NotificationsYou must be signed in to change notification settings
Fork1.1k
Star11.6k

Commit5b1e809

Rafael Rodriguez

authored

fix: support oidc group allowlist in oss (#19430)

## SummaryIn this pull request we're adding support for OIDC allowed groups in theOSS version as part of work for#17027.### Changes- Restored support for parsing group allow list in OSS code### Testing- Added tests for OSS code- Tested allowed/prohibited group OIDC flows in premium and OSS

1 parenta19dfa9 commit5b1e809Copy full SHA for 5b1e809

File tree

3 files changed

+80

-50

lines changed

coderd/idpsync
- group.go
- group_test.go
enterprise/coderd/enidpsync
- groups.go

3 files changed

+80

-50

lines changed

`‎coderd/idpsync/group.go‎`

Lines changed: 42 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -4,6 +4,7 @@ import (`
`4`	`4`	`"context"`
`5`	`5`	`"encoding/json"`
`6`	`6`	`"fmt"`
	`7`	`+"net/http"`
`7`	`8`
`8`	`9`	`"github.com/golang-jwt/jwt/v4"`
`9`	`10`	`"github.com/google/uuid"`
`@@ -71,9 +72,49 @@ func (s AGPLIDPSync) GroupSyncSettings(ctx context.Context, orgID uuid.UUID, db`
`71`	`72`	`returnsettings,nil`
`72`	`73`	`}`
`73`	`74`
`74`		`-func (sAGPLIDPSync)ParseGroupClaims(_ context.Context,_ jwt.MapClaims) (GroupParams,*HTTPError) {`
	`75`	`+func (sAGPLIDPSync)ParseGroupClaims(_ context.Context,mergedClaims jwt.MapClaims) (GroupParams,*HTTPError) {`
	`76`	`+ifs.GroupField!=""&&len(s.GroupAllowList)>0 {`
	`77`	`+groupsRaw,ok:=mergedClaims[s.GroupField]`
	`78`	`+if!ok {`
	`79`	`+returnGroupParams{},&HTTPError{`
	`80`	`+Code:http.StatusForbidden,`
	`81`	`+Msg:"Not a member of an allowed group",`
	`82`	`+Detail:"You have no groups in your claims!",`
	`83`	`+RenderStaticPage:true,`
	`84`	`+}`
	`85`	`+}`
	`86`	`+parsedGroups,err:=ParseStringSliceClaim(groupsRaw)`
	`87`	`+iferr!=nil {`
	`88`	`+returnGroupParams{},&HTTPError{`
	`89`	`+Code:http.StatusBadRequest,`
	`90`	`+Msg:"Failed read groups from claims for allow list check. Ask an administrator for help.",`
	`91`	`+Detail:err.Error(),`
	`92`	`+RenderStaticPage:true,`
	`93`	`+}`
	`94`	`+}`
	`95`	`+`
	`96`	`+inAllowList:=false`
	`97`	`+AllowListCheckLoop:`
	`98`	`+for_,group:=rangeparsedGroups {`
	`99`	`+if_,ok:=s.GroupAllowList[group];ok {`
	`100`	`+inAllowList=true`
	`101`	`+break AllowListCheckLoop`
	`102`	`+}`
	`103`	`+}`
	`104`	`+`
	`105`	`+if!inAllowList {`
	`106`	`+returnGroupParams{},&HTTPError{`
	`107`	`+Code:http.StatusForbidden,`
	`108`	`+Msg:"Not a member of an allowed group",`
	`109`	`+Detail:"Ask an administrator to add one of your groups to the allow list.",`
	`110`	`+RenderStaticPage:true,`
	`111`	`+}`
	`112`	`+}`
	`113`	`+}`
	`114`	`+`
`75`	`115`	`returnGroupParams{`
`76`	`116`	`SyncEntitled:s.GroupSyncEntitled(),`
	`117`	`+MergedClaims:mergedClaims,`
`77`	`118`	`},nil`
`78`	`119`	`}`
`79`	`120`

