Issue #1102 - Add config to explicitly enable loading all github groups
parent
2425c6ea63
commit
7bd084bc07
3 changed files with 23 additions and 5 deletions
|
@ -45,8 +45,8 @@ connectors:
|
||||||
# If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
|
# If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
|
||||||
# authenticate with dex.
|
# authenticate with dex.
|
||||||
#
|
#
|
||||||
# If neither 'org' nor 'orgs' are specified in the config then user authenticate with ALL user's Github groups.
|
# If neither 'org' nor 'orgs' are specified in the config and 'loadAllGroups' setting set to true then user
|
||||||
# Typical use case for this setup:
|
# authenticate with ALL user's Github groups. Typical use case for this setup:
|
||||||
# provide read-only access to everyone and give full permissions if user has 'my-organization:admins-team' group claim.
|
# provide read-only access to everyone and give full permissions if user has 'my-organization:admins-team' group claim.
|
||||||
orgs:
|
orgs:
|
||||||
- name: my-organization
|
- name: my-organization
|
||||||
|
@ -56,6 +56,8 @@ connectors:
|
||||||
teams:
|
teams:
|
||||||
- red-team
|
- red-team
|
||||||
- blue-team
|
- blue-team
|
||||||
|
# Flag which indicates that all user groups and teams should be loaded.
|
||||||
|
loadAllGroups: false
|
||||||
|
|
||||||
# Optional choice between 'name' (default) or 'slug'.
|
# Optional choice between 'name' (default) or 'slug'.
|
||||||
#
|
#
|
||||||
|
|
|
@ -48,6 +48,7 @@ type Config struct {
|
||||||
HostName string `json:"hostName"`
|
HostName string `json:"hostName"`
|
||||||
RootCA string `json:"rootCA"`
|
RootCA string `json:"rootCA"`
|
||||||
TeamNameField string `json:"teamNameField"`
|
TeamNameField string `json:"teamNameField"`
|
||||||
|
LoadAllGroups bool `json:"loadAllGroups"`
|
||||||
}
|
}
|
||||||
|
|
||||||
// Org holds org-team filters, in which teams are optional.
|
// Org holds org-team filters, in which teams are optional.
|
||||||
|
@ -107,6 +108,7 @@ func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
g.loadAllGroups = c.LoadAllGroups
|
||||||
|
|
||||||
switch c.TeamNameField {
|
switch c.TeamNameField {
|
||||||
case "name", "slug", "":
|
case "name", "slug", "":
|
||||||
|
@ -142,8 +144,11 @@ type githubConnector struct {
|
||||||
// Used to support untrusted/self-signed CA certs.
|
// Used to support untrusted/self-signed CA certs.
|
||||||
rootCA string
|
rootCA string
|
||||||
// HTTP Client that trusts the custom delcared rootCA cert.
|
// HTTP Client that trusts the custom delcared rootCA cert.
|
||||||
httpClient *http.Client
|
httpClient *http.Client
|
||||||
|
// optional choice between 'name' (default) or 'slug'
|
||||||
teamNameField string
|
teamNameField string
|
||||||
|
// if set to true and no orgs are configured then connector loads all user claims (all orgs and team)
|
||||||
|
loadAllGroups bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// groupsRequired returns whether dex requires GitHub's 'read:org' scope. Dex
|
// groupsRequired returns whether dex requires GitHub's 'read:org' scope. Dex
|
||||||
|
@ -325,7 +330,7 @@ func (c *githubConnector) getGroups(ctx context.Context, client *http.Client, gr
|
||||||
return c.groupsForOrgs(ctx, client, userLogin)
|
return c.groupsForOrgs(ctx, client, userLogin)
|
||||||
} else if c.org != "" {
|
} else if c.org != "" {
|
||||||
return c.teamsForOrg(ctx, client, c.org)
|
return c.teamsForOrg(ctx, client, c.org)
|
||||||
} else if groupScope {
|
} else if groupScope && c.loadAllGroups {
|
||||||
return c.userGroups(ctx, client)
|
return c.userGroups(ctx, client)
|
||||||
}
|
}
|
||||||
return nil, nil
|
return nil, nil
|
||||||
|
|
|
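Review bot: `Open` copies the new setting at `g.loadAllGroups = c.LoadAllGroups` without checking it against the org filters, yet in `getGroups` the `orgs`/`org` branches are taken first, so the flag is silently a no-op whenever an org filter is also configured. A config that sets both is most likely an operator mistake and deserves at least a warning in `Open`, e.g. `if c.LoadAllGroups && (c.Org != "" || len(c.Orgs) > 0) { logger.Warnf("loadAllGroups is ignored because org/orgs are configured") }` — the `Org`/`Orgs` field names are inferred from the `c.org` usage and the YAML keys, so confirm them. The new `LoadAllGroups bool` field in `Config` has no doc comment; it should state the default (false: with the groups scope requested and no org filter, no groups are returned at all) and that org filters take precedence, and the struct comment `// if set to true and no orgs are configured then connector loads all user claims (all orgs and team)` should say the same in one sentence. Both `Open` and `getGroups` extend outside their hunks.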
@ -115,6 +115,9 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
|
||||||
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9",
|
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9",
|
||||||
"expires_in": "30",
|
"expires_in": "30",
|
||||||
}},
|
}},
|
||||||
|
"/user/orgs": {
|
||||||
|
data: []org{{Login: "org-1"}},
|
||||||
|
},
|
||||||
})
|
})
|
||||||
defer s.Close()
|
defer s.Close()
|
||||||
|
|
||||||
|
@ -125,10 +128,18 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
|
||||||
expectNil(t, err)
|
expectNil(t, err)
|
||||||
|
|
||||||
c := githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient()}
|
c := githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient()}
|
||||||
identity, err := c.HandleCallback(connector.Scopes{}, req)
|
identity, err := c.HandleCallback(connector.Scopes{Groups: true}, req)
|
||||||
|
|
||||||
expectNil(t, err)
|
expectNil(t, err)
|
||||||
expectEquals(t, identity.Username, "some-login")
|
expectEquals(t, identity.Username, "some-login")
|
||||||
|
expectEquals(t, 0, len(identity.Groups))
|
||||||
|
|
||||||
|
c = githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient(), loadAllGroups: true}
|
||||||
|
identity, err = c.HandleCallback(connector.Scopes{Groups: true}, req)
|
||||||
|
|
||||||
|
expectNil(t, err)
|
||||||
|
expectEquals(t, identity.Username, "some-login")
|
||||||
|
expectEquals(t, identity.Groups, []string{"org-1"})
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
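Review bot: The new assertions only vary `loadAllGroups` while always requesting `connector.Scopes{Groups: true}`, so the other half of the `groupScope && c.loadAllGroups` guard in `getGroups` is untested: a connector with `loadAllGroups: true` but no groups scope must still return no groups. A third call in the same test covers it: `c = githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient(), loadAllGroups: true}`, `identity, err = c.HandleCallback(connector.Scopes{}, req)`, `expectEquals(t, 0, len(identity.Groups))`. Reusing `req` across several `HandleCallback` calls presumably works because the handler reads only query parameters — confirm, since a consumed body would make the later calls fail for the wrong reason. The test is named `TestUsernameIncludedInFederatedIdentity` but now also pins group behaviour; either rename it or split the group assertions into their own test. The enclosing test function starts outside the hunk.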