Implement #550

- Read `preferred_username` from token - Add `preferred_username` to the default Usernames - Check the `admin` array for admin groups that the user might belong to
2021-04-29 15:44:21 +09:00 · 2021-04-29 15:44:21 +09:00 · 55fbcfb3be
commit 55fbcfb3be
parent 582d6b161d
1 changed files with 24 additions and 0 deletions
--- a/authority/provisioner/oidc.go
+++ b/authority/provisioner/oidc.go
@ -44,6 +44,7 @@ type openIDPayload struct {
 	AuthorizedParty string   `json:"azp"`
 	Email           string   `json:"email"`
 	EmailVerified   bool     `json:"email_verified"`
+	Username        string   `json:"preferred_username"`
 	Hd              string   `json:"hd"`
 	Nonce           string   `json:"nonce"`
 	Groups          []string `json:"groups"`
@ -86,6 +87,21 @@ func (o *OIDC) IsAdmin(email string) bool {
 	return false
 }

+// IsAdmin returns true if the given groups is in the Admins allowlist, false
+// otherwise.
+func (o *OIDC) IsAdminGroup(groups []string) bool {
+	for _,g := range groups {
+		// The groups and emails can be in the same array for now, but consider
+		// making a specialized option later.
+		for _,gadmin := range o.Admins {
+			if g == gadmin {
+				return true
+			}
+		}
+	}
+	return false
+}
+
 func sanitizeEmail(email string) string {
 	if i := strings.LastIndex(email, "@"); i >= 0 {
 		email = email[:i] + strings.ToLower(email[i:])
@ -377,6 +393,11 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
 	if err != nil {
 		return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHSign")
 	}
+	// Reuse the contains function provided for simplicity
+	if !containsAllMembers(iden.Usernames, []string{claims.Username}){
+		// Add preferred_username to the identity's Username
+		iden.Usernames = append(iden.Usernames, claims.Username)
+	}

 	// Certificate templates.
 	data := sshutil.CreateTemplateData(sshutil.UserCert, claims.Email, iden.Usernames)
@ -395,6 +416,9 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
 	// Use the default template unless no-templates are configured and email is
 	// an admin, in that case we will use the parameters in the request.
 	isAdmin := o.IsAdmin(claims.Email)
+	if !isAdmin && len(claims.Groups)>0 {
+		isAdmin = o.IsAdminGroup(claims.Groups)
+	}
 	defaultTemplate := sshutil.DefaultTemplate
 	if isAdmin && !o.Options.GetSSHOptions().HasTemplate() {
 		defaultTemplate = sshutil.DefaultAdminTemplate