Rename and reformat to PreferredUsername

Cristian Le 2021-04-30 08:44:41 +09:00
parent 09a21fef26
commit 79eec83f3e


@ -40,14 +40,14 @@ func (c openIDConfiguration) Validate() error {
// openIDPayload represents the fields on the id_token JWT payload. // openIDPayload represents the fields on the id_token JWT payload.
type openIDPayload struct { type openIDPayload struct {
jose.Claims jose.Claims
AtHash string `json:"at_hash"` AtHash string `json:"at_hash"`
AuthorizedParty string `json:"azp"` AuthorizedParty string `json:"azp"`
Email string `json:"email"` Email string `json:"email"`
EmailVerified bool `json:"email_verified"` EmailVerified bool `json:"email_verified"`
Username string `json:"preferred_username"` PreferredUsername string `json:"preferred_username"`
Hd string `json:"hd"` Hd string `json:"hd"`
Nonce string `json:"nonce"` Nonce string `json:"nonce"`
Groups []string `json:"groups"` Groups []string `json:"groups"`
} }
// OIDC represents an OAuth 2.0 OpenID Connect provider. // OIDC represents an OAuth 2.0 OpenID Connect provider.
@ -90,10 +90,10 @@ func (o *OIDC) IsAdmin(email string) bool {
// IsAdmin returns true if the given groups is in the Admins allowlist, false // IsAdmin returns true if the given groups is in the Admins allowlist, false
// otherwise. // otherwise.
func (o *OIDC) IsAdminGroup(groups []string) bool { func (o *OIDC) IsAdminGroup(groups []string) bool {
for _,g := range groups { for _, g := range groups {
// The groups and emails can be in the same array for now, but consider // The groups and emails can be in the same array for now, but consider
// making a specialized option later. // making a specialized option later.
for _,gadmin := range o.Admins { for _, gadmin := range o.Admins {
if g == gadmin { if g == gadmin {
return true return true
} }
@ -394,9 +394,9 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHSign") return nil, errs.Wrap(http.StatusInternalServerError, err, "oidc.AuthorizeSSHSign")
} }
// Reuse the contains function provided for simplicity // Reuse the contains function provided for simplicity
if !containsAllMembers(iden.Usernames, []string{claims.Username}){ if !containsAllMembers(iden.Usernames, []string{claims.PreferredUsername}) {
// Add preferred_username to the identity's Username // Add preferred_username to the identity's Username
iden.Usernames = append(iden.Usernames, claims.Username) iden.Usernames = append(iden.Usernames, claims.PreferredUsername)
} }
// Certificate templates. // Certificate templates.
@ -416,7 +416,7 @@ func (o *OIDC) AuthorizeSSHSign(ctx context.Context, token string) ([]SignOption
// Use the default template unless no-templates are configured and email is // Use the default template unless no-templates are configured and email is
// an admin, in that case we will use the parameters in the request. // an admin, in that case we will use the parameters in the request.
isAdmin := o.IsAdmin(claims.Email) isAdmin := o.IsAdmin(claims.Email)
if !isAdmin && len(claims.Groups)>0 { if !isAdmin && len(claims.Groups) > 0 {
isAdmin = o.IsAdminGroup(claims.Groups) isAdmin = o.IsAdminGroup(claims.Groups)
} }
defaultTemplate := sshutil.DefaultTemplate defaultTemplate := sshutil.DefaultTemplate