Rebase on Master

config/config.yml_example

@@ -43,6 +43,19 @@ vouch:
   - [email protected]
   - [email protected]
 
+  # regexWhiteList - (optional) allows only the listed usernames
+  # Note: whiteList always takes precidence and disables regexWhiteList
+  #
+  # Single-quotes(') are to prevent the yaml parser from misinterpreting the line)
+  # usernames are usually email addresses (google, most oidc providers) or login/username for github and github enterprise
+  #
+  # regexWhiteList:
+  # - '^bob[4-9][email protected]$'
+  # - '^alice@.+\.com$'
+  # - '^alice@your(other)?domain\.com$'
+  # - '^joe@yourdomain\.com$'
+  # - '^j[aneo]{1,3}@yourdomain\.(org|net|com)$'
+
   jwt:
     # secret - a random string used to cryptographically sign the jwt
     # Vouch Proxy complains if the string is less than 44 characters (256 bits as 32 base64 bytes)

config/testing/handler_regexwhitelist.yml

@@ -0,0 +1,16 @@
+vouch:
+  logLevel: debug
+  domains:
+    - example.com
+
+  regexWhiteList:
+    - 'test1?\@(domain|example)\.com'
+
+  jwt:
+    secret: testingsecret
+
+oauth:
+  provider: indieauth
+  client_id: http://vouch.github.io
+  auth_url: https://indielogin.com/auth
+  callback_url: http://vouch.github.io:9090/auth

handlers/auth.go

@@ -117,6 +117,17 @@ func verifyUser(u interface{}) (bool, error) {
 		}
 		return false, fmt.Errorf("verifyUser: user.Username not found in WhiteList: %s", user.Username)
 
+	// regexWhiteList
+	case len(cfg.CompiledRegexWhiteList) != 0:
+		for _, wl := range cfg.CompiledRegexWhiteList {
+			log.Debugf("Checking claim: '%v' against regex: '%v'", user.Username, wl)
+			if wl.MatchString(user.Username) {
+				log.Debugf("VerifyUser: Success! found user.Username in regexWhiteList: %s", user.Username)
+				return true, nil
+			}
+		}
+		return false, fmt.Errorf("VerifyUser: user.Username not found in regexWhiteList: %s", user.Username)
+
 	// TeamWhiteList
 	case len(cfg.Cfg.TeamWhiteList) != 0:
 		for _, team := range user.TeamMemberships {

handlers/handlers_test.go

@@ -143,6 +143,14 @@ func TestVerifyUserPositiveUserInWhiteList(t *testing.T) {
 	assert.Nil(t, err)
 }
 
+func TestVerifyUserPositiveUserInRegexWhiteList(t *testing.T) {
+	setUp("/config/testing/handler_regexwhitelist.yml")
+	user := &structs.User{Username: "[email protected]", Email: "[email protected]", Name: "Test Name"}
+	ok, err := VerifyUser(*user)
+	assert.True(t, ok)
+	assert.Nil(t, err)
+}
+
 func TestVerifyUserPositiveAllowAllUsers(t *testing.T) {
 	setUp("/config/testing/handler_allowallusers.yml")
 

pkg/cfg/cfg.go

@@ -18,6 +18,7 @@ import (
 	"os"
 	"path/filepath"
 	"strings"
+	"regexp"
 
 	"github.com/mitchellh/mapstructure"
 
@@ -36,6 +37,7 @@ type Config struct {
 	Port          int      `mapstructure:"port"`
 	Domains       []string `mapstructure:"domains"`
 	WhiteList     []string `mapstructure:"whitelist"`
+	RegexWhiteList []string `mapstructure:"regexWhiteList"`
 	TeamWhiteList []string `mapstructure:"teamWhitelist"`
 	AllowAllUsers bool     `mapstructure:"allowAllUsers"`
 	PublicAccess  bool     `mapstructure:"publicAccess"`
@@ -162,6 +164,8 @@ var (
 	Cfg = &Config{}
 	// IsHealthCheck see main.go
 	IsHealthCheck = false
+	// CompiledRegexWhiteList see auth.go
+	CompiledRegexWhiteList []*regexp.Regexp
 )
 
 type cmdLineFlags struct {
@@ -392,6 +396,19 @@ func basicTest() error {
 	if Cfg.Cookie.MaxAge > Cfg.JWT.MaxAge {
 		return fmt.Errorf("configuration error: Cookie maxAge (%d) cannot be larger than the JWT maxAge (%d)", Cfg.Cookie.MaxAge, Cfg.JWT.MaxAge)
 	}
+	// if using regexWhiteList, compile regex statements, and store them in cfg.CompiledRegexWhiteList
+	if len(Cfg.RegexWhiteList) != 0 {
+		for i, wl := range Cfg.RegexWhiteList {
+			//generate regex array
+			reWhiteList, reWhiteListErr := regexp.Compile(wl)
+			if reWhiteListErr != nil {
+				return fmt.Fatalf("Uncompilable regex parameter: '%v'", wl)
+			}
+			CompiledRegexWhiteList = append(CompiledRegexWhiteList, reWhiteList)
+			log.Debugf("Compiled regex parameter '%v'", CompiledRegexWhiteList[i])
+		}
+		log.Debugf("compiled regex array %v", CompiledRegexWhiteList)
+	}
 	return nil
 }