connector/saml: add 'FilterGroups' setting

This should make AllowedGroups equivalent to an LDAP group filter: When set to true, only the groups from AllowedGroups will be included in the user's identity. Signed-off-by: Stephan Renatus <srenatus@chef.io>
2020-05-11 11:42:26 +02:00
parent d87cf1c924
commit 4a0feaf589
3 changed files with 34 additions and 0 deletions
--- a/connector/saml/saml_test.go
+++ b/connector/saml/saml_test.go
@@ -53,6 +53,7 @@ type responseTest struct {
 	emailAttr     string
 	groupsAttr    string
 	allowedGroups []string
+	filterGroups  bool

 	// Expected outcome of the test.
 	wantErr   bool
@@ -121,6 +122,29 @@ func TestGroupsWhitelist(t *testing.T) {
 	test.run(t)
 }

+func TestGroupsWhitelistWithFiltering(t *testing.T) {
+	test := responseTest{
+		caFile:        "testdata/ca.crt",
+		respFile:      "testdata/good-resp.xml",
+		now:           "2017-04-04T04:34:59.330Z",
+		usernameAttr:  "Name",
+		emailAttr:     "email",
+		groupsAttr:    "groups",
+		allowedGroups: []string{"Admins"},
+		filterGroups:  true,
+		inResponseTo:  "6zmm5mguyebwvajyf2sdwwcw6m",
+		redirectURI:   "http://127.0.0.1:5556/dex/callback",
+		wantIdent: connector.Identity{
+			UserID:        "eric.chiang+okta@coreos.com",
+			Username:      "Eric",
+			Email:         "eric.chiang+okta@coreos.com",
+			EmailVerified: true,
+			Groups:        []string{"Admins"}, // "Everyone" is filtered
+		},
+	}
+	test.run(t)
+}
+
 func TestGroupsWhitelistEmpty(t *testing.T) {
 	test := responseTest{
 		caFile:        "testdata/ca.crt",
@@ -388,6 +412,7 @@ func (r responseTest) run(t *testing.T) {
 		RedirectURI:   r.redirectURI,
 		EntityIssuer:  r.entityIssuer,
 		AllowedGroups: r.allowedGroups,
+		FilterGroups:  r.filterGroups,
 		// Never logging in, don't need this.
 		SSOURL: "http://foo.bar/",
 	}