[authproxy] Allow configuration of returned groups

Via HTTP Header if present and with manually configured staticGroups in authproxy connector

Signed-off-by: seuf <seuf76@gmail.com>
This commit is contained in:
seuf 2022-01-14 15:01:16 +01:00
parent 8519219dae
commit 4ee9658dfe
2 changed files with 24 additions and 9 deletions

View file

@ -75,7 +75,7 @@ Dex implements the following connectors:
| [Google](https://dexidp.io/docs/connectors/google/) | yes | yes | yes | alpha | | | [Google](https://dexidp.io/docs/connectors/google/) | yes | yes | yes | alpha | |
| [LinkedIn](https://dexidp.io/docs/connectors/linkedin/) | yes | no | no | beta | | | [LinkedIn](https://dexidp.io/docs/connectors/linkedin/) | yes | no | no | beta | |
| [Microsoft](https://dexidp.io/docs/connectors/microsoft/) | yes | yes | no | beta | | | [Microsoft](https://dexidp.io/docs/connectors/microsoft/) | yes | yes | no | beta | |
| [AuthProxy](https://dexidp.io/docs/connectors/authproxy/) | no | no | no | alpha | Authentication proxies such as Apache2 mod_auth, etc. | | [AuthProxy](https://dexidp.io/docs/connectors/authproxy/) | no | yes | no | alpha | Authentication proxies such as Apache2 mod_auth, etc. |
| [Bitbucket Cloud](https://dexidp.io/docs/connectors/bitbucketcloud/) | yes | yes | no | alpha | | | [Bitbucket Cloud](https://dexidp.io/docs/connectors/bitbucketcloud/) | yes | yes | no | alpha | |
| [OpenShift](https://dexidp.io/docs/connectors/openshift/) | no | yes | no | alpha | | | [OpenShift](https://dexidp.io/docs/connectors/openshift/) | no | yes | no | alpha | |
| [Atlassian Crowd](https://dexidp.io/docs/connectors/atlassiancrowd/) | yes | yes | yes * | beta | preferred_username claim must be configured through config | | [Atlassian Crowd](https://dexidp.io/docs/connectors/atlassiancrowd/) | yes | yes | yes * | beta | preferred_username claim must be configured through config |

View file

@ -13,9 +13,14 @@ import (
) )
// Config holds the configuration parameters for a connector which returns an // Config holds the configuration parameters for a connector which returns an
// identity with the HTTP header X-Remote-User as verified email. // identity with the HTTP header X-Remote-User as verified email,
// X-Remote-Group and configured staticGroups as user's group.
// Headers retrieved to fetch user's email and group can be configured
// with userHeader and groupHeader.
type Config struct { type Config struct {
UserHeader string `json:"userHeader"` UserHeader string `json:"userHeader"`
GroupHeader string `json:"groupHeader"`
Groups []string `json:"staticGroups"`
} }
// Open returns an authentication strategy which requires no user interaction. // Open returns an authentication strategy which requires no user interaction.
@ -24,14 +29,20 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error)
if userHeader == "" { if userHeader == "" {
userHeader = "X-Remote-User" userHeader = "X-Remote-User"
} }
groupHeader := c.GroupHeader
if groupHeader == "" {
groupHeader = "X-Remote-Group"
}
return &callback{userHeader: userHeader, logger: logger, pathSuffix: "/" + id}, nil return &callback{userHeader: userHeader, groupHeader: groupHeader, logger: logger, pathSuffix: "/" + id, groups: c.Groups}, nil
} }
// Callback is a connector which returns an identity with the HTTP header // Callback is a connector which returns an identity with the HTTP header
// X-Remote-User as verified email. // X-Remote-User as verified email.
type callback struct { type callback struct {
userHeader string userHeader string
groupHeader string
groups []string
logger log.Logger logger log.Logger
pathSuffix string pathSuffix string
} }
@ -55,11 +66,15 @@ func (m *callback) HandleCallback(s connector.Scopes, r *http.Request) (connecto
if remoteUser == "" { if remoteUser == "" {
return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.userHeader) return connector.Identity{}, fmt.Errorf("required HTTP header %s is not set", m.userHeader)
} }
// TODO: add support for X-Remote-Group, see groups := m.groups
// https://kubernetes.io/docs/admin/authentication/#authenticating-proxy headerGroup := r.Header.Get(m.groupHeader)
if headerGroup != "" {
groups = append(groups, headerGroup)
}
return connector.Identity{ return connector.Identity{
UserID: remoteUser, // TODO: figure out if this is a bad ID value. UserID: remoteUser, // TODO: figure out if this is a bad ID value.
Email: remoteUser, Email: remoteUser,
EmailVerified: true, EmailVerified: true,
Groups: groups,
}, nil }, nil
} }