n4bb12 / verdaccio-github-oauth-ui

📦🔐 GitHub OAuth plugin for Verdaccio
https://verdaccio.org
MIT License

add ability to filter by organization team #120

Closed bertrandmartel closed 3 years ago

bertrandmartel commented 3 years ago

This PR makes it possible to filter by organization team using the following config

auth:
  github-oauth-ui:
    org: GITHUB_ORG
    client-id: GITHUB_CLIENT_ID
    client-secret: GITHUB_CLIENT_SECRET
    enterprise-origin: GITHUB_ENTERPRISE_ORIGIN # optional, if you are using github enterprise
    team: GITHUB_TEAM # optional, to filter by team name

The authentication function has a new teams argument here

The teams are provided using this getTeams function which calls this one

It uses the following GraphQL query in order to get all the teams for the specified organization of which the specified username is a member:

{
  organization(login: "BboxLab") {
    teams(first: 100, userLogins: ["bertrandmartel"]) {
      edges {
        node {
          name
        }
      }
    }
  }
}

related

The team parameter is optional; it still works with only the organization filter.

n4bb12 commented 3 years ago

Please format the code running yarn format once you're done 👍

melkosoft commented 3 years ago

Hey, guys. Why not use Teams as groups in Verdaccio authentication, like in verdaccio-github-team? In this case we may still use Team as a filter in the config:

"**":
    access: team_name
    publish: user_name

but also group people's permissions by team membership. Unfortunately, the plugin mentioned above does not apply to GitHub Enterprise.

n4bb12 commented 3 years ago

Hey, guys. Why do not use Teams as groups in verdaccio authentication like in [verdaccio-github-team]

If I understand you correctly, this PR is about adding that feature 😉

melkosoft commented 3 years ago

  createAuthenticatedUser(username: string): User {
    // See https://verdaccio.org/docs/en/packages
    return {
      name: username,
      groups: ["$all", "@all", "$authenticated", "@authenticated"],
      real_groups: [username, this.requiredOrgName, this.requiredTeamName],
    }
  }

If I understand correctly, only the "Team Filter" is added to real_groups, not the whole list of the user's teams. The PR is about filtering by Organization and Team.

n4bb12 commented 3 years ago

Ah, you're right, this PR only adds 1 team, but you would like all teams in order to be able to use them for granular permissions. Is that correct?

n4bb12 commented 3 years ago

@bertrandmartel do you still plan on finishing this feature?

bertrandmartel commented 3 years ago

@n4bb12 I'm still uncertain about this function

  authenticate(username: string, groups: string[]): boolean {
    const success = groups.includes(this.requiredOrgName)

    if (!success) {
      logger.error(this.getDeniedMessage(username))
    }

    return success
  }

In the previous discussion you wanted the arguments to be unchanged; currently it's:

  authenticate(username: string, groups: string[], teams: string[]): boolean {
    let success = groups.includes(this.requiredOrgName)
    if (success && this.requiredTeamName) {
      success = teams.includes(this.requiredTeamName)
    }
    if (!success) {
      logger.error(this.getDeniedMessage(username))
    }

    return success
  }

So you would want to have groups.includes(this.requiredOrgName) and groups.includes(this.requiredTeamName), groups being the concatenation of the team list and the org list. Is that right?

n4bb12 commented 3 years ago

The term "groups" is a Verdaccio term and relates to anything the user is part of. In our context this includes both GH orgs and GH teams.

I'm not sure how I can help you understand, but I can offer to finish the PR.

bertrandmartel commented 3 years ago

@n4bb12 yes please do

n4bb12 commented 3 years ago

Released in https://github.com/n4bb12/verdaccio-github-oauth-ui/releases/tag/2.4.0

n4bb12 commented 3 years ago

@melkosoft I updated the docs with examples on how you can use team names: https://github.com/n4bb12/verdaccio-github-oauth-ui#verdaccio-config

bertrandmartel commented 3 years ago

@n4bb12 from the config parameters, does this mean that there is no team parameter for the authentication?

n4bb12 commented 3 years ago

You can limit access to a team by using it in the packages section. See https://github.com/n4bb12/verdaccio-github-oauth-ui/pull/120#issuecomment-810693336

melkosoft commented 3 years ago

The whole purpose of the team filter was to authenticate only members of particular team(s). Without it, owners of the organization become authenticated too; even though they may be restricted on the package level, they still have the group $authenticated in their hands, and in case of a config like:

"@*/*":
   access: $authenticated
   publish: $groups

they can publish packages in your registry

n4bb12 commented 3 years ago

That's how it should work. If you want different behaviour, you need to configure your packages differently.
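As an added example that is not the plugin's own code, the following ties together the merged-groups model n4bb12 describes (org and team names both become Verdaccio groups) with the package-level restriction discussed in the last comments. The user names, org and team names are constructed, and the rule check is a simplified model of how Verdaccio matches a package `access`/`publish` rule against a user's groups.

```typescript
// Constructed example (not the plugin's code): a user's GitHub org and team
// names are all folded into Verdaccio groups, and a package rule is then
// matched against them.

interface User {
  name: string
  groups: string[]
  real_groups: string[]
}

// Mirrors the org/team config keys: the org is always required, the team
// only when configured. Assumption: team names are passed as plain strings.
function authenticate(groups: string[], requiredOrg: string, requiredTeam?: string): boolean {
  let ok = groups.includes(requiredOrg)
  if (ok && requiredTeam) ok = groups.includes(requiredTeam)
  return ok
}

// real_groups carries every org and team the user belongs to, so each team
// name can be used directly in the packages section.
function createAuthenticatedUser(username: string, orgs: string[], teams: string[]): User {
  return {
    name: username,
    groups: ["$all", "@all", "$authenticated", "@authenticated"],
    real_groups: [username, ...orgs, ...teams],
  }
}

// Simplified rule check: `$authenticated` matches any logged-in user, while a
// team name only matches users who actually carry that team in real_groups.
function allowed(rule: string[], user: User): boolean {
  return rule.some(g => user.groups.includes(g) || user.real_groups.includes(g))
}

// Constructed sample users: an org owner who is in no team, and a team member.
const owner = createAuthenticatedUser("owner", ["my-org"], [])
const dev = createAuthenticatedUser("dev", ["my-org"], ["publishers"])

// With `publish: $authenticated` the owner can publish too (melkosoft's point);
// with `publish: publishers` only the team member can (n4bb12's fix).
const results = {
  ownerPassesOrgOnly: authenticate(owner.real_groups, "my-org"),
  ownerPassesTeamFilter: authenticate(owner.real_groups, "my-org", "publishers"),
  devPassesTeamFilter: authenticate(dev.real_groups, "my-org", "publishers"),
  ownerPublishAuthenticated: allowed(["$authenticated"], owner),
  ownerPublishTeam: allowed(["publishers"], owner),
  devPublishTeam: allowed(["publishers"], dev),
}
```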