Merge pull request #1349 from alexmt/1102-config-to-load-all-groups

Add config to explicitly enable loading all github groups

Follow-up for #1102.
This commit is contained in:
Stephan Renatus 2018-11-20 15:15:25 +01:00 committed by GitHub
commit 7c8a22443a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 23 additions and 5 deletions

View file

@ -45,8 +45,8 @@ connectors:
# If orgs are specified in the config then user MUST be a member of at least one of the specified orgs to
# authenticate with dex.
#
# If neither 'org' nor 'orgs' are specified in the config then user authenticate with ALL user's Github groups.
# Typical use case for this setup:
# If neither 'org' nor 'orgs' are specified in the config and 'loadAllGroups' setting set to true then user
# authenticate with ALL user's Github groups. Typical use case for this setup:
# provide read-only access to everyone and give full permissions if user has 'my-organization:admins-team' group claim.
orgs:
- name: my-organization
@ -56,6 +56,8 @@ connectors:
teams:
- red-team
- blue-team
# Flag which indicates that all user groups and teams should be loaded.
loadAllGroups: false
# Optional choice between 'name' (default) or 'slug'.
#

View file

@ -48,6 +48,7 @@ type Config struct {
HostName string `json:"hostName"`
RootCA string `json:"rootCA"`
TeamNameField string `json:"teamNameField"`
LoadAllGroups bool `json:"loadAllGroups"`
}
// Org holds org-team filters, in which teams are optional.
@ -107,6 +108,7 @@ func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector
}
}
g.loadAllGroups = c.LoadAllGroups
switch c.TeamNameField {
case "name", "slug", "":
@ -143,7 +145,10 @@ type githubConnector struct {
rootCA string
// HTTP Client that trusts the custom delcared rootCA cert.
httpClient *http.Client
// optional choice between 'name' (default) or 'slug'
teamNameField string
// if set to true and no orgs are configured then connector loads all user claims (all orgs and team)
loadAllGroups bool
}
// groupsRequired returns whether dex requires GitHub's 'read:org' scope. Dex
@ -325,7 +330,7 @@ func (c *githubConnector) getGroups(ctx context.Context, client *http.Client, gr
return c.groupsForOrgs(ctx, client, userLogin)
} else if c.org != "" {
return c.teamsForOrg(ctx, client, c.org)
} else if groupScope {
} else if groupScope && c.loadAllGroups {
return c.userGroups(ctx, client)
}
return nil, nil

View file

@ -115,6 +115,9 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9",
"expires_in": "30",
}},
"/user/orgs": {
data: []org{{Login: "org-1"}},
},
})
defer s.Close()
@ -125,10 +128,18 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
expectNil(t, err)
c := githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient()}
identity, err := c.HandleCallback(connector.Scopes{}, req)
identity, err := c.HandleCallback(connector.Scopes{Groups: true}, req)
expectNil(t, err)
expectEquals(t, identity.Username, "some-login")
expectEquals(t, 0, len(identity.Groups))
c = githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient(), loadAllGroups: true}
identity, err = c.HandleCallback(connector.Scopes{Groups: true}, req)
expectNil(t, err)
expectEquals(t, identity.Username, "some-login")
expectEquals(t, identity.Groups, []string{"org-1"})
}