NotificationsYou must be signed in to change notification settings
Fork928
Star10.1k

Commitdb5a8aa

committed

feat: group allow list in OIDC settings

Users not in the group allowlist cannot authenticate with Coder.

1 parent726e7b1 commitdb5a8aaCopy full SHA for db5a8aa

File tree

3 files changed

+37

-0

lines changed

cli
- server.go
coderd
- userauth.go
codersdk
- deployment.go

3 files changed

+37

-0

lines changed

`‎cli/server.go`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -161,6 +161,7 @@ func createOIDCConfig(ctx context.Context, vals codersdk.DeploymentValues) (co`
`161`	`161`	`IgnoreUserInfo:vals.OIDC.IgnoreUserInfo.Value(),`
`162`	`162`	`GroupField:vals.OIDC.GroupField.String(),`
`163`	`163`	`GroupFilter:vals.OIDC.GroupRegexFilter.Value(),`
	`164`	`+GroupAllowList:vals.OIDC.GroupAllowList.Value(),`
`164`	`165`	`CreateMissingGroups:vals.OIDC.GroupAutoCreate.Value(),`
`165`	`166`	`GroupMapping:vals.OIDC.GroupMapping.Value,`
`166`	`167`	`UserRoleField:vals.OIDC.UserRoleField.String(),`

`‎coderd/userauth.go`

Lines changed: 25 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -701,6 +701,10 @@ type OIDCConfig struct {`
`701`	`701`	`// the OIDC provider. Any group not matched by this regex will be ignored.`
`702`	`702`	`// If the group filter is nil, then no group filtering will occur.`
`703`	`703`	`GroupFilter*regexp.Regexp`
	`704`	`+// GroupAllowList is a list of groups that are allowed to log in.`
	`705`	`+// If the list length is 0, then the allow list will not be applied and`
	`706`	`+// this feature is disabled.`
	`707`	`+GroupAllowList []string`
`704`	`708`	`// GroupMapping controls how groups returned by the OIDC provider get mapped`
`705`	`709`	`// to groups within Coder.`
`706`	`710`	`// map[oidcGroupName]coderGroupName`
`@@ -1014,6 +1018,15 @@ func (api *API) oidcGroups(ctx context.Context, mergedClaims map[string]interfac`
`1014`	`1018`	`// If the GroupField is the empty string, then groups from OIDC are not used.`
`1015`	`1019`	`// This is so we can support manual group assignment.`
`1016`	`1020`	`ifapi.OIDCConfig.GroupField!="" {`
	`1021`	`+// allow list is a map of groups that are allowed to log in.`
	`1022`	`+allowed:=make(map[string]bool)`
	`1023`	`+for_,group:=rangeapi.OIDCConfig.GroupAllowList {`
	`1024`	`+allowed[group]=true`
	`1025`	`+}`
	`1026`	`+// If the allow list is empty, then the user is allowed to log in.`
	`1027`	`+// Otherwise, they must belong to at least 1 group in the allow list.`
	`1028`	`+inAllowList:=len(allowed)==0`
	`1029`	`+`
`1017`	`1030`	`usingGroups=true`
`1018`	`1031`	`groupsRaw,ok:=mergedClaims[api.OIDCConfig.GroupField]`
`1019`	`1032`	`ifok {`
`@@ -1040,9 +1053,21 @@ func (api *API) oidcGroups(ctx context.Context, mergedClaims map[string]interfac`
`1040`	`1053`	`ifmappedGroup,ok:=api.OIDCConfig.GroupMapping[group];ok {`
`1041`	`1054`	`group=mappedGroup`
`1042`	`1055`	`}`
	`1056`	`+if_,ok:=allowed[group];ok {`
	`1057`	`+inAllowList=true`
	`1058`	`+}`
`1043`	`1059`	`groups=append(groups,group)`
`1044`	`1060`	`}`
`1045`	`1061`	`}`
	`1062`	`+`
	`1063`	`+if!inAllowList {`
	`1064`	`+returnusingGroups,groups,&httpError{`
	`1065`	`+code:http.StatusForbidden,`
	`1066`	`+msg:"You aren't a member of an authorized group!",`
	`1067`	`+detail:fmt.Sprintf("You must be a member of one of the following groups: %v",api.OIDCConfig.GroupAllowList),`
	`1068`	`+renderStaticPage:false,`
	`1069`	`+}`
	`1070`	`+}`
`1046`	`1071`	`}`
`1047`	`1072`
`1048`	`1073`	`// This conditional is purely to warn the user they might have misconfigured their OIDC`

`‎codersdk/deployment.go`

Lines changed: 11 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -291,6 +291,7 @@ type OIDCConfig struct {`
`291`	`291`	IgnoreUserInfo clibase.Bool`json:"ignore_user_info" typescript:",notnull"`
`292`	`292`	GroupAutoCreate clibase.Bool`json:"group_auto_create" typescript:",notnull"`
`293`	`293`	GroupRegexFilter clibase.Regexp`json:"group_regex_filter" typescript:",notnull"`
	`294`	+GroupAllowList clibase.StringArray`json:"group_allow_list" typescript:",notnull"`
`294`	`295`	GroupField clibase.String`json:"groups_field" typescript:",notnull"`
`295`	`296`	GroupMapping clibase.Struct[map[string]string]`json:"group_mapping" typescript:",notnull"`
`296`	`297`	UserRoleField clibase.String`json:"user_role_field" typescript:",notnull"`
@@ -1187,6 +1188,16 @@ when required by your organization's security policy.`,
`1187`	`1188`	`Group:&deploymentGroupOIDC,`
`1188`	`1189`	`YAML:"groupRegexFilter",`
`1189`	`1190`	`},`
	`1191`	`+{`
	`1192`	`+Name:"OIDC Allowed Groups",`
	`1193`	`+Description:"If provided any group name not in the list will not be allowed to authenticate. This allows for restricting access to a specific set of groups. This filter is applied after the group mapping and before the regex filter.",`
	`1194`	`+Flag:"oidc-allowed-groups",`
	`1195`	`+Env:"CODER_OIDC_ALLOWED_GROUPS",`
	`1196`	`+Default:"",`
	`1197`	`+Value:&c.OIDC.GroupAllowList,`
	`1198`	`+Group:&deploymentGroupOIDC,`
	`1199`	`+YAML:"groupAllowed",`
	`1200`	`+},`
`1190`	`1201`	`{`
`1191`	`1202`	`Name:"OIDC User Role Field",`
`1192`	`1203`	`Description:"This field must be set if using the user roles sync feature. Set this to the name of the claim used to store the user's role. The roles should be sent as an array of strings.",`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commitdb5a8aa

File tree

3 files changed

3 files changed

`‎cli/server.go`

`‎coderd/userauth.go`

`‎codersdk/deployment.go`

0 commit comments