@aaron-riact (Contributor) commented Jul 26, 2025

Add wildcard support

Adds email "wildcard" validation using the oidc-match-end:email: prefix. This allows administrators to match user emails by domain or other patterns at the end of the email string.

  • This matching is case-sensitive.
  • Use with care, as allowing a domain grants access to all users at that domain for a given principal.

In the system authorized identity file /etc/opk/auth_id you can now add an email suffix wildcard matching all emails ending in, for example, @example.com

bob oidc-match-end:email:@example.com https://accounts.google.com

Also adds a deny_emails field to the server config.
This field is a YAML array of strings, where each string is an email address you wish to deny access to.

---
deny_emails:
  - "user1@example.com"
  - "user2@example.com"

  • When a user attempts to authenticate, OPKSSH checks if their email is present in the deny_emails list.
  • If a match is found, authentication is denied, regardless of other authorization policies.
  • NB auth plugin checking takes place first, before deny_emails is consulted. If one of these plugins succeeds, authentication will be successful regardless of the contents of deny_emails.

Description before edit

picking up from #73

I'm a little uncertain about the tests, mostly because it's my first time with Go, and this repo.
If it's going in the right direction, I'd add some comments explaining the intent of including those policies, and which tests they relate to. I think it'd be helpful for newcomers reading the codebase.

While we are here, is there a way to deny some subset of emails first, before allowing the wildcard match?

edit: Changes name to use deny_emails instead of deny_users so I can add deny_users later
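As an added illustration of the two rules described above (not code from the opkssh project), the following Go snippet parses an /etc/opk/auth_id line using the oidc-match-end:email: prefix and evaluates it in the order the description gives: deny_emails first, then the auth_id rule. Auth plugins are not modelled; the type and function names, and the guard against an empty suffix, are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Prefix taken from the PR description; the rule form is
// "<principal> oidc-match-end:email:<suffix> <issuer>" in /etc/opk/auth_id.
const matchEndPrefix = "oidc-match-end:email:"

// AuthIDRule is one auth_id line: principal, identity rule, OpenID issuer.
type AuthIDRule struct{ Principal, Identity, Issuer string }

// ParseAuthIDLine splits one auth_id line into its three fields (assumed helper).
func ParseAuthIDLine(line string) (AuthIDRule, error) {
	f := strings.Fields(line)
	if len(f) != 3 {
		return AuthIDRule{}, fmt.Errorf("auth_id: want 3 fields, got %d in %q", len(f), line)
	}
	return AuthIDRule{Principal: f[0], Identity: f[1], Issuer: f[2]}, nil
}

// Authorize applies the order the PR describes after plugin checks
// (plugins are not modelled here): deny_emails first, then auth_id rules.
// Both comparisons are exact (case-sensitive), as the PR text states.
func Authorize(principal, email, issuer string, denyEmails []string, rules []AuthIDRule) bool {
	for _, d := range denyEmails {
		if d == email {
			return false // denied regardless of any auth_id rule
		}
	}
	for _, r := range rules {
		if r.Principal != principal || r.Issuer != issuer {
			continue
		}
		if strings.HasPrefix(r.Identity, matchEndPrefix) {
			suffix := strings.TrimPrefix(r.Identity, matchEndPrefix)
			// Assumed guard: an empty suffix would match every email, so reject it.
			if suffix != "" && strings.HasSuffix(email, suffix) {
				return true
			}
		} else if r.Identity == email { // plain exact-email rule
			return true
		}
	}
	return false
}
```

Note that the suffix is matched literally, so a rule written as "example.com" without the leading "@" would also accept "eve@notexample.com"; keep the "@" in domain rules.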

@EthanHeilman (Member)

This is very cool, can you put exactly how this rule would work in the documentation and the PR description.

> If its going in the right direction, i'd add some comments explaining the intent of including those policies,

This is going in the right direction. I can help you out with the tests when we get to that point

> While we are here, is there a way to deny some subset of emails first, before allowing the wildcard match?

I want to avoid having an order in which auth_id and plugin_policy rules are applied. That said, a file which has a list of users which can never login via opkssh would be helpful.

Maybe a line in /etc/opk/config.yml

deny_users: user1 user2 user3

Borrowing the AllowUsers/DenyUsers configuration directive from OpenSSH sshd_config.

docs/config.md Outdated
We support matching on email, sub (subscriber) or group.

We support email "wildcard" validation using the `oidc-match-end:email:` prefix. This allows administrators to match user emails by domain or other patterns at the end of the email string.
- This matching is **case-sensitive**.
Member

Can you provide a justification for this being case-sensitive? Is it that Linux usernames are case-sensitive? It seems strange since email addresses and domains are case-insensitive.

Contributor Author

Yeah, it was more a statement about the behaviour of the code, just to ensure it's in the docs, more than about correctness. But I need now it's wrong anyhow, it's the deny users that are case-sensitive.
Yeah, insensitive makes more sense. I'll update the code and the tests.

@EthanHeilman (Member)

This looks pretty close to mergeable. I might try to merge it tomorrow.

@EthanHeilman (Member)

Next week when I get some time, I'm going to fix this up, and PR some other features that work well with this.

@EthanHeilman EthanHeilman merged commit 06b6ccb into openpubkey:main Aug 11, 2025
16 checks passed
@EthanHeilman (Member)

Congrats on getting your first PR merged in opkssh! Thanks for all the work on this PR, hope to see more PRs from you in the future.
