Implement #550
- Read `preferred_username` from token - Add `preferred_username` to the default Usernames - Check the `admin` array for admin groups that the user might belong to
This commit is contained in:
parent
582d6b161d
commit
55fbcfb3be
1 changed files with 24 additions and 0 deletions
@ -44,6 +44,7 @@ type openIDPayload struct {
AuthorizedParty string `json:"azp"`
AuthorizedParty string `json:"azp"`
Email string `json:"email"`
Email string `json:"email"`
EmailVerified bool `json:"email_verified"`
EmailVerified bool `json:"email_verified"`
Username string `json:"preferred_username"`
Hd string `json:"hd"`
Hd string `json:"hd"`
Nonce string `json:"nonce"`
Nonce string `json:"nonce"`
Groups []string `json:"groups"`
Groups []string `json:"groups"`
@ -86,6 +87,21 @@ func (o *OIDC) IsAdmin(email string) bool {
return false
return false
}
}
// IsAdmin returns true if the given groups is in the Admins allowlist, false
// otherwise.
func (o *OIDC) IsAdminGroup(groups []string) bool {
for _,g := range groups {
// The groups and emails can be in the same array for now, but consider
// making a specialized option later.
for _,gadmin := range o.Admins {
if g == gadmin {
return true
}
}
}
return false
}
func sanitizeEmail(email string) string {
func sanitizeEmail(email string) string {
if i := strings.LastIndex(email, "@"); i >= 0 {
if i := strings.LastIndex(email, "@"); i >= 0 {
email = email[:i] + strings.ToLower(email[i:])
email = email[:i] + strings.ToLower(email[i:])
@ -377,6 +393,11 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
if err != nil {
if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHSign")
return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHSign")
}
}
// Reuse the contains function provided for simplicity
if !containsAllMembers(iden.Usernames, []string{claims.Username}){
// Add preferred_username to the identity's Username
iden.Usernames = append(iden.Usernames, claims.Username)
}
// Certificate templates.
// Certificate templates.
data := sshutil.CreateTemplateData(sshutil.UserCert, claims.Email, iden.Usernames)
data := sshutil.CreateTemplateData(sshutil.UserCert, claims.Email, iden.Usernames)
@ -395,6 +416,9 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
// Use the default template unless no-templates are configured and email is
// Use the default template unless no-templates are configured and email is
// an admin, in that case we will use the parameters in the request.
// an admin, in that case we will use the parameters in the request.
isAdmin := o.IsAdmin(claims.Email)
isAdmin := o.IsAdmin(claims.Email)
if !isAdmin && len(claims.Groups)>0 {
isAdmin = o.IsAdminGroup(claims.Groups)
}
defaultTemplate := sshutil.DefaultTemplate
defaultTemplate := sshutil.DefaultTemplate
if isAdmin && !o.Options.GetSSHOptions().HasTemplate() {
if isAdmin && !o.Options.GetSSHOptions().HasTemplate() {
defaultTemplate = sshutil.DefaultAdminTemplate
defaultTemplate = sshutil.DefaultAdminTemplate
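Review bot: In the third hunk, `claims.Username` is appended to iden.Usernames without checking that the claim was present, so a token with no `preferred_username` adds an empty string as an SSH principal in the template data built on the lines just below; guard it with `if claims.Username != "" && !containsAllMembers(iden.Usernames, []string{claims.Username}) {`. Because the value is taken straight from the token and becomes a certificate principal while `preferred_username` is not a claim identity providers guarantee to be unique or stable, it also deserves the same normalization the code already applies to emails, or an explicit opt-in in the provisioner options. In the second hunk the doc comment on IsAdminGroup names the wrong function and reads oddly; `// IsAdminGroup returns true if any of the given groups is in the Admins allowlist, false otherwise.` fits. The new `for _,g` / `for _,gadmin` loops and the `len(claims.Groups)>0` check are not gofmt-clean. AuthorizeSSHSign begins and ends outside these hunks.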