openfaas · Waterdrips · Mar 4, 2020
diff --git a/docs/README.md b/docs/README.md
@@ -142,7 +142,8 @@ private_key_filename: my-private-key
 
 Edit `customers_url` in gateway_config.yml.
 
-Enter a list of GitHub usernames for your customers, these are case-sensitive.
+Enter a list of GitHub usernames for your customers, these are case-sensitive. You can use Organisations in place of 
+usernames, anyone that is a public member of the organisation can then login.
 
 ### Customize for Kubernetes or Swarm
 

diff --git a/edge-auth/Makefile b/edge-auth/Makefile
@@ -1,7 +1,7 @@
 TAG?=latest
-
+NAMESPACE?=openfaas
 build:
-	docker build --build-arg http_proxy="${http_proxy}" --build-arg https_proxy="${https_proxy}" -t openfaas/edge-auth:$(TAG) .
+	docker build --build-arg http_proxy="${http_proxy}" --build-arg https_proxy="${https_proxy}" -t $(NAMESPACE)/edge-auth:$(TAG) .
 
 push:
-	docker push openfaas/edge-auth:$(TAG)
+	docker push $(NAMESPACE)/edge-auth:$(TAG)
diff --git a/edge-auth/handlers/common.go b/edge-auth/handlers/common.go
@@ -24,6 +24,10 @@ type OpenFaaSCloudClaims struct {
 	jwt.StandardClaims
 }
 
+func (c OpenFaaSCloudClaims) GetOrganizations() []string {
+	return strings.Split(c.Organizations, ",")
+}
+
 // ProviderAccessToken as issued by GitHub or GitLab
 type ProviderAccessToken struct {
 	AccessToken string `json:"access_token"`

diff --git a/edge-auth/handlers/query.go b/edge-auth/handlers/query.go
@@ -124,8 +124,10 @@ func validCookie(r *http.Request, cookieName string, publicKey crypto.PublicKey,
 				log.Printf("Validated JWT for (%s) %s", claims.Subject, claims.Name)
 			}
 			if found, _ := customers.Get(claims.Subject); found == false {
-				log.Printf("user [%s] was not a valid customer", claims.Subject)
-				return http.StatusUnauthorized
+				if !isInOrganisations(claims, customers) {
+					log.Printf("user [%s] was not a valid customer", claims.Subject)
+					return http.StatusUnauthorized
+				}
 			}
 
 			if debug {
@@ -139,3 +141,12 @@ func validCookie(r *http.Request, cookieName string, publicKey crypto.PublicKey,
 
 	return http.StatusUnauthorized
 }
+
+func isInOrganisations(claims OpenFaaSCloudClaims, customers *sdk.Customers) bool {
+	for _, org := range claims.GetOrganizations() {
+		if found, _ := customers.Get(org); found == true {
+			return true
+		}
+	}
+	return false
+}
diff --git a/edge-auth/handlers/query_test.go b/edge-auth/handlers/query_test.go
@@ -0,0 +1,87 @@
+package handlers
+
+import (
+	"github.com/dgrijalva/jwt-go"
+	"github.com/openfaas/openfaas-cloud/sdk"
+	"sync"
+	"testing"
+	"time"
+)
+
+func Test_isInOrganisations_NoOrgs(t *testing.T) {
+	want := false
+	claims := OpenFaaSCloudClaims{
+		Name:           "claim",
+		AccessToken:    "token",
+		Organizations:  "",
+		StandardClaims: jwt.StandardClaims{},
+	}
+
+	usernames := make(map[string]string)
+	usernames["user"] = "user"
+	customers := sdk.Customers{
+		Usernames:     &usernames,
+		Sync:          &sync.Mutex{},
+		Expires:       time.Now().Add(100 * time.Second),
+		CustomersURL:  "",
+		CustomersPath: "",
+	}
+	got := isInOrganisations(claims, &customers)
+
+	if want != got {
+		t.Error("didn't expect to find user's org in Customers but did")
+		t.Fail()
+	}
+}
+
+func Test_isInOrganisations_OrgsNotMember(t *testing.T) {
+	want := false
+	claims := OpenFaaSCloudClaims{
+		Name:           "claim",
+		AccessToken:    "token",
+		Organizations:  "this,that",
+		StandardClaims: jwt.StandardClaims{},
+	}
+
+	usernames := make(map[string]string)
+	usernames["user"] = "user"
+	customers := sdk.Customers{
+		Usernames:     &usernames,
+		Sync:          &sync.Mutex{},
+		Expires:       time.Now().Add(100 * time.Second),
+		CustomersURL:  "",
+		CustomersPath: "",
+	}
+	got := isInOrganisations(claims, &customers)
+
+	if want != got {
+		t.Error("didn't expect to find user's org in Customers but did")
+		t.Fail()
+	}
+}
+
+func Test_isInOrganisations_IsInOrgs(t *testing.T) {
+	want := true
+	claims := OpenFaaSCloudClaims{
+		Name:           "claim",
+		AccessToken:    "token",
+		Organizations:  "this,that",
+		StandardClaims: jwt.StandardClaims{},
+	}
+
+	usernames := make(map[string]string)
+	usernames["this"] = "this"
+	customers := sdk.Customers{
+		Usernames:     &usernames,
+		Sync:          &sync.Mutex{},
+		Expires:       time.Now().Add(100 * time.Second),
+		CustomersURL:  "",
+		CustomersPath: "",
+	}
+	got := isInOrganisations(claims, &customers)
+
+	if want != got {
+		t.Error("wanted to find user's org in Customers but didn't")
+		t.Fail()
+	}
+}