-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Allow multiple values for OIDC attribute requirements #12488
Allow multiple values for OIDC attribute requirements #12488
Conversation
Signed-off-by: Andrey Chugunov <andrey@chugunov.me>
Signed-off-by: Andrey Chugunov <andrey@chugunov.me>
Signed-off-by: Andrey Chugunov <andrey@chugunov.me>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks very much for contributing!
I think this is a good start, but also there is quite a lot that needs cleaning up - see the comments below.
Regarding the documentation, let us know if you need a hand with the English, but please could you have a go yourself first?
# `attribute_requirements` as shown below. All of the listed in `value` attributes and | ||
# any of the listed in `values` attributes must match for the login to be permitted. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This new sentence isn't very clear - please could you expand on it somewhat?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In general this paragraph is very unclear to start with, so anything you can do to improve it would be much appreciated.
# If you specify both `value` and `values` entries, then only `value` entry will be checked | ||
# and `values` will be ignored. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
# If you specify both `value` and `values` entries, then only `value` entry will be checked | |
# and `values` will be ignored. | |
# If you specify both `value` and `values` entries, then only the `value` entry will be checked | |
# and `values` will be ignored. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
since you're using oneOf
in the json schema, my understanding is that if you specify both values, the configuration will be rejected. Are you sure this sentence is correct?
@@ -36,13 +36,27 @@ class SsoAttributeRequirement: | |||
"""Object describing a single requirement for SSO attributes.""" | |||
|
|||
attribute: str | |||
# If a value is not given, than the attribute must simply exist. | |||
value: Optional[str] | |||
# If a value or values are not given, than the attribute must simply exist. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
according to the schema, one or both of value
or values
is required - so I don't understand this comment?
value: Optional[str] = None | ||
values: Optional[List[str]] = [] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rather than having both of these, could we just have a values: List[str]
, and convert value
into a single-item list?
# | ||
# attribute_requirements: | ||
# - attribute: given_name | ||
# values: ["Andries", "Michael"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think a different name might make the behaviour here clearer - for example allowable_values
?
} | ||
) | ||
def test_attribute_requirements_exists(self) -> None: | ||
"""The required attributes must exists.""" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"""The required attributes must exists.""" | |
"""The required attributes must exist.""" |
elif req.values: | ||
req_values.extend(req.values) | ||
else: | ||
# If the requirement is None or empty, the attribute existing is enough. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
having special behaviour for an empty list feels extremely unintuitive. At the very least it should be documented, but I am not in favour.
} | ||
) | ||
def test_attribute_requirements_contains_any_values(self) -> None: | ||
"""Test that auth succeeds if userinfo attribute CONTAINS ANY required values""" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"""Test that auth succeeds if userinfo attribute CONTAINS ANY required values""" | |
"""Test that auth succeeds if userinfo attribute contains any of the required values""" |
) | ||
def test_attribute_requirements_mismatch_any_values(self) -> None: | ||
""" | ||
Test that auth fails if attributes exist but don't match ANY VALUE, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Test that auth fails if attributes exist but don't match ANY VALUE, | |
Test that auth fails if attributes exist but don't match any of the required values, |
# match for the login to be permitted. Additional attributes can be added to | ||
# userinfo by expanding the `scopes` section of the OIDC config to retrieve | ||
# additional information from the OIDC provider. | ||
# `attribute_requirements` as shown below. All of the listed in `value` attributes and |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
by the way, don't forget to update the manual at https://github.com/matrix-org/synapse/blob/develop/docs/usage/configuration/config_documentation.md - currently this has to be done manually. Maybe best to wait until we can agree wording though.
@chugunov As this has sat around for a bit now: are you still interested in working on this? |
Closing due to lack of response. |
I need to filter SSO logins by multiple domains (Google OpenID uses
hd
claim in response)I've tried to extend the ability of filtering SSO attribute values for that use case, as described at #12238 (comment).
Signed-off-by: Andrey Chugunov andrey@chugunov.me
Pull Request Checklist
EventStore
toEventWorkerStore
.".code blocks
.(run the linters)