func newAuth(c *Context, e *empire.Empire) *auth.Auth {
authBackend := c.String(FlagServerAuth)
// For backwards compatibility. If the auth backend is unspecified, but
// a github client id is provided, assume the GitHub auth backend.
if authBackend == "" {
if c.String(FlagGithubClient) != "" {
authBackend = "github"
} else {
authBackend = "fake"
}
}
// If a GitHub client id is provided, we'll use GitHub as an
// authentication backend. Otherwise, we'll just use a static username
// and password backend.
switch authBackend {
case "fake":
log.Println("Using static authentication backend")
// Fake authentication password where the user is "fake" and
// password is blank.
return &auth.Auth{
Strategies: auth.Strategies{
{
Name: auth.StrategyUsernamePassword,
Authenticator: auth.StaticAuthenticator("fake", "", "", &empire.User{Name: "fake"}),
},
},
}
case "github":
config := &oauth2.Config{
ClientID: c.String(FlagGithubClient),
ClientSecret: c.String(FlagGithubClientSecret),
Scopes: []string{"repo_deployment", "read:org"},
}
client := githubauth.NewClient(config)
client.URL = c.String(FlagGithubApiURL)
log.Println("Using GitHub authentication backend with the following configuration:")
log.Println(fmt.Sprintf(" ClientID: %v", config.ClientID))
log.Println(fmt.Sprintf(" ClientSecret: ****"))
log.Println(fmt.Sprintf(" Scopes: %v", config.Scopes))
log.Println(fmt.Sprintf(" GitHubAPI: %v", client.URL))
// an authenticator for authenticating requests with a users github
// credentials.
authenticator := githubauth.NewAuthenticator(client)
a := &auth.Auth{
Strategies: auth.Strategies{
{
Name: auth.StrategyUsernamePassword,
Authenticator: authenticator,
},
},
}
// After the user is authenticated, check their GitHub Organization membership.
if org := c.String(FlagGithubOrg); org != "" {
authorizer := githubauth.NewOrganizationAuthorizer(client)
authorizer.Organization = org
log.Println("Adding GitHub Organization authorizer with the following configuration:")
log.Println(fmt.Sprintf(" Organization: %v ", org))
a.Authorizer = auth.CacheAuthorization(authorizer, 30*time.Minute)
}
// After the user is authenticated, check their GitHub Team membership.
if teamID := c.String(FlagGithubTeam); teamID != "" {
authorizer := githubauth.NewTeamAuthorizer(client)
authorizer.TeamID = teamID
log.Println("Adding GitHub Team authorizer with the following configuration:")
log.Println(fmt.Sprintf(" Team ID: %v ", teamID))
// Cache the team check for 30 minutes
a.Authorizer = auth.CacheAuthorization(authorizer, 30*time.Minute)
}
return a
case "saml":
loginURL := c.String(FlagURL) + "/saml/login"
// When using the SAML authentication backend, access tokens are
// created through the browser, so username/password
// authentication should be disabled.
usernamePasswordDisabled := auth.AuthenticatorFunc(func(username, password, otp string) (*empire.User, error) {
return nil, fmt.Errorf("Authentication via username/password is disabled. Login at %s", loginURL)
})
return &auth.Auth{
Strategies: auth.Strategies{
{
Name: auth.StrategyUsernamePassword,
Authenticator: usernamePasswordDisabled,
// Ensure that this strategy isn't used
// by default.
Disabled: true,
},
},
}
default:
panic("unreachable")
}
}
func newAuthenticator(c *cli.Context, e *empire.Empire) auth.Authenticator {
// an authenticator authenticating requests with a users empire acccess
// token.
authenticators := []auth.Authenticator{
auth.NewAccessTokenAuthenticator(e),
}
var client *githubauth.Client
// If a GitHub client id is provided, we'll use GitHub as an
// authentication backend. Otherwise, we'll just use a static username
// and password backend.
if c.String(FlagGithubClient) == "" {
log.Println("Using static authentication backend")
// Fake authentication password where the user is "fake" and
// password is blank.
authenticators = append(authenticators, auth.StaticAuthenticator("fake", "", "", &empire.User{
Name: "fake",
}))
} else {
config := &oauth2.Config{
ClientID: c.String(FlagGithubClient),
ClientSecret: c.String(FlagGithubClientSecret),
Scopes: []string{"repo_deployment", "read:org"},
}
client = githubauth.NewClient(config)
client.URL = c.String(FlagGithubApiURL)
log.Println("Using GitHub authentication backend with the following configuration:")
log.Println(fmt.Sprintf(" ClientID: %v", config.ClientID))
log.Println(fmt.Sprintf(" ClientSecret: ****"))
log.Println(fmt.Sprintf(" Scopes: %v", config.Scopes))
log.Println(fmt.Sprintf(" GitHubAPI: %v", client.URL))
// an authenticator for authenticating requests with a users github
// credentials.
authenticators = append(authenticators, githubauth.NewAuthenticator(client))
}
// try access token before falling back to github.
authenticator := auth.MultiAuthenticator(authenticators...)
// After the user is authenticated, check their GitHub Organization membership.
if org := c.String(FlagGithubOrg); org != "" {
authorizer := githubauth.NewOrganizationAuthorizer(client)
authorizer.Organization = org
log.Println("Adding GitHub Organization authorizer with the following configuration:")
log.Println(fmt.Sprintf(" Organization: %v ", org))
return auth.WithAuthorization(
authenticator,
// Cache the organization check for 30 minutes since
// it's pretty slow.
auth.CacheAuthorization(authorizer, 30*time.Minute),
)
}
// After the user is authenticated, check their GitHub Team membership.
if teamID := c.String(FlagGithubTeam); teamID != "" {
authorizer := githubauth.NewTeamAuthorizer(client)
authorizer.TeamID = teamID
log.Println("Adding GitHub Team authorizer with the following configuration:")
log.Println(fmt.Sprintf(" Team ID: %v ", teamID))
return auth.WithAuthorization(
authenticator,
// Cache the team check for 30 minutes
auth.CacheAuthorization(authorizer, 30*time.Minute),
)
}
return authenticator
}