feat(controlplane): domain based allow-listing (#563)

Signed-off-by: Miguel Martinez Trivino <[email protected]>

Author: migmartri

app/controlplane/configs/samples/config.yaml

@@ -17,6 +17,7 @@ auth:
   # Optional allow list
   # allow_list:
   #   - [email protected]
+  #   - @my-domain.com # This will allow any email from this domain
 
 # CAS server where the controlplane will push artifacts to
 cas_server:

app/controlplane/internal/conf/conf.pb.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2024 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -15,11 +15,11 @@
 
 syntax = "proto3";
 
-option go_package = "github.com/chainloop-dev/chainloop/app/controlplane/internal/conf;conf";
-
+import "credentials/v1/config.proto";
 import "google/protobuf/duration.proto";
 import "validate/validate.proto";
-import "credentials/v1/config.proto";
+
+option go_package = "github.com/chainloop-dev/chainloop/app/controlplane/internal/conf;conf";
 
 message Bootstrap {
   Server server = 1;
@@ -62,7 +62,7 @@ message ReferrerSharedIndex {
   // If the shared, public index feature is enabled
   bool enabled = 1;
   // list of organizations uuids that are allowed to appear in the shared referrer index
-  // think of it as a list of trusted publishers 
+  // think of it as a list of trusted publishers
   repeated string allowed_orgs = 2;
 }
 
@@ -105,6 +105,8 @@ message Data {
 message Auth {
   // Authentication creates a JWT that uses this secret for signing
   string generated_jws_hmac_secret = 2;
+  // allow_list is a list of allowed email addresses or domains
+  // for example ["@chainloop.dev", "[email protected]"]
   repeated string allow_list = 3;
   string cas_robot_account_private_key_path = 4;
   OIDC oidc = 6;

app/controlplane/internal/conf/conf.proto

@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2024 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -17,6 +17,8 @@ package usercontext
 
 import (
 	"context"
+	"fmt"
+	"strings"
 
 	v1 "github.com/chainloop-dev/chainloop/app/controlplane/api/controlplane/v1"
 	"github.com/go-kratos/kratos/v2/middleware"
@@ -37,12 +39,9 @@ func CheckUserInAllowList(allowList []string) middleware.Middleware {
 			}
 
 			// If there are not items in the allowList we allow all users
-			var allow bool
-			for _, e := range allowList {
-				if e == user.Email {
-					allow = true
-					break
-				}
+			allow, err := inAllowList(allowList, user.Email)
+			if err != nil {
+				return nil, v1.ErrorAllowListErrorNotInList("error checking user in allowList: %v", err)
 			}
 
 			if !allow {
@@ -53,3 +52,38 @@ func CheckUserInAllowList(allowList []string) middleware.Middleware {
 		}
 	}
 }
+
+func inAllowList(allowList []string, email string) (bool, error) {
+	for _, allowListEntry := range allowList {
+		// it's a direct email match
+		if allowListEntry == email {
+			return true, nil
+		}
+
+		// Check if the entry is a domain and the email is part of it
+		// extract the domain from the allowList entry
+		// i.e if the entry is @cyberdyne.io, we get cyberdyne.io
+		domainComponent := strings.Split(allowListEntry, "@")
+		if len(domainComponent) != 2 {
+			return false, fmt.Errorf("invalid domain entry: %q", allowListEntry)
+		}
+
+		// it's not a domain since it contains an username, then continue
+		if domainComponent[0] != "" {
+			continue
+		}
+
+		// Compare the domains
+		emailComponents := strings.Split(email, "@")
+		if len(emailComponents) != 2 {
+			return false, fmt.Errorf("invalid email: %q", email)
+		}
+
+		// check if against a potential domain entry in the allowList
+		if emailComponents[1] == domainComponent[1] {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}

app/controlplane/internal/usercontext/allowlist_middleware.go

@@ -1,5 +1,5 @@
 //
-// Copyright 2023 The Chainloop Authors.
+// Copyright 2024 The Chainloop Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -24,42 +24,84 @@ import (
 )
 
 func TestCheckUserInAllowList(t *testing.T) {
-	u := &User{Email: "[email protected]", ID: "124"}
+	const email = "[email protected]"
+	allowList := []string{
+		"[email protected]",
+		"[email protected]",
+		// it can also contain domains
+		"@cyberdyne.io",
+		"@dyson-industries.io",
+	}
+
 	testCases := []struct {
 		name      string
 		allowList []string
-		user      *User
+		email     string
 		wantErr   bool
 	}{
 		{
 			name:      "empty allow list",
-			user:      u,
+			email:     email,
 			allowList: []string{},
 		},
 		{
 			name:      "user not in allow list",
-			user:      u,
-			allowList: []string{"[email protected]"},
+			email:     email,
+			allowList: []string{"[email protected]"},
 			wantErr:   true,
 		},
 		{
 			name:      "context missing, no user loaded",
-			allowList: []string{"[email protected]"},
+			allowList: allowList,
 			wantErr:   true,
 		},
 		{
 			name:      "user in allow list",
-			user:      u,
-			allowList: []string{"[email protected]"},
+			email:     email,
+			allowList: allowList,
+		},
+		{
+			name:      "user in one of the valid domains",
+			email:     "[email protected]",
+			allowList: allowList,
+		},
+		{
+			name:      "user in one of the valid domains",
+			email:     "[email protected]",
+			allowList: allowList,
+		},
+		{
+			name:      "and can use modifiers",
+			email:     "[email protected]",
+			allowList: allowList,
+		},
+		{
+			name:      "it needs to be an email",
+			email:     "dyson-industries.io",
+			allowList: allowList,
+			wantErr:   true,
+		},
+		{
+			name:      "domain position is important",
+			email:     "dyson-industries.io@john",
+			allowList: allowList,
+			wantErr:   true,
+		},
+		{
+			name:      "and can't be typosquated",
+			email:     "[email protected]",
+			allowList: allowList,
+			wantErr:   true,
 		},
 	}
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
 			m := CheckUserInAllowList(tc.allowList)
 			ctx := context.Background()
-			if tc.user != nil {
-				ctx = WithCurrentUser(ctx, tc.user)
+			if tc.email != "" {
+				u := &User{Email: tc.email, ID: "124"}
+				ctx = WithCurrentUser(ctx, u)
 			}
 
 			_, err := m(emptyHandler)(ctx, nil)