Support new option "github-user" #421
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
yyoshiki41
requested review from
JoelSpeed,
steakunderscore and
loshz
as code owners
Closed
|
I'm not a pro, nor a maintainer, but this seems to be ok. |
JoelSpeed
reviewed
Mar 1, 2020
main.go
Outdated
| @@ -64,6 +64,7 @@ func main() { | |||
| flagSet.String("bitbucket-repository", "", "restrict logins to user with access to this repository") | |||
| flagSet.String("github-org", "", "restrict logins to members of this organisation") | |||
| flagSet.String("github-team", "", "restrict logins to members of this team") | |||
| flagSet.String("github-user", "", "restrict logins to these users") | |||
There was a problem hiding this comment.
We have a number of options that allow the flag to be specified multiple times, eg whitelist-domain, would it be possible to follow the same pattern?
There was a problem hiding this comment.
fixed by using flagSet.StringSlice.
|
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed. |
|
Sorry for late reply.
Thanks! |
JoelSpeed
reviewed
May 21, 2020
options.go
Outdated
| @@ -56,6 +56,7 @@ type Options struct { | |||
| GitHubTeam string `flag:"github-team" cfg:"github_team" env:"OAUTH2_PROXY_GITHUB_TEAM"` | |||
| GitHubRepo string `flag:"github-repo" cfg:"github_repo" env:"OAUTH2_PROXY_GITHUB_REPO"` | |||
| GitHubToken string `flag:"github-token" cfg:"github_token" env:"OAUTH2_PROXY_GITHUB_TOKEN"` | |||
| GitHubUsers []string `flag:"github-user" cfg:"github_user" env:"OAUTH2_PROXY_GITHUB_USER"` | |||
There was a problem hiding this comment.
To be consistent with other list options, will also need to update the docs
Suggested change
| GitHubUsers []string `flag:"github-user" cfg:"github_user" env:"OAUTH2_PROXY_GITHUB_USER"` | |
| GitHubUsers []string `flag:"github-user" cfg:"github_users" env:"OAUTH2_PROXY_GITHUB_USERS"` |
providers/github.go
Outdated
Comment on lines
88
to
96
| for _, user := range users { | ||
| us := strings.Split(user, ",") | ||
| for _, u := range us { | ||
| // Validate empty string (e.g. --github-user="octcat,,") | ||
| if len(u) > 0 { | ||
| p.Users = append(p.Users, u) | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
This will be covered by viper, the configuration loader
providers/github.go
Outdated
| } | ||
|
|
||
| if p.isVerifiedUser(user.Login) { | ||
| log.Printf("Found Github User: %q", user.Login) |
There was a problem hiding this comment.
Will this log line become noisy? Same for the one below?
providers/github.go
Outdated
Comment on lines
442
to
443
| } else if p.Repo != "" { | ||
| if p.Token == "" { // If we have a token we'll do the collaborator check in GetUserName |
|
@JoelSpeed |
JoelSpeed
reviewed
May 23, 2020
options.go
Outdated
| @@ -56,6 +56,7 @@ type Options struct { | |||
| GitHubTeam string `flag:"github-team" cfg:"github_team" env:"OAUTH2_PROXY_GITHUB_TEAM"` | |||
| GitHubRepo string `flag:"github-repo" cfg:"github_repo" env:"OAUTH2_PROXY_GITHUB_REPO"` | |||
| GitHubToken string `flag:"github-token" cfg:"github_token" env:"OAUTH2_PROXY_GITHUB_TOKEN"` | |||
| GitHubUsers []string `flag:"github-users" cfg:"github_users" env:"OAUTH2_PROXY_GITHUB_USERS"` | |||
There was a problem hiding this comment.
Sorry, I wasn't very clear in my previous comment. The flag should be singular, while the other two should be pluralised (yes this is very confusing, but it's what we have for now).
Suggested change
| GitHubUsers []string `flag:"github-users" cfg:"github_users" env:"OAUTH2_PROXY_GITHUB_USERS"` | |
| GitHubUsers []string `flag:"github-user" cfg:"github_users" env:"OAUTH2_PROXY_GITHUB_USERS"` |
There was a problem hiding this comment.
Thanks for your explanation, I understood!
5dc1192
JoelSpeed
reviewed
May 23, 2020
providers/github.go
Outdated
| if p.isVerifiedUser(user.Login) { | ||
| return true, nil | ||
| } | ||
| log.Printf("Missing Github User: %q in %v", user.Login, p.Users) |
There was a problem hiding this comment.
I think we should drop this log too, could get noisy
There was a problem hiding this comment.
