mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
Allow per user access control rules
This commit is contained in:
parent
2a73b1a431
commit
e310478e6d
|
@ -50,6 +50,9 @@ access_control:
|
|||
- group: dev
|
||||
allowed_domains:
|
||||
- secret2.test.local
|
||||
- user: harry
|
||||
allowed_domains:
|
||||
- secret1.test.local
|
||||
|
||||
|
||||
# Configuration of session cookies
|
||||
|
|
|
@ -5,13 +5,17 @@ var exceptions = require('../exceptions');
|
|||
var objectPath = require('object-path');
|
||||
var Promise = require('bluebird');
|
||||
|
||||
function get_allowed_domains(access_control, groups) {
|
||||
function get_allowed_domains(access_control, username, groups) {
|
||||
var allowed_domains = [];
|
||||
|
||||
for(var i = 0; i<access_control.length; ++i) {
|
||||
var rule = access_control[i];
|
||||
if('group' in rule && 'allowed_domains' in rule) {
|
||||
if(groups.indexOf(rule['group']) >= 0) {
|
||||
if('allowed_domains' in rule) {
|
||||
if('group' in rule && groups.indexOf(rule['group']) >= 0) {
|
||||
var domains = rule.allowed_domains;
|
||||
allowed_domains = allowed_domains.concat(domains);
|
||||
}
|
||||
else if('user' in rule && username == rule['user']) {
|
||||
var domains = rule.allowed_domains;
|
||||
allowed_domains = allowed_domains.concat(domains);
|
||||
}
|
||||
|
@ -58,7 +62,8 @@ function first_factor(req, res) {
|
|||
objectPath.set(req, 'session.auth_session.email', emails[0]);
|
||||
|
||||
if(config.access_control) {
|
||||
var allowed_domains = get_allowed_domains(config.access_control, groups);
|
||||
var allowed_domains = get_allowed_domains(config.access_control,
|
||||
username, groups);
|
||||
logger.debug('1st factor: allowed domains are %s', allowed_domains);
|
||||
objectPath.set(req, 'session.auth_session.allowed_domains',
|
||||
allowed_domains);
|
||||
|
|
|
@ -74,23 +74,45 @@ describe('test the first factor validation route', function() {
|
|||
});
|
||||
});
|
||||
|
||||
it('should store the allowed domains in the auth session', function() {
|
||||
config.access_control = [];
|
||||
config.access_control.push({
|
||||
group: 'group1',
|
||||
allowed_domains: ['domain1.example.com', 'domain2.example.com']
|
||||
});
|
||||
return new Promise(function(resolve, reject) {
|
||||
res.send = sinon.spy(function(data) {
|
||||
assert.deepEqual(['domain1.example.com', 'domain2.example.com'],
|
||||
req.session.auth_session.allowed_domains);
|
||||
assert.equal(204, res.status.getCall(0).args[0]);
|
||||
resolve();
|
||||
describe('store the allowed domains in the auth session', function() {
|
||||
it('should store the per group allowed domains', function() {
|
||||
config.access_control = [];
|
||||
config.access_control.push({
|
||||
group: 'group1',
|
||||
allowed_domains: ['domain1.example.com', 'domain2.example.com']
|
||||
});
|
||||
return new Promise(function(resolve, reject) {
|
||||
res.send = sinon.spy(function(data) {
|
||||
assert.deepEqual(['domain1.example.com', 'domain2.example.com'],
|
||||
req.session.auth_session.allowed_domains);
|
||||
assert.equal(204, res.status.getCall(0).args[0]);
|
||||
resolve();
|
||||
});
|
||||
ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
|
||||
ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
|
||||
ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
|
||||
first_factor(req, res);
|
||||
});
|
||||
});
|
||||
|
||||
it('should store the per group allowed domains', function() {
|
||||
config.access_control = [];
|
||||
config.access_control.push({
|
||||
user: 'username',
|
||||
allowed_domains: ['domain1.example.com', 'domain2.example.com']
|
||||
});
|
||||
return new Promise(function(resolve, reject) {
|
||||
res.send = sinon.spy(function(data) {
|
||||
assert.deepEqual(['domain1.example.com', 'domain2.example.com'],
|
||||
req.session.auth_session.allowed_domains);
|
||||
assert.equal(204, res.status.getCall(0).args[0]);
|
||||
resolve();
|
||||
});
|
||||
ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
|
||||
ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
|
||||
ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
|
||||
first_factor(req, res);
|
||||
});
|
||||
ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
|
||||
ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
|
||||
ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
|
||||
first_factor(req, res);
|
||||
});
|
||||
});
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user