feat: Add way to forbid an oidc authorization access item in list

oxyno-zeta committed Aug 16, 2024
1 parent 8ad1850 commit 099c26a
Showing 5 changed files with 89 additions and 12 deletions.
11 changes: 6 additions & 5 deletions docs/configuration/structure.md
Expand Up @@ -424,11 +424,12 @@ This authentication method should be used only with a software like [Oauth2-prox

## HeaderOIDCAuthorizationAccesses

| Key | Type | Required | Default | Description |
| ------ | ------- | ---------------------- | ------- | ---------------------------------------------- |
| group | String | Required without email | None | Group name |
| email | String | Required without group | None | Email |
| regexp | Boolean | No | `false` | Consider group or email as regexp for matching |
| Key | Type | Required | Default | Description |
| --------- | ------- | ---------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| group | String | Required without email | None | Group name |
| email | String | Required without group | None | Email |
| regexp | Boolean | No | `false` | Consider group or email as regexp for matching |
| forbidden | Boolean | No | `false` | This will consider anything matching group or email as a forbidden matching (regex enabled or not). This have been done because there isn't way to do a negative match on regex. |

## ResourceBasic

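Review bot: the `forbidden` description has grammar problems ("This have been done", "there isn't way") and omits the detail a reader needs most: accesses are evaluated in list order and the first matching entry decides, so a forbidden entry only takes effect when it is listed before any permissive entry that would also match the same user. Suggested wording: "Treat anything matching group or email (regexp enabled or not) as forbidden. Entries are evaluated in order and the first match wins, so place forbidden entries before permissive ones. Added because a regexp cannot express a negative match."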
39 changes: 39 additions & 0 deletions docs/feature-guide/authorization-accesses.md
Expand Up @@ -156,3 +156,42 @@ Accesses will be:
- Jean Dupont: authorized
- Astérix: authorized
- Obélix: forbidden

### Forbidden case

<!-- prettier-ignore-start -->
!!! note

This have been done because there isn't any way of doing a negative match on regex. The only way is to match a regex with a forbidden flag enabled.
<!-- prettier-ignore-end -->

Example of authorization accesses configuration:

```yaml
targets:
target1:
resources:
- path: /*
provider: provider1
oidc:
authorizationAccesses:
- email: [email protected]
regex: true
forbidden: true
- email: .*@fake.com
regex: true
bucket:
...
```

We consider those users:

- Jean Dupont with `[email protected]` email
- Astérix with `[email protected]` email
- Obélix with `[email protected]` email

Accesses will be:

- Jean Dupont: authorized
- Astérix: forbidden because it is marked as forbidden and it is the first in the list
- Obélix: forbidden
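Review bot: the YAML example sets `regex: true` on both entries, but the configuration key documented in structure.md and bound in config.go is `regexp` (`mapstructure:"regexp"`), so as written the flag is never applied and `.*@fake.com` would be compared as a literal email address rather than a pattern. Change both occurrences to `regexp: true`. The note block also needs a grammar fix: "This have been done because there isn't any way of doing" should read "This has been done because there is no way of doing".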
8 changes: 4 additions & 4 deletions pkg/s3-proxy/authx/authorization/header-oidc.go
Expand Up @@ -21,27 +21,27 @@ func isHeaderOIDCAuthorizedBasic(groups []string, email string, authorizationAcc
for _, grp := range groups {
// Try matching for group regexp
if item.GroupRegexp.MatchString(grp) {
return true
return !item.Forbidden
}
}
}

// Check email case
if item.Email != "" && item.EmailRegexp.MatchString(email) {
return true
return !item.Forbidden
}
} else {
// Not a regex case
// Check group case
if item.Group != "" {
result := funk.Contains(groups, item.Group)
if result {
return true
return !item.Forbidden
}
}
// Check email case
if item.Email != "" && item.Email == email {
return true
return !item.Forbidden
}
}
}
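Review bot: `return !item.Forbidden` preserves the existing first-match-wins evaluation, which means a forbidden entry is silently ineffective whenever a permissive entry earlier in the list matches the same user, and nothing in this hunk or in config loading warns about that ordering. Either document the ordering requirement next to the `Forbidden` field and in the feature guide, or evaluate all forbidden entries before any permissive ones so a deny can never be shadowed by list position; the second option is the safer default for an authorization check.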
36 changes: 36 additions & 0 deletions pkg/s3-proxy/authx/authorization/header-oidc_test.go
Expand Up @@ -176,6 +176,42 @@ func Test_isHeaderOIDCAuthorizedBasic(t *testing.T) {
},
want: true,
},
{
name: "should be forbidden if email regexp is matching but forbidden",
args: args{
groups: make([]string, 0),
email: "[email protected]",
authorizationAccesses: []*config.HeaderOIDCAuthorizationAccess{
{
Regexp: true,
Email: ".*@valid.test",
EmailRegexp: regexp.MustCompile(".*@valid.test"),
Forbidden: true,
},
},
},
want: false,
},
{
name: "should be forbidden if email regexp is matching but forbidden but second have ok for groups",
args: args{
groups: []string{"grp1"},
email: "[email protected]",
authorizationAccesses: []*config.HeaderOIDCAuthorizationAccess{
{
Regexp: true,
Email: ".*@valid.test",
EmailRegexp: regexp.MustCompile(".*@valid.test"),
Forbidden: true,
},
{
Regexp: true,
Group: "grp1",
},
},
},
want: false,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
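Review bot: both new cases exercise only the `Regexp: true` path; the non-regexp branches that now return `!item.Forbidden` on an exact `Group` or `Email` match have no coverage, and there is no case with a permissive entry listed before a forbidden one to pin down the first-match ordering that the second case relies on. Add those cases. The second case name also reads awkwardly ("but second have ok for groups"); suggest "should be forbidden when a matching forbidden entry precedes a matching group entry".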
7 changes: 4 additions & 3 deletions pkg/s3-proxy/config/config.go
Expand Up @@ -210,9 +210,10 @@ type OIDCAuthConfig struct {
type HeaderOIDCAuthorizationAccess struct {
GroupRegexp *regexp.Regexp `json:"-"`
EmailRegexp *regexp.Regexp `json:"-"`
Group string `json:"group" mapstructure:"group" validate:"required_without=Email"`
Email string `json:"email" mapstructure:"email" validate:"required_without=Group"`
Regexp bool `json:"regexp" mapstructure:"regexp"`
Group string `json:"group" mapstructure:"group" validate:"required_without=Email"`
Email string `json:"email" mapstructure:"email" validate:"required_without=Group"`
Regexp bool `json:"regexp" mapstructure:"regexp"`
Forbidden bool `json:"forbidden" mapstructure:"forbidden"`
}

// BasicAuthConfig Basic auth configurations.
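Review bot: the new `Forbidden` field has no comment, so the only place its semantics are described is structure.md; add a field comment stating that it inverts the result of a matching entry and that entries are evaluated in order with the first match winning. The `json`/`mapstructure` tags are consistent with the sibling fields, so no change needed there.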

0 comments on commit 099c26a