Add ability to specify ipWhitelist for connector

cmd/dex/config.go

@@ -257,9 +257,10 @@ func (s *Storage) UnmarshalJSON(b []byte) error {
 // Connector is a magical type that can unmarshal YAML dynamically. The
 // Type field determines the connector type, which is then customized for Config.
 type Connector struct {
-	Type string `json:"type"`
-	Name string `json:"name"`
-	ID   string `json:"id"`
+	Type        string   `json:"type"`
+	Name        string   `json:"name"`
+	ID          string   `json:"id"`
+	IPWhitelist []string `json:"ipWhitelist"`
 
 	Config server.ConnectorConfig `json:"config"`
 }
@@ -268,9 +269,10 @@ type Connector struct {
 // dynamically determine the type of the connector config.
 func (c *Connector) UnmarshalJSON(b []byte) error {
 	var conn struct {
-		Type string `json:"type"`
-		Name string `json:"name"`
-		ID   string `json:"id"`
+		Type        string   `json:"type"`
+		Name        string   `json:"name"`
+		ID          string   `json:"id"`
+		IPWhitelist []string `json:"ipWhitelist"`
 
 		Config json.RawMessage `json:"config"`
 	}
@@ -294,10 +296,11 @@ func (c *Connector) UnmarshalJSON(b []byte) error {
 		}
 	}
 	*c = Connector{
-		Type:   conn.Type,
-		Name:   conn.Name,
-		ID:     conn.ID,
-		Config: connConfig,
+		Type:        conn.Type,
+		Name:        conn.Name,
+		ID:          conn.ID,
+		IPWhitelist: conn.IPWhitelist,
+		Config:      connConfig,
 	}
 	return nil
 }
@@ -310,10 +313,11 @@ func ToStorageConnector(c Connector) (storage.Connector, error) {
 	}
 
 	return storage.Connector{
-		ID:     c.ID,
-		Type:   c.Type,
-		Name:   c.Name,
-		Config: data,
+		ID:          c.ID,
+		Type:        c.Type,
+		Name:        c.Name,
+		IPWhitelist: c.IPWhitelist,
+		Config:      data,
 	}, nil
 }
 

config.yaml.dist

@@ -124,6 +124,19 @@ web:
 #
 # See the documentation (https://dexidp.io/docs/connectors/) for further information.
 # connectors: []
+#  - type: oidc
+#    id: aaenhunze
+#    ipWhitelist:
+#      - 192.168.1.1
+#    name: "OIDC"
+#    config:
+#      issuer: https://login.microsoftonline.com/uuid/v2.0
+#      clientID: id
+#      clientSecret: secret
+#      redirectURI: http://localhost:5556/dex/callback
+#      scopes:
+#        - profile
+#        - email
 
 # Enable the password database.
 #

server/handlers.go

@@ -138,13 +138,30 @@ func (s *Server) handleAuthorization(w http.ResponseWriter, r *http.Request) {
 
 	connectorID := r.Form.Get("connector_id")
 
-	connectors, err := s.storage.ListConnectors()
+	connectorsFromStorage, err := s.storage.ListConnectors()
 	if err != nil {
 		s.logger.Errorf("Failed to get list of connectors: %v", err)
 		s.renderError(r, w, http.StatusInternalServerError, "Failed to retrieve connector list.")
 		return
 	}
 
+	connectors := []storage.Connector{}
+	for _, c := range connectorsFromStorage {
+		if len(c.IPWhitelist) == 0 {
+			connectors = append(connectors, c)
+			continue
+		}
+
+		userIp := readUserIP(r)
+		for _, i := range c.IPWhitelist {
+			if i == userIp {
+				connectors = append(connectors, c)
+				break
+			}
+		}
+
+	}
+
 	// We don't need connector_id any more
 	r.Form.Del("connector_id")
 

server/utils.go

@@ -0,0 +1,22 @@
+package server
+
+import (
+	"net"
+	"net/http"
+	"strings"
+)
+
+func readUserIP(r *http.Request) string {
+	IPAddress := r.Header.Get("X-Real-Ip")
+	if IPAddress == "" {
+		IPAddress = r.Header.Get("X-Forwarded-For")
+	}
+	if IPAddress == "" {
+		if strings.ContainsRune(r.RemoteAddr, ':') {
+			IPAddress, _, _ = net.SplitHostPort(r.RemoteAddr)
+		} else {
+			IPAddress = r.RemoteAddr
+		}
+	}
+	return IPAddress
+}

storage/storage.go

@@ -363,7 +363,8 @@ type Connector struct {
 	// The Type of the connector. E.g. 'oidc' or 'ldap'
 	Type string `json:"type"`
 	// The Name of the connector that is used when displaying it to the end user.
-	Name string `json:"name"`
+	Name        string   `json:"name"`
+	IPWhitelist []string `json:"ipWhitelist"`
 	// ResourceVersion is the static versioning used to keep track of dynamic configuration
 	// changes to the connector object made by the API calls.
 	ResourceVersion string `json:"resourceVersion"`