Merge pull request #21 from luizfonseca/feat/add-support-for-github-teams

feat: add support for Github Teams in the whitelist

Author: luizfonseca

.golangci.yml

@@ -1,6 +1,6 @@
 run:
   modules-download-mode: vendor
-  go: '1.21.4'
+  go: '1.22.1'
 
 linters:
   enable:

.traefik.yml

@@ -19,3 +19,5 @@ testData:
       - 996
     logins:
       - luizfonseca
+    teams:
+      - 876255

Dockerfile.local

@@ -1,4 +1,4 @@
-FROM golang:1.21.4-alpine3.17 AS builder
+FROM golang:1.22.2-alpine3.19 AS builder
 
 RUN apk add --no-cache ca-certificates && update-ca-certificates
 
@@ -17,4 +17,4 @@ WORKDIR /app
 
 EXPOSE 80
 
-ENTRYPOINT ["/app/server"]
+ENTRYPOINT ["/app/server"]

README.md

@@ -13,12 +13,12 @@ providing a more secure way for users to access protected routes.
 ## Quick Start (Docker)
 
 1. Create a GitHub OAuth App
-   
+
    - See: https://docs.github.com/en/developers/apps/building-oauth-apps/creating-an-oauth-app
    - Set the Authorization callback URL to `http://<traefik-github-oauth-server-host>/oauth/redirect`
 
 2. Run the Traefik GitHub OAuth server
-   
+
    ```sh
    docker run -d --name traefik-github-oauth-server \
      --network <traefik-proxy-network> \
@@ -31,9 +31,9 @@ providing a more secure way for users to access protected routes.
    ```
 
 3. Install the Traefik GitHub OAuth plugin
-   
+
     Add this snippet in the Traefik Static configuration
-   
+
    ```yaml
    experimental:
      plugins:
@@ -43,12 +43,13 @@ providing a more secure way for users to access protected routes.
    ```
 
 4. Run your App
-   
+
    ```sh
    docker run -d --whoami test \
      --network <traefik-proxy-network> \
      --label 'traefik.http.middlewares.whoami-github-oauth.plugin.github-oauth.apiBaseUrl=http://traefik-github-oauth-server' \
      --label 'traefik.http.middlewares.whoami-github-oauth.plugin.github-oauth.whitelist.logins[0]=luizfonseca' \
+     --label 'traefik.http.middlewares.whoami-github-oauth.plugin.github-oauth.whitelist.teams[0]=827726' \
      --label 'traefik.http.routers.whoami.rule=Host(`whoami.example.com`)' \
      --label 'traefik.http.routers.whoami.middlewares=whoami-github-oauth' \
     traefik/whoami
@@ -85,12 +86,16 @@ jwtSecretKey: optional_secret_key
 logLevel: info
 # whitelist
 whitelist:
-  # The list of GitHub user ids that in the whitelist
+  # The list of GitHub user ids that are whitelisted to access the resources
   ids:
     - 996
-  # The list of GitHub user logins that in the whitelist
+  # The list of GitHub user logins that are whitelisted to access the resources
   logins:
     - luizfonseca
+
+  # The list of Github Teams that are whitelisted to access the resources
+  teams:
+    - 988772
 ```
 
 ## License

go.mod

@@ -1,6 +1,6 @@
 module github.com/luizfonseca/traefik-github-oauth-plugin
 
-go 1.21.4
+go 1.22.1
 
 require (
 	github.com/go-chi/render v1.0.3

internal/app/traefik-github-oauth-server/model/model.go

@@ -19,18 +19,20 @@ type ResponseGenerateOAuthPageURL struct {
 }
 
 type ResponseGetAuthResult struct {
-	RedirectURI     string `json:"redirect_uri"`
-	GitHubUserID    string `json:"github_user_id"`
-	GitHubUserLogin string `json:"github_user_login"`
+	RedirectURI     string   `json:"redirect_uri"`
+	GitHubUserID    string   `json:"github_user_id"`
+	GitHubUserLogin string   `json:"github_user_login"`
+	GithubTeamIDs   []string `json:"github_team_ids"`
 }
 
 type ResponseError struct {
 	Message string `json:"msg"`
 }
 
 type AuthRequest struct {
-	RedirectURI     string `json:"redirect_uri"`
-	AuthURL         string `json:"auth_url"`
-	GitHubUserID    string `json:"github_user_id"`
-	GitHubUserLogin string `json:"github_user_login"`
+	RedirectURI     string   `json:"redirect_uri"`
+	AuthURL         string   `json:"auth_url"`
+	GitHubUserID    string   `json:"github_user_id"`
+	GitHubUserLogin string   `json:"github_user_login"`
+	GithubTeamIDs   []string `json:"github_team_ids"`
 }

internal/app/traefik-github-oauth-server/router/oauth.go

@@ -92,7 +92,7 @@ func OauthRedirectHandler(app *server.App) http.HandlerFunc {
 			return
 		}
 
