Add Github organization restriction to authentication

2017-01-05 11:29:26 -06:00 · 2017-01-05 11:29:26 -06:00 · bc3a0e1b3d
parent 3da8375e77
commit bc3a0e1b3d
7 changed files with 127 additions and 41 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,8 @@

 ### Upcoming Bug Fixes
 ### Upcoming Features
+  1. [#660](https://github.com/influxdata/chronograf/issues/660): Add option to accept any certificate from InfluxDB.
+  1. [#733](https://github.com/influxdata/chronograf/pull/733): Add optional Github organization membership checks to authentication
 
 ## v1.1.0-beta5 [2017-01-05]

--- a/README.md
+++ b/README.md
@ -83,8 +83,6 @@ Please open [an issue](https://github.com/influxdata/chronograf/issues/new)!

 The Chronograf team has identified and is working on the following issues:

-* Chronograf's [OAuth 2.0 Style Authentication](https://github.com/influxdata/chronograf/blob/master/docs/auth.md) allows all users to authenticate with any GitHub account.
-It does not yet offer any additional security or allow administrators to whitelist users or organizations.
 * Currently, Chronograf requires users to run Telegraf's [CPU](https://github.com/influxdata/telegraf/blob/master/plugins/inputs/system/CPU_README.md) and [system](https://github.com/influxdata/telegraf/blob/master/plugins/inputs/system/SYSTEM_README.md) plugins to ensure that all Apps appear on the [HOST LIST](https://github.com/influxdata/chronograf/blob/master/docs/GETTING_STARTED.md#host-list) page.

