Merge pull request #1 from kentaro/authenticator

Add support for GitHub

Author: typester

README.md

@@ -1,8 +1,8 @@
 # "gate" for your private resources
 
-gate is a static file server and reverse proxy integrated with google account authentications.
+gate is a static file server and reverse proxy integrated with OAuth2 account authentication.
 
-With gate, you can safely serve your private resources with your company google apps authenticaiton.
+With gate, you can safely serve your private resources based on whether or not request user is a member of your company's Google Apps or GitHub organizations.
 
 ## Usage
 
@@ -26,15 +26,20 @@ auth:
     # authentication key for cookie store
     key: secret123
 
-  google:
-    # your google app keys
+  info:
+    # oauth2 provider name (`google` or `github`)
+    service: google
+    # your app keys for the service
     client_id: your client id
     client_secret: your client secret
-    # your google app redirect_url: path is always "/oauth2callback"
+    # your app redirect_url for the service: if the service is Google, path is always "/oauth2callback"
     redirect_url: https://yourapp.example.com/oauth2callback
 
-# # restrict domain. (optional)
-# domain: yourdomain.com
+# # restrict user request. (optional)
+# restrictions:
+#   - yourdomain.com    # domain of your Google App (Google)
+#   - [email protected] # specific email address (same as above)
+#   - your_company_org  # organization name (GitHub)
 
 # document root for static files
 htdocs: ./
@@ -48,7 +53,44 @@ proxy:
   - path: /influxdb
     dest: http://127.0.0.1:8086
     strip_path: yes
+```
+
+## Authentication Strategy
+
+gate now supports Google Apps and GitHub to authenticate users.
+
+### Example config for Google
+
+```yaml
+auth:
+  info:
+    service: google
+    client_id: your client id
+    client_secret: your client secret
+    redirect_url: https://yourapp.example.com/oauth2callback
+
+# restrict user request. (optional)
+restrictions:
+  - yourdomain.com    # domain of your Google App
+  - [email protected] # specific email address
+```
+
+### Example config for GitHub
+
+Unlike the example of Google Apps above, if the `service` is GitHub, gate uses whether request user is a member of organization designated like below:
+
+```yaml
+auth:
+  info:
+    service: github
+    client_id: your client id
+    client_secret: your client secret
+    redirect_url: https://yourapp.example.com/oauth2callback
 
