Added an OIDC AllowGroups option for authorization.
This commit is contained in:
Zachary Newell
Kristoffer Dalby
parent
4453728614
commit
70f2f5d750
4 changed files with 44 additions and 0 deletions
38
oidc.go
38
oidc.go
|
|
@ -25,6 +25,7 @@ const (
|
|||
errEmptyOIDCCallbackParams = Error("empty OIDC callback params")
|
||||
errNoOIDCIDToken = Error("could not extract ID Token for OIDC callback")
|
||||
errOIDCAllowedDomains = Error("authenticated principal does not match any allowed domain")
|
||||
errOIDCAllowedGroups = Error("authenticated principal is not in any allowed group")
|
||||
errOIDCAllowedUsers = Error("authenticated principal does not match any allowed user")
|
||||
errOIDCInvalidMachineState = Error("requested machine state key expired before authorisation completed")
|
||||
errOIDCNodeKeyMissing = Error("could not get node key from cache")
|
||||
|
|
@ -209,6 +210,10 @@ func (h *Headscale) OIDCCallback(
|
|||
return
|
||||
}
|
||||
|
||||
if err := validateOIDCAllowedGroups(writer, h.cfg.OIDC.AllowedGroups, claims); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
if err := validateOIDCAllowedUsers(writer, h.cfg.OIDC.AllowedUsers, claims); err != nil {
|
||||
return
|
||||
}
|
||||
|
|
@ -404,6 +409,39 @@ func validateOIDCAllowedDomains(
|
|||
return nil
|
||||
}
|
||||
|
||||
// validateOIDCAllowedGroups checks if AllowedGroups is provided,
|
||||
// and that the user has one group in the list.
|
||||
// claims.Groups can be populated by adding a client scope named
|
||||
// 'groups' that contains group membership.
|
||||
func validateOIDCAllowedGroups(
|
||||
writer http.ResponseWriter,
|
||||
allowedGroups []string,
|
||||
claims *IDTokenClaims,
|
||||
) error {
|
||||
if len(allowedGroups) > 0 {
|
||||
for _, group := range allowedGroups {
|
||||
if IsStringInSlice(claims.Groups, group) {
|
||||
return nil
|
||||
}
|
||||
}
|
||||
|
||||
log.Error().Msg("authenticated principal not in any allowed groups")
|
||||
writer.Header().Set("Content-Type", "text/plain; charset=utf-8")
|
||||
writer.WriteHeader(http.StatusBadRequest)
|
||||
_, err := writer.Write([]byte("unauthorized principal (allowed groups)"))
|
||||
if err != nil {
|
||||
log.Error().
|
||||
Caller().
|
||||
Err(err).
|
||||
Msg("Failed to write response")
|
||||
}
|
||||
|
||||
return errOIDCAllowedGroups
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// validateOIDCAllowedUsers checks that if AllowedUsers is provided,
|
||||
// that the authenticated principal is part of that list.
|
||||
func validateOIDCAllowedUsers(
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue