Merge pull request #24 from ThYpHo0n/oAuthDomain-list

oAuthDomains can be a list of domains, separated by comma
InfoSec812 · Jul 17, 2019 · 93426f4 · 93426f4
2 parents 7008be9 + d131bc3
commit 93426f4
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -50,10 +50,4 @@ sonar.auth.googleoauth.clientId.secured    |Consumer Key provided by Google when
 sonar.auth.googleoauth.clientSecret.secured|Consumer password provided by Google when registering the consumer|None
 sonar.auth.googleoauth.enabled             |Enable Google users to login. Value is ignored if consumer Key and Secret are not defined|false
 sonar.auth.googleoauth.loginStrategy       |When the login strategy is set to 'Unique', the user's login will be auto-generated the first time so that it is unique. When the login strategy is set to 'Same as Google login', the user's login will be the Google login. This last strategy allows, when changing the authentication provider, to keep existing users (if logins from new provider are the same than Google)|Unique
-sonar.auth.googleoauth.limitOauthDomain    |When set with a GApps domain, only allow users from that domain to authenticate|None
-
-
-
-
-
-
+sonar.auth.googleoauth.limitOauthDomain    |When set with a GApps domain, only allow users from that domain to authenticate. Can be a list by separating domains with ","|None
diff --git a/pom.xml b/pom.xml
@@ -3,7 +3,7 @@
 
   <groupId>org.sonarqube.auth.google</groupId>
   <artifactId>sonar-auth-googleoauth-plugin</artifactId>
-  <version>1.6.3-SNAPSHOT</version>
+  <version>1.6.4-SNAPSHOT</version>
   <packaging>sonar-plugin</packaging>
   <name>Google Authentication for SonarQube</name>
   <inceptionYear>2016</inceptionYear>

diff --git a/src/main/java/org/sonarqube/auth/googleoauth/GoogleIdentityProvider.java b/src/main/java/org/sonarqube/auth/googleoauth/GoogleIdentityProvider.java
@@ -124,9 +124,9 @@ public void callback(CallbackContext context) {
 
     GsonUser gsonUser = requestUser(scribe, accessToken);
     String redirectTo;
-    if (settings.oauthDomain()==null || (settings.oauthDomain()!=null && gsonUser.getEmail().endsWith("@"+settings.oauthDomain()))) {
+    if (settings.oauthDomain()==null || (checkValidDomain(settings.oauthDomain(), gsonUser.getEmail()))) {
         redirectTo = settings.getSonarBaseURL();
-		String referer_url = request.getHeader("referer");
+        String referer_url = request.getHeader("referer");
         try {
             URL urlObj = new URL(referer_url);
             String returnToValue = null;
@@ -156,6 +156,15 @@ public void callback(CallbackContext context) {
     }
   }
 
+  private Boolean checkValidDomain(String oAuthDomains, String userEmail) {
+    for (String domain : oAuthDomains.split(",")) {
+      if (userEmail.trim().endsWith("@" + domain.trim())) {
+        return true;
+      }
+    }
+    return false;
+  }
+
   private GsonUser requestUser(OAuthService scribe, Token accessToken) {
     OAuthRequest userRequest = new OAuthRequest(Verb.GET, settings.apiURL() + "oauth2/v1/userinfo", scribe);
     scribe.signRequest(accessToken, userRequest);

diff --git a/src/main/java/org/sonarqube/auth/googleoauth/GoogleScribeApi.java b/src/main/java/org/sonarqube/auth/googleoauth/GoogleScribeApi.java
@@ -75,7 +75,7 @@ public String getAuthorizationUrl(OAuthConfig config) {
     if(state != null) {
       sb.append('&').append("state").append('=').append(OAuthEncoder.encode(state));
     }
-    if (settings.oauthDomain() != null) {
+    if (settings.oauthDomain() != null && !settings.oauthDomain().contains(",")) {
       sb.append('&').append("hd=").append(settings.oauthDomain());
     }