 ## Installation
--- a/docs/auth.md
+++ b/docs/auth.md
@ -41,6 +41,21 @@ user authorization. If you are running multiple chronograf servers in an HA conf
 export TOKEN_SECRET=supersupersecret
 ```

+#### Optional Github Organizations
+
+To require an organization membership for a user, set the `GH_ORGS` environment variables
+```sh
+export GH_ORGS=biffs-gang
+```
+
+If the user is not a member, then the user will not be allowed access.
+
+To support multiple organizations use a comma delimted list like so:
+
+```sh
+export GH_ORGS=hill-valley-preservation-sociey,the-pinheads
+```
+
 ### Design

 The Chronograf authentication scheme is a standard [web application](https://developer.github.com/v3/oauth/#web-application-flow) OAuth flow.
--- a/server/dashboards.go
+++ b/server/dashboards.go
@ -131,7 +131,7 @@ func (s *Service) UpdateDashboard(w http.ResponseWriter, r *http.Request) {

 	_, err = s.DashboardsStore.Get(ctx, id)
 	if err != nil {
-		Error(w, http.StatusNotFound, fmt.Sprintf("ID %s not found", id), s.Logger)
+		Error(w, http.StatusNotFound, fmt.Sprintf("ID %d not found", id), s.Logger)
 		return
 	}

@ -148,7 +148,7 @@ func (s *Service) UpdateDashboard(w http.ResponseWriter, r *http.Request) {
 	}

 	if err := s.DashboardsStore.Update(ctx, req); err != nil {
-		msg := fmt.Sprintf("Error updating dashboard ID %s: %v", id, err)
+		msg := fmt.Sprintf("Error updating dashboard ID %d: %v", id, err)
 		Error(w, http.StatusInternalServerError, msg, s.Logger)
 		return
 	}
--- a/server/github.go
+++ b/server/github.go
@ -46,17 +46,23 @@ type Github struct {
 	Scopes        []string
 	SuccessURL    string   // SuccessURL is redirect location after successful authorization
 	FailureURL    string   // FailureURL is redirect location after authorization failure
+	Orgs          []string // Optional github organization checking
 	Now           func() time.Time
 	Logger        chronograf.Logger
 }

 // NewGithub constructs a Github with default cookie behavior and scopes.
-func NewGithub(clientID, clientSecret, successURL, failureURL string, auth chronograf.Authenticator, log chronograf.Logger) Github {
+func NewGithub(clientID, clientSecret, successURL, failureURL string, orgs []string, auth chronograf.Authenticator, log chronograf.Logger) Github {
+	scopes := []string{"user:email"}
+	if len(orgs) > 0 {
+		scopes = append(scopes, "read:org")
+	}
 	return Github{
 		ClientID:      clientID,
 		ClientSecret:  clientSecret,
 		Cookie:        NewCookie(),
-		Scopes:        []string{"user:email"},
+		Scopes:        scopes,
+		Orgs:          orgs,
 		SuccessURL:    successURL,
 		FailureURL:    failureURL,
 		Authenticator: auth,
@ -151,24 +157,26 @@ func (g *Github) Callback() http.HandlerFunc {

 		oauthClient := conf.Client(r.Context(), token)
 		client := github.NewClient(oauthClient)
-
-		emails, resp, err := client.Users.ListEmails(nil)
+		// If we need to restrict to a set of organizations, we first get the org
+		// and filter.
+		if len(g.Orgs) > 0 {
+			orgs, err := getOrganizations(client, log)
 			if err != nil {
-			switch resp.StatusCode {
-			case http.StatusUnauthorized, http.StatusForbidden:
-				log.Error("OAuth access to email address forbidden ", err.Error())
-			default:
-				log.Error("Unable to retrieve Github email ", err.Error())
-			}
-
 				http.Redirect(w, r, g.FailureURL, http.StatusTemporaryRedirect)
 				return
 			}
-
-		email, err := primaryEmail(emails)
-		if err != nil {
-			log.Error("Unable to retrieve primary Github email ", err.Error())
+			// Not a member, so, deny permission
+			if ok := isMember(g.Orgs, orgs); !ok {
+				log.Error("Not a member of required github organization")
 				http.Redirect(w, r, g.FailureURL, http.StatusTemporaryRedirect)
+				return
+			}
+		}
+
+		email, err := getPrimaryEmail(client, log)
+		if err != nil {
+			http.Redirect(w, r, g.FailureURL, http.StatusTemporaryRedirect)
+			return
 		}

 		// We create an auth token that will be used by all other endpoints to validate the principal has a claim
@ -176,6 +184,7 @@ func (g *Github) Callback() http.HandlerFunc {
 		if err != nil {
 			log.Error("Unable to create cookie auth token ", err.Error())
 			http.Redirect(w, r, g.FailureURL, http.StatusTemporaryRedirect)
+			return
 		}

 		expireCookie := time.Now().UTC().Add(g.Cookie.Duration)
@ -200,6 +209,66 @@ func randomString(length int) string {
 	return base64.StdEncoding.EncodeToString(k)
 }

+func logResponseError(log chronograf.Logger, resp *github.Response, err error) {
+	switch resp.StatusCode {
+	case http.StatusUnauthorized, http.StatusForbidden:
+		log.Error("OAuth access to email address forbidden ", err.Error())
+	default:
+		log.Error("Unable to retrieve Github email ", err.Error())
+	}
+}
+
+// isMember makes sure that the user is in one of the required organizations
+func isMember(requiredOrgs []string, userOrgs []*github.Organization) bool {
+	for _, requiredOrg := range requiredOrgs {
+		for _, userOrg := range userOrgs {
+			if userOrg.Login != nil && *userOrg.Login == requiredOrg {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// getOrganizations gets all organization for the currently authenticated user
+func getOrganizations(client *github.Client, log chronograf.Logger) ([]*github.Organization, error) {
+	// Get all pages of results
+	var allOrgs []*github.Organization
+	for {
+		opt := &github.ListOptions{
+			PerPage: 10,
+		}
+		// Get the organizations for the current authenticated user.
+		orgs, resp, err := client.Organizations.List("", opt)
+		if err != nil {
+			logResponseError(log, resp, err)
+			return nil, err
+		}
+		allOrgs = append(allOrgs, orgs...)
+		if resp.NextPage == 0 {
+			break
+		}
+		opt.Page = resp.NextPage
+	}
+	return allOrgs, nil
+}
+
+// getPrimaryEmail gets the primary email account for the authenticated user.
+func getPrimaryEmail(client *github.Client, log chronograf.Logger) (string, error) {
+	emails, resp, err := client.Users.ListEmails(nil)
+	if err != nil {
+		logResponseError(log, resp, err)
+		return "", err
+	}
+
+	email, err := primaryEmail(emails)
+	if err != nil {
+		log.Error("Unable to retrieve primary Github email ", err.Error())
+		return "", err
+	}
+	return email, nil
+}
+
 func primaryEmail(emails []*github.UserEmail) (string, error) {
 	for _, m := range emails {
 		if m != nil && m.Primary != nil && m.Verified != nil && m.Email != nil {
--- a/server/mux.go
+++ b/server/mux.go
@ -25,6 +25,7 @@ type MuxOpts struct {
 	TokenSecret        string   // TokenSecret is the JWT secret
 	GithubClientID     string   // GithubClientID is the GH OAuth id
 	GithubClientSecret string   // GithubClientSecret is the GH OAuth secret
+	GithubOrgs         []string // GithubOrgs is the list of organizations a user my be a member of
 }

 // NewMux attaches all the route handlers; handler returned servers chronograf.
@ -136,6 +137,7 @@ func AuthAPI(opts MuxOpts, router *httprouter.Router) http.Handler {
 		opts.GithubClientSecret,
 		successURL,
 		failureURL,
+		opts.GithubOrgs,
 		&auth,
 		opts.Logger,
 	)
--- a/server/server.go
+++ b/server/server.go
@ -43,12 +43,11 @@ type Server struct {
 	TokenSecret        string   `short:"t" long:"token-secret" description:"Secret to sign tokens" env:"TOKEN_SECRET"`
 	GithubClientID     string   `short:"i" long:"github-client-id" description:"Github Client ID for OAuth 2 support" env:"GH_CLIENT_ID"`
 	GithubClientSecret string   `short:"s" long:"github-client-secret" description:"Github Client Secret for OAuth 2 support" env:"GH_CLIENT_SECRET"`
+	GithubOrgs         []string `short:"o" long:"github-organization" description:"Github organization user is required to have active membership" env:"GH_ORGS" env-delim:","`
 	ReportingDisabled  bool     `short:"r" long:"reporting-disabled" description:"Disable reporting of usage stats (os,arch,version,cluster_id,uptime) once every 24hr" env:"REPORTING_DISABLED"`
 	LogLevel           string   `short:"l" long:"log-level" value-name:"choice" choice:"debug" choice:"info" choice:"warn" choice:"error" choice:"fatal" choice:"panic" default:"info" description:"Set the logging level" env:"LOG_LEVEL"`
-
 	ShowVersion        bool     `short:"v" long:"version" description:"Show Chronograf version info"`
 	BuildInfo          BuildInfo
-
 	Listener           net.Listener
 	handler            http.Handler
 }
@ -72,6 +71,7 @@ func (s *Server) Serve() error {
 		TokenSecret:        s.TokenSecret,
 		GithubClientID:     s.GithubClientID,
 		GithubClientSecret: s.GithubClientSecret,
+		GithubOrgs:         s.GithubOrgs,
 		Logger:             logger,
 		UseAuth:            s.useAuth(),
 	}, service)