Added group member check

go.mod

@@ -12,6 +12,7 @@ require (
 	github.com/coreos/go-oidc v2.1.0+incompatible
 	github.com/go-acme/lego v2.5.0+incompatible // indirect
 	github.com/go-kit/kit v0.8.0 // indirect
+	github.com/go-playground/validator/v10 v10.2.0
 	github.com/gogo/protobuf v1.3.1 // indirect
 	github.com/googleapis/gnostic v0.3.1 // indirect
 	github.com/gorilla/context v1.1.1 // indirect
@@ -36,6 +37,8 @@ require (
 	golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e // indirect
 	golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456 // indirect
 	golang.org/x/time v0.0.0-20191024005414-555d28b269f0 // indirect
+	gopkg.in/go-playground/assert.v1 v1.2.1 // indirect
+	gopkg.in/go-playground/validator.v9 v9.31.0
 	gopkg.in/square/go-jose.v2 v2.3.1 // indirect
 	gopkg.in/yaml.v2 v2.2.4
 	gotest.tools v2.2.0+incompatible

go.sum

@@ -50,6 +50,14 @@ github.com/go-openapi/jsonpointer v0.0.0-20160704185906-46af16f9f7b1/go.mod h1:+
 github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg=
 github.com/go-openapi/spec v0.0.0-20160808142527-6aced65f8501/go.mod h1:J8+jY1nAiCcj+friV/PDoE1/3eeccG9LYBs0tYvLOWc=
 github.com/go-openapi/swag v0.0.0-20160704191624-1d0bd113de87/go.mod h1:DXUve3Dpr1UfpPtxFw+EFuQ41HhCWZfha5jSVRG7C7I=
+github.com/go-playground/assert/v2 v2.0.1 h1:MsBgLAaY856+nPRTKrp3/OZK38U/wa0CcBYNjji3q3A=
+github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
+github.com/go-playground/locales v0.13.0 h1:HyWk6mgj5qFqCT5fjGBuRArbVDfE4hi8+e8ceBS/t7Q=
+github.com/go-playground/locales v0.13.0/go.mod h1:taPMhCMXrRLJO55olJkUXHZBHCxTMfnGwq/HNwmWNS8=
+github.com/go-playground/universal-translator v0.17.0 h1:icxd5fm+REJzpZx7ZfpaD876Lmtgy7VtROAbHHXk8no=
+github.com/go-playground/universal-translator v0.17.0/go.mod h1:UkSxE5sNxxRwHyU+Scu5vgOQjsIJAF8j9muTVoKLVtA=
+github.com/go-playground/validator/v10 v10.2.0 h1:KgJ0snyC2R9VXYN2rneOtQcw5aHQB1Vv0sFl1UcHBOY=
+github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI=
 github.com/gogo/protobuf v1.2.2-0.20190723190241-65acae22fc9d/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.1 h1:DqDEcV5aeaTmdFBePNpYsp3FlcVH/2ISVVM9Qf8PSls=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
@@ -114,6 +122,8 @@ github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORN
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/leodido/go-urn v1.2.0 h1:hpXL4XnriNwQ/ABnpepYM/1vCLWNDfUNts8dX3xTG6Y=
+github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
 github.com/mailru/easyjson v0.0.0-20160728113105-d5b7844b561a/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/miekg/dns v1.1.8 h1:1QYRAKU3lN5cRfLCkPU08hwvLJFhvjP6MqNMmQz6ZVI=
 github.com/miekg/dns v1.1.8/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
@@ -241,6 +251,10 @@ gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 h1:qIbj1fsPNlZgppZ+VLlY7N33
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/fsnotify.v1 v1.4.7 h1:xOHLXZwVvI9hhs+cLKq5+I5onOuwQLhQwiu63xxlHs4=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
+gopkg.in/go-playground/assert.v1 v1.2.1 h1:xoYuJVE7KT85PYWrN730RguIQO0ePzVRfFMXadIrXTM=
+gopkg.in/go-playground/assert.v1 v1.2.1/go.mod h1:9RXL0bg/zibRAgZUYszZSwO/z8Y/a8bDuhia5mkpMnE=
+gopkg.in/go-playground/validator.v9 v9.31.0 h1:bmXmP2RSNtFES+bn4uYuHT7iJFJv7Vj+an+ZQdDaD1M=
+gopkg.in/go-playground/validator.v9 v9.31.0/go.mod h1:+c9/zcJMFNgbLvly1L1V+PpxWdVbfP1avr/N00E2vyQ=
 gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
 gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
 gopkg.in/square/go-jose.v2 v2.3.1 h1:SK5KegNXmKmqE342YYN2qPHEnUYeoMiXXl1poUlI+o4=

