Corrected logic in group verification
This commit is contained in:
parent
296659cb50
commit
d31f6eabd4
2 changed files with 29 additions and 9 deletions
@ -165,10 +165,12 @@ func (c *openshiftConnector) HandleCallback(s connector.Scopes, r *http.Request)
|
||||||
return identity, fmt.Errorf("openshift: get user: %v", err)
|
return identity, fmt.Errorf("openshift: get user: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
validGroups := validateRequiredGroups(user.Groups, c.groups)
|
if len(c.groups) > 0 {
|
||||||
|
validGroups := validateAllowedGroups(user.Groups, c.groups)
|
||||||
|
|
||||||
if !validGroups {
|
if !validGroups {
|
||||||
return identity, fmt.Errorf("openshift: user %q is not in any of the required groups", user.Name)
|
return identity, fmt.Errorf("openshift: user %q is not in any of the required groups", user.Name)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
identity = connector.Identity{
|
identity = connector.Identity{
|
||||||
|
@ -211,10 +213,10 @@ func (c *openshiftConnector) user(ctx context.Context, client *http.Client) (u u
|
||||||
return u, err
|
return u, err
|
||||||
}
|
}
|
||||||
|
|
||||||
func validateRequiredGroups(userGroups, requiredGroups []string) bool {
|
func validateAllowedGroups(userGroups, allowedGroups []string) bool {
|
||||||
matchingGroups := groups.Filter(userGroups, requiredGroups)
|
matchingGroups := groups.Filter(userGroups, allowedGroups)
|
||||||
|
|
||||||
return len(requiredGroups) == len(matchingGroups)
|
return len(matchingGroups) != 0
|
||||||
}
|
}
|
||||||
|
|
||||||
// newHTTPClient returns a new HTTP client
|
// newHTTPClient returns a new HTTP client
|
||||||
|
|
|
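Review bot: The new `if len(c.groups) > 0` guard in HandleCallback makes an unset or empty group list skip authorization entirely, and nothing in the hunk says that this fail-open default is intended; a one-line comment would stop a future reader from treating it as an oversight, e.g. `// No groups configured: any authenticated user is accepted; group checks only apply when c.groups is non-empty.` HandleCallback starts before this hunk and continues after it. In the second hunk, `validateAllowedGroups` changes the semantics from "member of every configured group" to "member of at least one", but it carries no doc comment and the error message still says "required groups"; add `// validateAllowedGroups reports whether userGroups contains at least one of allowedGroups.` and consider wording the error as `"openshift: user %q is not in any of the allowed groups"` so logs match the new rule. The `len(matchingGroups) != 0` check presumably relies on groups.Filter returning the intersection; that helper is outside the hunk, so the assumption is worth stating in the comment.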
@ -83,11 +83,29 @@ func TestGetUser(t *testing.T) {
|
||||||
expectEquals(t, len(u.Groups), 1)
|
expectEquals(t, len(u.Groups), 1)
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestVerifyGroupFn(t *testing.T) {
|
func TestVerifySingleGroupFn(t *testing.T) {
|
||||||
requiredGroups := []string{"users"}
|
allowedGroups := []string{"users"}
|
||||||
groupMembership := []string{"users", "org1"}
|
groupMembership := []string{"users", "org1"}
|
||||||
|
|
||||||
validGroupMembership := validateRequiredGroups(groupMembership, requiredGroups)
|
validGroupMembership := validateAllowedGroups(groupMembership, allowedGroups)
|
||||||
|
|
||||||
|
expectEquals(t, validGroupMembership, true)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestVerifySingleGroupFailureFn(t *testing.T) {
|
||||||
|
allowedGroups := []string{"admins"}
|
||||||
|
groupMembership := []string{"users"}
|
||||||
|
|
||||||
|
validGroupMembership := validateAllowedGroups(groupMembership, allowedGroups)
|
||||||
|
|
||||||
|
expectEquals(t, validGroupMembership, false)
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestVerifyMultipleGroupFn(t *testing.T) {
|
||||||
|
allowedGroups := []string{"users", "admins"}
|
||||||
|
groupMembership := []string{"users", "org1"}
|
||||||
|
|
||||||
|
validGroupMembership := validateAllowedGroups(groupMembership, allowedGroups)
|
||||||
|
|
||||||
expectEquals(t, validGroupMembership, true)
|
expectEquals(t, validGroupMembership, true)
|
||||||
}
|
}
|
||||||
|
|
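Review bot: The new tests cover a single match, a single non-match and a multi-group match, but there is no case for a user with no group memberships at all, which is the boundary that an "at least one" check most often gets wrong. A fourth test alongside TestVerifySingleGroupFailureFn, with `groupMembership := []string{}` and `expectEquals(t, validateAllowedGroups(groupMembership, allowedGroups), false)`, would pin that behaviour. A case where allowedGroups is empty would likewise document that the function itself returns false there and that the connector's skip-when-unconfigured decision lives in HandleCallback, not here.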