-		user, err := oAuthCodeToUser(r.Context(), app.GitHubOAuthConfig, query.Code)
+		githubData, err := oAuthCodeToUser(r.Context(), app.GitHubOAuthConfig, query.Code)
 		if err != nil {
 			app.Logger.Error().
 				Caller().
@@ -107,8 +107,17 @@ func OauthRedirectHandler(app *server.App) http.HandlerFunc {
 			return
 		}
 
-		authRequest.GitHubUserID = cast.ToString(user.GetID())
-		authRequest.GitHubUserLogin = user.GetLogin()
+		authRequest.GitHubUserID = cast.ToString(githubData.User.GetID())
+		authRequest.GitHubUserLogin = githubData.User.GetLogin()
+
+		if authRequest.GithubTeamIDs != nil {
+			var teamIDs []string
+			for _, team := range githubData.Teams {
+				teamIDs = append(teamIDs, cast.ToString(team.GetID()))
+			}
+
+			authRequest.GithubTeamIDs = teamIDs
+		}
 
 		authURL, err := url.Parse(authRequest.AuthURL)
 		if err != nil {
@@ -163,12 +172,18 @@ func OauthAuthResultHandler(app *server.App) http.HandlerFunc {
 				RedirectURI:     authRequest.RedirectURI,
 				GitHubUserID:    authRequest.GitHubUserID,
 				GitHubUserLogin: authRequest.GitHubUserLogin,
+				GithubTeamIDs:   authRequest.GithubTeamIDs,
 			},
 		)
 	}
 }
 
-func oAuthCodeToUser(ctx context.Context, oAuthConfig *oauth2.Config, code string) (*github.User, error) {
+type oauthCodeToUserResponse struct {
+	User  *github.User
+	Teams []*github.Team
+}
+
+func oAuthCodeToUser(ctx context.Context, oAuthConfig *oauth2.Config, code string) (*oauthCodeToUserResponse, error) {
 	ctxExchange, cancelExchange := context.WithCancel(ctx)
 	defer cancelExchange()
 	token, err := oAuthConfig.Exchange(ctxExchange, code)
@@ -181,14 +196,29 @@ func oAuthCodeToUser(ctx context.Context, oAuthConfig *oauth2.Config, code strin
 	gitHubApiHttpClient := oAuthConfig.Client(ctxClient, token)
 	gitHubApiClient := github.NewClient(gitHubApiHttpClient)
 
+	// Get user information, login and ID
 	ctxGetUser, cancelGetUser := context.WithCancel(ctx)
 	defer cancelGetUser()
-
 	user, _, err := gitHubApiClient.Users.Get(ctxGetUser, "")
 	if err != nil {
 		return nil, err
 	}
-	return user, nil
+
+	// Optionally, check if the user is a member of any teams and retrieve them
+	// This won't cancel the main request
+	ctxTeams, cancelListTeams := context.WithCancel(ctx)
+	teams, _, err := gitHubApiClient.Teams.ListUserTeams(ctxTeams, &github.ListOptions{PerPage: 100})
+	defer cancelListTeams()
+	if err != nil {
+		// If the user is not a member of any teams, the API will return a 404
+		// We can ignore this error since this is not a mandatory request
+		teams = nil
+	}
+
+	return &oauthCodeToUserResponse{
+		User:  user,
+		Teams: teams,
+	}, nil
 }
 
 func buildRedirectURI(apiBaseUrl, rid string) (string, error) {

internal/pkg/jwt/jwt.go

@@ -7,14 +7,16 @@ import (
 )
 
 type PayloadUser struct {
-	Id    string `json:"id"`
-	Login string `json:"login"`
+	Id    string   `json:"id"`
+	Login string   `json:"login"`
+	Teams []string `json:"teams"`
 }
 
-func GenerateJwtTokenString(id, login, key string) (string, error) {
+func GenerateJwtTokenString(id string, login string, teamIds []string, key string) (string, error) {
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
 		"id":    id,
 		"login": login,
+		"teams": teamIds,
 	})
 	return token.SignedString([]byte(key))
 }
@@ -30,9 +32,17 @@ func ParseTokenString(tokenString, key string) (*PayloadUser, error) {
 		return nil, err
 	}
 	if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
+		teamFromClaims := claims["teams"].([]interface{})
+		teams := make([]string, len(teamFromClaims))
+
+		for i, v := range teamFromClaims {
+			teams[i] = v.(string)
+		}
+
 		return &PayloadUser{
 			Id:    claims["id"].(string),
 			Login: claims["login"].(string),
+			Teams: teams,
 		}, nil
 	} else {
 		return nil, fmt.Errorf("invalid token")

internal/pkg/jwt/jwt_test.go

@@ -6,6 +6,8 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+var testTeams = []string{"team1", "team2"}
+
 const (
 	id    = "12345"
 	login = "testuser"
@@ -14,7 +16,7 @@ const (
 
 func TestGenerateJwtTokenString(t *testing.T) {
 	// execution
-	tokenString, err := GenerateJwtTokenString(id, login, key)
+	tokenString, err := GenerateJwtTokenString(id, login, testTeams, key)
 
