Exemplo n.º 1
0
func newAuth(c *Context, e *empire.Empire) *auth.Auth {
	authBackend := c.String(FlagServerAuth)

	// For backwards compatibility. If the auth backend is unspecified, but
	// a github client id is provided, assume the GitHub auth backend.
	if authBackend == "" {
		if c.String(FlagGithubClient) != "" {
			authBackend = "github"
		} else {
			authBackend = "fake"
		}
	}

	// If a GitHub client id is provided, we'll use GitHub as an
	// authentication backend. Otherwise, we'll just use a static username
	// and password backend.
	switch authBackend {
	case "fake":
		log.Println("Using static authentication backend")
		// Fake authentication password where the user is "fake" and
		// password is blank.
		return &auth.Auth{
			Strategies: auth.Strategies{
				{
					Name:          auth.StrategyUsernamePassword,
					Authenticator: auth.StaticAuthenticator("fake", "", "", &empire.User{Name: "fake"}),
				},
			},
		}
	case "github":
		config := &oauth2.Config{
			ClientID:     c.String(FlagGithubClient),
			ClientSecret: c.String(FlagGithubClientSecret),
			Scopes:       []string{"repo_deployment", "read:org"},
		}

		client := githubauth.NewClient(config)
		client.URL = c.String(FlagGithubApiURL)

		log.Println("Using GitHub authentication backend with the following configuration:")
		log.Println(fmt.Sprintf("  ClientID: %v", config.ClientID))
		log.Println(fmt.Sprintf("  ClientSecret: ****"))
		log.Println(fmt.Sprintf("  Scopes: %v", config.Scopes))
		log.Println(fmt.Sprintf("  GitHubAPI: %v", client.URL))

		// an authenticator for authenticating requests with a users github
		// credentials.
		authenticator := githubauth.NewAuthenticator(client)
		a := &auth.Auth{
			Strategies: auth.Strategies{
				{
					Name:          auth.StrategyUsernamePassword,
					Authenticator: authenticator,
				},
			},
		}

		// After the user is authenticated, check their GitHub Organization membership.
		if org := c.String(FlagGithubOrg); org != "" {
			authorizer := githubauth.NewOrganizationAuthorizer(client)
			authorizer.Organization = org

			log.Println("Adding GitHub Organization authorizer with the following configuration:")
			log.Println(fmt.Sprintf("  Organization: %v ", org))

			a.Authorizer = auth.CacheAuthorization(authorizer, 30*time.Minute)
		}

		// After the user is authenticated, check their GitHub Team membership.
		if teamID := c.String(FlagGithubTeam); teamID != "" {
			authorizer := githubauth.NewTeamAuthorizer(client)
			authorizer.TeamID = teamID

			log.Println("Adding GitHub Team authorizer with the following configuration:")
			log.Println(fmt.Sprintf("  Team ID: %v ", teamID))

			// Cache the team check for 30 minutes
			a.Authorizer = auth.CacheAuthorization(authorizer, 30*time.Minute)
		}

		return a
	case "saml":
		loginURL := c.String(FlagURL) + "/saml/login"

		// When using the SAML authentication backend, access tokens are
		// created through the browser, so username/password
		// authentication should be disabled.
		usernamePasswordDisabled := auth.AuthenticatorFunc(func(username, password, otp string) (*empire.User, error) {
			return nil, fmt.Errorf("Authentication via username/password is disabled. Login at %s", loginURL)
		})

		return &auth.Auth{
			Strategies: auth.Strategies{
				{
					Name:          auth.StrategyUsernamePassword,
					Authenticator: usernamePasswordDisabled,
					// Ensure that this strategy isn't used
					// by default.
					Disabled: true,
				},
			},
		}
	default:
		panic("unreachable")
	}
}
Exemplo n.º 2
0
func newAuthenticator(c *cli.Context, e *empire.Empire) auth.Authenticator {
	// an authenticator authenticating requests with a users empire acccess
	// token.
	authenticators := []auth.Authenticator{
		auth.NewAccessTokenAuthenticator(e),
	}

	var client *githubauth.Client
	// If a GitHub client id is provided, we'll use GitHub as an
	// authentication backend. Otherwise, we'll just use a static username
	// and password backend.
	if c.String(FlagGithubClient) == "" {
		log.Println("Using static authentication backend")
		// Fake authentication password where the user is "fake" and
		// password is blank.
		authenticators = append(authenticators, auth.StaticAuthenticator("fake", "", "", &empire.User{
			Name: "fake",
		}))
	} else {
		config := &oauth2.Config{
			ClientID:     c.String(FlagGithubClient),
			ClientSecret: c.String(FlagGithubClientSecret),
			Scopes:       []string{"repo_deployment", "read:org"},
		}

		client = githubauth.NewClient(config)
		client.URL = c.String(FlagGithubApiURL)

		log.Println("Using GitHub authentication backend with the following configuration:")
		log.Println(fmt.Sprintf("  ClientID: %v", config.ClientID))
		log.Println(fmt.Sprintf("  ClientSecret: ****"))
		log.Println(fmt.Sprintf("  Scopes: %v", config.Scopes))
		log.Println(fmt.Sprintf("  GitHubAPI: %v", client.URL))

		// an authenticator for authenticating requests with a users github
		// credentials.
		authenticators = append(authenticators, githubauth.NewAuthenticator(client))
	}

	// try access token before falling back to github.
	authenticator := auth.MultiAuthenticator(authenticators...)

	// After the user is authenticated, check their GitHub Organization membership.
	if org := c.String(FlagGithubOrg); org != "" {
		authorizer := githubauth.NewOrganizationAuthorizer(client)
		authorizer.Organization = org

		log.Println("Adding GitHub Organization authorizer with the following configuration:")
		log.Println(fmt.Sprintf("  Organization: %v ", org))

		return auth.WithAuthorization(
			authenticator,
			// Cache the organization check for 30 minutes since
			// it's pretty slow.
			auth.CacheAuthorization(authorizer, 30*time.Minute),
		)
	}

	// After the user is authenticated, check their GitHub Team membership.
	if teamID := c.String(FlagGithubTeam); teamID != "" {
		authorizer := githubauth.NewTeamAuthorizer(client)
		authorizer.TeamID = teamID

		log.Println("Adding GitHub Team authorizer with the following configuration:")
		log.Println(fmt.Sprintf("  Team ID: %v ", teamID))

		return auth.WithAuthorization(
			authenticator,
			// Cache the team check for 30 minutes
			auth.CacheAuthorization(authorizer, 30*time.Minute),
		)
	}

	return authenticator
}