FET-118 Implement trust mapping

philips-forks · Feb 13, 2024 · 2549844 · 2549844
1 parent fe6673c
commit 2549844
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 24 deletions.
diff --git a/connector/hsdp/extend_payload.go b/connector/hsdp/extend_payload.go
@@ -21,6 +21,12 @@ func (c *HSDPConnector) ExtendPayload(scopes []string, payload []byte, cdata []b
 
 	c.logger.Info("ExtendPayload called for user: ", cd.Introspect.Username)
 
+	// Check if we have a trusted org mapping
+	aud := originalClaims["aud"].(string)
+	if orgID, ok := c.audienceTrustMap[aud]; ok {
+		trustedOrgID = orgID
+	}
+
 	for _, scope := range scopes {
 		// Experimental fill introspect body into claims
 		if scope == "hsp:iam:introspect" {

diff --git a/connector/hsdp/hsdp.go b/connector/hsdp/hsdp.go
@@ -24,15 +24,16 @@ import (
 
 // Config holds configuration options for OpenID Connect logins.
 type Config struct {
-	Issuer         string `json:"issuer"`
-	InsecureIssuer string `json:"insecureIssuer"`
-	ClientID       string `json:"clientID"`
-	ClientSecret   string `json:"clientSecret"`
-	RedirectURI    string `json:"redirectURI"`
-	TrustedOrgID   string `json:"trustedOrgID"`
-	SAML2LoginURL  string `json:"saml2LoginURL"`
-	IAMURL         string `json:"iamURL"`
-	IDMURL         string `json:"idmURL"`
+	Issuer           string           `json:"issuer"`
+	InsecureIssuer   string           `json:"insecureIssuer"`
+	ClientID         string           `json:"clientID"`
+	ClientSecret     string           `json:"clientSecret"`
+	RedirectURI      string           `json:"redirectURI"`
+	TrustedOrgID     string           `json:"trustedOrgID"`
+	AudienceTrustMap AudienceTrustMap `json:"audienceTrustMap"`
+	SAML2LoginURL    string           `json:"saml2LoginURL"`
+	IAMURL           string           `json:"iamURL"`
+	IDMURL           string           `json:"idmURL"`
 
 	// Extensions implemented by HSP IAM
 	Extension
@@ -66,15 +67,18 @@ type Extension struct {
 	IntrospectionEndpoint string `json:"introspection_endpoint"`
 }
 
+type AudienceTrustMap map[string]string
+
 // ConnectorData stores information for sessions authenticated by this connector
 type ConnectorData struct {
-	RefreshToken  []byte
-	AccessToken   []byte
-	Assertion     []byte
-	Groups        []string
-	TrustedIDPOrg string
-	Introspect    iam.IntrospectResponse
-	User          iam.Profile
+	RefreshToken     []byte
+	AccessToken      []byte
+	Assertion        []byte
+	Groups           []string
+	TrustedIDPOrg    string
+	AudienceTrustMap AudienceTrustMap
+	Introspect       iam.IntrospectResponse
+	User             iam.Profile
 }
 
 // Open returns a connector which can be used to log in users through an upstream
@@ -129,14 +133,15 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
 
 	clientID := c.ClientID
 	return &HSDPConnector{
-		provider:      provider,
-		client:        client,
-		redirectURI:   c.RedirectURI,
-		introspectURI: c.IntrospectionEndpoint,
-		trustedOrgID:  c.TrustedOrgID,
-		samlLoginURL:  c.SAML2LoginURL,
-		clientID:      c.ClientID,
-		clientSecret:  c.ClientSecret,
+		provider:         provider,
+		client:           client,
+		redirectURI:      c.RedirectURI,
+		introspectURI:    c.IntrospectionEndpoint,
+		trustedOrgID:     c.TrustedOrgID,
+		audienceTrustMap: c.AudienceTrustMap,
+		samlLoginURL:     c.SAML2LoginURL,
+		clientID:         c.ClientID,
+		clientSecret:     c.ClientSecret,
 		oauth2Config: &oauth2.Config{
 			ClientID:     clientID,
 			ClientSecret: c.ClientSecret,
@@ -192,6 +197,7 @@ type HSDPConnector struct {
 	tenantGroups              []string
 	insecureSkipEmailVerified bool
 	promptType                string
+	audienceTrustMap          AudienceTrustMap
 }
 
 func (c *HSDPConnector) isSAML() bool {
@@ -413,6 +419,7 @@ func (c *HSDPConnector) createIdentity(ctx context.Context, identity connector.I
 		cd.Groups = identity.Groups
 	}
 	cd.TrustedIDPOrg = trustedOrgID
+	cd.AudienceTrustMap = c.audienceTrustMap
 
 	// Attach connector data
 	connData, err := json.Marshal(&cd)

diff --git a/connector/hsdp/hsdp_test.go b/connector/hsdp/hsdp_test.go
@@ -78,6 +78,9 @@ func TestHandleCallback(t *testing.T) {
 				RedirectURI:          fmt.Sprintf("%s/callback", serverURL),
 				BasicAuthUnsupported: &basicAuth,
 				TenantGroups:         []string{"logreaders"},
+				AudienceTrustMap: map[string]string{
+					"clientID": "tenantID",
+				},
 			}
 
 			conn, err := newConnector(config)