 	// assertion
 	assert.NoError(t, err)
@@ -23,7 +25,7 @@ func TestGenerateJwtTokenString(t *testing.T) {
 
 func TestParseTokenString(t *testing.T) {
 	// setup
-	tokenString, _ := GenerateJwtTokenString(id, login, key)
+	tokenString, _ := GenerateJwtTokenString(id, login, testTeams, key)
 
 	// execution
 	payload, err := ParseTokenString(tokenString, key)
@@ -32,6 +34,7 @@ func TestParseTokenString(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, id, payload.Id)
 	assert.Equal(t, login, payload.Login)
+	assert.Equal(t, testTeams, payload.Teams)
 }
 
 func TestParseTokenString_InvalidToken(t *testing.T) {
@@ -48,7 +51,7 @@ func TestParseTokenString_InvalidToken(t *testing.T) {
 
 func TestParseTokenString_InvalidKey(t *testing.T) {
 	// setup
-	tokenString, _ := GenerateJwtTokenString(id, login, key)
+	tokenString, _ := GenerateJwtTokenString(id, login, testTeams, key)
 	invalidKey := "invalidkey"
 
 	// execution

middleware_plugin.go

@@ -40,6 +40,9 @@ type ConfigWhitelist struct {
 	Ids []string `json:"ids,omitempty"`
 	// Logins the GitHub user login list.
 	Logins []string `json:"logins,omitempty"`
+
+	// Team IDs that the user must be a member of
+	Teams []string `json:"teams,omitempty"`
 }
 
 // CreateConfig creates the default middleware configuration.
@@ -52,6 +55,7 @@ func CreateConfig() *Config {
 		Whitelist: ConfigWhitelist{
 			Ids:    []string{},
 			Logins: []string{},
+			Teams:  []string{},
 		},
 	}
 }
@@ -68,6 +72,7 @@ type TraefikGithubOauthMiddleware struct {
 	jwtSecretKey      string
 	whitelistIdSet    *strset.Set
 	whitelistLoginSet *strset.Set
+	whitelistTeamSet  *strset.Set
 
 	logger *log.Logger
 }
@@ -97,6 +102,7 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		jwtSecretKey:      config.JwtSecretKey,
 		whitelistIdSet:    strset.New(config.Whitelist.Ids...),
 		whitelistLoginSet: strset.New(config.Whitelist.Logins...),
+		whitelistTeamSet:  strset.New(config.Whitelist.Teams...),
 
 		logger: logger,
 	}, nil
@@ -110,7 +116,7 @@ func (tg *TraefikGithubOauthMiddleware) ServeHTTP(rw http.ResponseWriter, req *h
 		return
 	}
 
-	// Otherwise, handle it as oauth-start request
+	// Otherwise, handle it as a request that has already been handled through oauth
 	tg.handleRequest(rw, req)
 }
 
@@ -128,7 +134,11 @@ func (middleware *TraefikGithubOauthMiddleware) handleRequest(rw http.ResponseWr
 	}
 
 	// If cookie is present, check if user is whitelisted
-	if !middleware.whitelistIdSet.Has(user.Id) && !middleware.whitelistLoginSet.Has(user.Login) {
+	// If nothing can be found, returns 404 as we don't want to leak information
+	// But we log the error internally
+	// We are also checking for the user's teams IDs
+	if !middleware.whitelistIdSet.Has(user.Id) &&
+		!middleware.whitelistLoginSet.Has(user.Login) && !middleware.whitelistTeamSet.HasAny(user.Teams...) {
 		setNoCacheHeaders(rw)
 		http.Error(rw, "", http.StatusNotFound)
 		return
@@ -150,7 +160,7 @@ func (p TraefikGithubOauthMiddleware) handleAuthRequest(rw http.ResponseWriter,
 	}
 
 	// Generate JWTs
-	tokenString, err := jwt.GenerateJwtTokenString(result.GitHubUserID, result.GitHubUserLogin, p.jwtSecretKey)
+	tokenString, err := jwt.GenerateJwtTokenString(result.GitHubUserID, result.GitHubUserLogin, result.GithubTeamIDs, p.jwtSecretKey)
 	if err != nil {
 		p.logger.Printf("Failed to generate JWT: %s", err.Error())
 		http.Error(rw, "", http.StatusInternalServerError)