Remove logging 19f9b34
|
@yyoshiki41 Could you please rebase this and then I'll give it another review |
|
@JoelSpeed Thanks! |
JoelSpeed
reviewed
May 31, 2020
docs/2_auth.md
Outdated
| @@ -103,6 +103,8 @@ Note: When using the Azure Auth provider with nginx and the cookie session store | |||
|
|
|||
| The GitHub auth provider supports two additional ways to restrict authentication to either organization and optional team level access, or to collaborators of a repository. Restricting by these options is normally accompanied with `--email-domain=*` | |||
|
|
|||
| NOTE: When `--github-user` is set, the specified users are allowed logins even if they do not belong to the specified org and team or collaborators. | |||
There was a problem hiding this comment.
This will read better this way
Suggested change
| NOTE: When `--github-user` is set, the specified users are allowed logins even if they do not belong to the specified org and team or collaborators. | |
| NOTE: When `--github-user` is set, the specified users are allowed to login even if they do not belong to the specified org and team or collaborators. |
docs/2_auth.md
Outdated
| @@ -119,6 +121,10 @@ If you'd like to allow access to users with **read only** access to a **public** | |||
|
|
|||
| -github-token="": the token to use when verifying repository collaborators | |||
|
|
|||
| To allow logins by usernames even if they do not belong to the specified org and team or collaborators, separated by a comma | |||
There was a problem hiding this comment.
Suggested change
| To allow logins by usernames even if they do not belong to the specified org and team or collaborators, separated by a comma | |
| To allow a user to login with their username even if they do not belong to the specified org and team or collaborators, separated by a comma |
docs/configuration/configuration.md
Outdated
| @@ -56,6 +56,7 @@ An example [oauth2-proxy.cfg]({{ site.gitweb }}/contrib/oauth2-proxy.cfg.example | |||
| | `--github-team` | string | restrict logins to members of any of these teams (slug), separated by a comma | | | |||
| | `--github-repo` | string | restrict logins to collaborators of this repository formatted as `orgname/repo` | | | |||
| | `--github-token` | string | the token to use when verifying repository collaborators (must have push access to the repository) | | | |||
| | `--github-user` | string | To allow logins by username even if they do not belong to the specified org and team or collaborators, separated by a comma | | | |||
There was a problem hiding this comment.
Suggested change
| | `--github-user` | string | To allow logins by username even if they do not belong to the specified org and team or collaborators, separated by a comma | | | |
| | `--github-user` | string \| list | To allow users to login by username even if they do not belong to the specified org and team or collaborators | | |
pkg/apis/options/options.go
Outdated
| @@ -256,6 +257,7 @@ func NewFlagSet() *pflag.FlagSet { | |||
| flagSet.String("github-team", "", "restrict logins to members of this team") | |||
| flagSet.String("github-repo", "", "restrict logins to collaborators of this repository") | |||
| flagSet.String("github-token", "", "the token to use when verifying repository collaborators (must have push access to the repository)") | |||
| flagSet.StringSlice("github-user", []string{}, "allowed usernames even if they do not belong to the specified org and team or collaborators (may be given multiple times)") | |||
There was a problem hiding this comment.
Suggested change
| flagSet.StringSlice("github-user", []string{}, "allowed usernames even if they do not belong to the specified org and team or collaborators (may be given multiple times)") | |
| flagSet.StringSlice("github-user", []string{}, "allowed users with these usernames to login even if they do not belong to the specified org and team or collaborators (may be given multiple times)") |
providers/github.go
Outdated
| @@ -80,6 +82,11 @@ func (p *GitHubProvider) SetRepo(repo, token string) { | |||
| p.Token = token | |||
| } | |||
|
|
|||
| // SetUsers configures allowed usernames | |||
| func (p *GitHubProvider) SetUsers(users []string) { | |||
| p.Users = append(p.Users, users...) | |||
There was a problem hiding this comment.
Why not just overwrite here? That is what I think I would have expected
Suggested change
| p.Users = append(p.Users, users...) | |
| p.Users = users |
There was a problem hiding this comment.
Sorry, I missed this points.
fixed by 86cadbf
providers/github_test.go
Outdated
|
|
||
| bURL, _ := url.Parse(b.URL) | ||
| p := testGitHubProvider(bURL.Host) | ||
| p.SetUsers([]string{"mbland", "octcat"}) |
There was a problem hiding this comment.
Suggested change
| p.SetUsers([]string{"mbland", "octcat"}) | |
| p.SetUsers([]string{"mbland", "octocat"}) |
providers/github_test.go
Outdated
|
|
||
| bURL, _ := url.Parse(b.URL) | ||
| p := testGitHubProvider(bURL.Host) | ||
| p.SetUsers([]string{"octcat"}) |
There was a problem hiding this comment.
Suggested change
| p.SetUsers([]string{"octcat"}) | |
| p.SetUsers([]string{"octocat"}) |
JoelSpeed
reviewed
Jun 1, 2020
JoelSpeed
approved these changes
Jun 1, 2020
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Add new option
github-user.Motivation and Context
That allowed the specified github users that is not on team or org.
e.g.) Username list (comma-separated)
"github-user:octocat,yyoshiki41"
fixed below issue.
#342
How Has This Been Tested?
My develop environment works this option.
Checklist:
This change is