k-space/dex
Archived
11
0
Fork 0
Code Issues Pull Requests Packages Projects Activity

connector/google: support group whitelisting

Browse Source 
Signed-off-by: Nandor Kracser <bonifaido@gmail.com>
This commit is contained in:
Nandor Kracser
2019-12-03 16:27:07 +01:00
parent c41035732f
commit a38e215891
2 changed files with 22 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
connector/google/google.go
View File

@@ -13,9 +13,10 @@ import (
"golang.org/x/oauth2"
"github.com/dexidp/dex/connector"
pkg_groups "github.com/dexidp/dex/pkg/groups"
"github.com/dexidp/dex/pkg/log"
"golang.org/x/oauth2/google"
"google.golang.org/api/admin/directory/v1"
admin "google.golang.org/api/admin/directory/v1"
)
const (
@@ -34,6 +35,10 @@ type Config struct {
// If this field is nonempty, only users from a listed domain will be allowed to log in
HostedDomains []string `json:"hostedDomains"`
// Optional list of whitelisted groups
// If this field is nonempty, only users from a listed group will be allowed to log in
Groups []string `json:"groups"`
// Optional path to service account json
// If nonempty, and groups claim is made, will use authentication from file to
// check groups with the admin directory api
@@ -84,6 +89,7 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
logger: logger,
cancel: cancel,
hostedDomains: c.HostedDomains,
groups: c.Groups,
serviceAccountFilePath: c.ServiceAccountFilePath,
adminEmail: c.AdminEmail,
adminSrv: srv,
@@ -103,6 +109,7 @@ type googleConnector struct {
cancel context.CancelFunc
logger log.Logger
hostedDomains []string
groups []string
serviceAccountFilePath string
adminEmail string
adminSrv *admin.Service
@@ -211,6 +218,13 @@ func (c *googleConnector) createIdentity(ctx context.Context, identity connector
if err != nil {
return identity, fmt.Errorf("google: could not retrieve groups: %v", err)
}
if len(c.groups) > 0 {
groups = pkg_groups.Filter(groups, c.groups)
if len(groups) == 0 {
return identity, fmt.Errorf("google: user %q is not in any of the required groups", claims.Username)
}
}
}
identity = connector.Identity{