mirror of
https://github.com/steveiliop56/tinyauth.git
synced 2026-05-18 18:20:15 +00:00
chore: review comments
This commit is contained in:
Stavros
@@ -49,36 +49,48 @@ func (app *BootstrapApp) setupServices() error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
|
func (app *BootstrapApp) getLabelProvider() (service.LabelProvider, error) {
|
||||||
if app.config.LabelProvider == "none" {
|
switch app.config.LabelProvider {
|
||||||
return nil, nil
|
case "none", "docker", "kubernetes", "auto":
|
||||||
}
|
if app.config.LabelProvider == "none" {
|
||||||
|
return nil, nil
|
||||||
useKubernetes := app.config.LabelProvider == "kubernetes" ||
|
|
||||||
(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")
|
|
||||||
|
|
||||||
if useKubernetes {
|
|
||||||
app.log.App.Debug().Msg("Using Kubernetes label provider")
|
|
||||||
|
|
||||||
kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
app.services.kubernetesService = kubernetesService
|
useKubernetes := app.config.LabelProvider == "kubernetes" ||
|
||||||
return kubernetesService, nil
|
(app.config.LabelProvider == "auto" && os.Getenv("KUBERNETES_SERVICE_HOST") != "")
|
||||||
|
|
||||||
|
if useKubernetes {
|
||||||
|
app.log.App.Debug().Msg("Using Kubernetes label provider")
|
||||||
|
|
||||||
|
kubernetesService, err := service.NewKubernetesService(app.log, app.ctx, &app.wg)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to initialize kubernetes service: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
app.services.kubernetesService = kubernetesService
|
||||||
|
return kubernetesService, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
app.log.App.Debug().Msg("Using Docker label provider")
|
||||||
|
|
||||||
|
dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)
|
||||||
|
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("failed to initialize docker service: %w", err)
|
||||||
|
}
|
||||||
|
|
||||||
|
if dockerService == nil {
|
||||||
|
if app.config.LabelProvider == "docker" {
|
||||||
|
app.log.App.Warn().Msg("Docker label provider selected but Docker is not available, will continue without it")
|
||||||
|
}
|
||||||
|
return nil, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
app.services.dockerService = dockerService
|
||||||
|
return dockerService, nil
|
||||||
|
default:
|
||||||
|
return nil, fmt.Errorf("invalid label provider: %s", app.config.LabelProvider)
|
||||||
}
|
}
|
||||||
|
|
||||||
app.log.App.Debug().Msg("Using Docker label provider")
|
|
||||||
|
|
||||||
dockerService, err := service.NewDockerService(app.log, app.ctx, &app.wg)
|
|
||||||
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("failed to initialize docker service: %w", err)
|
|
||||||
}
|
|
||||||
|
|
||||||
app.services.dockerService = dockerService
|
|
||||||
return dockerService, nil
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func (app *BootstrapApp) setupPolicyEngine() error {
|
func (app *BootstrapApp) setupPolicyEngine() error {
|
||||||
|
|||||||
@@ -33,6 +33,16 @@ func TestUserAllowedRule(t *testing.T) {
|
|||||||
},
|
},
|
||||||
expected: EffectAbstain,
|
expected: EffectAbstain,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "abstains when user context is nil",
|
||||||
|
ctx: &ACLContext{
|
||||||
|
ACLs: &model.App{
|
||||||
|
OAuth: model.AppOAuth{Whitelist: "alice"},
|
||||||
|
},
|
||||||
|
UserContext: nil,
|
||||||
|
},
|
||||||
|
expected: EffectAbstain,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "allows OAuth user when email matches whitelist",
|
name: "allows OAuth user when email matches whitelist",
|
||||||
ctx: &ACLContext{
|
ctx: &ACLContext{
|
||||||
@@ -204,6 +214,16 @@ func TestOAuthGroupRule(t *testing.T) {
|
|||||||
},
|
},
|
||||||
expected: EffectAbstain,
|
expected: EffectAbstain,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "abstains when user context is nil",
|
||||||
|
ctx: &ACLContext{
|
||||||
|
ACLs: &model.App{
|
||||||
|
OAuth: model.AppOAuth{Whitelist: "alice"},
|
||||||
|
},
|
||||||
|
UserContext: nil,
|
||||||
|
},
|
||||||
|
expected: EffectAbstain,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "abstains when user is not OAuth",
|
name: "abstains when user is not OAuth",
|
||||||
ctx: &ACLContext{
|
ctx: &ACLContext{
|
||||||
@@ -324,6 +344,16 @@ func TestLDAPGroupRule(t *testing.T) {
|
|||||||
ctx: nil,
|
ctx: nil,
|
||||||
expected: EffectAbstain,
|
expected: EffectAbstain,
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
name: "abstains when user context is nil",
|
||||||
|
ctx: &ACLContext{
|
||||||
|
ACLs: &model.App{
|
||||||
|
OAuth: model.AppOAuth{Whitelist: "alice"},
|
||||||
|
},
|
||||||
|
UserContext: nil,
|
||||||
|
},
|
||||||
|
expected: EffectAbstain,
|
||||||
|
},
|
||||||
{
|
{
|
||||||
name: "abstains when user is not LDAP",
