Add claimMapping enforcement

Signed-off-by: Happy2C0de <46957159+Happy2C0de@users.noreply.github.com>
2021-08-11 12:20:46 +02:00 · 2021-08-11 12:20:46 +02:00 · 45143c98b3
commit 45143c98b3
parent ba1bd65c10
2 changed files with 92 additions and 37 deletions
--- a/connector/oidc/oidc.go
+++ b/connector/oidc/oidc.go
@ -56,16 +56,23 @@ type Config struct {
 	// PromptType will be used fot the prompt parameter (when offline_access, by default prompt=consent)
 	PromptType string `json:"promptType"`
-	ClaimMapping struct {
+	ClaimMapping ClaimMapping `json:"claimMapping"`
-		// Configurable key which contains the preferred username claims
+}
 		PreferredUsernameKey string `json:"preferred_username"` // defaults to "preferred_username"
-		// Configurable key which contains the email claims
+type ClaimMapping struct {
-		EmailKey string `json:"email"` // defaults to "email"
+	// Enforce the ClaimMapping.
 	// i.e. an 'email' claim will always be taken if available,
 	// irrelevant of the settings in EmailKey. This option will enforce the ClaimMapping options independent of the existing claims.
 	Enforce bool `json:"enforce"` // defaults to false
-		// Configurable key which contains the groups claims
+	// Configurable key which contains the preferred username claims
-		GroupsKey string `json:"groups"` // defaults to "groups"
+	PreferredUsernameKey string `json:"preferred_username"` // defaults to "preferred_username"
-	} `json:"claimMapping"`
+
 	// Configurable key which contains the email claims
 	EmailKey string `json:"email"` // defaults to "email"
 	// Configurable key which contains the groups claims
 	GroupsKey string `json:"groups"` // defaults to "groups"
 }
 // Domains that don't support basic auth. golang.org/x/oauth2 has an internal
@ -153,9 +160,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 		promptType:                c.PromptType,
 		userIDKey:                 c.UserIDKey,
 		userNameKey:               c.UserNameKey,
-		preferredUsernameKey:      c.ClaimMapping.PreferredUsernameKey,
+		claimMapping:              c.ClaimMapping,
 		emailKey:                  c.ClaimMapping.EmailKey,
 		groupsKey:                 c.ClaimMapping.GroupsKey,
 	}, nil
 }
@ -178,9 +183,7 @@ type oidcConnector struct {
 	promptType                string
 	userIDKey                 string
 	userNameKey               string
-	preferredUsernameKey      string
+	claimMapping              ClaimMapping
 	emailKey                  string
 	groupsKey                 string
 }
 func (c *oidcConnector) Close() error {
@ -288,9 +291,14 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 		return identity, fmt.Errorf("missing \"%s\" claim", userNameKey)
 	}
-	preferredUsername, found := claims["preferred_username"].(string)
+	prefUsername := "preferred_username"
-	if !found {
+	preferredUsername, found := claims[prefUsername].(string)
-		preferredUsername, _ = claims[c.preferredUsernameKey].(string)
+	if (!found || c.claimMapping.Enforce) && c.claimMapping.PreferredUsernameKey != "" {
 		prefUsername = c.claimMapping.PreferredUsernameKey
 		preferredUsername, found = claims[prefUsername].(string)
 		if !found {
 			return identity, fmt.Errorf("missing \"%s\" claim", prefUsername)
 		}
 	}
 	hasEmailScope := false
@ -304,9 +312,12 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 	var email string
 	emailKey := "email"
 	email, found = claims[emailKey].(string)
-	if !found && c.emailKey != "" {
+	if (!found || c.claimMapping.Enforce) && c.claimMapping.EmailKey != "" {
-		emailKey = c.emailKey
+		emailKey = c.claimMapping.EmailKey
 		email, found = claims[emailKey].(string)
 		if !found {
 			return identity, fmt.Errorf("missing \"%s\" claim", emailKey)
 		}
 	}
 	if !found && hasEmailScope {
@ -326,8 +337,8 @@ func (c *oidcConnector) createIdentity(ctx context.Context, identity connector.I
 	if c.insecureEnableGroups {
 		groupsKey := "groups"
 		vs, found := claims[groupsKey].([]interface{})
-		if !found {
+		if (!found || c.claimMapping.Enforce) && c.claimMapping.GroupsKey != "" {
-			groupsKey = c.groupsKey
+			groupsKey = c.claimMapping.GroupsKey
 			vs, found = claims[groupsKey].([]interface{})
 		}
--- a/connector/oidc/oidc_test.go
+++ b/connector/oidc/oidc_test.go
@ -49,9 +49,7 @@ func TestHandleCallback(t *testing.T) {
