Merge pull request #274 from smallstep/oidc-raw-locals

Allow dots and other symbols in principals for OIDC
This commit is contained in:
Mariano Cano 2020-05-26 11:28:30 -07:00 committed by GitHub
commit 4ac51dd508
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 43 additions and 2 deletions

View file

@ -336,11 +336,24 @@ type GetIdentityFunc func(ctx context.Context, p Interface, email string) (*Iden
func DefaultIdentityFunc(ctx context.Context, p Interface, email string) (*Identity, error) {
switch k := p.(type) {
case *OIDC:
// OIDC principals would be:
// 1. Sanitized local.
// 2. Raw local (if different).
// 3. Email address.
name := SanitizeSSHUserPrincipal(email)
if !sshUserRegex.MatchString(name) {
return nil, errors.Errorf("invalid principal '%s' from email '%s'", name, email)
}
return &Identity{Usernames: []string{name, email}}, nil
usernames := []string{name}
if i := strings.LastIndex(email, "@"); i >= 0 {
if local := email[:i]; !strings.EqualFold(local, name) {
usernames = append(usernames, local)
}
}
usernames = append(usernames, email)
return &Identity{
Usernames: usernames,
}, nil
default:
return nil, errors.Errorf("provisioner type '%T' not supported by identity function", k)
}

View file

@ -85,7 +85,35 @@ func TestDefaultIdentityFunc(t *testing.T) {
return test{
p: &OIDC{},
email: "max.furman@smallstep.com",
identity: &Identity{Usernames: []string{"maxfurman", "max.furman@smallstep.com"}},
identity: &Identity{Usernames: []string{"maxfurman", "max.furman", "max.furman@smallstep.com"}},
}
},
"ok letter case": func(t *testing.T) test {
return test{
p: &OIDC{},
email: "Max.Furman@smallstep.com",
identity: &Identity{Usernames: []string{"maxfurman", "Max.Furman", "Max.Furman@smallstep.com"}},
}
},
"ok simple": func(t *testing.T) test {
return test{
p: &OIDC{},
email: "john@smallstep.com",
identity: &Identity{Usernames: []string{"john", "john@smallstep.com"}},
}
},
"ok simple letter case": func(t *testing.T) test {
return test{
p: &OIDC{},
email: "John@smallstep.com",
identity: &Identity{Usernames: []string{"john", "John@smallstep.com"}},
}
},
"ok symbol": func(t *testing.T) test {
return test{
p: &OIDC{},
email: "John+Doe@smallstep.com",
identity: &Identity{Usernames: []string{"john_doe", "John+Doe", "John+Doe@smallstep.com"}},
}
},
}