From 55fbcfb3be6c24836911864303c3151b4c7a7a14 Mon Sep 17 00:00:00 2001
From: Cristian Le <git@lecris.me>
Date: Thu, 29 Apr 2021 15:44:21 +0900
Subject: [PATCH] Implement #550

- Read `preferred_username` from token
- Add `preferred_username` to the default Usernames
- Check the `admin` array for admin groups that the user might belong to
---
 authority/provisioner/oidc.go | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/authority/provisioner/oidc.go b/authority/provisioner/oidc.go
index fa3ca762..4141171c 100644
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@@ -44,6 +44,7 @@ type openIDPayload struct {
 	AuthorizedParty string   `json:"azp"`
 	Email           string   `json:"email"`
 	EmailVerified   bool     `json:"email_verified"`
+	Username        string   `json:"preferred_username"`
 	Hd              string   `json:"hd"`
 	Nonce           string   `json:"nonce"`
 	Groups          []string `json:"groups"`
@@ -86,6 +87,21 @@ func (o *OIDC) IsAdmin(email string) bool {
 	return false
 }
 
+// IsAdmin returns true if the given groups is in the Admins allowlist, false
+// otherwise.
+func (o *OIDC) IsAdminGroup(groups []string) bool {
+	for _,g := range groups {
+		// The groups and emails can be in the same array for now, but consider
+		// making a specialized option later.
+		for _,gadmin := range o.Admins {
+			if g == gadmin {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 func sanitizeEmail(email string) string {
 	if i := strings.LastIndex(email, "@"); i >= 0 {
 		email = email[:i] + strings.ToLower(email[i:])
@@ -377,6 +393,11 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHSign")
 	}
+	// Reuse the contains function provided for simplicity
+	if !containsAllMembers(iden.Usernames, []string{claims.Username}){
+		// Add preferred_username to the identity's Username
+		iden.Usernames = append(iden.Usernames, claims.Username)
+	}
 
 	// Certificate templates.
 	data := sshutil.CreateTemplateData(sshutil.UserCert, claims.Email, iden.Usernames)
@@ -395,6 +416,9 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
 	// Use the default template unless no-templates are configured and email is
 	// an admin, in that case we will use the parameters in the request.
 	isAdmin := o.IsAdmin(claims.Email)
+	if !isAdmin && len(claims.Groups)>0 {
+		isAdmin = o.IsAdminGroup(claims.Groups)
+	}
 	defaultTemplate := sshutil.DefaultTemplate
 	if isAdmin && !o.Options.GetSSHOptions().HasTemplate() {
 		defaultTemplate = sshutil.DefaultAdminTemplate