feat: initial creation of allOf group auth #555

Closed
8 changes: 7 additions & 1 deletion docs/configuration/uds-operator.md
Expand Up @@ -20,7 +20,13 @@ The UDS Operator plays a pivotal role in managing the lifecycle of UDS Package C
- In addition, the operator is responsible for generating Istio Virtual Services and the associated network policies for the ingress gateway.
- **SSO Group Authentication:**
- Group authentication determines who can access the application based on keycloak group membership.
- At this time `anyOf` allows defining a list of groups, a user must belong to at least one of them.
- Group definition types:
- `anyOf` defines a list of groups, a user must belong to at least one of them.
- `allOf` defines a list of groups, a user must belong to **all** of them.
- These definitions can be used together to create more complicated authentication rules.
{{% alert-caution %}}
Warning: **SSO Group Authentication** is in Alpha and may not be stable. Avoid using in production. Feedback is appreciated to improve reliability.
{{% /alert-caution %}}
- **Authservice Protection:**
- Authservice authentication provides application agnostic SSO for applications that opt-in.
{{% alert-caution %}}
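Review bot: the combined case is left undefined at `- These definitions can be used together to create more complicated authentication rules.`; spell out what a client gets when it sets both `anyOf` and `allOf` (presumably a user must satisfy both: every group in `allOf` and at least one group in `anyOf`), because an authorization rule whose composition is ambiguous is exactly the kind of setting that gets misconfigured. Minor wording on the two new bullets: "a user must belong to at least one of them" is a comma splice, so join it with a semicolon or "and", and `keycloak` should be written Keycloak as elsewhere in the docs.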
54 changes: 53 additions & 1 deletion src/pepr/operator/controllers/keycloak/client-sync.spec.ts
Expand Up @@ -139,7 +139,7 @@ describe("Test Secret & Template Data Generation", () => {
});

describe("handleClientGroups function", () => {
it('should correctly transform groups into attributes["uds.core.groups"]', () => {
it('should correctly transform anyOf groups into attributes["uds.core.groups"]', () => {
// Arrange
const ssoWithGroups: Sso = {
clientId: "test-client",
Expand All @@ -164,6 +164,58 @@ describe("handleClientGroups function", () => {
expect(ssoWithGroups.groups).toBeUndefined();
});

it('should correctly transform alllOf groups into attributes["uds.core.groups"]', () => {
// Arrange
const ssoWithGroups: Sso = {
clientId: "test-client",
name: "Test Client",
redirectUris: ["https://example.com/callback"],
groups: {
allOf: ["group1", "group2"],
},
};

// Act
handleClientGroups(ssoWithGroups);

// Assert
expect(ssoWithGroups.attributes).toBeDefined();
expect(typeof ssoWithGroups.attributes).toBe("object");
expect(ssoWithGroups.attributes!["uds.core.groups"]).toEqual(
JSON.stringify({
allOf: ["group1", "group2"],
}),
);
expect(ssoWithGroups.groups).toBeUndefined();
});

it('should correctly transform alllOf and anyOf groups into attributes["uds.core.groups"]', () => {
// Arrange
const ssoWithGroups: Sso = {
clientId: "test-client",
name: "Test Client",
redirectUris: ["https://example.com/callback"],
groups: {
anyOf: ["group1", "group2"],
allOf: ["group3", "group4"],
},
};

// Act
handleClientGroups(ssoWithGroups);

// Assert
expect(ssoWithGroups.attributes).toBeDefined();
expect(typeof ssoWithGroups.attributes).toBe("object");
expect(ssoWithGroups.attributes!["uds.core.groups"]).toEqual(
JSON.stringify({
anyOf: ["group1", "group2"],
allOf: ["group3", "group4"],
}),
);
expect(ssoWithGroups.groups).toBeUndefined();
});

it('should set attributes["uds.core.groups"] to an empty object if groups are not provided', () => {
// Arrange
const ssoWithoutGroups: Sso = {
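Review bot: `alllOf` is misspelled in both new test titles (`it('should correctly transform alllOf groups into attributes["uds.core.groups"]'` and the combined `alllOf and anyOf` one); rename to `allOf` so a failure is searchable. Beyond that, all three group tests assert the same thing, that the `groups` object is serialized verbatim into `attributes["uds.core.groups"]`, so none of them pins down the edge case that matters for `allOf`: an empty list. "Must belong to all of zero groups" is satisfied by every user, so add a test that states the intended result for `groups: { allOf: [] }` (rejected, treated as no groups, or passed through) so the behaviour is chosen deliberately rather than inherited from JavaScript truthiness.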
2 changes: 1 addition & 1 deletion src/pepr/operator/controllers/keycloak/client-sync.ts
Expand Up @@ -174,7 +174,7 @@ async function syncClient(
* @param clientReq - The client request object.
*/
export function handleClientGroups(clientReq: Sso) {
if (clientReq.groups?.anyOf) {
if (clientReq.groups?.anyOf || clientReq.groups?.allOf) {
clientReq.attributes = clientReq.attributes || {};
clientReq.attributes["uds.core.groups"] = JSON.stringify(clientReq.groups);
} else {
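Review bot: the new condition `if (clientReq.groups?.anyOf || clientReq.groups?.allOf)` is a truthiness check, and an empty array is truthy in JavaScript, so `allOf: []` takes the first branch and is written into `uds.core.groups` as a rule; since every user trivially belongs to all of an empty set, an empty `allOf` becomes a silent allow-all unless the consumer rejects it. Either guard with `?.length` on both lists (`clientReq.groups?.anyOf?.length || clientReq.groups?.allOf?.length`) or reject empty lists at the CRD, and say which in the doc comment. Also note that nothing in this diff reads `allOf` back out of the attribute; the component that actually enforces `uds.core.groups` should be linked or included so reviewers can confirm `allOf` is applied as a conjunction rather than ignored.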
5 changes: 5 additions & 0 deletions src/pepr/operator/crd/generated/package-v1alpha1.ts
Expand Up @@ -593,6 +593,11 @@ export interface Groups {
* List of groups allowed to access to client
*/
anyOf?: string[];

/**
* List of groups required to access client
*/
allOf?: string[];
}

/**
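Review bot: the two doc comments now describe the sibling fields asymmetrically: `anyOf` reads `List of groups allowed to access to client` (with a stray "to") while the new `allOf` reads `List of groups required to access client`. Since this file is generated from the CRD source, fix the wording there with parallel phrasing that states the rule, for example "User must be a member of at least one of these groups" and "User must be a member of all of these groups", so the generated comment conveys the semantics rather than just "allowed" versus "required".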
7 changes: 7 additions & 0 deletions src/pepr/operator/crd/sources/package/v1alpha1.ts
Expand Up @@ -358,6 +358,13 @@ const sso = {
type: "string",
},
},
allOf: {
description: "List of groups required to access client",
type: "array",
items: {
type: "string",
},
},
},
},
},
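Review bot: `allOf` is declared as a bare `type: "array"` of strings with no `minItems`, so `allOf: []` passes admission; combined with the truthiness check in `handleClientGroups` it is then serialized as a rule that every user satisfies. Add `minItems: 1` here (and consider the same for `anyOf`) so the API server rejects an empty list up front instead of relying on the operator or the consumer to notice, and keep the `description` parallel with the one on `anyOf` so the two rules read as a pair.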