authz: add ability to require specific group

2023-03-08 14:32:46 +00:00 · 2023-03-08 14:32:46 +00:00 · 15eece9f46
parent 20f0f6c047
commit 15eece9f46
2 changed files with 30 additions and 7 deletions
--- a/default.nix
+++ b/default.nix
@ -5,7 +5,7 @@ buildGoModule rec {

  src = ./.;

-  vendorSha256 = "sha256-fskmRb9zXLGkL0sJ4P1/sNjzZkUZhAguOCSN1etQ2tU=";
+  vendorSha256 = "sha256-yJHwZLNlZHB9Jo+Xo9c1wy00faiY4oURyYbhNx3yMK8=";

  meta = with lib; {
    description = "Simple distributed authentication system";
--- a/internal/webui/pg_auth.go
+++ b/internal/webui/pg_auth.go
@ -13,17 +13,40 @@ func (s *Service) authGet(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	headers := w.Header()
-	headers.Add("X-Webauth-UserID", tok.Subject())
-	headers.Add("X-Webauth-User", tok.PreferredUsername())
-	headers.Add("X-Webauth-Email", tok.Email())
+	if err := r.ParseForm(); err != nil {
+		zap.S().Errorf("Error parsing request parameters: %v", err)
+		s.renderBadRequest(w, r)
+		return
+	}

 	groups, err := getTokenGroupIDs(tok)
 	if err != nil {
 		zap.S().Errorf("Error getting groups from token: %v", err)
-	} else {
-		headers["X-Webauth-Groups"] = groups
+		s.renderError(w)
+		return
 	}

+	if reqGroup := r.FormValue("required_group"); reqGroup != "" {
+		found := false
+		for _, g := range groups {
+			if g == reqGroup {
+				found = true
+				break
+			}
+		}
+
+		if !found {
+			zap.S().Debug("User %s doesn't have required group %s", tok.Subject(), reqGroup)
+			s.renderForbidden(w, r)
+			return
+		}
+	}
+
+	headers := w.Header()
+	headers.Add("X-Webauth-UserID", tok.Subject())
+	headers.Add("X-Webauth-User", tok.PreferredUsername())
+	headers.Add("X-Webauth-Email", tok.Email())
+	headers["X-Webauth-Groups"] = groups
+
 	w.WriteHeader(http.StatusNoContent)
 }