mirror of
https://github.com/oauth2-proxy/oauth2-proxy.git
synced 2024-11-24 08:52:25 +02:00
42475c28f7
* Initial commit of multiple provider logic: 1. Created new provider options. 2. Created legacy provider options and conversion options. 3. Added Providers to alpha Options. 4. Started Validation migration of multiple providers 5. Tests. * fixed lint issues * additional lint fixes * Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options * fixed typo * removed weird : file * small CR changes * Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG * Update pkg/apis/options/providers.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/apis/options/providers.go Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> * Update pkg/apis/options/providers.go Co-authored-by: Nick Meves <nick.meves@greenhouse.io> * Initial commit of multiple provider logic: 1. Created new provider options. 2. Created legacy provider options and conversion options. 3. Added Providers to alpha Options. 4. Started Validation migration of multiple providers 5. Tests. * fixed lint issues * additional lint fixes * Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options * small CR changes * auto generates alpha_config.md * rebase (mainly service alpha options related conflicts) * removed : * Nits and alterations based on CR: manliy splitting large providers validation function and adding comments to provider options * small CR changes * Removed GoogleGroups validation due to new allowed-groups (including tests). Added line in CHANGELOG * "cntd. rebase" * ran make generate again * last conflicts * removed duplicate client id validation * 1. Removed provider prefixes 2. altered optionsWithNilProvider logic 3. altered default provider logic 4. moved change in CHANELOG to 7.0.0 * fixed TestGoogleGroupOptions test * ran make generate * moved CHANGLOG line to 7.1.1 * moved changelog comment to 7.1.2 (additional rebase) Co-authored-by: Yana Segal <yana.segal@nielsen.com> Co-authored-by: Joel Speed <Joel.speed@hotmail.co.uk> Co-authored-by: Nick Meves <nick.meves@greenhouse.io>
84 lines
2.5 KiB
Go
84 lines
2.5 KiB
Go
package validation
|
|
|
|
import (
|
|
"fmt"
|
|
"io/ioutil"
|
|
|
|
"github.com/oauth2-proxy/oauth2-proxy/v7/pkg/apis/options"
|
|
)
|
|
|
|
// validateProviders is the initial validation migration for multiple providrers
|
|
// It currently includes only logic that can verify the providers one by one and does not break the valdation pipe
|
|
func validateProviders(o *options.Options) []string {
|
|
msgs := []string{}
|
|
|
|
// validate general multiple provider configuration
|
|
if len(o.Providers) == 0 {
|
|
msgs = append(msgs, "at least one provider has to be defined")
|
|
}
|
|
if o.SkipProviderButton && len(o.Providers) > 1 {
|
|
msgs = append(msgs, "SkipProviderButton and multiple providers are mutually exclusive")
|
|
}
|
|
|
|
providerIDs := make(map[string]struct{})
|
|
|
|
for _, provider := range o.Providers {
|
|
msgs = append(msgs, validateProvider(provider, providerIDs)...)
|
|
}
|
|
|
|
return msgs
|
|
}
|
|
|
|
func validateProvider(provider options.Provider, providerIDs map[string]struct{}) []string {
|
|
msgs := []string{}
|
|
|
|
if provider.ID == "" {
|
|
msgs = append(msgs, "provider has empty id: ids are required for all providers")
|
|
}
|
|
|
|
// Ensure provider IDs are unique
|
|
if _, ok := providerIDs[provider.ID]; ok {
|
|
msgs = append(msgs, fmt.Sprintf("multiple providers found with id %s: provider ids must be unique", provider.ID))
|
|
}
|
|
providerIDs[provider.ID] = struct{}{}
|
|
|
|
if provider.ClientID == "" {
|
|
msgs = append(msgs, "provider missing setting: client-id")
|
|
}
|
|
|
|
// login.gov uses a signed JWT to authenticate, not a client-secret
|
|
if provider.Type != "login.gov" {
|
|
if provider.ClientSecret == "" && provider.ClientSecretFile == "" {
|
|
msgs = append(msgs, "missing setting: client-secret or client-secret-file")
|
|
}
|
|
if provider.ClientSecret == "" && provider.ClientSecretFile != "" {
|
|
_, err := ioutil.ReadFile(provider.ClientSecretFile)
|
|
if err != nil {
|
|
msgs = append(msgs, "could not read client secret file: "+provider.ClientSecretFile)
|
|
}
|
|
}
|
|
}
|
|
|
|
msgs = append(msgs, validateGoogleConfig(provider)...)
|
|
|
|
return msgs
|
|
}
|
|
|
|
func validateGoogleConfig(provider options.Provider) []string {
|
|
msgs := []string{}
|
|
if len(provider.GoogleConfig.Groups) > 0 ||
|
|
provider.GoogleConfig.AdminEmail != "" ||
|
|
provider.GoogleConfig.ServiceAccountJSON != "" {
|
|
if len(provider.GoogleConfig.Groups) < 1 {
|
|
msgs = append(msgs, "missing setting: google-group")
|
|
}
|
|
if provider.GoogleConfig.AdminEmail == "" {
|
|
msgs = append(msgs, "missing setting: google-admin-email")
|
|
}
|
|
if provider.GoogleConfig.ServiceAccountJSON == "" {
|
|
msgs = append(msgs, "missing setting: google-service-account-json")
|
|
}
|
|
}
|
|
return msgs
|
|
}
|