Add a third principal on OIDC tokens with the raw local part of the email.
For the email first.last@example.com it will create the principals ["firstlast", "first.last", "first.last@example.com"] Fixes #253, #254
This commit is contained in:
parent
2bc69d3edd
commit
0b5fd156e8
2 changed files with 36 additions and 2 deletions
|
@ -336,11 +336,24 @@ type GetIdentityFunc func(ctx context.Context, p Interface, email string) (*Iden
|
|||
func DefaultIdentityFunc(ctx context.Context, p Interface, email string) (*Identity, error) {
|
||||
switch k := p.(type) {
|
||||
case *OIDC:
|
||||
// OIDC principals would be:
|
||||
// 1. Sanitized local.
|
||||
// 2. Raw local (if different).
|
||||
// 3. Email address.
|
||||
name := SanitizeSSHUserPrincipal(email)
|
||||
if !sshUserRegex.MatchString(name) {
|
||||
return nil, errors.Errorf("invalid principal '%s' from email '%s'", name, email)
|
||||
}
|
||||
return &Identity{Usernames: []string{name, email}}, nil
|
||||
usernames := []string{name}
|
||||
if i := strings.LastIndex(email, "@"); i >= 0 {
|
||||
if local := email[:i]; !strings.EqualFold(local, name) {
|
||||
usernames = append(usernames, local)
|
||||
}
|
||||
}
|
||||
usernames = append(usernames, email)
|
||||
return &Identity{
|
||||
Usernames: usernames,
|
||||
}, nil
|
||||
default:
|
||||
return nil, errors.Errorf("provisioner type '%T' not supported by identity function", k)
|
||||
}
|
||||
|
|
|
@ -85,7 +85,28 @@ func TestDefaultIdentityFunc(t *testing.T) {
|
|||
return test{
|
||||
p: &OIDC{},
|
||||
email: "max.furman@smallstep.com",
|
||||
identity: &Identity{Usernames: []string{"maxfurman", "max.furman@smallstep.com"}},
|
||||
identity: &Identity{Usernames: []string{"maxfurman", "max.furman", "max.furman@smallstep.com"}},
|
||||
}
|
||||
},
|
||||
"ok letter case": func(t *testing.T) test {
|
||||
return test{
|
||||
p: &OIDC{},
|
||||
email: "Max.Furman@smallstep.com",
|
||||
identity: &Identity{Usernames: []string{"maxfurman", "Max.Furman", "Max.Furman@smallstep.com"}},
|
||||
}
|
||||
},
|
||||
"ok simple": func(t *testing.T) test {
|
||||
return test{
|
||||
p: &OIDC{},
|
||||
email: "john@smallstep.com",
|
||||
identity: &Identity{Usernames: []string{"john", "john@smallstep.com"}},
|
||||
}
|
||||
},
|
||||
"ok simple letter case": func(t *testing.T) test {
|
||||
return test{
|
||||
p: &OIDC{},
|
||||
email: "John@smallstep.com",
|
||||
identity: &Identity{Usernames: []string{"john", "John@smallstep.com"}},
|
||||
}
|
||||
},
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue