Corrected logic in group verification
sabre1041 committed Dec 27, 2019
1 parent 296659c commit d31f6ea
Showing 2 changed files with 29 additions and 9 deletions.
14 changes: 8 additions & 6 deletions connector/openshift/openshift.go
Expand Up @@ -165,10 +165,12 @@ func (c *openshiftConnector) HandleCallback(s connector.Scopes, r *http.Request)
return identity, fmt.Errorf("openshift: get user: %v", err)
}

validGroups := validateRequiredGroups(user.Groups, c.groups)
if len(c.groups) > 0 {
validGroups := validateAllowedGroups(user.Groups, c.groups)

if !validGroups {
return identity, fmt.Errorf("openshift: user %q is not in any of the required groups", user.Name)
if !validGroups {
return identity, fmt.Errorf("openshift: user %q is not in any of the required groups", user.Name)
}
}

identity = connector.Identity{
Expand Down Expand Up @@ -211,10 +213,10 @@ func (c *openshiftConnector) user(ctx context.Context, client *http.Client) (u u
return u, err
}

func validateRequiredGroups(userGroups, requiredGroups []string) bool {
matchingGroups := groups.Filter(userGroups, requiredGroups)
func validateAllowedGroups(userGroups, allowedGroups []string) bool {
matchingGroups := groups.Filter(userGroups, allowedGroups)

return len(requiredGroups) == len(matchingGroups)
return len(matchingGroups) != 0
}

// newHTTPClient returns a new HTTP client
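Review bot: The new `if len(c.groups) > 0` guard in HandleCallback makes an empty `groups` setting mean "no restriction", so every user that OpenShift authenticates is accepted, and nothing in the code says that this fail-open default is intended. `validateAllowedGroups` on its own returns false for an empty allow-list (assuming `groups.Filter` returns the intersection, which is not visible here), so the policy is now split between caller and helper. I would add `// No groups configured: group membership is not checked.` above the guard and a doc comment on the helper such as `// validateAllowedGroups reports whether userGroups contains at least one of allowedGroups.` The change from all-of to any-of matching also widens access for configurations that list several groups, which deserves a line in the connector documentation. HandleCallback starts and ends outside the hunk.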
24 changes: 21 additions & 3 deletions connector/openshift/openshift_test.go
Expand Up @@ -83,11 +83,29 @@ func TestGetUser(t *testing.T) {
expectEquals(t, len(u.Groups), 1)
}

func TestVerifyGroupFn(t *testing.T) {
requiredGroups := []string{"users"}
func TestVerifySingleGroupFn(t *testing.T) {
allowedGroups := []string{"users"}
groupMembership := []string{"users", "org1"}

validGroupMembership := validateRequiredGroups(groupMembership, requiredGroups)
validGroupMembership := validateAllowedGroups(groupMembership, allowedGroups)

expectEquals(t, validGroupMembership, true)
}

func TestVerifySingleGroupFailureFn(t *testing.T) {
allowedGroups := []string{"admins"}
groupMembership := []string{"users"}

validGroupMembership := validateAllowedGroups(groupMembership, allowedGroups)

expectEquals(t, validGroupMembership, false)
}

func TestVerifyMultipleGroupFn(t *testing.T) {
allowedGroups := []string{"users", "admins"}
groupMembership := []string{"users", "org1"}

validGroupMembership := validateAllowedGroups(groupMembership, allowedGroups)

expectEquals(t, validGroupMembership, true)
}
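Review bot: The three tests cover only non-empty inputs, so the deny path for a user with no groups and the empty allow-list case are not pinned, and the second one is what the `len(c.groups) > 0` guard in openshift.go depends on. Adding the two cases below would make a later change to that guard or to `groups.Filter` show up as a test failure. The expected values assume `groups.Filter` returns only the groups present in both slices; that helper is not visible on this page, so confirm before merging.

```go
func TestVerifyNoGroupMembershipFn(t *testing.T) {
	allowedGroups := []string{"users"}
	groupMembership := []string{}

	validGroupMembership := validateAllowedGroups(groupMembership, allowedGroups)

	expectEquals(t, validGroupMembership, false)
}

func TestVerifyEmptyAllowedGroupsFn(t *testing.T) {
	allowedGroups := []string{}
	groupMembership := []string{"users"}

	validGroupMembership := validateAllowedGroups(groupMembership, allowedGroups)

	expectEquals(t, validGroupMembership, false)
}
```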
