veyron/services/identity: Correctly handle domain restrictions.

(1) Fix inverted domain check (missing "!" on the HasSuffix test) in blesser/oauth.go
(2) Apply domain restriction when using the auth code as well
    (i.e., the web UI)

Change-Id: I50583854327dc45dd020eded1da86b1859ad6f7a
diff --git a/services/identity/blesser/oauth.go b/services/identity/blesser/oauth.go
index bf4e6d9..c11c0e5 100644
--- a/services/identity/blesser/oauth.go
+++ b/services/identity/blesser/oauth.go
@@ -69,7 +69,7 @@
 
 func (b *oauthBlesser) bless(ctx ipc.ServerContext, email, clientName string) (security.WireBlessings, string, error) {
 	var noblessings security.WireBlessings
-	if len(b.domain) > 0 && strings.HasSuffix(email, "@"+b.domain) {
+	if len(b.domain) > 0 && !strings.HasSuffix(email, "@"+b.domain) {
 		return noblessings, "", fmt.Errorf("domain restrictions preclude blessings for %q", email)
 	}
 	// Append clientName (e.g., "android", "chrome") to the email and then bless under that.
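Review bot: The corrected suffix test on the `+` line is case-sensitive, so `User@Example.COM` is rejected (and if an operator spells the domain flag with capitals, every real address is), even though mail domains are case-insensitive; compare with both sides lower-cased, `!strings.HasSuffix(strings.ToLower(email), "@"+strings.ToLower(b.domain))`, or normalize `b.domain` once where it is stored. The same test is now repeated in oauth/googleoauth.go; a single shared helper would keep the two policies from drifting apart the way this one already did. The body of bless continues past the hunk.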
diff --git a/services/identity/identityd/main.go b/services/identity/identityd/main.go
index 63a25ca..e747f34 100644
--- a/services/identity/identityd/main.go
+++ b/services/identity/identityd/main.go
@@ -57,7 +57,7 @@
 		}
 	}
 
-	googleoauth, err := oauth.NewGoogleOAuth(*googleConfigWeb)
+	googleoauth, err := oauth.NewGoogleOAuth(*googleConfigWeb, *googleDomain)
 	if err != nil {
 		vlog.Fatalf("Failed to setup GoogleOAuth: %v", err)
 	}
diff --git a/services/identity/oauth/googleoauth.go b/services/identity/oauth/googleoauth.go
index 541120e..64baa4e 100644
--- a/services/identity/oauth/googleoauth.go
+++ b/services/identity/oauth/googleoauth.go
@@ -6,6 +6,7 @@
 	"fmt"
 	"net/http"
 	"os"
+	"strings"
 
 	"v.io/core/veyron2/vlog"
 )
@@ -14,17 +15,16 @@
 type googleOAuth struct {
 	// client_id and client_secret registered with the Google Developer
 	// Console for API access.
-	clientID, clientSecret string
-
+	clientID, clientSecret   string
 	scope, authURL, tokenURL string
-
+	domain                   string
 	// URL used to verify google tokens.
 	// (From https://developers.google.com/accounts/docs/OAuth2Login#validatinganidtoken
 	// and https://developers.google.com/accounts/docs/OAuth2UserAgent#validatetoken)
 	verifyURL string
 }
 
-func NewGoogleOAuth(configFile string) (OAuthProvider, error) {
+func NewGoogleOAuth(configFile, domainRestriction string) (OAuthProvider, error) {
 	clientID, clientSecret, err := getOAuthClientIDAndSecret(configFile)
 	if err != nil {
 		return nil, err
@@ -36,6 +36,7 @@
 		authURL:      "https://accounts.google.com/o/oauth2/auth",
 		tokenURL:     "https://accounts.google.com/o/oauth2/token",
 		verifyURL:    "https://www.googleapis.com/oauth2/v1/tokeninfo?",
+		domain:       domainRestriction,
 	}, nil
 }
 
@@ -85,6 +86,10 @@
 	if gtoken.Audience != config.ClientId {
 		return "", fmt.Errorf("unexpected audience(%v) in GoogleIDToken", gtoken.Audience)
 	}
+	if len(g.domain) > 0 && !strings.HasSuffix(gtoken.Email, "@"+g.domain) {
+		return "", fmt.Errorf("domain restrictions preclude %q from using this service", gtoken.Email)
+	}
+
 	return gtoken.Email, nil
 }
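Review bot: The domain check added after the audience check is case-sensitive on both sides, so it should compare normalized values, `!strings.HasSuffix(strings.ToLower(gtoken.Email), "@"+strings.ToLower(g.domain))`, or `g.domain` should be lower-cased once at construction. A suffix match on the email only proves which address the Google account was registered under; if the tokeninfo response also carries the hosted-domain (`hd`) claim for Google Apps accounts, checking that is the stronger test for "belongs to this organization", and the `verified_email` flag should be required too if it is not already checked earlier in this function. The enclosing function starts outside the hunk, so I cannot see whether either is handled.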