Commit
7fec26e6
authored
Nov 16, 2018
by
ale
Allow enabling keystore on a group basis
Using the new configuration variable 'keystore_enable_groups'.
parent
bad3b6bd
Pipeline
#1568
passed with stages
in 1 minute and 29 seconds
Showing
2 changed files
with
43 additions
and
13 deletions
+43
-13
server/config.go
server/config.go
+1
-0
server/http.go
server/http.go
+42
-13
server/config.go
...
...
@@ -38,6 +38,7 @@ type Config struct {
URLPrefix
string
`yaml:"url_path_prefix"`
DeviceManager
*
device
.
Config
`yaml:"device_manager"`
KeyStore
*
clientutil
.
BackendConfig
`yaml:"keystore"`
KeyStoreEnableGroups
[]
string
`yaml:"keystore_enable_groups"`
allowedServicesRx
[]
*
regexp
.
Regexp
}
...
...
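Review bot: The new KeyStoreEnableGroups field carries no comment, and its empty-value semantics are not obvious from the struct alone: an empty list does not disable the keystore, it leaves unlocking enabled for every authenticated user (that follows from the `len(h.keystoreGroups) > 0` check in server/http.go in this same commit). Suggest adding above the field `// KeyStoreEnableGroups restricts keystore unlocking to members of these groups; an empty list means every user.` so the fail-open default is visible where the option is declared. The Config struct starts outside the hunk.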
server/http.go
...
...
@@ -4,6 +4,7 @@ package server
//go:generate go-bindata --nocompress --pkg server static/... templates/...
import
(
"context"
"encoding/gob"
"encoding/json"
"fmt"
...
...
@@ -88,6 +89,7 @@ type Server struct {
loginHandler
*
loginHandler
loginService
*
LoginService
keystore
ksclient
.
Client
keystoreGroups
[]
string
csrfSecret
[]
byte
tpl
*
template
.
Template
urlPrefix
string
...
...
@@ -134,6 +136,7 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
}
log
.
Printf
(
"keystore client enabled"
)
s
.
keystore
=
ks
s
.
keystoreGroups
=
config
.
KeyStoreEnableGroups
}
devMgr
,
err
:=
device
.
New
(
config
.
DeviceManager
)
...
...
@@ -145,25 +148,51 @@ func New(loginService *LoginService, authClient authclient.Client, config *Confi
return
s
,
nil
}
func
inAnyGroups
(
groups
,
ref
[]
string
)
bool
{
for
_
,
rr
:=
range
ref
{
for
_
,
gg
:=
range
groups
{
if
gg
==
rr
{
return
true
}
}
}
return
false
}
// We unlock the keystore if the following conditions are met:
// keystore_enable_groups is set, userinfo is not nil, and the groups match.
func
(
h
*
Server
)
maybeUnlockKeystore
(
ctx
context
.
Context
,
username
,
password
string
,
userinfo
*
auth
.
UserInfo
)
(
bool
,
error
)
{
if
h
.
keystore
==
nil
{
return
false
,
nil
}
var
shard
string
if
len
(
h
.
keystoreGroups
)
>
0
{
if
userinfo
==
nil
{
return
false
,
nil
}
if
!
inAnyGroups
(
userinfo
.
Groups
,
h
.
keystoreGroups
)
{
return
false
,
nil
}
shard
=
userinfo
.
Shard
}
return
true
,
h
.
keystore
.
Open
(
ctx
,
shard
,
username
,
password
,
int
(
h
.
authSessionLifetime
.
Seconds
()))
}
func
(
h
*
Server
)
loginCallback
(
w
http
.
ResponseWriter
,
req
*
http
.
Request
,
username
,
password
string
,
userinfo
*
auth
.
UserInfo
)
error
{
// Open the keystore for this user with the password used to
// authenticate. Set the TTL to the duration of the
// authenticated session.
var
kmsg
string
if
h
.
keystore
!=
nil
{
var
shard
string
if
userinfo
!=
nil
{
shard
=
userinfo
.
Shard
kmsg
=
fmt
.
Sprintf
(
" (unlocked key on shard %s)"
,
shard
)
}
else
{
kmsg
=
" (unlocked key)"
}
if
err
:=
h
.
keystore
.
Open
(
req
.
Context
(),
shard
,
username
,
password
,
int
(
h
.
authSessionLifetime
.
Seconds
()));
err
!=
nil
{
log
.
Printf
(
"failed to unlock keystore for user %s: %v"
,
username
,
err
)
return
err
}
decrypted
,
err
:=
h
.
maybeUnlockKeystore
(
req
.
Context
(),
username
,
password
,
userinfo
)
if
err
!=
nil
{
log
.
Printf
(
"failed to unlock keystore for user %s: %v"
,
username
,
err
)
return
err
}
var
kmsg
string
if
decrypted
{
kmsg
=
" (key unlocked)"
}
log
.
Printf
(
"successful login for user %s%s"
,
username
,
kmsg
)
// Create cookie-based session for the authenticated user.
...
...
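Review bot: The comment above maybeUnlockKeystore describes only the group-restricted path, but the function also opens the keystore when keystoreGroups is empty, for any user and with shard `""`; the comment should state that, e.g. `// If keystore_enable_groups is empty, the keystore is unlocked for every user.` Returning `true` together with a non-nil error from Open blurs what the bool means; returning `false, err` on failure and `true, nil` on success keeps the result unambiguous (loginCallback checks err first, so this is a contract point rather than a bug). The rewrite of loginCallback also drops the shard from the success log line (the removed text formatted ` (unlocked key on shard %s)`), which may be worth keeping so unlocks can still be traced per shard. loginCallback continues outside the hunk.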