From 1d1311a2400256d42d22a16fc02606379901058b Mon Sep 17 00:00:00 2001
From: Bobby DeSimone
Date: Wed, 24 Jun 2020 16:01:08 -0700
Subject: [PATCH] config: error if groups are used without service account
Signed-off-by: Bobby DeSimone
---
 .gitignore | 2 ++
 config/options.go | 10 ++++++++++
 config/options_test.go | 2 +-
 docs/docs/identity-providers/azure.md | 1 +
 docs/docs/identity-providers/google.md | 2 +-
 docs/docs/identity-providers/readme.md | 1 +
 6 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/.gitignore b/.gitignore
index 8fb4b03de..0f9d4eaae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -86,3 +86,5 @@ docs/.vuepress/dist/
 .pomerium/
 !.pre-commit-config.yaml
+
+.service-accounts
\ No newline at end of file
diff --git a/config/options.go b/config/options.go
index 3cf03f001..06fc322c0 100644
--- a/config/options.go
+++ b/config/options.go
@@ -579,6 +579,16 @@ func (o *Options) Validate() error {
 }
 }
+ // if no service account was defined, there should not be any policies that
+ // assert group membership
+ if o.ServiceAccount == "" {
+ for _, p := range o.Policies {
+ if len(p.AllowedGroups) != 0 {
+ return fmt.Errorf("config: `allowed_groups` requires `idp_service_account`")
+ }
+ }
+ }
+
 // strip quotes from redirect address (#811)
 o.HTTPRedirectAddr = strings.Trim(o.HTTPRedirectAddr, `"'`)
diff --git a/config/options_test.go b/config/options_test.go
index ad69e7b92..5c760e453 100644
--- a/config/options_test.go
+++ b/config/options_test.go
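Review bot: The `fmt.Errorf` on the new `return` line has no format verbs (`go vet`/staticcheck flag this) and the error does not say which policy tripped the check, which makes the failure hard to act on when many routes are configured. Ranging by index gives both and avoids copying each policy value: `for i := range o.Policies {` / `if len(o.Policies[i].AllowedGroups) != 0 {` / keep the existing message text but prefix it with `policy %d: ` and pass `i` as the argument. The guard is the right fail-closed direction — without a service account to sync directory data a group-based rule can never be evaluated as written, and rejecting the config at load time beats a silently dead rule; if any other policy field also depends on directory data, it presumably needs the same guard. Validate() starts and ends outside the hunk.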
@@ -250,8 +250,8 @@ func TestOptionsFromViper(t *testing.T) {
 false},
 {"bad url", []byte(`{"policy":[{"from": "https://","to":"https://to.example"}]}`), nil, true},
 {"bad policy", []byte(`{"policy":[{"allow_public_unauthenticated_access": "dog","to":"https://to.example"}]}`), nil, true},
- {"bad file", []byte(`{''''}`), nil, true},
+ {"allowed_groups without idp_service_account should fail", []byte(`{"autocert_dir":"","insecure_server":true,"policy":[{"from": "https://from.example","to":"https://to.example","allowed_groups": "['group1']"}]}`), nil, true},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
diff --git a/docs/docs/identity-providers/azure.md b/docs/docs/identity-providers/azure.md
index 523adad81..17d867053 100644
--- a/docs/docs/identity-providers/azure.md
+++ b/docs/docs/identity-providers/azure.md
@@ -121,6 +121,7 @@ IDP_PROVIDER="azure"
 IDP_PROVIDER_URL="https://login.microsoftonline.com/{REPLACE-ME-SEE-ABOVE}/v2.0"
 IDP_CLIENT_ID="REPLACE-ME"
 IDP_CLIENT_SECRET="REPLACE-ME"
+IDP_SERVICE_ACCOUNT="REPLACE-ME-SEE-ABOVE"
 ```
 [client id]: ../../configuration/readme.md#identity-provider-client-id
diff --git a/docs/docs/identity-providers/google.md b/docs/docs/identity-providers/google.md
index a32e0fe53..d95bd665d 100644
--- a/docs/docs/identity-providers/google.md
+++ b/docs/docs/identity-providers/google.md
@@ -86,7 +86,7 @@ IDP_PROVIDER="google"
 IDP_PROVIDER_URL="https://accounts.google.com"
 IDP_CLIENT_ID="yyyy.apps.googleusercontent.com"
 IDP_CLIENT_SECRET="xxxxxx"
-IDP_SERVICE_ACCOUNT="zzzz" # output of `cat service-account-key.json | base64`
+IDP_SERVICE_ACCOUNT="zzzz" # output of `base64 -i service-account-key.json`
 ```
 [client id]: ../../configuration/readme.md#identity-provider-client-id
diff --git a/docs/docs/identity-providers/readme.md b/docs/docs/identity-providers/readme.md
index 5d76497b6..46b2c3be7 100644
--- a/docs/docs/identity-providers/readme.md
+++ b/docs/docs/identity-providers/readme.md
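Review bot: The new table entry only asserts that some error comes back (`nil, true`), so it passes just as well if decoding `"allowed_groups": "['group1']"` fails before `Validate()` runs, and it does not show that the new service-account guard is what fires. Pairing it with a positive case that adds `"idp_service_account"` to the same config and expects no error, or matching the error text inside the `t.Run` loop below, would pin the intended behaviour. The entry also replaces the `bad file` case (`{''''}`) rather than sitting beside it, so the malformed-JSON path loses its only coverage in this table; keeping both costs one line. TestOptionsFromViper starts and ends outside the hunk.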
@@ -17,6 +17,7 @@ In this guide we'll cover how to do the following for each identity provider:
 1. Set a **[Redirect URL](https://www.oauth.com/oauth2-servers/redirect-uris/)** pointing back to Pomerium. For example, `https://${authenticate_service_url}/oauth2/callback`.
 2. Generate a **[Client ID]** and **[Client Secret]**.
 3. Configure Pomerium to use the **[Client ID]** and **[Client Secret]** keys.
+4. Configure Pomerium to synchronize directory data from your identity provider (e.g. groups membership), by setting a service account.
 [client id]: ../../configuration/readme.md#identity-provider-client-id
 [client secret]: ../../configuration/readme.md#identity-provider-client-secret