cesanta / docker_auth

Authentication server for Docker Registry 2
Apache License 2.0

Teams ACLs #117

Open raphink opened 8 years ago

raphink commented 8 years ago

As mentioned in https://github.com/cesanta/docker_auth/pull/115#issuecomment-234074177, once #115 is merged, it would be great to be able to use teams in the ACLs, something along the lines of:

- match: {account: "/.+/", name: "${team}/*"}
  actions: ["push", "pull"]

where team would be matched against something like regexp.QuoteMeta(strings.Join(ai.Teams)).

As you mentioned in #115, it would be good if this was not specific to GitHub. Here's a suggestion. Currently, AuthServer#Authenticate() has the following signature:

func (as *AuthServer) Authenticate(ar *authRequest) (bool, error) {

Instead of returning a boolean, we could make it return a structure containing information about the authenticated user, so any authn provider could provide that information.

type AuthAccount struct {
  Name    string
  Email   string
  Teams   []string
}

func (as *AuthServer) Authenticate(ar *authRequest) (*AuthAccount, error) {
  ...
}

func (as *AuthServer) doAuth(rw http.ResponseWriter, req *http.Request) {
  ...
        ares, err = as.Authorize(ar, authnResult)
}

and authz.go could thus access this information from the authn provider, and filter on Email, Teams, etc.

@rojer What do you think of this architecture?

rojer commented 7 years ago

@raphink so, I found a bit of free time over the weekend and put together #139 with that; all you need to do is add some code to github_auth to assign gh_team labels. label is a string -> []string map, so multiple teams will be OK and matching will check all of them.
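The matching scheme discussed in this thread, as an added worked example in Go. This is not code from docker_auth or from either commenter: the `AuthAccount`/`Rule` types, the `${gh_team}` placeholder syntax, the first-match rule order and the sample ACL and accounts are all assumptions made for the example. It implements raphink's idea of substituting the account's teams into the name pattern through regexp.QuoteMeta, generalized to rojer's string -> []string label map so that any label an authn provider assigns can be referenced, and it shows the two checks a practitioner would want: metacharacters in team names are neutralized, and a rule that references a label the account does not carry is skipped rather than expanded into a pattern that matches everything.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// AuthAccount is the authn result shape discussed in the thread (hypothetical
// type, not docker_auth's): the authenticated name plus labels supplied by the
// authn provider, e.g. "gh_team" -> the GitHub teams the user belongs to.
type AuthAccount struct {
	Name   string
	Labels map[string][]string
}

// Rule is one ACL entry (hypothetical shape): account and repository name
// patterns plus the actions a match grants.
type Rule struct {
	Account string
	Name    string
	Actions []string
}

// placeholder finds "${label}" references inside a glob pattern.
var placeholder = regexp.MustCompile(`\$\{([A-Za-z0-9_]+)\}`)

// globToRe turns a glob fragment into regexp source: "*" matches anything,
// every other character is taken literally.
func globToRe(glob string) string {
	var sb strings.Builder
	for _, c := range glob {
		if c == '*' {
			sb.WriteString(".*")
		} else {
			sb.WriteString(regexp.QuoteMeta(string(c)))
		}
	}
	return sb.String()
}

// expand builds an anchored regexp from a glob pattern, replacing each
// "${label}" with an alternation of that label's values. Values pass through
// regexp.QuoteMeta so a team called "data.eng" cannot match "dataXeng". If a
// referenced label has no values the rule is unusable for this account and
// expand reports false: an empty alternation would match the empty string and
// quietly widen the rule.
func expand(pattern string, labels map[string][]string) (*regexp.Regexp, bool) {
	var sb strings.Builder
	sb.WriteString("^")
	last := 0
	for _, m := range placeholder.FindAllStringSubmatchIndex(pattern, -1) {
		sb.WriteString(globToRe(pattern[last:m[0]]))
		vals := labels[pattern[m[2]:m[3]]]
		if len(vals) == 0 {
			return nil, false
		}
		quoted := make([]string, len(vals))
		for i, v := range vals {
			quoted[i] = regexp.QuoteMeta(v)
		}
		sb.WriteString("(?:" + strings.Join(quoted, "|") + ")")
		last = m[1]
	}
	sb.WriteString(globToRe(pattern[last:]) + "$")
	re, err := regexp.Compile(sb.String())
	return re, err == nil
}

// matchPattern applies one ACL pattern to a value. "/re/" is a raw regexp
// (as in the thread's account: "/.+/"); anything else is a glob with optional
// "${label}" placeholders. Compile errors fail closed.
func matchPattern(pattern, value string, labels map[string][]string) bool {
	if len(pattern) >= 2 && strings.HasPrefix(pattern, "/") && strings.HasSuffix(pattern, "/") {
		re, err := regexp.Compile("^(?:" + pattern[1:len(pattern)-1] + ")$")
		return err == nil && re.MatchString(value)
	}
	re, ok := expand(pattern, labels)
	return ok && re.MatchString(value)
}

// Authorize walks the rules in order; the first rule whose account and name
// patterns both match decides (first-match semantics, assumed here). No
// matching rule means deny.
func Authorize(rules []Rule, acct *AuthAccount, repo, action string) bool {
	for _, r := range rules {
		if !matchPattern(r.Account, acct.Name, acct.Labels) || !matchPattern(r.Name, repo, acct.Labels) {
			continue
		}
		for _, a := range r.Actions {
			if a == action || a == "*" {
				return true
			}
		}
		return false
	}
	return false
}

// Constructed sample ACL and accounts for the example, not from any real deployment.
var Rules = []Rule{
	{Account: "/.+/", Name: "${gh_team}/*", Actions: []string{"push", "pull"}},
	{Account: "/.+/", Name: "*", Actions: []string{"pull"}},
}
var Alice = &AuthAccount{Name: "alice", Labels: map[string][]string{"gh_team": {"backend", "data.eng"}}}
var Bob = &AuthAccount{Name: "bob", Labels: map[string][]string{}}

func main() {
	fmt.Println(Authorize(Rules, Alice, "backend/api", "push"))  // true
	fmt.Println(Authorize(Rules, Alice, "dataXeng/etl", "push")) // false: "." in the team name was quoted
	fmt.Println(Authorize(Rules, Bob, "backend/api", "push"))    // false: bob carries no gh_team label
	fmt.Println(Authorize(Rules, Bob, "backend/api", "pull"))    // true: second rule
}
```

Two design points are worth noting. Team names come from an external identity provider, so they are untrusted input to the regexp engine; quoting them is what keeps `data.eng` from also granting push on `dataXeng/*`. And a placeholder that resolves to nothing must remove the rule for that account instead of degrading into an empty alternation, otherwise an account with no team memberships would be granted the team rule on any repository whose name begins with `/`.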