feat: filter sso groups based on regex (#11774)
Signed-off-by: bjenuhb <Basanth_JenuHB@intuit.com>
Co-authored-by: bjenuhb <Basanth_JenuHB@intuit.com>
2 people authored and terrytangyuan committed Oct 19, 2023
1 parent b23647a commit f87aba3
Showing 2 changed files with 58 additions and 28 deletions.
7 changes: 4 additions & 3 deletions config/sso.go
Expand Up @@ -18,9 +18,10 @@ type SSOConfig struct {
Scopes []string `json:"scopes,omitempty"`
SessionExpiry metav1.Duration `json:"sessionExpiry,omitempty"`
// customGroupClaimName will override the groups claim name
CustomGroupClaimName string `json:"customGroupClaimName,omitempty"`
UserInfoPath string `json:"userInfoPath,omitempty"`
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
CustomGroupClaimName string `json:"customGroupClaimName,omitempty"`
UserInfoPath string `json:"userInfoPath,omitempty"`
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
FilterGroupsRegex []string `json:"filterGroupsRegex,omitempty"`
}

func (c SSOConfig) GetSessionExpiry() time.Duration {
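Review bot: The new `FilterGroupsRegex` field carries no doc comment, while the sibling `CustomGroupClaimName` two lines above it does, so a reader of the config struct cannot tell whether an empty list means "no filtering" or "drop every group". Judging from the server-side hunk in this commit the filter is only applied when the list is non-empty, so the field should say so: `// filterGroupsRegex keeps only the groups matching at least one of these regexes; empty means no filtering`. It is also worth stating that the patterns are matched unanchored, since this list decides which groups reach the RBAC claims. The struct's opening line sits in the hunk header and its earlier fields are outside this view.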
79 changes: 54 additions & 25 deletions server/auth/sso/sso.go
Expand Up @@ -9,6 +9,7 @@ import (
"crypto/x509"
"fmt"
"net/http"
"regexp"
"strings"
"time"

Expand Down Expand Up @@ -49,18 +50,19 @@ var _ Interface = &sso{}
type Config = config.SSOConfig

type sso struct {
config *oauth2.Config
issuer string
idTokenVerifier *oidc.IDTokenVerifier
httpClient *http.Client
baseHRef string
secure bool
privateKey crypto.PrivateKey
encrypter jose.Encrypter
rbacConfig *config.RBACConfig
expiry time.Duration
customClaimName string
userInfoPath string
config *oauth2.Config
issuer string
idTokenVerifier *oidc.IDTokenVerifier
httpClient *http.Client
baseHRef string
secure bool
privateKey crypto.PrivateKey
encrypter jose.Encrypter
rbacConfig *config.RBACConfig
expiry time.Duration
customClaimName string
userInfoPath string
filterGroupsRegex []*regexp.Regexp
}

func (s *sso) IsRBACEnabled() bool {
Expand Down Expand Up @@ -181,25 +183,38 @@ func newSso(
if err != nil {
return nil, fmt.Errorf("failed to create JWT encrpytor: %w", err)
}
lf := log.Fields{"redirectUrl": config.RedirectURL, "issuer": c.Issuer, "issuerAlias": "DISABLED", "clientId": c.ClientID, "scopes": config.Scopes, "insecureSkipVerify": c.InsecureSkipVerify}

var filterGroupsRegex []*regexp.Regexp
if c.FilterGroupsRegex != nil && len(c.FilterGroupsRegex) > 0 {
for _, regex := range c.FilterGroupsRegex {
compiledRegex, err := regexp.Compile(regex)
if err != nil {
return nil, fmt.Errorf("failed to compile sso.filterGroupRegex: %s %w", regex, err)
}
filterGroupsRegex = append(filterGroupsRegex, compiledRegex)
}
}

lf := log.Fields{"redirectUrl": config.RedirectURL, "issuer": c.Issuer, "issuerAlias": "DISABLED", "clientId": c.ClientID, "scopes": config.Scopes, "insecureSkipVerify": c.InsecureSkipVerify, "filterGroupsRegex": c.FilterGroupsRegex}
if c.IssuerAlias != "" {
lf["issuerAlias"] = c.IssuerAlias
}
log.WithFields(lf).Info("SSO configuration")

return &sso{
config: config,
idTokenVerifier: idTokenVerifier,
baseHRef: baseHRef,
httpClient: httpClient,
secure: secure,
privateKey: privateKey,
encrypter: encrypter,
rbacConfig: c.RBAC,
expiry: c.GetSessionExpiry(),
customClaimName: c.CustomGroupClaimName,
userInfoPath: c.UserInfoPath,
issuer: c.Issuer,
config: config,
idTokenVerifier: idTokenVerifier,
baseHRef: baseHRef,
httpClient: httpClient,
secure: secure,
privateKey: privateKey,
encrypter: encrypter,
rbacConfig: c.RBAC,
expiry: c.GetSessionExpiry(),
customClaimName: c.CustomGroupClaimName,
userInfoPath: c.UserInfoPath,
issuer: c.Issuer,
filterGroupsRegex: filterGroupsRegex,
}, nil
}

Expand Down Expand Up @@ -277,6 +292,20 @@ func (s *sso) HandleCallback(w http.ResponseWriter, r *http.Request) {
}
}

// only return groups that match at least one of the regexes
if s.filterGroupsRegex != nil && len(s.filterGroupsRegex) > 0 {
var filteredGroups []string
for _, group := range groups {
for _, regex := range s.filterGroupsRegex {
if regex.MatchString(group) {
filteredGroups = append(filteredGroups, group)
break
}
}
}
groups = filteredGroups
}

argoClaims := &types.Claims{
Claims: jwt.Claims{
Issuer: issuer,
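Review bot: `regex.MatchString(group)` in the inner loop is an unanchored search, so a pattern like `admin` also admits a group named `admin-readonly` (constructed example), and the groups that survive this block are what feed the RBAC claims built just below; the contract should at least be stated in the comment, e.g. `// only return groups that match at least one of the regexes (patterns are unanchored; use ^...$ to require a full match)`. The guard `s.filterGroupsRegex != nil && len(s.filterGroupsRegex) > 0` reduces to `if len(s.filterGroupsRegex) > 0 {` because len of a nil slice is 0; the same redundancy appears in the newSso hunk at `c.FilterGroupsRegex != nil && len(c.FilterGroupsRegex) > 0`. In that same hunk the compile error names `sso.filterGroupRegex` while the config key added in config/sso.go is `filterGroupsRegex`, and `%q` would quote the offending pattern more safely than `%s`. HandleCallback starts before this hunk and continues after it.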
