From fcc32f72a8b64377381ccaf1285ec9d6bde4c92d Mon Sep 17 00:00:00 2001
From: Jusshersmith
Date: Mon, 16 Mar 2020 16:21:05 +0000
Subject: [PATCH 1/2] sso_proxy: allow empty slice of groups

---
 internal/proxy/providers/sso.go | 3 +++
 internal/proxy/providers/sso_test.go | 8 ++++----
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/internal/proxy/providers/sso.go b/internal/proxy/providers/sso.go
index 1aca089c..08a496a6 100644
--- a/internal/proxy/providers/sso.go
+++ b/internal/proxy/providers/sso.go
@@ -181,6 +181,9 @@ func (p *SSOProvider) ValidateGroup(email string, allowedGroups []string, access
 logger.WithUser(email).WithAllowedGroups(allowedGroups).Info("validating groups")
 inGroups := []string{}
+ if len(allowedGroups) == 0 {
+ return inGroups, true, nil
+ }
 userGroups, err := p.UserGroups(email, allowedGroups, accessToken)
 if err != nil {
diff --git a/internal/proxy/providers/sso_test.go b/internal/proxy/providers/sso_test.go
index 1b9a2244..237cd540 100644
--- a/internal/proxy/providers/sso_test.go
+++ b/internal/proxy/providers/sso_test.go
@@ -144,11 +144,11 @@ func TestSSOProviderGroups(t *testing.T) {
 ProfileStatus int
 }{
 {
- Name: "invalid when no group id set",
+ Name: "valid when no group id set",
 Email: "michael.bland@gsa.gov",
 Groups: []string{},
 ProxyGroupIds: []string{},
- ExpectedValid: false,
+ ExpectedValid: true,
 ExpectedInGroups: []string{},
 ExpectError: nil,
 },
@@ -311,7 +311,7 @@ func TestSSOProviderValidateSessionState(t *testing.T) {
 ExpectedValid bool
 }{
 {
- Name: "invalid when no group id set",
+ Name: "valid when no group id set",
 SessionState: &sessions.SessionState{
 AccessToken: "abc",
 Email: "michael.bland@gsa.gov",
@@ -319,7 +319,7 @@ func TestSSOProviderValidateSessionState(t *testing.T) {
 ProviderResponse: http.StatusOK,
 Groups: []string{},
 ProxyGroupIds: []string{},
- ExpectedValid: false,
+ ExpectedValid: true,
 },
 {
 Name: "invalid when response is is not 200",
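Review bot: The new early return in the sso.go hunk makes an empty allowedGroups list an unconditional pass, so a missing or mis-parsed group configuration now fails open instead of failing closed, and nothing in the hunk records that this is the intended rule. ValidateGroup's doc comment (the function starts above the hunk and continues below it) should state it, e.g. `// An empty allowedGroups list disables group checking; ValidateGroup then reports the user as valid with no groups.` The preceding context line still logs "validating groups" even though the check is skipped; logging the skip explicitly, `logger.WithUser(email).Info("no allowed groups configured, skipping group validation")`, keeps the audit trail accurate. The test changes in this patch indicate the previous behaviour for an empty list was deny, so any caller that relied on that (not visible here) should be checked.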
From 565ab669161f5d2fe73808099c1ec2ad3af71cbb Mon Sep 17 00:00:00 2001
From: Jusshersmith
Date: Mon, 16 Mar 2020 18:23:16 +0000
Subject: [PATCH 2/2] sso_proxy: allow use of wildcard

---
 internal/proxy/providers/sso.go | 2 +-
 internal/proxy/providers/sso_test.go | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/internal/proxy/providers/sso.go b/internal/proxy/providers/sso.go
index 08a496a6..b4ebc9f0 100644
--- a/internal/proxy/providers/sso.go
+++ b/internal/proxy/providers/sso.go
@@ -181,7 +181,7 @@ func (p *SSOProvider) ValidateGroup(email string, allowedGroups []string, access
 logger.WithUser(email).WithAllowedGroups(allowedGroups).Info("validating groups")
 inGroups := []string{}
- if len(allowedGroups) == 0 {
+ if len(allowedGroups) == 0 || len(allowedGroups) == 1 && allowedGroups[0] == "*" {
 return inGroups, true, nil
 }
diff --git a/internal/proxy/providers/sso_test.go b/internal/proxy/providers/sso_test.go
index 237cd540..fb176678 100644
--- a/internal/proxy/providers/sso_test.go
+++ b/internal/proxy/providers/sso_test.go
@@ -152,6 +152,15 @@ func TestSSOProviderGroups(t *testing.T) {
 ExpectedInGroups: []string{},
 ExpectError: nil,
 },
+ {
+ Name: "valid when group list consists of a single wildcard",
+ Email: "michael.bland@gsa.gov",
+ Groups: []string{},
+ ProxyGroupIds: []string{"*"},
+ ExpectedValid: true,
+ ExpectedInGroups: []string{},
+ ExpectError: nil,
+ },
 {
 Name: "valid when the group id exists",
 Email: "michael.bland@gsa.gov",
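Review bot: The changed condition in the sso.go hunk mixes `||` and `&&` without parentheses; it is correct because `&&` binds tighter in Go, but `if len(allowedGroups) == 0 || (len(allowedGroups) == 1 && allowedGroups[0] == "*") {` makes the bypass readable at a glance. The wildcard is honoured only as the sole entry, so a list such as `[]string{"*", "eng"}` is forwarded to UserGroups as literal group names; a comment on the changed line should say so, and the bare "*" would be better as a named constant so its special meaning is documented in one place. Because the early return skips UserGroups entirely, inGroups is empty on the wildcard path, and any caller that propagates inGroups downstream (not visible here) will see no group membership for wildcard-authorised users. ValidateGroup starts and ends outside the hunk.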
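Review bot: The added wildcard case in TestSSOProviderGroups, and the matching one in the TestSSOProviderValidateSessionState hunk that follows, only cover a list that is exactly `[]string{"*"}`; neither pins what happens when the wildcard appears alongside a real group id. A case with `ProxyGroupIds: []string{"*", "group1"}` and the intended expectation (the sso.go change looks both up literally, so with Groups empty the current code would report invalid) would lock in that the wildcard is not honoured in mixed lists and guard against a later change widening it unintentionally. The test table is declared outside the hunk.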
@@ -321,6 +330,17 @@ func TestSSOProviderValidateSessionState(t *testing.T) {
 ProxyGroupIds: []string{},
 ExpectedValid: true,
 },
+ {
+ Name: "valid when group list consists of single wildcard",
+ SessionState: &sessions.SessionState{
+ AccessToken: "abc",
+ Email: "michael.bland@gsa.gov",
+ },
+ ProviderResponse: http.StatusOK,
+ Groups: []string{},
+ ProxyGroupIds: []string{"*"},
+ ExpectedValid: true,
+ },
 {
 Name: "invalid when response is is not 200",
 SessionState: &sessions.SessionState{