internal/authorization/authorizer.go

@@ -1,5 +1,5 @@
 package authorization
 
 type Authorizer interface {
-	Authorize(user User, requestVerb, requestResource string) (bool, error)
+	Authorize(m map[string]interface{}) (bool, error)
 }

internal/authorization/groupmemberof/groupmemberof.go

@@ -0,0 +1,46 @@
+package groupmemberof
+
+import (
+	"strings"
+
+	"github.com/go-playground/validator/v10"
+)
+
+// Authorize function interface methods
+func Authorize(m map[string]interface{}) (bool, error) {
+
+	validate := validator.New()
+
+	split := m["groupsMemberOf"].(string)
+	groupsMemberOf := strings.Split(split, " ")
+	errs := validate.Var(groupsMemberOf, "omitempty,required,min=1")
+	if errs != nil {
+		return false, errs
+	}
+
+	userGroups := m["userGroups"].([]string)
+	errs = validate.Var(userGroups, "omitempty,required,min=1")
+	if errs != nil {
+		return false, errs
+	}
+
+	found := Find(userGroups, groupsMemberOf)
+	if found {
+		return true, nil
+	}
+
+	return false, nil
+}
+
+// Find function utility
+func Find(groupsOIDC []string, groupsMemberOf []string) bool {
+
+	for _, oidc := range groupsOIDC {
+		for _, memberof := range groupsMemberOf {
+			if oidc == memberof {
+				return true
+			}
+		}
+	}
+	return false
+}

internal/authorization/groupmemberof/groupmemberof_test.go

@@ -0,0 +1,36 @@
+package groupmemberof
+
+import (
+	"testing"
+
+	"gotest.tools/assert"
+)
+
+type testCase struct {
+	userGroups     []string
+	groupsMemberOf string
+	should         bool
+}
+
+func TestGroupMemberOfAuthorizer_Authorize(t *testing.T) {
+
+	groupsMemberOf := "admin user"
+
+	userGroups1 := []string{"admin", "user", "group"}
+	userGroups2 := []string{"admin1", "user1"}
+
+	tests := []testCase{
+		testCase{userGroups: userGroups1, groupsMemberOf: groupsMemberOf, should: true},
+		testCase{userGroups: userGroups2, groupsMemberOf: groupsMemberOf, should: false},
+	}
+
+	for _, test := range tests {
+		m := map[string]interface{}{
+			"userGroups":     test.userGroups,
+			"groupsMemberOf": test.groupsMemberOf,
+		}
+
+		result, _ := Authorize(m)
+		assert.Equal(t, result, test.should)
+	}
+}

internal/authorization/rbac/rbac.go

@@ -107,7 +107,12 @@ func (ra *RBACAuthorizer) GetRoles(user authorization.User) (*rbacv1.ClusterRole
 }
 
 // Interface methods
-func (ra *RBACAuthorizer) Authorize(user authorization.User, requestVerb, requestResource string) (bool, error) {
+func (ra *RBACAuthorizer) Authorize(m map[string]interface{}) (bool, error) {
+
+	user := m["user"].(authorization.User)
+	requestVerb := m["requestVerb"].(string)
+	requestResource := m["requestResource"].(string)
+
 	roles, err := ra.GetRoles(user)
 	if err != nil {
 		return false, err

internal/authorization/rbac/rbac_test.go

@@ -133,7 +133,12 @@ func TestRBACAuthorizer_Authorize(t *testing.T) {
 	a := getRBACAuthorizer(roles, bindings)
 