 		name                      string
 		userIDKey                 string
 		userNameKey               string
-		preferredUsernameKey      string
+		claimMapping              ClaimMapping
 		emailKey                  string
 		groupsKey                 string
 		insecureSkipEmailVerified bool
 		scopes                    []string
 		expectUserID              string
@ -78,10 +76,12 @@ func TestHandleCallback(t *testing.T) {
 			},
 		},
 		{
-			name:               "customEmailClaim",
+			name:        "customEmailClaim",
-			userIDKey:          "", // not configured
+			userIDKey:   "", // not configured
-			userNameKey:        "", // not configured
+			userNameKey: "", // not configured
-			emailKey:           "mail",
+			claimMapping: ClaimMapping{
 				EmailKey: "mail",
 			},
 			expectUserID:       "subvalue",
 			expectUserName:     "namevalue",
 			expectedEmailField: "emailvalue",
@ -92,6 +92,25 @@ func TestHandleCallback(t *testing.T) {
 				"email_verified": true,
 			},
 		},
 		{
 			name:        "enforceCustomEmailClaim",
 			userIDKey:   "", // not configured
 			userNameKey: "", // not configured
 			claimMapping: ClaimMapping{
 				Enforce:  true,
 				EmailKey: "custommail",
 			},
 			expectUserID:       "subvalue",
 			expectUserName:     "namevalue",
 			expectedEmailField: "customemailvalue",
 			token: map[string]interface{}{
 				"sub":            "subvalue",
 				"name":           "namevalue",
 				"mail":           "emailvalue",
 				"custommail":     "customemailvalue",
 				"email_verified": true,
 			},
 		},
 		{
 			name:                      "email_verified not in claims, configured to be skipped",
 			insecureSkipEmailVerified: true,
@ -131,8 +150,10 @@ func TestHandleCallback(t *testing.T) {
 			},
 		},
 		{
-			name:                    "withPreferredUsernameKey",
+			name: "withPreferredUsernameKey",
-			preferredUsernameKey:    "username_key",
+			claimMapping: ClaimMapping{
 				PreferredUsernameKey: "username_key",
 			},
 			expectUserID:            "subvalue",
 			expectUserName:          "namevalue",
 			expectPreferredUsername: "username_value",
@ -200,8 +221,10 @@ func TestHandleCallback(t *testing.T) {
 			},
 		},
 		{
-			name:                      "customGroupsKey",
+			name: "customGroupsKey",
-			groupsKey:                 "cognito:groups",
+			claimMapping: ClaimMapping{
 				GroupsKey: "cognito:groups",
 			},
 			expectUserID:              "subvalue",
 			expectUserName:            "namevalue",
 			expectedEmailField:        "emailvalue",
@ -217,8 +240,10 @@ func TestHandleCallback(t *testing.T) {
 			},
 		},
 		{
-			name:                      "customGroupsKeyButGroupsProvided",
+			name: "customGroupsKeyButGroupsProvided",
-			groupsKey:                 "cognito:groups",
+			claimMapping: ClaimMapping{
 				GroupsKey: "cognito:groups",
 			},
 			expectUserID:              "subvalue",
 			expectUserName:            "namevalue",
 			expectedEmailField:        "emailvalue",
@ -234,6 +259,27 @@ func TestHandleCallback(t *testing.T) {
 				"cognito:groups": []string{"group3", "group4"},
 			},
 		},
 		{
 			name: "customGroupsKeyButGroupsProvidedButEnforced",
 			claimMapping: ClaimMapping{
 				Enforce:   true,
 				GroupsKey: "cognito:groups",
 			},
 			expectUserID:              "subvalue",
 			expectUserName:            "namevalue",
 			expectedEmailField:        "emailvalue",
 			expectGroups:              []string{"group3", "group4"},
 			scopes:                    []string{"groups"},
 			insecureSkipEmailVerified: true,
 			token: map[string]interface{}{
 				"sub":            "subvalue",
 				"name":           "namevalue",
 				"user_name":      "username",
 				"email":          "emailvalue",
 				"groups":         []string{"group1", "group2"},
 				"cognito:groups": []string{"group3", "group4"},
 			},
 		},
 	}
 	for _, tc := range tests {
@ -264,9 +310,7 @@ func TestHandleCallback(t *testing.T) {
 				InsecureEnableGroups:      true,
 				BasicAuthUnsupported:      &basicAuth,
 			}
-			config.ClaimMapping.PreferredUsernameKey = tc.preferredUsernameKey
+			config.ClaimMapping = tc.claimMapping
 			config.ClaimMapping.EmailKey = tc.emailKey
 			config.ClaimMapping.GroupsKey = tc.groupsKey
 			conn, err := newConnector(config)
 			if err != nil {