fix(connector/google): make admin email optional for default creds

Signed-off-by: Mark Sagi-Kazar <mark.sagikazar@gmail.com>
Mark Sagi-Kazar 2022-10-04 08:55:57 +02:00
parent 19b3aab323
commit 261adee26b
No known key found for this signature in database
GPG Key ID: 31AB0439F4C5C90E
2 changed files with 14 additions and 6 deletions


@ -283,7 +283,9 @@ func (c *googleConnector) getGroups(email string, fetchTransitiveGroupMembership
// the google admin api. If no serviceAccountFilePath is defined, the application default credential // the google admin api. If no serviceAccountFilePath is defined, the application default credential
// is used. // is used.
func createDirectoryService(serviceAccountFilePath, email string, logger log.Logger) (*admin.Service, error) { func createDirectoryService(serviceAccountFilePath, email string, logger log.Logger) (*admin.Service, error) {
if email == "" { // We know impersonation is required when using a service account credential
// TODO: or is it?
if email == "" && serviceAccountFilePath != "" {
return nil, fmt.Errorf("directory service requires adminEmail") return nil, fmt.Errorf("directory service requires adminEmail")
} }
@ -308,7 +310,12 @@ func createDirectoryService(serviceAccountFilePath, email string, logger log.Log
if err != nil { if err != nil {
return nil, fmt.Errorf("unable to parse credentials to config: %v", err) return nil, fmt.Errorf("unable to parse credentials to config: %v", err)
} }
config.Subject = email
// Only attempt impersonation when there is a user configured
if email != "" {
config.Subject = email
}
return admin.NewService(ctx, option.WithHTTPClient(config.Client(ctx))) return admin.NewService(ctx, option.WithHTTPClient(config.Client(ctx)))
} }
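Review bot: The new guard `if email == "" && serviceAccountFilePath != "" {` is shipped with `// TODO: or is it?` directly above it, which contradicts the preceding comment and leaves the condition looking unsettled; the question should be resolved and the TODO replaced with a statement of the actual rule, e.g. `// A service-account credential must impersonate an admin (domain-wide delegation); application default credentials are used as-is and need no adminEmail.`. If the lines between the two hunks (not visible here) return early on the default-credential path, then the second hunk's `if email != "" {` around `config.Subject = email` can never see an empty email, because the first hunk already rejects that combination whenever serviceAccountFilePath is set, so the guard is either redundant or needs a comment saying why it is kept. The function-level comment at the top of the first hunk should also state the consequence of the change: with default credentials and no adminEmail, directory lookups run under the default credential's own identity rather than an impersonated admin, so operators must grant that identity the directory scope themselves. createDirectoryService's body continues outside both hunks.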


@ -74,10 +74,11 @@ func TestOpen(t *testing.T) {
for name, reference := range map[string]testCase{ for name, reference := range map[string]testCase{
"missing_admin_email": { "missing_admin_email": {
config: &Config{ config: &Config{
ClientID: "testClient", ClientID: "testClient",
ClientSecret: "testSecret", ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback", RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups"}, Scopes: []string{"openid", "groups"},
ServiceAccountFilePath: serviceAccountFilePath,
}, },
expectedErr: "requires adminEmail", expectedErr: "requires adminEmail",
}, },
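Review bot: Adding `ServiceAccountFilePath: serviceAccountFilePath,` keeps the "missing_admin_email" case failing, but nothing in this hunk exercises the behaviour the commit introduces, namely that an empty adminEmail without a service account file no longer returns "requires adminEmail". A sibling case with the same config minus `ServiceAccountFilePath` and no `expectedErr` would pin that, though if the default-credential path needs real application default credentials in the environment it may have to be skipped outside CI, which is worth noting in a comment on the case. The surrounding TestOpen table continues outside the hunk.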