directory.Group entry for groups (#1118)

* store directory groups separate from directory users * fix group lookup, azure display name * remove fields restriction * fix test * also support email * use Email as name for google' * remove changed file * show groups on dashboard * fix test * re-add accidentally removed code
2025-08-03 16:59:22 +02:00 · 2020-07-22 11:28:53 -06:00 · 2020-07-22 11:28:53 -06:00 · 1ad243dfd1
commit 1ad243dfd1
parent 489cdd8b63
25 changed files with 525 additions and 209 deletions
--- a/authorize/evaluator/evaluator.go
+++ b/authorize/evaluator/evaluator.go
@ -30,9 +30,10 @@ import (
 )

 const (
-	sessionTypeURL       = "type.googleapis.com/session.Session"
-	userTypeURL          = "type.googleapis.com/user.User"
-	directoryUserTypeURL = "type.googleapis.com/directory.User"
+	sessionTypeURL        = "type.googleapis.com/session.Session"
+	userTypeURL           = "type.googleapis.com/user.User"
+	directoryUserTypeURL  = "type.googleapis.com/directory.User"
+	directoryGroupTypeURL = "type.googleapis.com/directory.Group"
 )

 // Evaluator specifies the interface for a policy engine.
@ -217,7 +218,16 @@ func (e *Evaluator) JWTPayload(req *Request) map[string]interface{} {
 			payload["email"] = u.GetEmail()
 		}
 		if du, ok := req.DataBrokerData.Get("type.googleapis.com/directory.User", s.GetUserId()).(*directory.User); ok {
-			payload["groups"] = du.GetGroups()
+			var groupNames []string
+			for _, groupID := range du.GetGroupIds() {
+				if dg, ok := req.DataBrokerData.Get("type.googleapis.com/directory.Group", groupID).(*directory.Group); ok {
+					groupNames = append(groupNames, dg.Name)
+				}
+			}
+			var groups []string
+			groups = append(groups, du.GetGroupIds()...)
+			groups = append(groups, groupNames...)
+			payload["groups"] = groups
 		}
 	}
 	return payload
@ -255,9 +265,9 @@ type input struct {
 }

 type dataBrokerDataInput struct {
-	Session       interface{} `json:"session,omitempty"`
-	User          interface{} `json:"user,omitempty"`
-	DirectoryUser interface{} `json:"directory_user,omitempty"`
+	Session interface{} `json:"session,omitempty"`
+	User    interface{} `json:"user,omitempty"`
+	Groups  interface{} `json:"groups,omitempty"`
 }

 func (e *Evaluator) newInput(req *Request, isValidClientCertificate bool) *input {
@ -265,7 +275,23 @@ func (e *Evaluator) newInput(req *Request, isValidClientCertificate bool) *input
 	i.DataBrokerData.Session = req.DataBrokerData.Get(sessionTypeURL, req.Session.ID)
 	if obj, ok := i.DataBrokerData.Session.(interface{ GetUserId() string }); ok {
 		i.DataBrokerData.User = req.DataBrokerData.Get(userTypeURL, obj.GetUserId())
-		i.DataBrokerData.DirectoryUser = req.DataBrokerData.Get(directoryUserTypeURL, obj.GetUserId())
+
+		user, ok := req.DataBrokerData.Get(directoryUserTypeURL, obj.GetUserId()).(*directory.User)
+		if ok {
+			var groups []string
+			for _, groupID := range user.GetGroupIds() {
+				if dg, ok := req.DataBrokerData.Get(directoryGroupTypeURL, groupID).(*directory.Group); ok {
+					if dg.Name != "" {
+						groups = append(groups, dg.Name)
+					}
+					if dg.Email != "" {
+						groups = append(groups, dg.Email)
+					}
+				}
+			}
+			groups = append(groups, user.GetGroupIds()...)
+			i.DataBrokerData.Groups = groups
+		}
 	}
 	i.HTTP = req.HTTP
 	i.Session = req.Session