config: error if groups are used without service account

Signed-off-by: Bobby DeSimone <bobbydesimone@gmail.com>
2025-06-06 04:42:56 +02:00 · 2020-06-24 16:01:08 -07:00 · 2020-06-24 16:01:08 -07:00 · 1d1311a240
commit 1d1311a240
parent e3d290bde5
6 changed files with 16 additions and 2 deletions
--- a/.gitignore
+++ b/.gitignore
@ -86,3 +86,5 @@ docs/.vuepress/dist/
 .pomerium/

 !.pre-commit-config.yaml
+
+.service-accounts
--- a/config/options.go
+++ b/config/options.go
@ -579,6 +579,16 @@ func (o *Options) Validate() error {
 		}
 	}

+	// if no service account was defined, there should not be any policies that
+	// assert group membership
+	if o.ServiceAccount == "" {
+		for _, p := range o.Policies {
+			if len(p.AllowedGroups) != 0 {
+				return fmt.Errorf("config: `allowed_groups` requires `idp_service_account`")
+			}
+		}
+	}
+
 	// strip quotes from redirect address (#811)
 	o.HTTPRedirectAddr = strings.Trim(o.HTTPRedirectAddr, `"'`)

--- a/config/options_test.go
+++ b/config/options_test.go
@ -250,8 +250,8 @@ func TestOptionsFromViper(t *testing.T) {
 			false},
 		{"bad url", []byte(`{"policy":[{"from": "https://","to":"https://to.example"}]}`), nil, true},
 		{"bad policy", []byte(`{"policy":[{"allow_public_unauthenticated_access": "dog","to":"https://to.example"}]}`), nil, true},
-
 		{"bad file", []byte(`{''''}`), nil, true},
+		{"allowed_groups without idp_service_account should fail", []byte(`{"autocert_dir":"","insecure_server":true,"policy":[{"from": "https://from.example","to":"https://to.example","allowed_groups": "['group1']"}]}`), nil, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
--- a/docs/docs/identity-providers/azure.md
+++ b/docs/docs/identity-providers/azure.md
@ -121,6 +121,7 @@ IDP_PROVIDER="azure"
 IDP_PROVIDER_URL="https://login.microsoftonline.com/{REPLACE-ME-SEE-ABOVE}/v2.0"
 IDP_CLIENT_ID="REPLACE-ME"
 IDP_CLIENT_SECRET="REPLACE-ME"
+IDP_SERVICE_ACCOUNT="REPLACE-ME-SEE-ABOVE"
 ```

 [client id]: ../../configuration/readme.md#identity-provider-client-id
--- a/docs/docs/identity-providers/google.md
+++ b/docs/docs/identity-providers/google.md
@ -86,7 +86,7 @@ IDP_PROVIDER="google"
 IDP_PROVIDER_URL="https://accounts.google.com"
 IDP_CLIENT_ID="yyyy.apps.googleusercontent.com"
 IDP_CLIENT_SECRET="xxxxxx"
-IDP_SERVICE_ACCOUNT="zzzz" # output of `cat service-account-key.json | base64`
+IDP_SERVICE_ACCOUNT="zzzz" # output of `base64 -i service-account-key.json`
 ```

 [client id]: ../../configuration/readme.md#identity-provider-client-id
--- a/docs/docs/identity-providers/readme.md
+++ b/docs/docs/identity-providers/readme.md
@ -17,6 +17,7 @@ In this guide we'll cover how to do the following for each identity provider:
 1. Set a **[Redirect URL](https://www.oauth.com/oauth2-servers/redirect-uris/)** pointing back to Pomerium. For example, `https://${authenticate_service_url}/oauth2/callback`.
 2. Generate a **[Client ID]** and **[Client Secret]**.
 3. Configure Pomerium to use the **[Client ID]** and **[Client Secret]** keys.
+4. Configure Pomerium to synchronize directory data from your identity provider (e.g. groups membership), by setting a service account. 

 [client id]: ../../configuration/readme.md#identity-provider-client-id
 [client secret]: ../../configuration/readme.md#identity-provider-client-secret