|
name: "abstains when user is not LDAP",
|
||||||
ctx: &ACLContext{
|
ctx: &ACLContext{
|
||||||
|
|||||||
@@ -25,7 +25,7 @@ type UserAllowedRule struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect {
|
func (rule *UserAllowedRule) Evaluate(ctx *ACLContext) Effect {
|
||||||
if ctx.ACLs == nil {
|
if ctx.ACLs == nil || ctx.UserContext == nil {
|
||||||
return EffectAbstain
|
return EffectAbstain
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -80,7 +80,7 @@ type OAuthGroupRule struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (rule *OAuthGroupRule) Evaluate(ctx *ACLContext) Effect {
|
func (rule *OAuthGroupRule) Evaluate(ctx *ACLContext) Effect {
|
||||||
if ctx.ACLs == nil {
|
if ctx.ACLs == nil || ctx.UserContext == nil {
|
||||||
return EffectAbstain
|
return EffectAbstain
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -114,7 +114,7 @@ type LDAPGroupRule struct {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (rule *LDAPGroupRule) Evaluate(ctx *ACLContext) Effect {
|
func (rule *LDAPGroupRule) Evaluate(ctx *ACLContext) Effect {
|
||||||
if ctx == nil {
|
if ctx == nil || ctx.UserContext == nil {
|
||||||
return EffectAbstain
|
return EffectAbstain
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -31,19 +31,25 @@ func NewAccessControlsService(
|
|||||||
|
|
||||||
func (service *AccessControlsService) lookupStaticACLs(domain string) *model.App {
|
func (service *AccessControlsService) lookupStaticACLs(domain string) *model.App {
|
||||||
var appAcls *model.App
|
var appAcls *model.App
|
||||||
|
|
||||||
|
// first pass - try to find an exact match for the domain
|
||||||
for app, config := range service.config.Apps {
|
for app, config := range service.config.Apps {
|
||||||
if config.Config.Domain == domain {
|
if config.Config.Domain == domain {
|
||||||
service.log.App.Debug().Str("name", app).Msg("Found matching container by domain")
|
service.log.App.Debug().Str("name", app).Msg("Found matching container by domain")
|
||||||
appAcls = &config
|
appAcls = &config
|
||||||
break // If we find a match by domain, we can stop searching
|
break // If we find a match by domain, we can stop searching
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// second pass - if we didn't find a match by domain, try to find a match by app name (subdomain)
|
||||||
|
for app, config := range service.config.Apps {
|
||||||
if strings.SplitN(domain, ".", 2)[0] == app {
|
if strings.SplitN(domain, ".", 2)[0] == app {
|
||||||
service.log.App.Debug().Str("name", app).Msg("Found matching container by app name")
|
service.log.App.Debug().Str("name", app).Msg("Found matching container by app name")
|
||||||
appAcls = &config
|
appAcls = &config
|
||||||
break // If we find a match by app name, we can stop searching
|
break // If we find a match by app name, we can stop searching
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return appAcls
|
return appAcls
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -57,7 +63,7 @@ func (service *AccessControlsService) GetAccessControls(domain string) (*model.A
|
|||||||
}
|
}
|
||||||
|
|
||||||
// If we have a label provider configured, try to get ACLs from it
|
// If we have a label provider configured, try to get ACLs from it
|
||||||
if service.labelProvider != nil {
|
if service.labelProvider != nil && *service.labelProvider != nil {
|
||||||
return (*service.labelProvider).GetLabels(domain)
|
return (*service.labelProvider).GetLabels(domain)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -85,12 +85,16 @@ func (docker *DockerService) GetLabels(appDomain string) (*model.App, error) {
|
|||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
for appName, appLabels := range labels.Apps {
|
// fist pass - try to find an exact match for the domain
|
||||||
|
for _, appLabels := range labels.Apps {
|
||||||
if appLabels.Config.Domain == appDomain {
|
if appLabels.Config.Domain == appDomain {
|
||||||
docker.log.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by domain")
|
docker.log.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by domain")
|
||||||
return &appLabels, nil
|
return &appLabels, nil
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
// second pass - if we didn't find a match by domain, try to find a match by app name (subdomain)
|
||||||
|
for appName, appLabels := range labels.Apps {
|
||||||
if strings.SplitN(appDomain, ".", 2)[0] == appName {
|
if strings.SplitN(appDomain, ".", 2)[0] == appName {
|
||||||
docker.log.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by app name")
|
docker.log.App.Debug().Str("id", inspect.ID).Str("name", inspect.Name).Msg("Found matching container by app name")
|
||||||
return &appLabels, nil
|
return &appLabels, nil
|
||||||
|
|||||||
Reference in New Issue
Block a user