From e7e70dbac6e889ef152af234914874baced3f0dd Mon Sep 17 00:00:00 2001
From: MichaelKo
Date: Tue, 30 May 2023 11:07:04 +0200
Subject: [PATCH] Chore: Adding "allowed_groups" Configuration Parameter to Generic OAuth Method (#69025)
* feat: add allowed_groups for Generic OAuth
* docs: add allowed_groups more docs for Generic OAuth
---
 conf/defaults.ini | 1 +
 .../generic-oauth/index.md | 3 +++
 pkg/login/social/generic_oauth.go | 21 +++++++++++++++++++
 pkg/login/social/social.go | 1 +
 4 files changed, 26 insertions(+)
diff --git a/conf/defaults.ini b/conf/defaults.ini
index 4a7c485db66..43aa0183205 100644
--- a/conf/defaults.ini
+++ b/conf/defaults.ini
@@ -736,6 +736,7 @@ token_url =
 api_url =
 teams_url =
 allowed_domains =
+allowed_groups =
 team_ids =
 allowed_organizations =
 tls_skip_verify_insecure = false
diff --git a/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md b/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md
index 09d1eb36d4e..e510f2990b3 100644
--- a/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md
+++ b/docs/sources/setup-grafana/configure-security/configure-authentication/generic-oauth/index.md
@@ -45,6 +45,7 @@ auth_url =
 token_url =
 api_url =
 allowed_domains = mycompany.com mycompany.org
+allowed_groups = ["Admins", "Software Engineers"]
 tls_skip_verify_insecure = false
 tls_client_cert =
 tls_client_key =
@@ -85,6 +86,8 @@ Similarly, group mappings are made using [JMESPath](http://jmespath.org/examples Furthermore, Grafana will check for the presence of at least one of the teams specified via the `team_ids` configuration option using the [JMESPath](http://jmespath.org/examples.html) specified via the `team_ids_attribute_path` configuration option. The JSON used for the path lookup is the HTTP response obtained from querying the Teams endpoint specified via the `teams_url` configuration option (using `/teams` as a fallback endpoint). The result should be a string array of Grafana Team IDs. Using this setting ensures that only certain teams is allowed to authenticate to Grafana using your OAuth provider. +You can limit access to only members of a given group or list of groups by setting the `allowed_groups` option. + ### Login Customize user login using `login_attribute_path` configuration option. Order of operations is as follows:
diff --git a/pkg/login/social/generic_oauth.go b/pkg/login/social/generic_oauth.go
index 637d0b6f765..e755b85e4eb 100644
--- a/pkg/login/social/generic_oauth.go
+++ b/pkg/login/social/generic_oauth.go
@@ -31,6 +31,23 @@ type SocialGenericOAuth struct {
 idTokenAttributeName string
 teamIdsAttributePath string
 teamIds []string
+ allowedGroups []string
+}
+
+func (s *SocialGenericOAuth) IsGroupMember(groups []string) bool {
+ if len(s.allowedGroups) == 0 {
+ return true
+ }
+
+ for _, allowedGroup := range s.allowedGroups {
+ for _, group := range groups {
+ if group == allowedGroup {
+ return true
+ }
+ }
+ }
+
+ return false
 }
 func (s *SocialGenericOAuth) IsTeamMember(client *http.Client) bool {
@@ -182,6 +199,10 @@ func (s *SocialGenericOAuth) UserInfo(client *http.Client, token *oauth2.Token)
 return nil, errors.New("user not a member of one of the required organizations")
 }
+ if !s.IsGroupMember(userInfo.Groups) {
+ return nil, errMissingGroupMembership
+ }
+
 s.log.Debug("User info result", "result", userInfo)
 return userInfo, nil
 }
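Review bot: IsGroupMember is exported but has no doc comment, and its two non-obvious access-control properties — an empty allowed list admits every user, and the match is exact and case-sensitive — belong at the declaration; suggested: `// IsGroupMember reports whether any of groups is in the configured allowed_groups list. An empty list allows all users; comparison is exact and case-sensitive.` The fail-open default presumably mirrors the allowedOrganizations and teamIds checks on the same struct (their bodies are not in this hunk), but spelling it out keeps operators from assuming an empty value denies access. The nested loop is fine at these sizes, though a `map[string]struct{}` built once from s.allowedGroups would read more directly if the lists grow.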
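Review bot: The new denial branch returns errMissingGroupMembership with no diagnostic, so an operator debugging a locked-out user cannot tell whether userInfo.Groups was empty (nothing extracted from the provider response) or simply did not intersect allowed_groups; consider `s.log.Debug("User is not a member of any allowed group", "allowedGroups", s.allowedGroups, "userGroups", userInfo.Groups)` before the return, in the style of the existing "User info result" line two lines below. errMissingGroupMembership is not introduced by this patch, so it is presumably an existing package-level sentinel shared with other providers — worth confirming it is surfaced to the login flow the same way the organization error on the line above is. UserInfo begins outside the hunk.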
diff --git a/pkg/login/social/social.go b/pkg/login/social/social.go
index 4921badabdc..a379d06ef8c 100644
--- a/pkg/login/social/social.go
+++ b/pkg/login/social/social.go
@@ -214,6 +214,7 @@ func ProvideService(cfg *setting.Cfg,
 teamIdsAttributePath: sec.Key("team_ids_attribute_path").String(),
 teamIds: sec.Key("team_ids").Strings(","),
 allowedOrganizations: util.SplitString(sec.Key("allowed_organizations").String()),
+ allowedGroups: util.SplitString(sec.Key("allowed_groups").String()),
 }
 }
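Review bot: allowed_groups is parsed with util.SplitString, the same helper used for allowed_organizations on the line above, while the docs hunk in this patch shows the value written as `["Admins", "Software Engineers"]`; unless SplitString strips the brackets and quotes and keeps a name with a space as one token (its behaviour is not visible here), that example produces tokens that never equal a provider group name and IsGroupMember denies everyone. That is fail-closed rather than a bypass, but it is a confusing lockout, so either confirm SplitString accepts that syntax or align the docs example with the plain space-separated form shown for allowed_domains. A short comment on the new line, `// parsed like allowed_organizations; group names must match the provider's values exactly`, would help the next reader. ProvideService starts outside the hunk.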