fix: use policy engine in oauth whitelist check (#904)

2026-05-26 22:20:15 +00:00 · 2026-05-26 00:07:46 +03:00
parent c3461131f5
commit 0a3e7bf265
7 changed files with 48 additions and 20 deletions
@@ -75,10 +75,11 @@ type AuthService struct {
 	runtime model.RuntimeConfig
 	context context.Context

-	ldap        *LdapService
-	queries     repository.Store
-	oauthBroker *OAuthBrokerService
-	tailscale   *TailscaleService
+	ldap         *LdapService
+	queries      repository.Store
+	oauthBroker  *OAuthBrokerService
+	tailscale    *TailscaleService
+	policyEngine *PolicyEngine

 	loginAttempts        map[string]*LoginAttempt
 	ldapGroupsCache      map[string]*LdapGroupsCache
@@ -101,6 +102,7 @@ func NewAuthService(
 	queries repository.Store,
 	oauthBroker *OAuthBrokerService,
 	tailscale *TailscaleService,
+	policy *PolicyEngine,
 ) *AuthService {
 	service := &AuthService{
 		log:                  log,
@@ -114,6 +116,7 @@ func NewAuthService(
 		queries:              queries,
 		oauthBroker:          oauthBroker,
 		tailscale:            tailscale,
+		policyEngine:         policy,
 	}

 	wg.Go(service.CleanupOAuthSessionsRoutine)
@@ -285,18 +288,27 @@ func (auth *AuthService) RecordLoginAttempt(identifier string, success bool) {
 	}
 }

+// We could also directly access the policyEngine.effectToAccess but
+// I believe it's better to use the exported functions instead
 func (auth *AuthService) IsEmailWhitelisted(provider string, email string) bool {
-	whitelist := auth.runtime.OAuthWhitelist
-	if providerConfig, ok := auth.runtime.OAuthProviders[provider]; ok && len(providerConfig.Whitelist) > 0 {
-		whitelist = providerConfig.Whitelist
-	}
-
-	match, err := utils.CheckFilter(strings.Join(whitelist, ","), email)
-	if err != nil {
-		auth.log.App.Warn().Err(err).Str("provider", provider).Str("email", email).Msg("Invalid email filter pattern")
-		return false
-	}
-	return match
+	return auth.policyEngine.EvaluateFunc(func() Effect {
+		whitelist := auth.runtime.OAuthWhitelist
+		if providerConfig, ok := auth.runtime.OAuthProviders[provider]; ok && len(providerConfig.Whitelist) > 0 {
+			whitelist = providerConfig.Whitelist
+		}
+		match, err := utils.CheckFilter(strings.Join(whitelist, ","), email)
+		if err != nil {
+			if err == utils.ErrFilterEmpty {
+				return EffectAbstain
+			}
+			auth.log.App.Error().Err(err).Str("email", email).Msg("Failed to evaluate email whitelist filter, defaulting to deny")
+			return EffectDeny
+		}
+		if match {
+			return EffectAllow
+		}
+		return EffectDeny
+	})
 }

 func (auth *AuthService) CreateSession(ctx context.Context, data repository.Session) (*http.Cookie, error) {
@@ -108,3 +108,7 @@ func (engine *PolicyEngine) Policy() Policy {
 func (engine *PolicyEngine) Rules() map[RuleName]Rule {
 	return engine.rules
 }
+
+func (engine *PolicyEngine) EvaluateFunc(f func() Effect) bool {
+	return engine.effectToAccess(f())
+}