package gincloudflareaccess
import "github.com/gin-gonic/gin"
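// PrincipalInGroup reports whether the principal authenticated for the
// current request belongs to the given group.
//
// The request must already have been processed by the authenticator;
// assertRequestProcessedByAuthenticator is invoked before anything else.
//
// An empty group name imposes no restriction and yields true, so a caller
// that intends to deny must pass a concrete group rather than "". A missing
// principal, a missing identity or an identity without groups yields false.
// A group counts as a match when its Email or Id equals the query exactly
// (see groupMatches).
func PrincipalInGroup(c *gin.Context, group string) bool {
	assertRequestProcessedByAuthenticator(c)
	if group == "" {
		return true
	}
	// A single required group is the one-element case of the "any" check;
	// delegating keeps the nil/empty handling of the principal in one place.
	return principalInAnyGroups(GetPrincipal(c), []string{group})
}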
// PrincipalInAllGroups reports whether the principal authenticated for the
// current request is a member of every group named in groups.
//
// The request must already have been processed by the authenticator. An
// empty groups slice imposes no restriction and yields true; a missing
// principal or an identity without groups yields false. Entries of groups
// are compared literally, including empty strings.
func PrincipalInAllGroups(c *gin.Context, groups []string) bool {
	assertRequestProcessedByAuthenticator(c)
	if len(groups) == 0 {
		// No requirement was given, so there is nothing to deny on.
		return true
	}
	return principalInAllGroups(GetPrincipal(c), groups)
}
// PrincipalInAnyGroups reports whether the principal authenticated for the
// current request is a member of at least one group named in groups.
//
// The request must already have been processed by the authenticator. An
// empty groups slice imposes no restriction and yields true; a missing
// principal or an identity without groups yields false. Entries of groups
// are compared literally, including empty strings.
func PrincipalInAnyGroups(c *gin.Context, groups []string) bool {
	assertRequestProcessedByAuthenticator(c)
	if len(groups) == 0 {
		// No requirement was given, so there is nothing to deny on.
		return true
	}
	return principalInAnyGroups(GetPrincipal(c), groups)
}
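// principalInAllGroups reports whether principal is a member of every group
// named in groups.
//
// An empty groups slice yields true (no requirement). A nil principal, a nil
// identity or an identity with no groups yields false. Each required group
// is matched against the identity's groups with groupMatches (exact match on
// Email or Id), and the search stops at the first requirement that is not
// satisfied.
func principalInAllGroups(principal *CloudflareAccessPrincipal, groups []string) bool {
	if len(groups) == 0 {
		return true
	}
	// len() of a nil slice is 0, so one length check covers both a nil and
	// an empty group list on the identity.
	if principal == nil || principal.Identity == nil || len(principal.Identity.Groups) == 0 {
		return false
	}
	for _, required := range groups {
		found := false
		for _, candidate := range principal.Identity.Groups {
			if groupMatches(&candidate, required) {
				found = true
				break
			}
		}
		if !found {
			// One unmet requirement is enough to deny; no need to keep looking.
			return false
		}
	}
	return true
}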
// principalInAnyGroups reports whether principal is a member of at least one
// group named in groups.
//
// An empty groups slice yields true (no requirement). A nil principal, a nil
// identity or an identity with no groups yields false. Matching uses
// groupMatches (exact match on Email or Id); the first matching pair decides
// the result.
func principalInAnyGroups(principal *CloudflareAccessPrincipal, groups []string) bool {
	if len(groups) == 0 {
		return true
	}
	if principal == nil || principal.Identity == nil || len(principal.Identity.Groups) == 0 {
		return false
	}
	// Walk the identity's groups once and test each against every query;
	// any single match is sufficient.
	for _, held := range principal.Identity.Groups {
		for _, wanted := range groups {
			if groupMatches(&held, wanted) {
				return true
			}
		}
	}
	return false
}
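// groupMatches reports whether group satisfies query.
//
// A query is satisfied by an exact, case-sensitive comparison against either
// the group's Email or its Id; no trimming or case folding is applied, so the
// identifier must be supplied exactly as it appears on the identity. Note
// that an empty query matches any group whose Email or Id is itself empty;
// the exported entry points treat an empty single group name as "no
// restriction", but entries inside a groups slice are compared literally.
// A nil group never matches.
func groupMatches(group *CloudflareIdentityGroup, query string) bool {
	if group == nil {
		return false
	}
	return group.Email == query || group.Id == query
}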