Simplify groups claim parsing

This commit is contained in:
Lukasz Leszczuk 2019-09-12 14:28:51 +02:00
parent 7b80d0869a
commit 284d384c3f
3 changed files with 13 additions and 5 deletions


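--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -26,6 +26,7 @@ func main() {
 jwtIssuers := StringArray{}
 googleGroups := StringArray{}
 permittedGroups := StringArray{}
+permittedUsers := StringArray{}
 redisSentinelConnectionURLs := StringArray{}
 config := flagSet.String("config", "", "path to config file")
@@ -43,6 +44,7 @@ func main() {
 flagSet.Bool("pass-groups", false, "pass user group information in the X-Forwarded-Groups header to upstream (Azure only)")
 flagSet.String("filter-groups", "", "exclude groups that do not contain this value in its 'displayName' (Azure only)")
 flagSet.Var(&permittedGroups, "permit-groups", "restrict logins to members of this group (may be given multiple times; Azure).")
+flagSet.Var(&permittedUsers, "permit-users", "let users in unconditionally")
 flagSet.String("groups-delimiter", "|", "delimiter between group names if more than one found. By default it is '|' symbol")
 flagSet.String("basic-auth-password", "", "the password to set when passing the HTTP Basic Auth header")
 flagSet.Bool("pass-access-token", false, "pass OAuth access_token to upstream via X-Forwarded-Access-Token header")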
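Review bot: The help string on the added line of the second hunk, `"let users in unconditionally"`, does not say which identifier the listed values are compared against or which restriction the flag relaxes, and read on its own it can be taken to mean that authorization is switched off for everyone. The neighbouring `permit-groups` text states the restriction and that the flag may be repeated; the new flag should follow the same form, for example `flagSet.Var(&permittedUsers, "permit-users", "let these users log in regardless of group membership (may be given multiple times)")`, if that is indeed what the option does. Whether the match is on the e-mail address and whether it bypasses `permit-groups` is not visible in this commit's hunks, so the wording should be confirmed against the code that enforces the list. Both hunks lie inside main, which starts and ends outside this section.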


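--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -168,6 +168,7 @@ func NewOptions() *Options {
 FilterGroups: "",
 GroupsDelimiter: "|",
 PermitGroups: []string{},
+PermitUsers: []string{},
 PassAccessToken: false,
 PassHostHeader: true,
 SetAuthorization: false,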


@ -1,6 +1,7 @@
package providers package providers
import ( import (
"encoding/json"
"errors" "errors"
"fmt" "fmt"
"net/http" "net/http"
@ -157,17 +158,21 @@ func (p *AzureProvider) GetGroups(s *sessions.SessionState, f string) (map[strin
if s.IDToken == "" { if s.IDToken == "" {
return map[string]string{}, nil return map[string]string{}, nil
} }
parts := strings.Split(s.IDToken, ".")
if len(parts) != 3 {
return map[string]string{}, nil
}
rawJSON, err := jwt.DecodeSegment(parts[1])
if err != nil {
return map[string]string{}, err
}
type GroupClaims struct { type GroupClaims struct {
Groups []string `json:"groups"` Groups []string `json:"groups"`
jwt.StandardClaims
} }
claims := &GroupClaims{} claims := &GroupClaims{}
jwt.ParseWithClaims(s.IDToken, claims, func(token *jwt.Token) (interface{}, error) {
return []byte("empty"), nil
})
json.Unmarshal(rawJSON, &claims)
groupsMap := make(map[string]string) groupsMap := make(map[string]string)
for _, s := range claims.Groups { for _, s := range claims.Groups {
groupsMap[s] = s groupsMap[s] = s