auth.gitlab: account for role_attribute_path_strict (grafana#50088)
gamab authored Jun 3, 2022
1 parent a165b40 commit 6c7b6a7
Showing 2 changed files with 13 additions and 7 deletions.
11 changes: 8 additions & 3 deletions pkg/login/social/gitlab_oauth.go
@@ -2,6 +2,7 @@ package social

import (
"encoding/json"
"errors"
"fmt"
"net/http"
"regexp"
@@ -13,9 +14,10 @@ import (

type SocialGitlab struct {
*SocialBase
allowedGroups []string
apiUrl string
roleAttributePath string
allowedGroups []string
apiUrl string
roleAttributePath string
roleAttributeStrict bool
}

func (s *SocialGitlab) Type() int {
@@ -119,6 +121,9 @@ func (s *SocialGitlab) UserInfo(client *http.Client, token *oauth2.Token) (*Basi
if err != nil {
s.log.Error("Failed to extract role", "error", err)
}
if s.roleAttributeStrict && !models.RoleType(role).IsValid() {
return nil, errors.New("invalid role")
}

userInfo := &BasicUserInfo{
Id: fmt.Sprintf("%d", data.Id),
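Review bot: The strict-mode rejection at `if s.roleAttributeStrict && !models.RoleType(role).IsValid()` returns a bare `errors.New("invalid role")` and logs nothing, so a denied login cannot be told apart from other UserInfo failures and leaves no record of which mapped value was refused. I would log at the point of denial, e.g. `s.log.Warn("Denying login: role_attribute_path_strict is set and no valid role was mapped", "role", role)`, and return a package-level sentinel error that callers can match with `errors.Is`. The check appears to fail closed when role extraction itself errors, assuming `role` is left empty on that path (its assignment is outside the hunk); a short comment stating that this is intended would help the next reader. Neither of the two changed files is a test, so a case covering strict mode with a missing role and with an unmapped role would pin the behaviour. UserInfo starts and ends outside the hunk.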
9 changes: 5 additions & 4 deletions pkg/login/social/social.go
@@ -130,10 +130,11 @@ func ProvideService(cfg *setting.Cfg) *SocialService {
// GitLab.
if name == "gitlab" {
ss.socialMap["gitlab"] = &SocialGitlab{
SocialBase: newSocialBase(name, &config, info),
apiUrl: info.ApiUrl,
allowedGroups: util.SplitString(sec.Key("allowed_groups").String()),
roleAttributePath: info.RoleAttributePath,
SocialBase: newSocialBase(name, &config, info),
apiUrl: info.ApiUrl,
allowedGroups: util.SplitString(sec.Key("allowed_groups").String()),
roleAttributePath: info.RoleAttributePath,
roleAttributeStrict: info.RoleAttributeStrict,
}
}

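Review bot: `roleAttributeStrict` has to be copied by hand in each provider's branch of ProvideService, so a provider that reads `roleAttributePath` but omits this line silently ignores `role_attribute_path_strict` and keeps admitting users for whom no valid role was mapped, which appears to be the state GitLab was in before this change. It is worth checking the other provider branches (outside this hunk) for the same omission, or carrying the flag on `SocialBase` so that `newSocialBase(name, &config, info)` sets it once for every provider. At minimum a comment on the new field line, `// deny login when no valid role is mapped; set this for every provider that maps roles`, would make the requirement visible. ProvideService starts and ends outside the hunk.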