 	for _, test := range tests {
-		result, err := a.Authorize(test.user, test.verb, test.url)
+		m := map[string]interface{}{
+			"user":            test.user,
+			"requestVerb":     test.verb,
+			"requestResource": test.url,
+		}
+		result, err := a.Authorize(m)
 		assert.NilError(t, err)
 		assert.Equal(t, result, test.should)
 	}

internal/config.go

@@ -54,6 +54,7 @@ type Config struct {
 	GroupClaimPrefix        string               `long:"group-claim-prefix" env:"GROUP_CLAIM_PREFIX" default:"oidc:" description:"prefix oidc group claims with this value"`
 	SessionKey              string               `long:"session-key" env:"SESSION_KEY" description:"A session key used to encrypt browser sessions"`
 	GroupsAttributeName     string               `long:"groups-attribute-name" env:"GROUPS_ATTRIBUTE_NAME" default:"groups" description:"Map the correct attribute that contain the user groups"`
+	GroupsMemberOf          string               `long:"groups-member-of" env:"GROUPS_MEMBER_OF" description:"List of groups that the user must be member, at least one"`
 
 	// RBAC
 	EnableRBAC       bool               `long:"enable-rbac" env:"ENABLE_RBAC" description:"Indicates that RBAC support should be enabled"`

internal/server.go

@@ -9,6 +9,7 @@ import (
 	"github.com/containous/traefik/pkg/rules"
 	"github.com/coreos/go-oidc"
 	"github.com/gorilla/sessions"
+	"github.com/mesosphere/traefik-forward-auth/internal/authorization/groupmemberof"
 	"github.com/mesosphere/traefik-forward-auth/internal/authorization/rbac"
 	"github.com/sirupsen/logrus"
 	"golang.org/x/oauth2"
@@ -162,8 +163,13 @@ func (s *Server) AuthHandler(rule string) http.HandlerFunc {
 		if config.EnableRBAC && !s.authzIsBypassed(r) {
 			kubeUserInfo := s.getModifiedUserInfo(email, groups)
 
-			logger.Debugf("authorizing user: %s, groups: %s", kubeUserInfo.Name, kubeUserInfo.Groups)
-			authorized, err := s.authorizer.Authorize(kubeUserInfo, r.Method, r.URL.Path)
+			logger.Debugf("rbac authorizing user: %s, groups: %s", kubeUserInfo.Name, kubeUserInfo.Groups)
+			m := map[string]interface{}{
+				"user":            kubeUserInfo,
+				"requestVerb":     r.Method,
+				"requestResource": r.URL.Path,
+			}
+			authorized, err := s.authorizer.Authorize(m)
 			if err != nil {
 				logger.Errorf("error while authorizing %s: %v", kubeUserInfo, err)
 				http.Error(w, "Bad Gateway", 502)
@@ -178,6 +184,29 @@ func (s *Server) AuthHandler(rule string) http.HandlerFunc {
 			logger.Infof("user %s is authorized to `%s` in %s", kubeUserInfo.GetName(), r.Method, r.URL.Path)
 		}
 
+		if !config.EnableRBAC && config.GroupsMemberOf != "" {
+
+			logger.Debugf("group member authorizing user: %s, groups: %s", email, groups)
+			m := map[string]interface{}{
+				"userGroups":     groups,
+				"groupsMemberOf": config.GroupsMemberOf,
+			}
+
+			authorized, err := groupmemberof.Authorize(m)
+			if err != nil {
+				logger.Errorf("error while authorizing %s: %v", email, err)
+				http.Error(w, "Bad Gateway", 502)
+				return
+			}
+
+			if !authorized {
+				logger.Infof("user %s for is not authorized to `%s` in %s", email)
+				http.Error(w, "Not Authorized", 401)
+				return
+			}
+			logger.Infof("user %s is authorized to `%s` in %s", email, r.Method, r.URL.Path)
+		}
+
 		// Valid request
 		logger.Debugf("Allow request from %s", email)
 		w.Header().Set("X-Forwarded-User", email)