Merge pull request #1591 from dexidp/google-group-whitelist

connector/google: support group whitelisting
This commit is contained in:
Nándor István Krácser 2019-12-06 15:53:00 +01:00 committed by GitHub
commit 1ac4f7fe42
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 22 additions and 1 deletions


@ -29,6 +29,13 @@ connectors:
# hostedDomains: # hostedDomains:
# - example.com # - example.com
# The Google connector supports whitelisting allowed groups when using G Suite
# (Google Apps). The following field can be set to a list of groups
# that can log in:
#
# groups:
# - admins@example.com
# Google does not support the OpenID Connect groups claim and only supports # Google does not support the OpenID Connect groups claim and only supports
# fetching a user's group membership with a service account. # fetching a user's group membership with a service account.
# This service account requires an authentication JSON file and the email # This service account requires an authentication JSON file and the email
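Review bot: The new comment block ending with the `groups:` example does not say what the whitelist depends on, and an operator reading it would assume that setting `groups` alone restricts login. In the Go change of this same commit the filter is evaluated only inside the block that has just fetched the user's groups, and the paragraph right below this one says that fetching requires a service account and admin email, so a `groups` list without those settings appears (on the visible evidence) to have no effect rather than to deny everyone. I would add one line after the example: `# The whitelist is only enforced when group lookup is configured (serviceAccountFilePath and adminEmail below); without them this list has no effect.`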


@ -13,9 +13,10 @@ import (
"golang.org/x/oauth2" "golang.org/x/oauth2"
"github.com/dexidp/dex/connector" "github.com/dexidp/dex/connector"
pkg_groups "github.com/dexidp/dex/pkg/groups"
"github.com/dexidp/dex/pkg/log" "github.com/dexidp/dex/pkg/log"
"golang.org/x/oauth2/google" "golang.org/x/oauth2/google"
"google.golang.org/api/admin/directory/v1" admin "google.golang.org/api/admin/directory/v1"
) )
const ( const (
@ -34,6 +35,10 @@ type Config struct {
// If this field is nonempty, only users from a listed domain will be allowed to log in // If this field is nonempty, only users from a listed domain will be allowed to log in
HostedDomains []string `json:"hostedDomains"` HostedDomains []string `json:"hostedDomains"`
// Optional list of whitelisted groups
// If this field is nonempty, only users from a listed group will be allowed to log in
Groups []string `json:"groups"`
// Optional path to service account json // Optional path to service account json
// If nonempty, and groups claim is made, will use authentication from file to // If nonempty, and groups claim is made, will use authentication from file to
// check groups with the admin directory api // check groups with the admin directory api
@ -84,6 +89,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
logger: logger, logger: logger,
cancel: cancel, cancel: cancel,
hostedDomains: c.HostedDomains, hostedDomains: c.HostedDomains,
groups: c.Groups,
serviceAccountFilePath: c.ServiceAccountFilePath, serviceAccountFilePath: c.ServiceAccountFilePath,
adminEmail: c.AdminEmail, adminEmail: c.AdminEmail,
adminSrv: srv, adminSrv: srv,
@ -103,6 +109,7 @@ type googleConnector struct {
cancel context.CancelFunc cancel context.CancelFunc
logger log.Logger logger log.Logger
hostedDomains []string hostedDomains []string
groups []string
serviceAccountFilePath string serviceAccountFilePath string
adminEmail string adminEmail string
adminSrv *admin.Service adminSrv *admin.Service
@ -211,6 +218,13 @@ func (c *googleConnector) createIdentity(ctx context.Context, identity connector
if err != nil { if err != nil {
return identity, fmt.Errorf("google: could not retrieve groups: %v", err) return identity, fmt.Errorf("google: could not retrieve groups: %v", err)
} }
if len(c.groups) > 0 {
groups = pkg_groups.Filter(groups, c.groups)
if len(groups) == 0 {
return identity, fmt.Errorf("google: user %q is not in any of the required groups", claims.Username)
}
}
} }
identity = connector.Identity{ identity = connector.Identity{
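Review bot: The whitelist added at the end of createIdentity sits inside the block that fetched `groups`, and that block's condition is outside the hunk; on the visible evidence (the field comment says the admin directory lookup happens only when a service account file is set and a groups claim is made) a connector configured with `groups` but no usable `adminSrv` never reaches the check and admits every user, so the restriction fails open rather than closed. Open should reject such a config instead of building a connector that silently ignores it: after `srv` is established and before the struct literal, `if len(c.Groups) > 0 && srv == nil { return nil, errors.New("google: groups whitelist requires serviceAccountFilePath and adminEmail") }` (adding the `errors` import if the file does not already have it). Whether the check is also skipped when the client does not request the groups scope cannot be confirmed from the hunk; if it is, the lookup should be forced whenever `groups` is set, or the field doc on the `Groups` field should state that the list is enforced only for clients requesting groups. Both createIdentity and Open begin outside their hunks.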