From 9efcebe6afafd4dad01ee9a8d3fd8e7a4ebc8bb1 Mon Sep 17 00:00:00 2001
From: abelanger5
Date: Tue, 10 Sep 2024 12:07:55 -0400
Subject: [PATCH] fix: better logic for multiple restricted domains (#860)

---
 api/v1/server/handlers/users/github_oauth_callback.go | 4 ++++
 api/v1/server/handlers/users/google_oauth_callback.go | 5 +++++
 api/v1/server/handlers/users/service.go | 9 +++++----
 api/v1/server/handlers/users/update_login.go | 6 ++++++
 pkg/config/loader/loader.go | 3 ++-
 pkg/config/server/server.go | 5 ++++-
 6 files changed, 26 insertions(+), 6 deletions(-)

diff --git a/api/v1/server/handlers/users/github_oauth_callback.go b/api/v1/server/handlers/users/github_oauth_callback.go
index 614c3a83c..10d20e5b1 100644
--- a/api/v1/server/handlers/users/github_oauth_callback.go
+++ b/api/v1/server/handlers/users/github_oauth_callback.go
@@ -38,6 +38,10 @@ func (u *UserService) UserUpdateGithubOauthCallback(ctx echo.Context, _ gen.User
 	user, err := u.upsertGithubUserFromToken(u.config, token)
 	if err != nil {
+		if errors.Is(err, ErrNotInRestrictedDomain) {
+			return nil, redirect.GetRedirectWithError(ctx, u.config.Logger, err, "Email is not in the restricted domain group.")
+		}
+
 		if errors.Is(err, ErrGithubNotVerified) {
 			return nil, redirect.GetRedirectWithError(ctx, u.config.Logger, err, "Please verify your email on Github.")
 		}
diff --git a/api/v1/server/handlers/users/google_oauth_callback.go b/api/v1/server/handlers/users/google_oauth_callback.go
index 594729b1d..e257ff56a 100644
--- a/api/v1/server/handlers/users/google_oauth_callback.go
+++ b/api/v1/server/handlers/users/google_oauth_callback.go
@@ -3,6 +3,7 @@ package users
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"io"
 	"net/http"
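Review bot: The literal `"Email is not in the restricted domain group."` introduced in the new branch is repeated verbatim in google_oauth_callback.go and update_login.go in this same commit, so the three rejections will drift apart the next time the wording changes. Since service.go now defines `ErrNotInRestrictedDomain`, a package-level constant beside it, `const msgNotInRestrictedDomain = "Email is not in the restricted domain group."`, would let all three handlers share one user-facing string. The new check is otherwise consistent with the existing `ErrGithubNotVerified` handling that follows it. UserUpdateGithubOauthCallback's body continues outside the hunk.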
@@ -39,6 +40,10 @@ func (u *UserService) UserUpdateGoogleOauthCallback(ctx echo.Context, _ gen.User
 	user, err := u.upsertGoogleUserFromToken(u.config, token)
 	if err != nil {
+		if errors.Is(err, ErrNotInRestrictedDomain) {
+			return nil, redirect.GetRedirectWithError(ctx, u.config.Logger, err, "Email is not in the restricted domain group.")
+		}
+
 		return nil, redirect.GetRedirectWithError(ctx, u.config.Logger, err, "Internal error.")
 	}
diff --git a/api/v1/server/handlers/users/service.go b/api/v1/server/handlers/users/service.go
index a3be6639e..f87f29bb6 100644
--- a/api/v1/server/handlers/users/service.go
+++ b/api/v1/server/handlers/users/service.go
@@ -2,7 +2,6 @@ package users
 import (
 	"errors"
-	"fmt"
 	"strings"
 	"github.com/hatchet-dev/hatchet/pkg/config/server"
@@ -19,7 +18,7 @@ func NewUserService(config *server.ServerConfig) *UserService {
 }
 func (u *UserService) checkUserRestrictionsForEmail(conf *server.ServerConfig, email string) error {
-	if len(conf.Auth.ConfigFile.RestrictedEmailDomains) == 0 {
+	if len(conf.Auth.RestrictedEmailDomains) == 0 {
 		return nil
 	}
@@ -34,16 +33,18 @@ func (u *UserService) checkUserRestrictionsForEmail(conf *server.ServerConfig, e
 	return u.checkUserRestrictions(conf, domain)
 }
+var ErrNotInRestrictedDomain = errors.New("email is not in the restricted domain group")
+
 func (u *UserService) checkUserRestrictions(conf *server.ServerConfig, emailDomain string) error {
 	if len(conf.Auth.ConfigFile.RestrictedEmailDomains) == 0 {
 		return nil
 	}
-	for _, domain := range conf.Auth.ConfigFile.RestrictedEmailDomains {
+	for _, domain := range conf.Auth.RestrictedEmailDomains {
 		if domain == emailDomain {
 			return nil
 		}
 	}
-	return fmt.Errorf("email is not in the restricted domain group")
+	return ErrNotInRestrictedDomain
 }
diff --git a/api/v1/server/handlers/users/update_login.go b/api/v1/server/handlers/users/update_login.go
index 7ddd31a3f..e5037a103 100644
--- a/api/v1/server/handlers/users/update_login.go
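Review bot: The early-return guard at the top of checkUserRestrictions still reads `conf.Auth.ConfigFile.RestrictedEmailDomains`, while the loop below it now ranges over `conf.Auth.RestrictedEmailDomains`; because this commit also changes the ConfigFile field to a `string` (pkg/config/server/server.go), `len()` here is now the byte length of the raw config value, not the number of parsed domains. When the raw value is non-empty but the parsed slice is empty, the loop never matches and every login is rejected with ErrNotInRestrictedDomain — fail-closed, but inconsistent with the guard in checkUserRestrictionsForEmail in the previous hunk. Use `if len(conf.Auth.RestrictedEmailDomains) == 0 {` so both functions consult the parsed list. The match `domain == emailDomain` is also case-sensitive; unless the domain is lowercased before the call (not visible here), `strings.EqualFold(domain, emailDomain)` would avoid rejecting an upper-cased domain that is on the allow list, and strings is already imported in this file. The new exported sentinel also needs a doc comment, e.g. `// ErrNotInRestrictedDomain is returned when an email's domain is not in AuthConfig.RestrictedEmailDomains.`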
+++ b/api/v1/server/handlers/users/update_login.go
@@ -29,6 +29,12 @@ func (u *UserService) UserUpdateLogin(ctx echo.Context, request gen.UserUpdateLo
 		return gen.UserUpdateLogin400JSONResponse(*apiErrors), nil
 	}
+	if err := u.checkUserRestrictionsForEmail(u.config, string(request.Body.Email)); err != nil {
+		return gen.UserUpdateLogin401JSONResponse(
+			apierrors.NewAPIErrors("Email is not in the restricted domain group."),
+		), nil
+	}
+
 	// determine if the user exists before attempting to write the user
 	existingUser, err := u.config.APIRepository.User().GetUserByEmail(string(request.Body.Email))
 	if err != nil {
diff --git a/pkg/config/loader/loader.go b/pkg/config/loader/loader.go
index 1dd97988c..8b24599b6 100644
--- a/pkg/config/loader/loader.go
+++ b/pkg/config/loader/loader.go
@@ -331,7 +331,8 @@ func GetServerConfigFromConfigfile(dc *database.Config, cf *server.ServerConfigF
 	}
 	auth := server.AuthConfig{
-		ConfigFile: cf.Auth,
+		RestrictedEmailDomains: getStrArr(cf.Auth.RestrictedEmailDomains),
+		ConfigFile: cf.Auth,
 	}
 	if cf.Auth.Google.Enabled {
diff --git a/pkg/config/server/server.go b/pkg/config/server/server.go
index ebaf8b4b1..fa9051f78 100644
--- a/pkg/config/server/server.go
+++ b/pkg/config/server/server.go
@@ -223,7 +223,8 @@ type EncryptionConfigFileCloudKMS struct {
 type ConfigFileAuth struct {
 	// RestrictedEmailDomains sets the restricted email domains for the instance.
-	RestrictedEmailDomains []string `mapstructure:"restrictedEmailDomains" json:"restrictedEmailDomains,omitempty"`
+	// NOTE: do not use this on the server from the config file.
+	RestrictedEmailDomains string `mapstructure:"restrictedEmailDomains" json:"restrictedEmailDomains,omitempty"`
 	// BasedAuthEnabled controls whether email and password-based login is enabled for this
 	// Hatchet instance
@@ -302,6 +303,8 @@ type PostmarkConfigFile struct {
 }
 type AuthConfig struct {
+	RestrictedEmailDomains []string
+
 	ConfigFile ConfigFileAuth
 	GoogleOAuthConfig *oauth2.Config
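Review bot: The error returned by checkUserRestrictionsForEmail is discarded in the new block, so any failure from that helper — not only ErrNotInRestrictedDomain — is reported to the client as a restricted-domain rejection, and nothing is logged for the denied attempt. The OAuth callbacks in this same commit distinguish the sentinel with errors.Is; doing the same here, `if errors.Is(err, ErrNotInRestrictedDomain) {` around the 401 return and falling through to the handler's usual internal-error path otherwise, keeps the three entry points consistent (add the `errors` import if update_login.go lacks it). Recording the rejected domain through u.config.Logger before returning would also give operators an audit trail for blocked logins. UserUpdateLogin's body starts and ends outside the hunk.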
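Review bot: The parsed list is built with `getStrArr(cf.Auth.RestrictedEmailDomains)`, whose splitting and trimming rules are not visible in this hunk, yet checkUserRestrictions compares each entry to the login's domain with `==`. If getStrArr does not trim whitespace and lowercase entries, a config value written with spaces after the separator would silently allow only the first domain. Normalizing at load time is the cheapest place to fix that, e.g. mapping each entry through `strings.ToLower(strings.TrimSpace(d))` before storing it, and a short comment on the assignment naming the separator getStrArr expects would document the format for operators. GetServerConfigFromConfigfile's body starts and ends outside the hunk.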
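Review bot: Changing ConfigFileAuth.RestrictedEmailDomains from `[]string` to `string` is a breaking change for any existing configuration file or JSON body that supplies a list under `restrictedEmailDomains`; the commit subject does not mention it, and the field comment still says it "sets the restricted email domains" without stating the expected format. Expand the comment so readers know both the wire format and where the parsed value lives, e.g. `// RestrictedEmailDomains is the raw, delimiter-separated list of allowed email domains as written in the config file; server code must read the parsed AuthConfig.RestrictedEmailDomains instead.` The added `NOTE: do not use this on the server from the config file.` reads ambiguously, since "from the config file" can be taken as qualifying the server, and is better folded into that sentence. The guard in checkUserRestrictions (service.go, third hunk) still reads this field and should be updated in the same change. ConfigFileAuth's definition continues outside the hunk.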