// Copyright 2019 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

// Package oauthid implements OAuth client ID allowlist check.
//
// The allowlist answers a single question: is a given OAuth2 client ID one
// that this service accepts tokens from? It is a flat set of client IDs and
// is not keyed by the caller's identity.
package oauthid

import (
	"go.chromium.org/luci/common/data/stringset"
)

// GoogleAPIExplorerClientID is the well-known OAuth client_id of
// https://apis-explorer.appspot.com/. It is unconditionally present in every
// Allowlist built by NewAllowlist.
const GoogleAPIExplorerClientID = "292824132082.apps.googleusercontent.com"

// Allowlist is OAuth client ID allowlist.
//
// It embeds a stringset.Set of accepted client IDs; membership is an exact
// string match.
type Allowlist struct {
	stringset.Set
}

// NewAllowlist creates new populated client ID allowlist.
//
// The resulting set always contains GoogleAPIExplorerClientID. primaryID and
// each entry of additionalIDs are added only when non-empty, so an empty
// client ID can never be matched by IsAllowedOAuthClientID.
func NewAllowlist(primaryID string, additionalIDs []string) Allowlist {
	// Size hint: the explorer ID, the primary ID, and every additional ID.
	ids := stringset.New(2 + len(additionalIDs))
	ids.Add(GoogleAPIExplorerClientID)

	// Empty strings are dropped rather than stored so that a missing or blank
	// client ID in a request never matches a blank configuration value.
	addNonEmpty := func(id string) {
		if id != "" {
			ids.Add(id)
		}
	}
	addNonEmpty(primaryID)
	for _, id := range additionalIDs {
		addNonEmpty(id)
	}

	return Allowlist{Set: ids}
}

// IsAllowedOAuthClientID returns true if the given OAuth2 client ID can be used
// to authorize access from the given email.
//
// The decision depends only on clientID: the allowlist is global, so email is
// accepted for interface compatibility but not consulted.
func (l Allowlist) IsAllowedOAuthClientID(email, clientID string) bool {
	_ = email // allowlisting is not per-account in this implementation
	return l.Set.Has(clientID)
}