fix: review comments

Stavros
2026-05-12 18:17:01 +03:00
parent 3fd56272d2
commit b9abab2f17
3 changed files with 17 additions and 15 deletions
+4 -4
@@ -24,7 +24,7 @@ func NewDefaultConfiguration() *Config {
SessionMaxLifetime: 0, // disabled SessionMaxLifetime: 0, // disabled
LoginTimeout: 300, // 5 minutes LoginTimeout: 300, // 5 minutes
LoginMaxRetries: 3, LoginMaxRetries: 3,
ACLS: ACLSConfig{ ACLs: ACLsConfig{
Policy: "allow", Policy: "allow",
}, },
}, },
@@ -117,7 +117,7 @@ type AuthConfig struct {
LoginTimeout int `description:"Login timeout in seconds." yaml:"loginTimeout"` LoginTimeout int `description:"Login timeout in seconds." yaml:"loginTimeout"`
LoginMaxRetries int `description:"Maximum login retries." yaml:"loginMaxRetries"` LoginMaxRetries int `description:"Maximum login retries." yaml:"loginMaxRetries"`
TrustedProxies []string `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"` TrustedProxies []string `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
ACLS ACLSConfig `description:"ACLs configuration." yaml:"acls"` ACLs ACLsConfig `description:"ACLs configuration." yaml:"acls"`
} }
type UserAttributes struct { type UserAttributes struct {
@@ -227,8 +227,8 @@ type OIDCClientConfig struct {
Name string `description:"Client name in UI." yaml:"name"` Name string `description:"Client name in UI." yaml:"name"`
} }
type ACLSConfig struct { type ACLsConfig struct {
Policy string `description:"ACL policy for allow-by-default or deny-by-defaut, available options are allow and deny default is allow." yaml:"policy"` Policy string `description:"ACL policy for allow-by-default or deny-by-default, available options are allow and deny, default is allow." yaml:"policy"`
} }
// ACLs // ACLs
+10 -11
@@ -13,17 +13,17 @@ type AccessControlPolicy string
const ( const (
PolicyAllow AccessControlPolicy = "allow" PolicyAllow AccessControlPolicy = "allow"
PolicyBlock AccessControlPolicy = "block" PolicyDeny AccessControlPolicy = "deny"
) )
func accessControlPolicyFromString(s string) (AccessControlPolicy, bool) { func accessControlPolicyFromString(s string) (AccessControlPolicy, bool) {
switch strings.ToLower(s) { switch strings.ToLower(s) {
case "allow": case "allow":
return PolicyAllow, true return PolicyAllow, true
case "block": case "deny":
return PolicyBlock, true return PolicyDeny, true
default: default:
return "", false return PolicyAllow, false
} }
} }
@@ -49,17 +49,16 @@ func NewAccessControlsService(
labelProvider: labelProvider, labelProvider: labelProvider,
} }
policy, ok := accessControlPolicyFromString(config.Auth.ACLS.Policy) policy, ok := accessControlPolicyFromString(config.Auth.ACLs.Policy)
if !ok { if !ok {
log.App.Warn().Str("policy", config.Auth.ACLS.Policy).Msg("Invalid ACL policy in config, defaulting to 'allow'") log.App.Warn().Str("policy", config.Auth.ACLs.Policy).Msg("Invalid ACL policy in config, defaulting to 'allow'")
service.policy = PolicyAllow
} }
if policy == PolicyAllow { if policy == PolicyAllow {
log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked") log.App.Debug().Msg("Using 'allow' ACL policy: access to apps will be allowed by default unless explicitly blocked")
} else { } else {
log.App.Debug().Msg("Using 'block' ACL policy: access to apps will be blocked by default unless explicitly allowed") log.App.Debug().Msg("Using 'deny' ACL policy: access to apps will be blocked by default unless explicitly allowed")
} }
service.policy = policy service.policy = policy
@@ -121,7 +120,7 @@ func (service *AccessControlsService) IsUserAllowed(context model.UserContext, a
} }
service.log.App.Debug().Msg("Checking users allow list") service.log.App.Debug().Msg("Checking users allow list")
return utils.CheckFilter(acls.Users.Allow, context.GetUsername()) return service.policyResult(utils.CheckFilter(acls.Users.Allow, context.GetUsername()))
} }
func (service *AccessControlsService) IsInOAuthGroup(context model.UserContext, acls *model.App) bool { func (service *AccessControlsService) IsInOAuthGroup(context model.UserContext, acls *model.App) bool {
@@ -211,8 +210,8 @@ func (service *AccessControlsService) IsIPAllowed(ip string, acls *model.App) bo
} }
// Merge the global and app IP filter // Merge the global and app IP filter
blockedIps := append(service.config.Auth.IP.Block, acls.IP.Block...) blockedIps := append(acls.IP.Block, service.config.Auth.IP.Block...)
allowedIPs := append(service.config.Auth.IP.Allow, acls.IP.Allow...) allowedIPs := append(acls.IP.Allow, service.config.Auth.IP.Allow...)
for _, blocked := range blockedIps { for _, blocked := range blockedIps {
res, err := utils.FilterIP(blocked, ip) res, err := utils.FilterIP(blocked, ip)
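Review bot: The new default branch of accessControlPolicyFromString returns PolicyAllow for any unrecognised value, so a config still spelled `policy: block` (the value this same hunk renames to deny) now only logs a warning and runs allow-by-default, which is the fail-open direction for an ACL default. If the old spelling may already exist in written configs, accept it as an alias, `case "block", "deny":` followed by `return PolicyDeny, true`, or treat an unknown policy as a startup error rather than a warning. Either way the function needs a doc comment stating that the first result is PolicyAllow whenever ok is false, because NewAccessControlsService now relies on that instead of assigning it (its body continues outside the hunk). Separately, in IsIPAllowed the swapped `append(acls.IP.Block, service.config.Auth.IP.Block...)` writes into the app's own backing array whenever that slice has spare capacity, and since IsIPAllowed presumably runs per request that is a data race between requests (the previous order had the same issue with the global slice); `blockedIps := slices.Concat(acls.IP.Block, service.config.Auth.IP.Block)` (Go 1.22+, likewise for allowedIPs) builds a fresh slice instead.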
+3
@@ -40,6 +40,9 @@ func CreateTestConfigs(t *testing.T) (model.Config, model.RuntimeConfig) {
SessionExpiry: 10, SessionExpiry: 10,
LoginTimeout: 10, LoginTimeout: 10,
LoginMaxRetries: 3, LoginMaxRetries: 3,
ACLs: model.ACLsConfig{
Policy: "allow",
},
}, },
Database: model.DatabaseConfig{ Database: model.DatabaseConfig{
Path: filepath.Join(tempDir, "test.db"), Path: filepath.Join(tempDir, "test.db"),