- Read `preferred_username` from token
- Add `preferred_username` to the default Usernames
- Check the `admin` array for admin groups that the user might belong to
This commit is contained in:
Cristian Le 2021-04-29 15:44:21 +09:00
parent 582d6b161d
commit 55fbcfb3be


@ -44,6 +44,7 @@ type openIDPayload struct {
AuthorizedParty string `json:"azp"` AuthorizedParty string `json:"azp"`
Email string `json:"email"` Email string `json:"email"`
EmailVerified bool `json:"email_verified"` EmailVerified bool `json:"email_verified"`
Username string `json:"preferred_username"`
Hd string `json:"hd"` Hd string `json:"hd"`
Nonce string `json:"nonce"` Nonce string `json:"nonce"`
Groups []string `json:"groups"` Groups []string `json:"groups"`
@ -86,6 +87,21 @@ func (o *OIDC) IsAdmin(email string) bool {
return false return false
} }
// IsAdmin returns true if the given groups is in the Admins allowlist, false
// otherwise.
func (o *OIDC) IsAdminGroup(groups []string) bool {
for _,g := range groups {
// The groups and emails can be in the same array for now, but consider
// making a specialized option later.
for _,gadmin := range o.Admins {
if g == gadmin {
return true
}
}
}
return false
}
func sanitizeEmail(email string) string { func sanitizeEmail(email string) string {
if i := strings.LastIndex(email, "@"); i >= 0 { if i := strings.LastIndex(email, "@"); i >= 0 {
email = email[:i] + strings.ToLower(email[i:]) email = email[:i] + strings.ToLower(email[i:])
@ -377,6 +393,11 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
if err != nil { if err != nil {
return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHSign") return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHSign")
} }
// Reuse the contains function provided for simplicity
if !containsAllMembers(iden.Usernames, []string{claims.Username}){
// Add preferred_username to the identity's Username
iden.Usernames = append(iden.Usernames, claims.Username)
}
// Certificate templates. // Certificate templates.
data := sshutil.CreateTemplateData(sshutil.UserCert, claims.Email, iden.Usernames) data := sshutil.CreateTemplateData(sshutil.UserCert, claims.Email, iden.Usernames)
@ -395,6 +416,9 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
// Use the default template unless no-templates are configured and email is // Use the default template unless no-templates are configured and email is
// an admin, in that case we will use the parameters in the request. // an admin, in that case we will use the parameters in the request.
isAdmin := o.IsAdmin(claims.Email) isAdmin := o.IsAdmin(claims.Email)
if !isAdmin && len(claims.Groups)>0 {
isAdmin = o.IsAdminGroup(claims.Groups)
}
defaultTemplate := sshutil.DefaultTemplate defaultTemplate := sshutil.DefaultTemplate
if isAdmin && !o.Options.GetSSHOptions().HasTemplate() { if isAdmin && !o.Options.GetSSHOptions().HasTemplate() {
defaultTemplate = sshutil.DefaultAdminTemplate defaultTemplate = sshutil.DefaultAdminTemplate
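Review bot: The new block around the `containsAllMembers` check appends `claims.Username` to the SSH principals even when the token carries no `preferred_username`, so an empty-string principal lands in `iden.Usernames` and in the template data passed to `sshutil.CreateTemplateData`; guard it with `if claims.Username != "" && !containsAllMembers(iden.Usernames, []string{claims.Username}) {`. Beyond the empty case, `preferred_username` is by the OIDC Core spec a display-oriented claim that a relying party must not assume is unique or stable, and at some identity providers the end user can choose it themselves, so adding it unvalidated as a principal lets a token holder obtain a certificate for a login name (another user's, or `root`) that the email-derived defaults would never have produced; consider constraining it to the same character set as the sanitized email local part, or making its use opt-in per provisioner, and say so in the comment above the check. The `if` line also needs a space before `{` to be gofmt-clean. `AuthorizeSSHSign` starts and ends outside this hunk.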