-
Notifications
You must be signed in to change notification settings - Fork 158
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GitHub team auth #745
GitHub team auth #745
Conversation
This makes way for IsTeamMember
This allows empire to be configured to only allow access to members of a specific team within an organization.
Other messages are appended to these if an error occurs.
@@ -108,5 +108,16 @@ func newAuthenticator(c *cli.Context, e *empire.Empire) auth.Authenticator { | |||
) | |||
} | |||
|
|||
// After the user is authenticated, check their GitHub Team membership. | |||
if teamId := c.String(FlagGithubTeam); teamId != "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Minor, but can we change the casing from Id
to ID
. There's some doc from google about how it's not idiomatic to use camel casing for things like ID
and we try to follow that.
Looks great 👍 |
log.Println("Adding GitHub Team authorizer with the following configuration:") | ||
log.Println(fmt.Sprintf(" Team ID: %v ", teamId)) | ||
|
||
return auth.WithAuthorization(authenticator, authorizer) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we cache this authorization, like we do with the org auth? Without caching, every empire API hit incurs a full 1-2 round trips to GitHub, which makes everything slow. An in memory ~30 minute cache has worked pretty well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah, i didn't realize this was on every API call, I thought it just happened once when the user logged in.
definitely makes sense to cache.
815e061
to
7f06c32
Compare
It now handles fetching the authenticated user and passing the GitHub login to the teams endpoint. This way we don't rely on User.Name always being the GitHub login.
thanks for the review @ejholmes! |
This allows users to limit empire access to members of a specific team within a github organization.
Github doesn't support fetching teams by name without a non trivial amount of work, so you have to use the team id.
To get the team id:
curl -i -u <username>:<password> https://api.github.com/orgs/<organization>/teams
testing: