Issue #1102 - Add config to explicitly enable loading all github groups

Alexander Matyushentsev
2018-11-19 10:14:38 -08:00
parent 2425c6ea63
commit 7bd084bc07
3 changed files with 23 additions and 5 deletions


@@ -48,6 +48,7 @@ type Config struct {
HostName string `json:"hostName"`
RootCA string `json:"rootCA"`
TeamNameField string `json:"teamNameField"`
LoadAllGroups bool `json:"loadAllGroups"`
}
// Org holds org-team filters, in which teams are optional.
@@ -107,6 +108,7 @@ func (c *Config) Open(id string, logger logrus.FieldLogger) (connector.Connector
}
}
g.loadAllGroups = c.LoadAllGroups
switch c.TeamNameField {
case "name", "slug", "":
@@ -142,8 +144,11 @@ type githubConnector struct {
// Used to support untrusted/self-signed CA certs.
rootCA string
// HTTP Client that trusts the custom delcared rootCA cert.
httpClient *http.Client
httpClient *http.Client
// optional choice between 'name' (default) or 'slug'
teamNameField string
// if set to true and no orgs are configured then connector loads all user claims (all orgs and team)
loadAllGroups bool
}
// groupsRequired returns whether dex requires GitHub's 'read:org' scope. Dex
@@ -325,7 +330,7 @@ func (c *githubConnector) getGroups(ctx context.Context, client *http.Client, gr
return c.groupsForOrgs(ctx, client, userLogin)
} else if c.org != "" {
return c.teamsForOrg(ctx, client, c.org)
} else if groupScope {
} else if groupScope && c.loadAllGroups {
return c.userGroups(ctx, client)
}
return nil, nil
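Review bot: The `read:org` scope may still be requested when it can no longer be used: after the getGroups hunk adds `groupScope && c.loadAllGroups`, a connector with no orgs configured and `loadAllGroups` left at its default of false falls through to `return nil, nil`, yet no visible hunk touches groupsRequired. Its body is outside this diff, so this needs confirming; if it returns true on `groupScope` alone, narrowing that term to `groupScope && c.loadAllGroups` would keep the requested OAuth scope in line with what the connector actually reads. Separately, the exported `LoadAllGroups` field in Config has no comment; something like `// LoadAllGroups, when true and no orgs are configured, returns all of the user's orgs and teams as groups. Defaults to false.` would record that the default is fail-closed and that configs relying on the old behaviour must opt in. getGroups starts and ends outside the hunk.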


@@ -115,6 +115,9 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9",
"expires_in": "30",
}},
"/user/orgs": {
data: []org{{Login: "org-1"}},
},
})
defer s.Close()
@@ -125,10 +128,18 @@ func TestUsernameIncludedInFederatedIdentity(t *testing.T) {
expectNil(t, err)
c := githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient()}
identity, err := c.HandleCallback(connector.Scopes{}, req)
identity, err := c.HandleCallback(connector.Scopes{Groups: true}, req)
expectNil(t, err)
expectEquals(t, identity.Username, "some-login")
expectEquals(t, 0, len(identity.Groups))
c = githubConnector{apiURL: s.URL, hostName: hostURL.Host, httpClient: newClient(), loadAllGroups: true}
identity, err = c.HandleCallback(connector.Scopes{Groups: true}, req)
expectNil(t, err)
expectEquals(t, identity.Username, "some-login")
expectEquals(t, identity.Groups, []string{"org-1"})
}
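Review bot: Only one half of the `groupScope && c.loadAllGroups` condition is exercised here: both new calls pass `connector.Scopes{Groups: true}`, so nothing checks that a connector built with `loadAllGroups: true` returns no groups when the groups scope was not requested. A third call after the last assertion, `identity, err = c.HandleCallback(connector.Scopes{}, req)` followed by `expectEquals(t, 0, len(identity.Groups))`, would pin that case. The group assertions would also read more clearly in a test of their own, since the enclosing function is named for the username check. The test function begins outside the hunk.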