func(*sessions.SessionState, bool) bool
validatorFunc func(*sessions.SessionState) bool
expectedAuthZ bool
}{
"Email is authorized with GroupValidator": {
session: &sessions.SessionState{
Email: sessionEmail,
},
validatorFunc: func(s *sessions.SessionState, _ bool) bool {
validatorFunc: func(s *sessions.SessionState) bool {
return s.Email == sessionEmail
},
expectedAuthZ: true,
@ -131,7 +131,7 @@ func TestGoogleProviderAuthorize(t *testing.T) {
session: &sessions.SessionState{
Email: sessionEmail,
},
validatorFunc: func(s *sessions.SessionState, _ bool) bool {
validatorFunc: func(s *sessions.SessionState) bool {
return s.Email != sessionEmail
},
expectedAuthZ: false,
@ -151,9 +151,7 @@ func TestGoogleProviderAuthorize(t *testing.T) {
if tc.validatorFunc != nil {
p.GroupValidator = tc.validatorFunc
}
authorized, err := p.Authorize(context.Background(), tc.session)
g.Expect(err).ToNot(HaveOccurred())
g.Expect(authorized).To(Equal(tc.expectedAuthZ))
g.Expect(p.GroupValidator(tc.session)).To(Equal(tc.expectedAuthZ))
})
}
}

View File

@ -52,7 +52,7 @@ func (p *ProviderData) GetClientSecret() (clientSecret string, err error) {
// SetAllowedGroups organizes a group list into the AllowedGroups map
// to be consumed by Authorize implementations
func (p *ProviderData) SetAllowedGroups(groups []string) {
p.AllowedGroups = map[string]struct{}{}
p.AllowedGroups = make(map[string]struct{}, len(groups))
for _, group := range groups {
p.AllowedGroups[group] = struct{}{}
}