docker_auth
                        Teams ACLs
As mentioned in https://github.com/cesanta/docker_auth/pull/115#issuecomment-234074177, once #115 is merged, it would be great to be able to use teams in the ACLs, something along the lines of:
- match: {account: "/.+/", name: "${team}/*"}
  actions: ["push", "pull"]
where team would be matched against something like regexp.QuoteMeta(strings.Join(ai.Teams)).
As you mentioned in #115, it would be good if this was not specific to GitHub. Here's a suggestion. Currently, AuthServer#Authenticate() has the following signature:
func (as *AuthServer) Authenticate(ar *authRequest) (bool, error) {
Instead of returning a boolean, we could make it return a structure containing information about the authenticated user, so any authn provider could provide that information.
type AuthAccount struct {
  Name    string
  Email   string
  Teams   []string
}
func (as *AuthServer) Authenticate(ar *authRequest) (*AuthAccount, error) {
  ...
}
func (as *AuthServer) doAuth(rw http.ResponseWriter, req *http.Request) {
  ...
  ares, err = as.Authorize(ar, authnResult)
}
and authz.go could thus access this information from the authn provider, and filter on Email, Teams, etc.
@rojer What do you think of this architecture?
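As an added example (not the project's code and not from the issue author), here is how the ${team} expansion sketched above could be evaluated against a repository name in Go: the placeholder is expanded once per team the authn backend returned, team names are escaped so glob metacharacters in them stay literal (the glob counterpart of the regexp.QuoteMeta idea), and path.Match anchors the whole name. The names globEscape and NameMatches are assumptions of this example.

```go
package main

import (
	"path"
	"strings"
)

// AuthAccount is the structure proposed in the issue: what the authn
// backend returns so that authz can filter on Email, Teams, etc.
type AuthAccount struct {
	Name  string
	Email string
	Teams []string
}

// globEscape quotes glob metacharacters so a team named "ops*" stays a
// literal in the pattern (the path.Match analogue of regexp.QuoteMeta).
func globEscape(s string) string {
	var b strings.Builder
	for _, r := range s {
		if strings.ContainsRune(`*?[\`, r) {
			b.WriteRune('\\')
		}
		b.WriteRune(r)
	}
	return b.String()
}

// NameMatches evaluates an ACL "name" glob such as "${team}/*" against a
// repository name. ${team} is expanded once per team the account belongs
// to; an account with no teams cannot match through the placeholder at all,
// so the pattern never degrades to "/*". path.Match anchors the whole string,
// so "${team}/*" does not match "other/team-x".
func NameMatches(pattern string, acct *AuthAccount, repo string) bool {
	if !strings.Contains(pattern, "${team}") {
		ok, err := path.Match(pattern, repo)
		return err == nil && ok
	}
	for _, team := range acct.Teams {
		expanded := strings.ReplaceAll(pattern, "${team}", globEscape(team))
		if ok, err := path.Match(expanded, repo); err == nil && ok {
			return true
		}
	}
	return false
}
```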
@raphink so, I found a bit of free time over the weekend and put together #139 with that, all you need is to add some code to github_auth to assign gh_team labels. label is a string -> []string map, so multiple teams will be ok and matching will check all of them.