Restrict service users

author: Mike Crute <mike@crute.us> 2021-11-24 08:41:25 -0800
committer: Mike Crute <mike@crute.us> 2021-11-24 08:41:25 -0800
commit: 7ba9e94bae1cbeba7fc7e390d09e2821ba46b996 (patch)
tree: c01348acc25806c7925fe270a5c3aee406b5e9d6
parent: fdeacfd45806e9a5773661381ed8b3d4dee9bc9c (diff)
download: cloud-identity-broker-7ba9e94bae1cbeba7fc7e390d09e2821ba46b996.tar.bz2
cloud-identity-broker-7ba9e94bae1cbeba7fc7e390d09e2821ba46b996.tar.xz
cloud-identity-broker-7ba9e94bae1cbeba7fc7e390d09e2821ba46b996.zip
1 files changed, 7 insertions, 0 deletions
diff --git a/app/middleware/auth.go b/app/middleware/auth.go
index 58b10a7..7cef4d7 100644
--- a/app/middleware/auth.go
+++ b/app/middleware/auth.go
@@ -187,6 +187,13 @@ func (m *AuthenticationMiddleware) HandleCompleteLogin(c echo.Context) error {
                return echo.ErrUnauthorized
        }
+        // Service users should only be allowed to submit self-signed JWTs. A
+        // service user should never be able to use GitHub auth.
+        if dbUser.IsService {
+                c.Logger().Errorf("Service user %s attempted to use GitHub auth", user)
+                return echo.ErrUnauthorized
+        }
        jwt, sk, err := m.JWTManager.CreateForUser(dbUser)
        if err != nil {
                return echo.ErrInternalServerError
author	Mike Crute <mike@crute.us>	2021-11-24 08:41:25 -0800
committer	Mike Crute <mike@crute.us>	2021-11-24 08:41:25 -0800
commit	7ba9e94bae1cbeba7fc7e390d09e2821ba46b996 (patch)
tree	c01348acc25806c7925fe270a5c3aee406b5e9d6
parent	fdeacfd45806e9a5773661381ed8b3d4dee9bc9c (diff)
download	cloud-identity-broker-7ba9e94bae1cbeba7fc7e390d09e2821ba46b996.tar.bz2 cloud-identity-broker-7ba9e94bae1cbeba7fc7e390d09e2821ba46b996.tar.xz cloud-identity-broker-7ba9e94bae1cbeba7fc7e390d09e2821ba46b996.zip

diff --git a/app/middleware/auth.go b/app/middleware/auth.go index 58b10a7..7cef4d7 100644 --- a/app/middleware/auth.go +++ b/app/middleware/auth.go
@@ -187,6 +187,13 @@ func (m *AuthenticationMiddleware) HandleCompleteLogin(c echo.Context) error {
187	return echo.ErrUnauthorized	187	return echo.ErrUnauthorized
188	}	188	}
189		189
		190	// Service users should only be allowed to submit self-signed JWTs. A
		191	// service user should never be able to use GitHub auth.
		192	if dbUser.IsService {
		193	c.Logger().Errorf("Service user %s attempted to use GitHub auth", user)
		194	return echo.ErrUnauthorized
		195	}
		196
190	jwt, sk, err := m.JWTManager.CreateForUser(dbUser)	197	jwt, sk, err := m.JWTManager.CreateForUser(dbUser)
191	if err != nil {	198	if err != nil {
192	return echo.ErrInternalServerError	199	return echo.ErrInternalServerError