Extend email-domain validation with sub-domain capability (#1233)

* Extend email-domain validation with sub-domain capability * Adding the CHANGELOG entry * Fixing lint erros * Fixing lint erros * Renamed the emailDomains to allowedDomains, plus tests * Bringing together all basic test-cases * Fixing unit tests * Add unit tests to validate additional vulnerability concerns
oauth2-proxy · Jun 29, 2021 · 7a83d18 · 7a83d18
1 parent d359ab7
commit 7a83d18
Show file tree

Hide file tree

Showing 3 changed files with 323 additions and 132 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -12,7 +12,7 @@
 ## Breaking Changes
 
 ## Changes since v7.1.3
-
+- [#1233](https://github.com/oauth2-proxy/oauth2-proxy/pull/1233) Extend email-domain validation with sub-domain capability (@morarucostel)
 - [#1060](https://github.com/oauth2-proxy/oauth2-proxy/pull/1060) Implement RewriteTarget to allow requests to be rewritten before proxying to upstream servers (@JoelSpeed)
 - [#1086](https://github.com/oauth2-proxy/oauth2-proxy/pull/1086) Refresh sessions before token expiration if configured (@NickMeves)
 - [#1226](https://github.com/oauth2-proxy/oauth2-proxy/pull/1226) Move app redirection logic to its own package (@JoelSpeed)

diff --git a/validator.go b/validator.go
@@ -2,7 +2,6 @@ package main
 
 import (
 	"encoding/csv"
-	"fmt"
 	"io"
 	"os"
 	"strings"
@@ -83,17 +82,15 @@ func newValidatorImpl(domains []string, usersFile string,
 			allowAll = true
 			continue
 		}
-		domains[i] = fmt.Sprintf("@%s", strings.ToLower(domain))
+		domains[i] = strings.ToLower(domain)
 	}
 
 	validator := func(email string) (valid bool) {
 		if email == "" {
 			return
 		}
 		email = strings.ToLower(email)
-		for _, domain := range domains {
-			valid = valid || strings.HasSuffix(email, domain)
-		}
+		valid = isEmailValidWithDomains(email, domains)
 		if !valid {
 			valid = validUsers.IsValid(email)
 		}
@@ -109,3 +106,21 @@ func newValidatorImpl(domains []string, usersFile string,
 func NewValidator(domains []string, usersFile string) func(string) bool {
 	return newValidatorImpl(domains, usersFile, nil, func() {})
 }
+
+// isEmailValidWithDomains checks if the authenticated email is validated against the provided domain
+func isEmailValidWithDomains(email string, allowedDomains []string) bool {
+	for _, domain := range allowedDomains {
+		// allow if the domain is perfect suffix match with the email
+		if strings.HasSuffix(email, "@"+domain) {
+			return true
+		}
+
+		// allow if the domain is prefixed with . and
+		// the last element (split on @) has the suffix as the domain
+		atoms := strings.Split(email, "@")
+		if strings.HasPrefix(domain, ".") && strings.HasSuffix(atoms[len(atoms)-1], domain) {
+			return true
+		}
+	}
+	return false
+}