* (docs) Added custom claim config for OIDC groups. Co-authored-by: Thomas Cocozzello<thomas.cocozzello@gmail.com> Signed-off-by: M Faizan Ali <mdfaizanali82@gmail.com> * (feature) WIP: Migrated claim from struct to map for dynamic config. Co-authored-by: Thomas Cocozzello<thomas.cocozzello@gmail.com> Signed-off-by: M Faizan Ali <mdfaizanali82@gmail.com> * Add partial support for bring your own custom claim name Currently with the SSO implementation the custom claim has to be named "groups", which might not work with some OpenID systems. This change allows users to write the service account policies to match anything inside the JWT instead of restricting it to a hardened interface. partial-fix: #5953 Co-authored-by: M Faizan Ali <mdfaizanali82@gmail.com> Signed-off-by: Thomas Cocozzello <thomas.cocozzello@gmail.com> * Add partial support for bring your own custom claim name Currently with the SSO implementation the custom claim has to be named "groups", which might not work with some OpenID systems. This change allows users to write the service account policies to match anything inside the JWT instead of restricting it to a hardened interface. partial-fix: #5953 Co-authored-by: M Faizan Ali <mdfaizanali82@gmail.com> Signed-off-by: Thomas Cocozzello <thomas.cocozzello@gmail.com> * (docs) added example for custom claim. Co-authored-by: Thomas Cocozzello <thomas.cocozzello@gmail.com> Signed-off-by: M Faizan Ali <mdfaizanali82@gmail.com> * Added alphabetical ordering for users.md Co-authored-by: Thomas Cocozzello <thomas.cocozzello@gmail.com> Signed-off-by: M Faizan Ali <mdfaizanali82@gmail.com> * Revert our changes to incorporate PR feedback Co-authored-by: Thomas Cocozzello <thomas.cocozzello@gmail.com> Signed-off-by: M Faizan Ali <mdfaizanali82@gmail.com> * PR updated to incorporate feedback. 
Minimal changes for custom group claim Co-authored-by: Thomas Cocozzello <thomas.cocozzello@gmail.com> Signed-off-by: M Faizan Ali <mdfaizanali82@gmail.com> * Added missing return statement Co-authored-by: Thomas Cocozzello <thomas.cocozzello@gmail.com> Signed-off-by: M Faizan Ali <mdfaizanali82@gmail.com> Co-authored-by: Thomas Cocozzello <thomas.cocozzello@gmail.com>
1 parent
3e9d837
commit 9034152
Showing
7 changed files
with
334 additions
and
25 deletions.
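--- a/server/auth/types/claims.go
+++ b/server/auth/types/claims.go
@@ -1,11 +1,64 @@
 package types
 
-import "gopkg.in/square/go-jose.v2/jwt"
+import (
+	"encoding/json"
+	"fmt"
+
+	"gopkg.in/square/go-jose.v2/jwt"
+)
 
 type Claims struct {
 	jwt.Claims
-	Groups []string `json:"groups,omitempty"`
-	Email string `json:"email,omitempty"`
-	EmailVerified bool `json:"email_verified,omitempty"`
-	ServiceAccountName string `json:"service_account_name,omitempty"`
+	Groups []string `json:"groups,omitempty"`
+	Email string `json:"email,omitempty"`
+	EmailVerified bool `json:"email_verified,omitempty"`
+	ServiceAccountName string `json:"service_account_name,omitempty"`
+	RawClaim map[string]interface{} `json:"-"`
 }
 
+// UnmarshalJSON is a custom Unmarshal that overwrites
+// json.Unmarshal to mash every claim into a custom map
+func (c *Claims) UnmarshalJSON(data []byte) error {
+	type claimAlias Claims
+	var localClaim claimAlias = claimAlias(*c)
+
+	// Populate the claims struct as much as possible
+	err := json.Unmarshal(data, &localClaim)
+	if err != nil {
+		return err
+	}
+
+	// Populate the raw data struct
+	err = json.Unmarshal(data, &localClaim.RawClaim)
+	if err != nil {
+		return err
+	}
+
+	*c = Claims(localClaim)
+	return nil
+}
+
+// GetCustomGroup is responsible for extracting groups based on the
+// provided custom claim key
+func (c *Claims) GetCustomGroup(customKeyName string) ([]string, error) {
+	groups, ok := c.RawClaim[customKeyName]
+	if !ok {
+		return nil, fmt.Errorf("No claim found for key: %v", customKeyName)
+	}
+
+	sliceInterface, ok := groups.([]interface{})
+	if !ok {
+		return nil, fmt.Errorf("Expected an array, got %v", groups)
+	}
+
+	newSlice := []string{}
+	for _, a := range sliceInterface {
+		val, ok := a.(string)
+		if !ok {
+			return nil, fmt.Errorf("Group name %v was not a string", a)
+		}
+		newSlice = append(newSlice, val)
+	}
+
+	return newSlice, nil
+}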
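Review bot: In `UnmarshalJSON` the second decode targets `localClaim.RawClaim`, and `localClaim` is copied from `*c` by `claimAlias(*c)`, so when the receiver already holds a map from an earlier decode `json.Unmarshal` merges into that existing map instead of replacing it — keys from a previous token, including whatever group claim `GetCustomGroup` later reads, would survive into the next one. Resetting the map before the second decode closes that, `localClaim.RawClaim = nil`, which makes `json.Unmarshal` allocate a fresh map; whether any caller actually reuses a `Claims` value is not visible here, but the reset costs nothing. Separately, `GetCustomGroup` formats the untrusted claim value into its error with `%v` (`"Expected an array, got %v"` and `"Group name %v was not a string"`); if those errors reach logs or the HTTP client, report the key and the dynamic type (`%T`) rather than echoing token contents. Go convention also wants these error strings lowercase with no trailing punctuation, e.g. `fmt.Errorf("no claim found for key %q", customKeyName)`.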