+# restrict user request. (optional)
+restrictions:
+  - foo_organization
+  - bar_organization
 ```
 
 ## License

authenticator.go

@@ -0,0 +1,176 @@
+package main
+
+import (
+	"encoding/json"
+	"github.com/go-martini/martini"
+	gooauth2 "github.com/golang/oauth2"
+	"github.com/martini-contrib/oauth2"
+	"io/ioutil"
+	"log"
+	"net/http"
+	"strings"
+)
+
+type Authenticator interface {
+	Authenticate([]string, martini.Context, oauth2.Tokens, http.ResponseWriter, *http.Request)
+	Handler() martini.Handler
+}
+
+func NewAuthenticator(conf *Conf) Authenticator {
+	var authenticator Authenticator
+
+	if conf.Auth.Info.Service == "google" {
+		handler := oauth2.Google(&gooauth2.Options{
+			ClientID:     conf.Auth.Info.ClientId,
+			ClientSecret: conf.Auth.Info.ClientSecret,
+			RedirectURL:  conf.Auth.Info.RedirectURL,
+			Scopes:       []string{"email"},
+		})
+		authenticator = &GoogleAuth{&BaseAuth{handler}}
+	} else if conf.Auth.Info.Service == "github" {
+		handler := oauth2.Github(&gooauth2.Options{
+			ClientID:     conf.Auth.Info.ClientId,
+			ClientSecret: conf.Auth.Info.ClientSecret,
+			RedirectURL:  conf.Auth.Info.RedirectURL,
+			Scopes:       []string{"read:org"},
+		})
+		authenticator = &GitHubAuth{&BaseAuth{handler}}
+	} else {
+		panic("unsupported authentication method")
+	}
+
+	return authenticator
+}
+
+type BaseAuth struct {
+	handler martini.Handler
+}
+
+func (b *BaseAuth) Handler() martini.Handler {
+	return b.handler
+}
+
+type GoogleAuth struct {
+	*BaseAuth
+}
+
+func (a *GoogleAuth) Authenticate(domain []string, c martini.Context, tokens oauth2.Tokens, w http.ResponseWriter, r *http.Request) {
+	extra := tokens.ExtraData()
+	if _, ok := extra["id_token"]; ok == false {
+		log.Printf("id_token not found")
+		forbidden(w)
+		return
+	}
+
+	keys := strings.Split(extra["id_token"], ".")
+	if len(keys) < 2 {
+		log.Printf("invalid id_token")
+		forbidden(w)
+		return
+	}
+
+	data, err := base64Decode(keys[1])
+	if err != nil {
+		log.Printf("failed to decode base64: %s", err.Error())
+		forbidden(w)
+		return
+	}
+
+	var info map[string]interface{}
+	if err := json.Unmarshal(data, &info); err != nil {
+		log.Printf("failed to decode json: %s", err.Error())
+		forbidden(w)
+		return
+	}
+
+	if email, ok := info["email"].(string); ok {
+		var user *User
+		if len(domain) > 0 {
+			for _, d := range domain {
+				if strings.Contains(d, "@") {
+					if d == email {
+						user = &User{email}
+					}
+				} else {
+					if strings.HasSuffix(email, "@"+d) {
+						user = &User{email}
+						break
+					}
+				}
+			}
+		} else {
+			user = &User{email}
+		}
+
+		if user != nil {
+			log.Printf("user %s logged in", email)
+			c.Map(user)
+		} else {
+			log.Printf("email doesn't allow: %s", email)
+			forbidden(w)
+			return
+		}
+	} else {
+		log.Printf("email not found")
+		forbidden(w)
+		return
+	}
+}
+
+type GitHubAuth struct {
+	*BaseAuth
+}
+
+func (a *GitHubAuth) Authenticate(organizations []string, c martini.Context, tokens oauth2.Tokens, w http.ResponseWriter, r *http.Request) {
+	if len(organizations) > 0 {
+		req, err := http.NewRequest("GET", "https://api.github.com/user/orgs", nil)
+		if err != nil {
+			log.Printf("failed to create a request to retrieve organizations: %s", err)
+			forbidden(w)
+			return
+		}
+
+		req.SetBasicAuth(tokens.Access(), "x-oauth-basic")
+
+		client := http.Client{}
+		res, err := client.Do(req)
+		if err != nil {
+			log.Printf("failed to retrieve organizations: %s", err)
+			forbidden(w)
+			return
+		}
+
+		data, err := ioutil.ReadAll(res.Body)
+		res.Body.Close()
+
+		if err != nil {
+			log.Printf("failed to read body of GitHub response: %s", err)
+			forbidden(w)
+			return
+		}
+
+		var info []map[string]interface{}
+		if err := json.Unmarshal(data, &info); err != nil {
+			log.Printf("failed to decode json: %s", err.Error())
+			forbidden(w)
+			return
+		}
+
+		for _, userOrg := range info {
+			for _, org := range organizations {
+				if userOrg["login"] == org {
+					return
+				}
+			}
+		}
+
+		log.Print("not a member of designated organizations")
+		forbidden(w)
+		return
+	}
+}
+
+func forbidden(w http.ResponseWriter) {
+	w.WriteHeader(403)
+	w.Write([]byte("Access denied"))
+}

conf.go

@@ -7,12 +7,12 @@ import (
 )
 
 type Conf struct {
-	Addr    string      `yaml:"address"`
-	SSL     SSLConf     `yaml:"ssl"`
-	Auth    AuthConf    `yaml:"auth"`
-	Domain  []string    `yaml:"domain"`
-	Proxies []ProxyConf `yaml:"proxy"`
-	Htdocs  string      `yaml:"htdocs"`
+	Addr         string      `yaml:"address"`
+	SSL          SSLConf     `yaml:"ssl"`
+	Auth         AuthConf    `yaml:"auth"`
+	Restrictions []string    `yaml:"restrictions"`
+	Proxies      []ProxyConf `yaml:"proxy"`
+	Htdocs       string      `yaml:"htdocs"`
 }
 
 type SSLConf struct {
@@ -22,14 +22,15 @@ type SSLConf struct {
 
 type AuthConf struct {
 	Session AuthSessionConf `yaml:"session"`
-	Google  AuthGoogleConf  `yaml:"google"`
+	Info    AuthInfoConf    `yaml:"info"`
 }
 
 type AuthSessionConf struct {
 	Key string `yaml:"key"`
 }
 
-type AuthGoogleConf struct {
+type AuthInfoConf struct {
+	Service      string `yaml:"service"`
 	ClientId     string `yaml:"client_id"`
 	ClientSecret string `yaml:"client_secret"`
 	RedirectURL  string `yaml:"redirect_url"`
@@ -59,14 +60,17 @@ func ParseConf(path string) (*Conf, error) {
 	if c.Auth.Session.Key == "" {
 		return nil, errors.New("auth.session.key config is required")
 	}
-	if c.Auth.Google.ClientId == "" {
-		return nil, errors.New("auth.google.client_id config is required")
+	if c.Auth.Info.Service == "" {
+		return nil, errors.New("auth.info.service config is required")
 	}
-	if c.Auth.Google.ClientSecret == "" {
-		return nil, errors.New("auth.google.client_secret config is required")
+	if c.Auth.Info.ClientId == "" {
+		return nil, errors.New("auth.info.client_id config is required")
 	}
-	if c.Auth.Google.RedirectURL == "" {
-		return nil, errors.New("auth.google.redirect_url config is required")
+	if c.Auth.Info.ClientSecret == "" {
+		return nil, errors.New("auth.info.client_secret config is required")
+	}
+	if c.Auth.Info.RedirectURL == "" {
+		return nil, errors.New("auth.info.redirect_url config is required")
 	}
 
 	if c.Htdocs == "" {

config_sample.yml

@@ -11,17 +11,20 @@ auth:
     # authentication key for cookie store
     key: secret123
 
-  google:
-    # your google app keys
+  info:
+    # oauth2 provider name (`google` or `github`)
+    service: google
+    # your app keys for the service
     client_id: your client id
     client_secret: your client secret
-    # your google app redirect_url: path is always "/oauth2callback"
+    # your app redirect_url for the service: if the service is Google, path is always "/oauth2callback"
     redirect_url: https://yourapp.example.com/oauth2callback
 
-# # restrict domain. (optional)
-# domain:
-#   - yourdomain.com    # restrict by domain
-#   - [email protected] # or specific address
+# # restrict user request. (optional)
+# restrictions:
+#   - yourdomain.com    # domain of your Google App (Google)
+#   - [email protected] # specific email address (same as above)
+#   - your_company_org  # organization name (GitHub)
 
 # document root for static files
 htdocs: ./