sso_*: allow simultaneous use of Validators #253
Conversation
Codecov Report
@@ Coverage Diff @@
## master #253 +/- ##
=========================================
+ Coverage 62.04% 62.14% +0.1%
=========================================
Files 50 53 +3
Lines 4105 4169 +64
=========================================
+ Hits 2547 2591 +44
- Misses 1370 1391 +21
+ Partials 188 187 -1
|
|
Some additional test files are also needed, i.e: |
Jusshersmith
force-pushed
the
jusshersmith-OR-statement-allowed-email-settings
branch
from
791404c to
d47f52b
Compare
| } | ||
| errorMsg := fmt.Sprintf("We ran into some issues while validating your account: \"%s\"", | ||
| strings.Join(formattedErrors, ", ")) | ||
| p.ErrorPage(rw, req, http.StatusForbidden, "Permission Denied", errorMsg) |
There was a problem hiding this comment.
TODO: Not a huge issue, but if any of the errors are duplicated (which is currently possible) then they'll also be duplicated on the error page -- which we could easily avoid if we wanted to.
There was a problem hiding this comment.
Example error page with all three current validators failing due to invalid email/group membership:
There are four situations in which these validators are ran (two in Proxy, two in Authenticator). This is currently applied to the two situations (one in each component) where an error page is explicitly created rather than a predefined error (ErrUserNotAuthorized for example) is returned and created into an error page up the call chain.
The expectation is for the errors returned by the validators to be appropriate for display to end users: https://github.com/buzzfeed/sso/pull/253/files#diff-dca459fc7951884cb7d06d6213cd5710R14-R16
cc @jphines
There was a problem hiding this comment.
SGTM. We could clean up the visual a little bit but let's do that in a follow up.
Jusshersmith
force-pushed
the
jusshersmith-OR-statement-allowed-email-settings
branch
from
d4d9f86 to
3adf005
Compare
working with list, not struct struct testing - think it works? general kind of working with returning Result struct new validator structure adding "<validator_name>:err msg" log line some unfinished auth changes add validators file adding more sso_auth changes fixing up some errors fix some formatting and bugs fix validators in structs, and simplify logging tests for email address and domain validtors just return errors fix func name and capitalization sso_auth: validator tests func name sso_proxy: return correct error sso_proxy: validator tests mock validator misc adding some docstrings this test was pulled in from a different branch and is unrelated add some more context to fail states extra comments authenticator tests
Jusshersmith
force-pushed
the
jusshersmith-OR-statement-allowed-email-settings
branch
from
3adf005 to
9019d4f
Compare
Jusshersmith
deleted the
jusshersmith-OR-statement-allowed-email-settings
branch
Problem
The connection between
AllowedEmailDomains,AllowedEmailAddresses, andAllowedGroupsis unclear. If all specified, they don't work together well which causes awkward workarounds to be put into place.Solution
Introduce a more structured 'Validator' type within SSO, allowing us to create better and clearer dynamics between these settings (and any other validators that may be added in the future).
There are currently three separate validators:
SSO will now allow the request through providing at least one of these validators pass.
Notes
This also changes the use of the
*wildcard withinAllowedEmailDomainsandAllowedEmailAddresses. The wildcard will be ignored if other domains/email addresses are also passed with it, choosing to follow the most restrictive path.On second thoughts..I think it may have been clearer to recreate the validator files from scratch!