Merge pull request #1 from netlify/roles

biilmann · web-flow · commit 7347ca3f1832 · 2017-09-05T16:13:40.000-07:00
add configuration for roles
diff --git a/README.md b/README.md
@@ -1 +1,22 @@
 # git-gateway - Gateway to hosted git APIs
+
+**Secure role based access to the APIs of common Git Hosting providers.**
+
+When building sites with a JAMstack approach, a common pattern is to store all content as structured data in a Git repository instead of relying on an external database.
+
+Netlify CMS is an open-source content management UI that allows content editors to work with your content in Git through a familiar content editing interface. This allows people to write and edit content without having to write code or know anything about Git, markdown, YAML, JSON, etc.
+
+However, for most use cases you won’t want to require all content editors to have a GitHub account with full access to the source code repository for your website.
+
+Netlify’s Git Gateway lets you setup a gateway to GitHub’s API (more providers coming) that lets tools like Netlify CMS work with content, branches and pull requests on your users’ behalf.
+
+The Git Gateway works with any identity service that can issue JWTs and only allows access when a JSON Web Token with sufficient permissions is present.
+
+To configure the gateway, see our example.env file
+
+The Gateway limits access to the following sub endpoints of the repository:
+
+    /repos/:owner/:name/git/
+    /repos/:owner/:name/contents/
+    /repos/:owner/:name/pulls/
+    /repos/:owner/:name/branches/
diff --git a/api/github.go b/api/github.go
@@ -101,6 +101,10 @@ func (gh *GitHubGateway) authenticate(w http.ResponseWriter, r *http.Request) er
 		return errors.New("Access to endpoint not allowed: this part of GitHub's API has been restricted")
 	}
 
+	if len(adminRoles) == 0 {
+		return nil
+	}
+
 	roles, ok := claims.AppMetaData["roles"]
 	if ok {
 		roleStrings, _ := roles.([]interface{})
diff --git a/conf/configuration.go b/conf/configuration.go
@@ -45,6 +45,7 @@ type GlobalConfiguration struct {
 type Configuration struct {
 	JWT    JWTConfiguration `json:"jwt"`
 	GitHub GitHubConfig     `envconfig:"GITHUB" json:"github"`
+	Roles  []string         `envconfig:"ROLES" json:"roles"`
 }
 
 func loadEnvironment(filename string) error {
diff --git a/example.env b/example.env
@@ -1,5 +1,12 @@
 GITGATEWAY_JWT_SECRET="CHANGE-THIS! VERY IMPORTANT!"
+
 GITGATEWAY_DB_DRIVER=sqlite3
 DATABASE_URL=gorm.db
+
 GITGATEWAY_API_HOST=localhost
 PORT=9999
+
+GITGATEWAY_GITHUB_ACCESS_TOKEN="personal-access-token"
+GITGATEWAY_GITHUB_REPO="owner/name"
+
+GITGATEWAY_ROLES="admin,cms" # leave blank to allow all roles

Original file line number	Diff line number	Diff line change
`@@ -45,6 +45,7 @@ type GlobalConfiguration struct {`
`45`	`45`	`type Configuration struct {`
`46`	`46`	JWT JWTConfiguration `json:"jwt"`
`47`	`47`	GitHub GitHubConfig `envconfig:"GITHUB" json:"github"`
	`48`	+ Roles []string `envconfig:"ROLES" json:"roles"`
`48`	`49`	`}`
`49`	`50`
`50`	`51`	`func loadEnvironment(filename string) error {`