

chore: skip domain restrictions to service accounts (#12473)
d-bytebase committed Jun 21, 2024
1 parent 4f15158 commit b22ffe4
Showing 2 changed files with 11 additions and 7 deletions.
16 changes: 10 additions & 6 deletions backend/api/v1/auth_service.go
Expand Up @@ -163,7 +163,7 @@ func (s *AuthService) CreateUser(ctx context.Context, request *v1pb.CreateUserRe
if setting.EnforceIdentityDomain {
allowedDomains = setting.Domains
}
if err := validateEmail(request.User.Email, allowedDomains); err != nil {
if err := validateEmail(request.User.Email, allowedDomains, principalType == api.ServiceAccount); err != nil {
return nil, status.Errorf(codes.InvalidArgument, "invalid email %q, error: %v", request.User.Email, err)
}
existingUser, err := s.store.GetUserByEmail(ctx, request.User.Email)
Expand Down Expand Up @@ -294,7 +294,7 @@ func (s *AuthService) UpdateUser(ctx context.Context, request *v1pb.UpdateUserRe
if setting.EnforceIdentityDomain {
allowedDomains = setting.Domains
}
if err := validateEmail(request.User.Email, allowedDomains); err != nil {
if err := validateEmail(request.User.Email, allowedDomains, user.Type == api.ServiceAccount); err != nil {
return nil, status.Errorf(codes.InvalidArgument, "invalid email %q, error: %v", request.User.Email, err)
}
user, err := s.store.GetUserByEmail(ctx, request.User.Email)
Expand Down Expand Up @@ -660,7 +660,7 @@ func (s *AuthService) Login(ctx context.Context, request *v1pb.LoginRequest) (*v
if setting.EnforceIdentityDomain {
allowedDomains = setting.Domains
}
if err := validateEmail(loginUser.Email, allowedDomains); err != nil {
if err := validateEmail(loginUser.Email, allowedDomains, loginUser.Type == api.ServiceAccount); err != nil {
return nil, status.Errorf(codes.InvalidArgument, "invalid email %q, error: %v", loginUser.Email, err)
}

Expand Down Expand Up @@ -839,7 +839,7 @@ func (s *AuthService) getOrCreateUserWithIDP(ctx context.Context, request *v1pb.
if setting.EnforceIdentityDomain {
allowedDomains = setting.Domains
}
if err := validateEmail(email, allowedDomains); err != nil {
if err := validateEmail(email, allowedDomains, false /* isServiceAccount */); err != nil {
// If the email is invalid, we will try to use the domain and identifier to construct the email.
if idp.Domain != "" {
domain := extractDomain(idp.Domain)
Expand All @@ -848,7 +848,7 @@ func (s *AuthService) getOrCreateUserWithIDP(ctx context.Context, request *v1pb.
}

// If the email is still invalid, we will return an error.
if err := validateEmail(email, allowedDomains); err != nil {
if err := validateEmail(email, allowedDomains, false /* isServiceAccount */); err != nil {
return nil, status.Errorf(codes.InvalidArgument, "invalid email %q, error: %v", email, err)
}
user, err := s.store.GetUserByEmail(ctx, email)
Expand Down Expand Up @@ -911,14 +911,18 @@ func (s *AuthService) challengeRecoveryCode(ctx context.Context, user *store.Use
return status.Errorf(codes.Unauthenticated, "invalid recovery code")
}

func validateEmail(email string, allowedDomains []string) error {
func validateEmail(email string, allowedDomains []string, isServiceAccount bool) error {
formattedEmail := strings.ToLower(email)
if email != formattedEmail {
return errors.New("email should be lowercase")
}
if _, err := mail.ParseAddress(email); err != nil {
return err
}
// Domain restrictions are not applied to service account.
if isServiceAccount {
return nil
}
// Enforce domain restrictions.
if len(allowedDomains) > 0 {
ok := false
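Review bot: The early `return nil` added to validateEmail turns the service-account flag into a complete bypass of EnforceIdentityDomain, and in CreateUser that flag is derived from the request's `principalType`, so whoever may create a service account can now mint an address at any domain, including one that resembles a human user at an outside organization; nothing in these hunks shows that authority being checked separately. Rather than exempting service accounts from every domain rule, consider pinning them to a reserved suffix when one exists in this codebase (not visible here), e.g. `if isServiceAccount { if !strings.HasSuffix(email, serviceAccountSuffix) { return errors.New("service account email must use the reserved suffix") }; return nil }`, so the exemption cannot produce look-alike addresses. UpdateUser gates on the stored `user.Type`, which is the right source, but if the type can later be switched from service account to end user the out-of-domain address would survive that change; worth confirming in the update path. validateEmail should also document the contract it now has, e.g. `// validateEmail requires a lowercase, parsable address; the allowedDomains restriction applies only to end users — service accounts are exempt by design.` The body of validateEmail continues below the hunk.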
2 changes: 1 addition & 1 deletion backend/api/v1/user_group_service.go
Expand Up @@ -77,7 +77,7 @@ func (s *UserGroupService) CreateUserGroup(ctx context.Context, request *v1pb.Cr
if len(setting.Domains) == 0 {
return nil, status.Errorf(codes.FailedPrecondition, "workspace domain is required for creating user groups")
}
if err := validateEmail(groupMessage.Email, setting.Domains); err != nil {
if err := validateEmail(groupMessage.Email, setting.Domains, false /* isServiceAccount */); err != nil {
return nil, status.Errorf(codes.InvalidArgument, "invalid email %q, error: %v", groupMessage.Email, err)
}