`‎coderd/idpsync/group_test.go‎`

Lines changed: 33 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -44,8 +44,7 @@ func TestParseGroupClaims(t *testing.T) {`
`44`	`44`	`require.False(t,params.SyncEntitled)`
`45`	`45`	`})`
`46`	`46`
`47`		`-// AllowList has no effect in AGPL`
`48`		`-t.Run("AllowList",func(t*testing.T) {`
	`47`	`+t.Run("NotInAllowList",func(t*testing.T) {`
`49`	`48`	`t.Parallel()`
`50`	`49`
`51`	`50`	`s:=idpsync.NewAGPLSync(slogtest.Make(t,&slogtest.Options{}),`
`@@ -59,9 +58,39 @@ func TestParseGroupClaims(t *testing.T) {`
`59`	`58`
`60`	`59`	`ctx:=testutil.Context(t,testutil.WaitMedium)`
`61`	`60`
`62`		`-params,err:=s.ParseGroupClaims(ctx, jwt.MapClaims{})`
	`61`	`+// Invalid group`
	`62`	`+_,err:=s.ParseGroupClaims(ctx, jwt.MapClaims{`
	`63`	`+"groups": []string{"bar"},`
	`64`	`+})`
	`65`	`+require.NotNil(t,err)`
	`66`	`+require.Equal(t,403,err.Code)`
	`67`	`+`
	`68`	`+// No groups`
	`69`	`+_,err=s.ParseGroupClaims(ctx, jwt.MapClaims{})`
	`70`	`+require.NotNil(t,err)`
	`71`	`+require.Equal(t,403,err.Code)`
	`72`	`+})`
	`73`	`+`
	`74`	`+t.Run("InAllowList",func(t*testing.T) {`
	`75`	`+t.Parallel()`
	`76`	`+`
	`77`	`+s:=idpsync.NewAGPLSync(slogtest.Make(t,&slogtest.Options{}),`
	`78`	`+runtimeconfig.NewManager(),`
	`79`	`+idpsync.DeploymentSyncSettings{`
	`80`	`+GroupField:"groups",`
	`81`	`+GroupAllowList:map[string]struct{}{`
	`82`	`+"foo": {},`
	`83`	`+},`
	`84`	`+})`
	`85`	`+`
	`86`	`+ctx:=testutil.Context(t,testutil.WaitMedium)`
	`87`	`+`
	`88`	`+claims:= jwt.MapClaims{`
	`89`	`+"groups": []string{"foo","bar"},`
	`90`	`+}`
	`91`	`+params,err:=s.ParseGroupClaims(ctx,claims)`
`63`	`92`	`require.Nil(t,err)`
`64`		`-require.False(t,params.SyncEntitled)`
	`93`	`+require.Equal(t,claims,params.MergedClaims)`
`65`	`94`	`})`
`66`	`95`	`}`
`67`	`96`

`‎enterprise/coderd/enidpsync/groups.go‎`

Lines changed: 5 additions & 45 deletions

Original file line number	Diff line number	Diff line change
`@@ -2,7 +2,6 @@ package enidpsync`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"context"`
`5`		`-"net/http"`
`6`	`5`
`7`	`6`	`"github.com/golang-jwt/jwt/v4"`
`8`	`7`
`@@ -20,51 +19,12 @@ func (e EnterpriseIDPSync) GroupSyncEntitled() bool {`
`20`	`19`	`// GroupAllowList is implemented here to prevent login by unauthorized users.`
`21`	`20`	`// TODO: GroupAllowList overlaps with the default organization group sync settings.`
`22`	`21`	`func (eEnterpriseIDPSync)ParseGroupClaims(ctx context.Context,mergedClaims jwt.MapClaims) (idpsync.GroupParams,*idpsync.HTTPError) {`
`23`		`-if!e.GroupSyncEntitled() {`
`24`		`-returne.AGPLIDPSync.ParseGroupClaims(ctx,mergedClaims)`
	`22`	`+resp,err:=e.AGPLIDPSync.ParseGroupClaims(ctx,mergedClaims)`
	`23`	`+iferr!=nil {`
	`24`	`+return idpsync.GroupParams{},err`
`25`	`25`	`}`
`26`		`-`
`27`		`-ife.GroupField!=""&&len(e.GroupAllowList)>0 {`
`28`		`-groupsRaw,ok:=mergedClaims[e.GroupField]`
`29`		`-if!ok {`
`30`		`-return idpsync.GroupParams{},&idpsync.HTTPError{`
`31`		`-Code:http.StatusForbidden,`
`32`		`-Msg:"Not a member of an allowed group",`
`33`		`-Detail:"You have no groups in your claims!",`
`34`		`-RenderStaticPage:true,`
`35`		`-}`
`36`		`-}`
`37`		`-parsedGroups,err:=idpsync.ParseStringSliceClaim(groupsRaw)`
`38`		`-iferr!=nil {`
`39`		`-return idpsync.GroupParams{},&idpsync.HTTPError{`
`40`		`-Code:http.StatusBadRequest,`
`41`		`-Msg:"Failed read groups from claims for allow list check. Ask an administrator for help.",`
`42`		`-Detail:err.Error(),`
`43`		`-RenderStaticPage:true,`
`44`		`-}`
`45`		`-}`
`46`		`-`
`47`		`-inAllowList:=false`
`48`		`-AllowListCheckLoop:`
`49`		`-for_,group:=rangeparsedGroups {`
`50`		`-if_,ok:=e.GroupAllowList[group];ok {`
`51`		`-inAllowList=true`
`52`		`-break AllowListCheckLoop`
`53`		`-}`
`54`		`-}`
`55`		`-`
`56`		`-if!inAllowList {`
`57`		`-return idpsync.GroupParams{},&idpsync.HTTPError{`
`58`		`-Code:http.StatusForbidden,`
`59`		`-Msg:"Not a member of an allowed group",`
`60`		`-Detail:"Ask an administrator to add one of your groups to the allow list.",`
`61`		`-RenderStaticPage:true,`
`62`		`-}`
`63`		`-}`
`64`		`-}`
`65`		`-`
`66`	`26`	`return idpsync.GroupParams{`
`67`		`-SyncEntitled:true,`
`68`		`-MergedClaims:mergedClaims,`
	`27`	`+SyncEntitled:e.GroupSyncEntitled(),`
	`28`	`+MergedClaims:resp.MergedClaims,`
`69`	`29`	`},nil`
`70`	`30`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit5b1e809

File tree

3 files changed

3 files changed

`‎coderd/idpsync/group.go‎`

`‎coderd/idpsync/group_test.go‎`

`‎enterprise/coderd/enidpsync/groups.go‎`

0 commit comments