Enforce group membership checks in the SAML server

01df95f6 · ale · d00e7f54 · 01df95f6
Commit 01df95f6 authored Aug 23, 2020 by ale
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 1 deletion

saml/saml.go saml/saml.go +15 -1

No files found.
--- a/saml/saml.go
+++ b/saml/saml.go
@@ -124,6 +124,20 @@ func (c *Config) GetSSOGroups(serviceProviderID string) []string {
 	return sp.SSOGroups
 }

+func (c *Config) GetAllSSOGroups() []string {
+	tmp := make(map[string]struct{})
+	for _, sp := range c.serviceProviderMap {
+		for _, group := range sp.SSOGroups {
+			tmp[group] = struct{}{}
+		}
+	}
+	var out []string
+	for group := range tmp {
+		out = append(out, group)
+	}
+	return out
+}
+
 // Read users from a YAML-encoded file, in a format surprisingly
 // compatible with git.autistici.org/id/auth/server.
 //
@@ -311,7 +325,7 @@ func NewSAMLIDP(config *Config) (http.Handler, error) {
 	h := idp.Handler()

 	root := mux.NewRouter()
-	root.PathPrefix(ssoURL.Path).Handler(w.Wrap(h, svc, nil))
+	root.PathPrefix(ssoURL.Path).Handler(w.Wrap(h, svc, config.GetAllSSOGroups()))
 	root.Handle(metadataURL.Path, h)
 	return root, nil
 }