-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support new option "github-user" #421
Conversation
I'm not a pro, nor a maintainer, but this seems to be ok. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Generally looks ok, added a comment about trying to make the configuration more consistent though
main.go
Outdated
@@ -64,6 +64,7 @@ func main() { | |||
flagSet.String("bitbucket-repository", "", "restrict logins to user with access to this repository") | |||
flagSet.String("github-org", "", "restrict logins to members of this organisation") | |||
flagSet.String("github-team", "", "restrict logins to members of this team") | |||
flagSet.String("github-user", "", "restrict logins to these users") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We have a number of options that allow the flag to be specified multiple times, eg whitelist-domain
, would it be possible to follow the same pattern?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed by using flagSet.StringSlice
.
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed. |
Sorry for late reply.
Thanks! |
options.go
Outdated
@@ -56,6 +56,7 @@ type Options struct { | |||
GitHubTeam string `flag:"github-team" cfg:"github_team" env:"OAUTH2_PROXY_GITHUB_TEAM"` | |||
GitHubRepo string `flag:"github-repo" cfg:"github_repo" env:"OAUTH2_PROXY_GITHUB_REPO"` | |||
GitHubToken string `flag:"github-token" cfg:"github_token" env:"OAUTH2_PROXY_GITHUB_TOKEN"` | |||
GitHubUsers []string `flag:"github-user" cfg:"github_user" env:"OAUTH2_PROXY_GITHUB_USER"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To be consistent with other list options, will also need to update the docs
GitHubUsers []string `flag:"github-user" cfg:"github_user" env:"OAUTH2_PROXY_GITHUB_USER"` | |
GitHubUsers []string `flag:"github-user" cfg:"github_users" env:"OAUTH2_PROXY_GITHUB_USERS"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
providers/github.go
Outdated
for _, user := range users { | ||
us := strings.Split(user, ",") | ||
for _, u := range us { | ||
// Validate empty string (e.g. --github-user="octcat,,") | ||
if len(u) > 0 { | ||
p.Users = append(p.Users, u) | ||
} | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will be covered by viper, the configuration loader
providers/github.go
Outdated
} | ||
|
||
if p.isVerifiedUser(user.Login) { | ||
log.Printf("Found Github User: %q", user.Login) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Will this log line become noisy? Same for the one below?
providers/github.go
Outdated
} else if p.Repo != "" { | ||
if p.Token == "" { // If we have a token we'll do the collaborator check in GetUserName |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why split these two up?
@JoelSpeed |
options.go
Outdated
@@ -56,6 +56,7 @@ type Options struct { | |||
GitHubTeam string `flag:"github-team" cfg:"github_team" env:"OAUTH2_PROXY_GITHUB_TEAM"` | |||
GitHubRepo string `flag:"github-repo" cfg:"github_repo" env:"OAUTH2_PROXY_GITHUB_REPO"` | |||
GitHubToken string `flag:"github-token" cfg:"github_token" env:"OAUTH2_PROXY_GITHUB_TOKEN"` | |||
GitHubUsers []string `flag:"github-users" cfg:"github_users" env:"OAUTH2_PROXY_GITHUB_USERS"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I wasn't very clear in my previous comment. The flag should be singular, while the other two should be pluralised (yes this is very confusing, but it's what we have for now).
GitHubUsers []string `flag:"github-users" cfg:"github_users" env:"OAUTH2_PROXY_GITHUB_USERS"` | |
GitHubUsers []string `flag:"github-user" cfg:"github_users" env:"OAUTH2_PROXY_GITHUB_USERS"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your explanation, I understood!
