microsoft: option for group UUIDs instead of name and group whitelist

This commit is contained in:
Maxime Desrosiers 2019-05-08 16:06:19 -04:00
parent 20a858da3b
commit 458585008b
No known key found for this signature in database
GPG Key ID: 20D8ABE882F6424F
2 changed files with 65 additions and 29 deletions

View File

@ -88,6 +88,9 @@ a member of. `onlySecurityGroups` configuration option restricts the list to
include only security groups. By default all groups (security, Office 365, include only security groups. By default all groups (security, Office 365,
mailing lists) are included. mailing lists) are included.
By default, dex resolve groups ids to groups names, to keep groups ids, you can
specify the configuration option `groupNameFormat: id`.
It is possible to require a user to be a member of a particular group in order It is possible to require a user to be a member of a particular group in order
to be successfully authenticated in dex. For example, with the following to be successfully authenticated in dex. For example, with the following
configuration file only the users who are members of at least one of the listed configuration file only the users who are members of at least one of the listed
@ -110,3 +113,6 @@ connectors:
- developers - developers
- devops - devops
``` ```
Also, `useGroupsAsWhitelist` configuration option, can restrict the groups
claims to include only the user's groups that are in the configured `groups`.

View File

@ -19,12 +19,23 @@ import (
"github.com/dexidp/dex/pkg/log" "github.com/dexidp/dex/pkg/log"
) )
// GroupNameFormat represents the format of the group identifier
// we use type of string instead of int because it's easier to
// marshall/unmarshall
type GroupNameFormat string
// Possible values for GroupNameFormat
const (
GroupID GroupNameFormat = "id"
GroupName GroupNameFormat = "name"
)
const ( const (
apiURL = "https://graph.microsoft.com" apiURL = "https://graph.microsoft.com"
// Microsoft requires this scope to access user's profile // Microsoft requires this scope to access user's profile
scopeUser = "user.read" scopeUser = "user.read"
// Microsoft requires this scope to list groups the user is a member of // Microsoft requires this scope to list groups the user is a member of
// and resolve their UUIDs to groups names. // and resolve their ids to groups names.
scopeGroups = "directory.read.all" scopeGroups = "directory.read.all"
) )
@ -36,6 +47,8 @@ type Config struct {
Tenant string `json:"tenant"` Tenant string `json:"tenant"`
OnlySecurityGroups bool `json:"onlySecurityGroups"` OnlySecurityGroups bool `json:"onlySecurityGroups"`
Groups []string `json:"groups"` Groups []string `json:"groups"`
GroupNameFormat GroupNameFormat `json:"groupNameFormat"`
UseGroupsAsWhitelist bool `json:"useGroupsAsWhitelist"`
} }
// Open returns a strategy for logging in through Microsoft. // Open returns a strategy for logging in through Microsoft.
@ -47,6 +60,8 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error)
tenant: c.Tenant, tenant: c.Tenant,
onlySecurityGroups: c.OnlySecurityGroups, onlySecurityGroups: c.OnlySecurityGroups,
groups: c.Groups, groups: c.Groups,
groupNameFormat: c.GroupNameFormat,
useGroupsAsWhitelist: c.UseGroupsAsWhitelist,
logger: logger, logger: logger,
} }
// By default allow logins from both personal and business/school // By default allow logins from both personal and business/school
@ -55,6 +70,15 @@ func (c *Config) Open(id string, logger log.Logger) (connector.Connector, error)
m.tenant = "common" m.tenant = "common"
} }
// By default, use group names
switch m.groupNameFormat {
case "":
m.groupNameFormat = GroupName
case GroupID, GroupName:
default:
return nil, fmt.Errorf("invalid groupNameFormat: %s", m.groupNameFormat)
}
return &m, nil return &m, nil
} }
@ -75,7 +99,9 @@ type microsoftConnector struct {
clientSecret string clientSecret string
tenant string tenant string
onlySecurityGroups bool onlySecurityGroups bool
groupNameFormat GroupNameFormat
groups []string groups []string
useGroupsAsWhitelist bool
logger log.Logger logger log.Logger
} }
@ -300,24 +326,28 @@ type group struct {
Name string `json:"displayName"` Name string `json:"displayName"`
} }
func (c *microsoftConnector) getGroups(ctx context.Context, client *http.Client, userID string) (groups []string, err error) { func (c *microsoftConnector) getGroups(ctx context.Context, client *http.Client, userID string) ([]string, error) {
ids, err := c.getGroupIDs(ctx, client) userGroups, err := c.getGroupIDs(ctx, client)
if err != nil { if err != nil {
return groups, err return nil, err
} }
groups, err = c.getGroupNames(ctx, client, ids) if c.groupNameFormat == GroupName {
userGroups, err = c.getGroupNames(ctx, client, userGroups)
if err != nil { if err != nil {
return return nil, err
}
} }
// ensure that the user is in at least one required group // ensure that the user is in at least one required group
filteredGroups := groups_pkg.Filter(groups, c.groups) filteredGroups := groups_pkg.Filter(userGroups, c.groups)
if len(c.groups) > 0 && len(filteredGroups) == 0 { if len(c.groups) > 0 && len(filteredGroups) == 0 {
return nil, fmt.Errorf("microsoft: user %v not in any of the required groups", userID) return nil, fmt.Errorf("microsoft: user %v not in any of the required groups", userID)
} else if c.useGroupsAsWhitelist {
return filteredGroups, nil
} }
return return userGroups, nil
} }
func (c *microsoftConnector) getGroupIDs(ctx context.Context, client *http.Client) (ids []string, err error) { func (c *microsoftConnector) getGroupIDs(ctx context.Context, client *http.Client) (ids []string, err error) {