- Notifications
You must be signed in to change notification settings - Fork929
feat: add group allowlist for oidc#11070
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Merged
Uh oh!
There was an error while loading.Please reload this page.
Merged
Changes from1 commit
Commits
Show all changes
12 commits Select commitHold shift + click to select a range
726e7b1 chore: use httpError to allow better error elevation
Emyrkdb5a8aa feat: group allow list in OIDC settings
Emyrk524aced add unit test
Emyrk75d1202 revert test
Emyrk217aa54 Add unit test
Emyrk8a871d7 update golden files
Emyrka9a740a Make gen
Emyrk80208a7 make group allowlist a map in the outright
Emyrk58551ef Drop log line on failed login due to group allowlist
Emyrk17db1e3 Merge remote-tracking branch 'origin/main' into stevenmasley/oidc_all…
Emyrk586a67c Forgot to update and fix the unit test
Emyrk025b48d Update golden files
EmyrkFile filter
Filter by extension
Conversations
Failed to load comments.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Jump to
Jump to file
Failed to load files.
Loading
Uh oh!
There was an error while loading.Please reload this page.
Diff view
Diff view
feat: group allow list in OIDC settings
Users not in the group allowlist cannot authenticate with Coder.
- Loading branch information
Uh oh!
There was an error while loading.Please reload this page.
commitdb5a8aa78b43fc998adc9ec039ec70779b37f0f6
There are no files selected for viewing
1 change: 1 addition & 0 deletionscli/server.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
25 changes: 25 additions & 0 deletionscoderd/userauth.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -701,6 +701,10 @@ type OIDCConfig struct { | ||
| // the OIDC provider. Any group not matched by this regex will be ignored. | ||
| // If the group filter is nil, then no group filtering will occur. | ||
| GroupFilter *regexp.Regexp | ||
| // GroupAllowList is a list of groups that are allowed to log in. | ||
| // If the list length is 0, then the allow list will not be applied and | ||
| // this feature is disabled. | ||
| GroupAllowList []string | ||
Emyrk marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| // GroupMapping controls how groups returned by the OIDC provider get mapped | ||
| // to groups within Coder. | ||
| // map[oidcGroupName]coderGroupName | ||
| @@ -1014,6 +1018,15 @@ func (api *API) oidcGroups(ctx context.Context, mergedClaims map[string]interfac | ||
| // If the GroupField is the empty string, then groups from OIDC are not used. | ||
| // This is so we can support manual group assignment. | ||
| if api.OIDCConfig.GroupField != "" { | ||
| // allow list is a map of groups that are allowed to log in. | ||
| allowed := make(map[string]bool) | ||
| for _, group := range api.OIDCConfig.GroupAllowList { | ||
| allowed[group] = true | ||
| } | ||
| // If the allow list is empty, then the user is allowed to log in. | ||
| // Otherwise, they must belong to at least 1 group in the allow list. | ||
| inAllowList := len(allowed) == 0 | ||
Emyrk marked this conversation as resolved. Show resolvedHide resolvedUh oh!There was an error while loading.Please reload this page. | ||
| usingGroups = true | ||
| groupsRaw, ok := mergedClaims[api.OIDCConfig.GroupField] | ||
| if ok { | ||
| @@ -1040,9 +1053,21 @@ func (api *API) oidcGroups(ctx context.Context, mergedClaims map[string]interfac | ||
| if mappedGroup, ok := api.OIDCConfig.GroupMapping[group]; ok { | ||
| group = mappedGroup | ||
| } | ||
| if _, ok := allowed[group]; ok { | ||
| inAllowList = true | ||
| } | ||
| groups = append(groups, group) | ||
| } | ||
| } | ||
| if !inAllowList { | ||
| return usingGroups, groups, &httpError{ | ||
| code: http.StatusForbidden, | ||
| msg: "You aren't a member of an authorized group!", | ||
| detail: fmt.Sprintf("You must be a member of one of the following groups: %v", api.OIDCConfig.GroupAllowList), | ||
| renderStaticPage: false, | ||
| } | ||
| } | ||
| } | ||
| // This conditional is purely to warn the user they might have misconfigured their OIDC | ||
11 changes: 11 additions & 0 deletionscodersdk/deployment.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.