Optionally fetch transitive groups in the Google OIDC connector

gravitational · Jan 11, 2022 · 9dbb4f2 · 9dbb4f2
1 parent 95362ee
commit 9dbb4f2
Show file tree

Hide file tree

Showing 6 changed files with 827 additions and 851 deletions.
diff --git a/api/types/oidc.go b/api/types/oidc.go
@@ -88,6 +88,10 @@ type OIDCConnector interface {
 	// https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority
 	// "Note: Although you can use service accounts in applications that run from a Google Workspace (formerly G Suite) domain, service accounts are not members of your Google Workspace account and aren’t subject to domain policies set by  administrators. For example, a policy set in the Google Workspace admin console to restrict the ability of end users to share documents outside of the domain would not apply to service accounts."
 	GetGoogleAdminEmail() string
+	// GetGoogleTransitiveGroups returns true if the connector is meant to fetch
+	// the list of transitive groups or just the groups that users directly
+	// belong to.
+	GetGoogleTransitiveGroups() bool
 }
 
 // NewOIDCConnector returns a new OIDCConnector based off a name and OIDCConnectorSpecV2.
@@ -143,6 +147,11 @@ func (o *OIDCConnectorV2) GetGoogleAdminEmail() string {
 	return o.Spec.GoogleAdminEmail
 }
 
+// GetGoogleTransitiveGroups returns true if we should fetch transitive groups
+func (o *OIDCConnectorV2) GetGoogleTransitiveGroups() bool {
+	return o.Spec.GoogleTransitiveGroups
+}
+
 // GetVersion returns resource version
 func (o *OIDCConnectorV2) GetVersion() string {
 	return o.Version