Check API ACL for GitHub OIDC auth

oursky · Jul 18, 2023 · 15634fa · 15634fa
1 parent b4da2fb
commit 15634fa
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 17 deletions.
diff --git a/internal/handler/controller/auth_github_oidc.go b/internal/handler/controller/auth_github_oidc.go
@@ -57,6 +57,11 @@ func (c *Controller) handleAuthGithubOIDC(w http.ResponseWriter, r *http.Request
 		credentials = append(credentials, models.CredentialGitHubRepositoryActions(oidcClaims.Repository))
 	}
 
+	if err := c.checkACL(r, credentials); err != nil {
+		writeResponse(w, nil, models.ErrInvalidCredentials)
+		return
+	}
+
 	log(r).Info("github actions authenticated",
 		zap.String("subject", oidcClaims.Subject),
 		zap.String("token_id", oidcClaims.ID),

diff --git a/internal/handler/controller/auth_github_ssh.go b/internal/handler/controller/auth_github_ssh.go
@@ -55,23 +55,9 @@ func (c *Controller) handleAuthGithubSSHConn(conn *websocket.Conn) {
 				return nil, fmt.Errorf("unknown public key for %q", meta.User())
 			}
 
-			if c.Config.ACL != nil {
-				acl, err := c.Config.ACL.Get(conn.Request().Context())
-				if err != nil {
-					return nil, fmt.Errorf("access denied")
-				}
-
-				creds := []models.CredentialID{models.CredentialGitHubUser(meta.User())}
-				creds = appendRequestCredentials(conn.Request(), creds)
-				if _, err := models.CheckACLAuthz(acl, creds); err != nil {
-					log(conn.Request()).Info(
-						"user rejected",
-						zap.String("github_user", meta.User()),
-						zap.String("ssh_fingerprint", fingerprint),
-					)
-
-					return nil, fmt.Errorf("access denied")
-				}
+			creds := []models.CredentialID{models.CredentialGitHubUser(meta.User())}
+			if err := c.checkACL(conn.Request(), creds); err != nil {
+				return nil, fmt.Errorf("access denied")
 			}
 
 			log(conn.Request()).Info(

diff --git a/internal/handler/controller/authz.go b/internal/handler/controller/authz.go
@@ -71,3 +71,22 @@ func requireAuth(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+func (c *Controller) checkACL(r *http.Request, incoming []models.CredentialID) error {
+	if c.Config.ACL != nil {
+		acl, err := c.Config.ACL.Get(r.Context())
+		if err != nil {
+			return err
+		}
+
+		creds := make([]models.CredentialID, len(incoming))
+		copy(creds, incoming)
+		creds = appendRequestCredentials(r, creds)
+
+		if _, err := models.CheckACLAuthz(acl, creds); err != nil {
+			log(r).Info("user rejected", zap.Any("credentials", creds))
+			return err
+		}
+	}
+	return nil
+}