func newAuthenticator(c *cli.Context, e *empire.Empire) auth.Authenticator { // an authenticator authenticating requests with a users empire acccess // token. authenticators := []auth.Authenticator{ auth.NewAccessTokenAuthenticator(e), } var client *github.Client // If a GitHub client id is provided, we'll use GitHub as an // authentication backend. Otherwise, we'll just use a static username // and password backend. if c.String(FlagGithubClient) == "" { log.Println("Using static authentication backend") // Fake authentication password where the user is "fake" and // password is blank. authenticators = append(authenticators, auth.StaticAuthenticator("fake", "", "", &empire.User{ Name: "fake", })) } else { config := &oauth2.Config{ ClientID: c.String(FlagGithubClient), ClientSecret: c.String(FlagGithubClientSecret), Scopes: []string{"repo_deployment", "read:org"}, } client = github.NewClient(config) client.URL = c.String(FlagGithubApiURL) log.Println("Using GitHub authentication backend with the following configuration:") log.Println(fmt.Sprintf(" ClientID: %v", config.ClientID)) log.Println(fmt.Sprintf(" ClientSecret: ****")) log.Println(fmt.Sprintf(" Scopes: %v", config.Scopes)) log.Println(fmt.Sprintf(" GitHubAPI: %v", client.URL)) // an authenticator for authenticating requests with a users github // credentials. authenticators = append(authenticators, github.NewAuthenticator(client)) } // try access token before falling back to github. authenticator := auth.MultiAuthenticator(authenticators...) // After the user is authenticated, check their GitHub Organization membership. if org := c.String(FlagGithubOrg); org != "" { authorizer := github.NewOrganizationAuthorizer(client) authorizer.Organization = org log.Println("Adding GitHub Organization authorizer with the following configuration:") log.Println(fmt.Sprintf(" Organization: %v ", org)) return auth.WithAuthorization( authenticator, // Cache the organization check for 30 minutes since // it's pretty slow. auth.CacheAuthorization(authorizer, 30*time.Minute), ) } return authenticator }
func newAuth(c *Context, e *empire.Empire) *auth.Auth { authBackend := c.String(FlagServerAuth) // For backwards compatibility. If the auth backend is unspecified, but // a github client id is provided, assume the GitHub auth backend. if authBackend == "" { if c.String(FlagGithubClient) != "" { authBackend = "github" } else { authBackend = "fake" } } // If a GitHub client id is provided, we'll use GitHub as an // authentication backend. Otherwise, we'll just use a static username // and password backend. switch authBackend { case "fake": log.Println("Using static authentication backend") // Fake authentication password where the user is "fake" and // password is blank. return &auth.Auth{ Strategies: auth.Strategies{ { Name: auth.StrategyUsernamePassword, Authenticator: auth.StaticAuthenticator("fake", "", "", &empire.User{Name: "fake"}), }, }, } case "github": config := &oauth2.Config{ ClientID: c.String(FlagGithubClient), ClientSecret: c.String(FlagGithubClientSecret), Scopes: []string{"repo_deployment", "read:org"}, } client := githubauth.NewClient(config) client.URL = c.String(FlagGithubApiURL) log.Println("Using GitHub authentication backend with the following configuration:") log.Println(fmt.Sprintf(" ClientID: %v", config.ClientID)) log.Println(fmt.Sprintf(" ClientSecret: ****")) log.Println(fmt.Sprintf(" Scopes: %v", config.Scopes)) log.Println(fmt.Sprintf(" GitHubAPI: %v", client.URL)) // an authenticator for authenticating requests with a users github // credentials. authenticator := githubauth.NewAuthenticator(client) a := &auth.Auth{ Strategies: auth.Strategies{ { Name: auth.StrategyUsernamePassword, Authenticator: authenticator, }, }, } // After the user is authenticated, check their GitHub Organization membership. if org := c.String(FlagGithubOrg); org != "" { authorizer := githubauth.NewOrganizationAuthorizer(client) authorizer.Organization = org log.Println("Adding GitHub Organization authorizer with the following configuration:") log.Println(fmt.Sprintf(" Organization: %v ", org)) a.Authorizer = auth.CacheAuthorization(authorizer, 30*time.Minute) } // After the user is authenticated, check their GitHub Team membership. if teamID := c.String(FlagGithubTeam); teamID != "" { authorizer := githubauth.NewTeamAuthorizer(client) authorizer.TeamID = teamID log.Println("Adding GitHub Team authorizer with the following configuration:") log.Println(fmt.Sprintf(" Team ID: %v ", teamID)) // Cache the team check for 30 minutes a.Authorizer = auth.CacheAuthorization(authorizer, 30*time.Minute) } return a case "saml": loginURL := c.String(FlagURL) + "/saml/login" // When using the SAML authentication backend, access tokens are // created through the browser, so username/password // authentication should be disabled. usernamePasswordDisabled := auth.AuthenticatorFunc(func(username, password, otp string) (*empire.User, error) { return nil, fmt.Errorf("Authentication via username/password is disabled. Login at %s", loginURL) }) return &auth.Auth{ Strategies: auth.Strategies{ { Name: auth.StrategyUsernamePassword, Authenticator: usernamePasswordDisabled, // Ensure that this strategy isn't used // by default. Disabled: true, }, }, } default: panic("unreachable") } }