Commit 01df95f6 authored by ale's avatar ale

Enforce group membership checks in the SAML server

parent d00e7f54
Pipeline #7585 passed with stages
in 29 seconds
......@@ -124,6 +124,20 @@ func (c *Config) GetSSOGroups(serviceProviderID string) []string {
return sp.SSOGroups
}
func (c *Config) GetAllSSOGroups() []string {
tmp := make(map[string]struct{})
for _, sp := range c.serviceProviderMap {
for _, group := range sp.SSOGroups {
tmp[group] = struct{}{}
}
}
var out []string
for group := range tmp {
out = append(out, group)
}
return out
}
// Read users from a YAML-encoded file, in a format surprisingly
// compatible with git.autistici.org/id/auth/server.
//
......@@ -311,7 +325,7 @@ func NewSAMLIDP(config *Config) (http.Handler, error) {
h := idp.Handler()
root := mux.NewRouter()
root.PathPrefix(ssoURL.Path).Handler(w.Wrap(h, svc, nil))
root.PathPrefix(ssoURL.Path).Handler(w.Wrap(h, svc, config.GetAllSSOGroups()))
root.Handle(metadataURL.Path, h)
return root, nil
}
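Review bot: The wrapper on `root.PathPrefix(ssoURL.Path)` now receives the union of every service provider's groups from `config.GetAllSSOGroups()`, so on its own it can only establish that the user belongs to some group configured for some provider, not to the groups of the provider the SAML request names. Unless the IDP handler separately checks the authenticated user's groups against `GetSSOGroups(serviceProviderID)` (not visible in these hunks; `NewSAMLIDP` begins outside the hunk), a member of one provider's group would pass this gate for every other provider. Depending on how `Wrap` treats a non-empty list, a provider configured with no `SSOGroups` may also now be gated by other providers' groups, which is worth confirming against the intended meaning of an empty list. I would state the contract on the new method, e.g. `// GetAllSSOGroups returns the union of SSOGroups across all service providers; it is not a per-provider authorization check.` The result order also follows map iteration and is therefore random, so a `sort.Strings(out)` before the return would keep logs and tests stable.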
......