

FET-118 Implement trust mapping
loafoe committed Apr 29, 2024
1 parent a78e926 commit 8bedccb
Showing 3 changed files with 40 additions and 24 deletions.
6 changes: 6 additions & 0 deletions connector/hsdp/extend_payload.go
Expand Up @@ -21,6 +21,12 @@ func (c *HSDPConnector) ExtendPayload(scopes []string, payload []byte, cdata []b

c.logger.Info("ExtendPayload called for user: ", cd.Introspect.Username)

// Check if we have a trusted org mapping
aud := originalClaims["aud"].(string)
if orgID, ok := c.audienceTrustMap[aud]; ok {
trustedOrgID = orgID
}

for _, scope := range scopes {
// Experimental fill introspect body into claims
if scope == "hsp:iam:introspect" {
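Review bot: The type assertion `originalClaims["aud"].(string)` just before the map lookup is unchecked, so a token whose `aud` claim is absent or, as RFC 7519 permits, an array of strings makes ExtendPayload panic instead of falling through to the default trustedOrgID. Use the two-value form and only consult the map when it succeeds: `aud, isStr := originalClaims["aud"].(string)` followed by `if orgID, ok := c.audienceTrustMap[aud]; isStr && ok {`. The hunk does not show where originalClaims comes from; because the audience now decides which org is trusted, it is worth confirming the claims were taken from a signature-verified token and recording that with a comment such as `// aud must come from a verified token: it selects the trusted org`. ExtendPayload starts and ends outside the hunk.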
55 changes: 31 additions & 24 deletions connector/hsdp/hsdp.go
Expand Up @@ -24,15 +24,16 @@ import (

// Config holds configuration options for OpenID Connect logins.
type Config struct {
Issuer string `json:"issuer"`
InsecureIssuer string `json:"insecureIssuer"`
ClientID string `json:"clientID"`
ClientSecret string `json:"clientSecret"`
RedirectURI string `json:"redirectURI"`
TrustedOrgID string `json:"trustedOrgID"`
SAML2LoginURL string `json:"saml2LoginURL"`
IAMURL string `json:"iamURL"`
IDMURL string `json:"idmURL"`
Issuer string `json:"issuer"`
InsecureIssuer string `json:"insecureIssuer"`
ClientID string `json:"clientID"`
ClientSecret string `json:"clientSecret"`
RedirectURI string `json:"redirectURI"`
TrustedOrgID string `json:"trustedOrgID"`
AudienceTrustMap AudienceTrustMap `json:"audienceTrustMap"`
SAML2LoginURL string `json:"saml2LoginURL"`
IAMURL string `json:"iamURL"`
IDMURL string `json:"idmURL"`

// Extensions implemented by HSP IAM
Extension
Expand Down Expand Up @@ -66,15 +67,18 @@ type Extension struct {
IntrospectionEndpoint string `json:"introspection_endpoint"`
}

type AudienceTrustMap map[string]string

// ConnectorData stores information for sessions authenticated by this connector
type ConnectorData struct {
RefreshToken []byte
AccessToken []byte
Assertion []byte
Groups []string
TrustedIDPOrg string
Introspect iam.IntrospectResponse
User iam.Profile
RefreshToken []byte
AccessToken []byte
Assertion []byte
Groups []string
TrustedIDPOrg string
AudienceTrustMap AudienceTrustMap
Introspect iam.IntrospectResponse
User iam.Profile
}

// Open returns a connector which can be used to log in users through an upstream
Expand Down Expand Up @@ -129,14 +133,15 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e

clientID := c.ClientID
return &HSDPConnector{
provider: provider,
client: client,
redirectURI: c.RedirectURI,
introspectURI: c.IntrospectionEndpoint,
trustedOrgID: c.TrustedOrgID,
samlLoginURL: c.SAML2LoginURL,
clientID: c.ClientID,
clientSecret: c.ClientSecret,
provider: provider,
client: client,
redirectURI: c.RedirectURI,
introspectURI: c.IntrospectionEndpoint,
trustedOrgID: c.TrustedOrgID,
audienceTrustMap: c.AudienceTrustMap,
samlLoginURL: c.SAML2LoginURL,
clientID: c.ClientID,
clientSecret: c.ClientSecret,
oauth2Config: &oauth2.Config{
ClientID: clientID,
ClientSecret: c.ClientSecret,
Expand Down Expand Up @@ -192,6 +197,7 @@ type HSDPConnector struct {
tenantGroups []string
insecureSkipEmailVerified bool
promptType string
audienceTrustMap AudienceTrustMap
}

func (c *HSDPConnector) isSAML() bool {
Expand Down Expand Up @@ -413,6 +419,7 @@ func (c *HSDPConnector) createIdentity(ctx context.Context, identity connector.I
cd.Groups = identity.Groups
}
cd.TrustedIDPOrg = trustedOrgID
cd.AudienceTrustMap = c.audienceTrustMap

// Attach connector data
connData, err := json.Marshal(&cd)
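Review bot: In the last hunk, `cd.AudienceTrustMap = c.audienceTrustMap` copies the whole configured map into ConnectorData, which the next lines then json.Marshal into connData, so every session record carries the complete audience-to-org configuration and keeps a stale copy if the config is later changed; the lookup in extend_payload.go reads `c.audienceTrustMap` from the connector, not from ConnectorData, so the visible code never uses the stored copy. Unless something outside these hunks reads `cd.AudienceTrustMap`, the field on ConnectorData (second hunk) and this assignment can be dropped, leaving the already-resolved `cd.TrustedIDPOrg` as the per-session value. The new exported type in the second hunk also lacks a doc comment; `// AudienceTrustMap maps a token audience to the org ID trusted for it.` would do. createIdentity and Open both start outside their hunks.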
3 changes: 3 additions & 0 deletions connector/hsdp/hsdp_test.go
Expand Up @@ -78,6 +78,9 @@ func TestHandleCallback(t *testing.T) {
RedirectURI: fmt.Sprintf("%s/callback", serverURL),
BasicAuthUnsupported: &basicAuth,
TenantGroups: []string{"logreaders"},
AudienceTrustMap: map[string]string{
"clientID": "tenantID",
},
}

conn, err := newConnector(config)
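Review bot: The test now configures `AudienceTrustMap`, but nothing in this hunk asserts that a callback whose token has audience "clientID" ends up with trusted org "tenantID", so the mapping added in this commit appears to have no coverage unless TestHandleCallback, which starts before the hunk, checks it elsewhere. An assertion on the resulting TrustedIDPOrg, plus one for a token whose `aud` is not in the map, would pin both the mapped and the fallback behaviour.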