5dc1192
providers/github.go
Outdated
if p.isVerifiedUser(user.Login) { | ||
return true, nil | ||
} | ||
log.Printf("Missing Github User: %q in %v", user.Login, p.Users) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should drop this log too, could get noisy
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Remove logging 19f9b34
@yyoshiki41 Could you please rebase this and then I'll give it another review |
@JoelSpeed Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I've added some suggestions to improve readability in the docs, and some other small things through the code, happy for those to all be commited, though I added one question to one of them which I'd like an answer on before merging if that's ok
docs/2_auth.md
Outdated
@@ -103,6 +103,8 @@ Note: When using the Azure Auth provider with nginx and the cookie session store | |||
|
|||
The GitHub auth provider supports two additional ways to restrict authentication to either organization and optional team level access, or to collaborators of a repository. Restricting by these options is normally accompanied with `--email-domain=*` | |||
|
|||
NOTE: When `--github-user` is set, the specified users are allowed logins even if they do not belong to the specified org and team or collaborators. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will read better this way
NOTE: When `--github-user` is set, the specified users are allowed logins even if they do not belong to the specified org and team or collaborators. | |
NOTE: When `--github-user` is set, the specified users are allowed to login even if they do not belong to the specified org and team or collaborators. |
docs/2_auth.md
Outdated
@@ -119,6 +121,10 @@ If you'd like to allow access to users with **read only** access to a **public** | |||
|
|||
-github-token="": the token to use when verifying repository collaborators | |||
|
|||
To allow logins by usernames even if they do not belong to the specified org and team or collaborators, separated by a comma |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To allow logins by usernames even if they do not belong to the specified org and team or collaborators, separated by a comma | |
To allow a user to login with their username even if they do not belong to the specified org and team or collaborators, separated by a comma |
docs/configuration/configuration.md
Outdated
@@ -56,6 +56,7 @@ An example [oauth2-proxy.cfg]({{ site.gitweb }}/contrib/oauth2-proxy.cfg.example | |||
| `--github-team` | string | restrict logins to members of any of these teams (slug), separated by a comma | | | |||
| `--github-repo` | string | restrict logins to collaborators of this repository formatted as `orgname/repo` | | | |||
| `--github-token` | string | the token to use when verifying repository collaborators (must have push access to the repository) | | | |||
| `--github-user` | string | To allow logins by username even if they do not belong to the specified org and team or collaborators, separated by a comma | | |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
| `--github-user` | string | To allow logins by username even if they do not belong to the specified org and team or collaborators, separated by a comma | | | |
| `--github-user` | string \| list | To allow users to login by username even if they do not belong to the specified org and team or collaborators | | |
pkg/apis/options/options.go
Outdated
@@ -256,6 +257,7 @@ func NewFlagSet() *pflag.FlagSet { | |||
flagSet.String("github-team", "", "restrict logins to members of this team") | |||
flagSet.String("github-repo", "", "restrict logins to collaborators of this repository") | |||
flagSet.String("github-token", "", "the token to use when verifying repository collaborators (must have push access to the repository)") | |||
flagSet.StringSlice("github-user", []string{}, "allowed usernames even if they do not belong to the specified org and team or collaborators (may be given multiple times)") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
flagSet.StringSlice("github-user", []string{}, "allowed usernames even if they do not belong to the specified org and team or collaborators (may be given multiple times)") | |
flagSet.StringSlice("github-user", []string{}, "allowed users with these usernames to login even if they do not belong to the specified org and team or collaborators (may be given multiple times)") |
providers/github.go
Outdated
@@ -80,6 +82,11 @@ func (p *GitHubProvider) SetRepo(repo, token string) { | |||
p.Token = token | |||
} | |||
|
|||
// SetUsers configures allowed usernames | |||
func (p *GitHubProvider) SetUsers(users []string) { | |||
p.Users = append(p.Users, users...) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not just overwrite here? That is what I think I would have expected
p.Users = append(p.Users, users...) | |
p.Users = users |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, I missed this points.
fixed by 86cadbf
providers/github_test.go
Outdated
|
||
bURL, _ := url.Parse(b.URL) | ||
p := testGitHubProvider(bURL.Host) | ||
p.SetUsers([]string{"mbland", "octcat"}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
p.SetUsers([]string{"mbland", "octcat"}) | |
p.SetUsers([]string{"mbland", "octocat"}) |
providers/github_test.go
Outdated
|
||
bURL, _ := url.Parse(b.URL) | ||
p := testGitHubProvider(bURL.Host) | ||
p.SetUsers([]string{"octcat"}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
p.SetUsers([]string{"octcat"}) | |
p.SetUsers([]string{"octocat"}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I fixed up one last little thing, LGTM
Thanks @yyoshiki41
Description
Add new option
github-user
.Motivation and Context
That allowed the specified github users that is not on team or org.
e.g.) Username list (comma-separated)
"github-user:octocat,yyoshiki41"
fixed below issue.
#342
How Has This Been Tested?
My develop environment works this option.
Checklist:
This change is