[liboauth] Limit oauth login to specific list of domains

updated configuration files coerce_csv instead of list updated second conf file
xiaorong919 · Mar 14, 2014 · 76064c6 · 76064c6
1 parent 7307bf6
commit 76064c6
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 1 deletion.
diff --git a/desktop/conf.dist/hue.ini b/desktop/conf.dist/hue.ini
@@ -415,6 +415,8 @@
   ## authenticate_url_facebook=https://graph.facebook.com/me?access_token=
   ## authenticate_url_linkedin=https://api.linkedin.com/v1/people/~:(email-address)?format=json&oauth2_access_token=
 
+  # Whitelisted domains (only applies to Google OAuth). CSV format.
+  ## whitelisted_domains_google=
 
 ###########################################################################
 # Settings for the RDBMS application

diff --git a/desktop/conf/pseudo-distributed.ini.tmpl b/desktop/conf/pseudo-distributed.ini.tmpl
@@ -420,6 +420,8 @@
   ## authenticate_url_facebook=https://graph.facebook.com/me?access_token=
   ## authenticate_url_linkedin=https://api.linkedin.com/v1/people/~:(email-address)?format=json&oauth2_access_token=
 
+  # Whitelisted domains (only applies to Google OAuth). CSV format.
+  ## whitelisted_domains_google=
 
 ###########################################################################
 # Settings for the RDBMS application

diff --git a/desktop/libs/liboauth/src/liboauth/backend.py b/desktop/libs/liboauth/src/liboauth/backend.py
@@ -158,6 +158,10 @@ def handleAuthenticationRequest(self, request):
                 raise Exception(_("Invalid response from OAuth provider: %s") % resp)
             username=(json.loads(content))["email"]
             access_token = dict(screen_name=''.join([x for x in username if x.isalnum()]), oauth_token_secret=access_tok)
+            whitelisted_domains = liboauth.conf.WHITELISTED_DOMAINS_GOOGLE.get()
+            if whitelisted_domains:
+                if username.split('@')[1] not in whitelisted_domains:
+                    access_token = ""
         #facebook
         elif social == 'facebook':
             access_tok = (dict(cgi.parse_qsl(cont)))['access_token']

diff --git a/desktop/libs/liboauth/src/liboauth/conf.py b/desktop/libs/liboauth/src/liboauth/conf.py
@@ -19,7 +19,8 @@
 
 from django.utils.translation import ugettext_lazy as _t, ugettext as _
 
-from desktop.lib.conf import Config, coerce_bool
+from desktop.lib.conf import Config, coerce_bool, coerce_csv
+
 
 CONSUMER_KEY_TWITTER = Config(
       key="consumer_key_twitter",
@@ -147,3 +148,10 @@
       type=str,
       default="https://api.linkedin.com/v1/people/~"
     )
+
+WHITELISTED_DOMAINS_GOOGLE = Config(
+    key="whitelisted_domains_google",
+    help=_t("Comma-separated list of whitelisted domains."),
+    type=coerce_csv,
+    default=''
+)