From 01df95f6610eaf3f8a217b8465b1a5b025610043 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sun, 23 Aug 2020 22:46:17 +0100
Subject: [PATCH] Enforce group membership checks in the SAML server

---
 saml/saml.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/saml/saml.go b/saml/saml.go
index 64a39e9..471af5a 100644
--- a/saml/saml.go
+++ b/saml/saml.go
@@ -124,6 +124,20 @@ func (c *Config) GetSSOGroups(serviceProviderID string) []string {
 	return sp.SSOGroups
 }
 
+func (c *Config) GetAllSSOGroups() []string {
+	tmp := make(map[string]struct{})
+	for _, sp := range c.serviceProviderMap {
+		for _, group := range sp.SSOGroups {
+			tmp[group] = struct{}{}
+		}
+	}
+	var out []string
+	for group := range tmp {
+		out = append(out, group)
+	}
+	return out
+}
+
 // Read users from a YAML-encoded file, in a format surprisingly
 // compatible with git.autistici.org/id/auth/server.
 //
@@ -311,7 +325,7 @@ func NewSAMLIDP(config *Config) (http.Handler, error) {
 	h := idp.Handler()
 
 	root := mux.NewRouter()
-	root.PathPrefix(ssoURL.Path).Handler(w.Wrap(h, svc, nil))
+	root.PathPrefix(ssoURL.Path).Handler(w.Wrap(h, svc, config.GetAllSSOGroups()))
 	root.Handle(metadataURL.Path, h)
 	return root, nil
 }
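Review bot: The group check installed on the PathPrefix handler is the union of every service provider's SSOGroups, so a user who belongs to the group of one provider passes this check for the SSO endpoints of all providers; per-provider enforcement presumably still has to happen inside the IdP handler via GetSSOGroups(serviceProviderID), and that division of responsibility is not visible in this hunk. A short comment at the call site would prevent a future reader from taking the wrapper as the complete authorization, e.g. `// Coarse gate only: any configured SSO group may reach the SSO path; per-SP group checks happen in the IdP handler.` NewSAMLIDP starts outside the hunk, and I cannot see from here whether w.Wrap treats an empty slice differently from nil.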
-- 
GitLab