improvements to public proxy glob implementation (#413)

2024-12-22 06:40:50 +01:00 · 2024-02-16 11:54:06 -05:00 · 2024-02-16 11:54:06 -05:00 · 0c38ab0f43
commit 0c38ab0f43
parent fdc6b72c23
1 changed files with 19 additions and 13 deletions
--- a/endpoints/publicProxy/http.go
+++ b/endpoints/publicProxy/http.go
@ -267,27 +267,33 @@ func authHandler(handler http.Handler, pcfg *Config, key []byte, ctx ziti.Contex
 										return
 									}

-									if validDomains, found := oauthCfg.(map[string]interface{})["email_domains"]; found {
-										if castedDomains, ok := validDomains.([]interface{}); !ok {
-											logrus.Error("invalid email domain format")
+									if validEmailAddressPatterns, found := oauthCfg.(map[string]interface{})["email_domains"]; found {
+										if castedPatterns, ok := validEmailAddressPatterns.([]interface{}); !ok {
+											logrus.Error("invalid email pattern array format")
 											return
 										} else {
-											if len(castedDomains) > 0 {
+											if len(castedPatterns) > 0 {
 												found := false
-												for _, domain := range castedDomains {
-													match, err := glob.Compile(domain.(string))
-													if err != nil {
-														logrus.Errorf("invalid glob pattern: '%v'", err)
+												for _, pattern := range castedPatterns {
+													if castedPattern, ok := pattern.(string); ok {
+														match, err := glob.Compile(castedPattern)
+														if err != nil {
+															logrus.Errorf("invalid email address pattern glob '%v': %v", pattern.(string), err)
+															unauthorizedUi.WriteUnauthorized(w)
+															return
+														}
+														if match.Match(claims.Email) {
+															found = true
+															break
+														}
+													} else {
+														logrus.Errorf("invalid email address pattern '%v'", pattern)
 														unauthorizedUi.WriteUnauthorized(w)
 														return
 													}
-													if match.Match(claims.Email) {
-														found = true
-														break
-													}
 												}
 												if !found {
-													logrus.Warnf("invalid email domain")
+													logrus.Warnf("unauthorized email '%v' for '%v'", claims.Email, shrToken)
 													unauthorizedUi.WriteUnauthorized(w)
 													return
 												}