move directory providers (#3633)

* remove directory providers and support for groups * idp: remove directory providers * better error messages * fix errors * restore postgres * fix test
2025-06-01 02:12:50 +02:00 · 2022-11-03 11:33:56 -06:00 · 2022-11-03 11:33:56 -06:00 · c178819875
commit c178819875
parent bb5c80bae9
78 changed files with 723 additions and 8703 deletions
--- a/config/policy.go
+++ b/config/policy.go
@ -38,7 +38,6 @@ type Policy struct {

 	// Identity related policy
 	AllowedUsers     []string                 `mapstructure:"allowed_users" yaml:"allowed_users,omitempty" json:"allowed_users,omitempty"`
-	AllowedGroups    []string                 `mapstructure:"allowed_groups" yaml:"allowed_groups,omitempty" json:"allowed_groups,omitempty"`
 	AllowedDomains   []string                 `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty" json:"allowed_domains,omitempty"`
 	AllowedIDPClaims identity.FlattenedClaims `mapstructure:"allowed_idp_claims" yaml:"allowed_idp_claims,omitempty" json:"allowed_idp_claims,omitempty"`

@ -192,7 +191,6 @@ type SubPolicy struct {
 	ID               string                   `mapstructure:"id" yaml:"id" json:"id"`
 	Name             string                   `mapstructure:"name" yaml:"name" json:"name"`
 	AllowedUsers     []string                 `mapstructure:"allowed_users" yaml:"allowed_users,omitempty" json:"allowed_users,omitempty"`
-	AllowedGroups    []string                 `mapstructure:"allowed_groups" yaml:"allowed_groups,omitempty" json:"allowed_groups,omitempty"`
 	AllowedDomains   []string                 `mapstructure:"allowed_domains" yaml:"allowed_domains,omitempty" json:"allowed_domains,omitempty"`
 	AllowedIDPClaims identity.FlattenedClaims `mapstructure:"allowed_idp_claims" yaml:"allowed_idp_claims,omitempty" json:"allowed_idp_claims,omitempty"`
 	Rego             []string                 `mapstructure:"rego" yaml:"rego" json:"rego,omitempty"`
@ -231,7 +229,6 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
 	p := &Policy{
 		From:                             pb.GetFrom(),
 		AllowedUsers:                     pb.GetAllowedUsers(),
-		AllowedGroups:                    pb.GetAllowedGroups(),
 		AllowedDomains:                   pb.GetAllowedDomains(),
 		AllowedIDPClaims:                 identity.NewFlattenedClaimsFromPB(pb.GetAllowedIdpClaims()),
 		Prefix:                           pb.GetPrefix(),
@ -317,7 +314,6 @@ func NewPolicyFromProto(pb *configpb.Route) (*Policy, error) {
 			ID:               sp.GetId(),
 			Name:             sp.GetName(),
 			AllowedUsers:     sp.GetAllowedUsers(),
-			AllowedGroups:    sp.GetAllowedGroups(),
 			AllowedDomains:   sp.GetAllowedDomains(),
 			AllowedIDPClaims: identity.NewFlattenedClaimsFromPB(sp.GetAllowedIdpClaims()),
 			Rego:             sp.GetRego(),
@ -347,7 +343,6 @@ func (p *Policy) ToProto() (*configpb.Route, error) {
 			Id:               sp.ID,
 			Name:             sp.Name,
 			AllowedUsers:     sp.AllowedUsers,
-			AllowedGroups:    sp.AllowedGroups,
 			AllowedDomains:   sp.AllowedDomains,
 			AllowedIdpClaims: sp.AllowedIDPClaims.ToPB(),
 			Rego:             sp.Rego,
@ -358,7 +353,6 @@ func (p *Policy) ToProto() (*configpb.Route, error) {
 		Name:                             fmt.Sprint(p.RouteID()),
 		From:                             p.From,
 		AllowedUsers:                     p.AllowedUsers,
-		AllowedGroups:                    p.AllowedGroups,
 		AllowedDomains:                   p.AllowedDomains,
 		AllowedIdpClaims:                 p.AllowedIDPClaims.ToPB(),
 		Prefix:                           p.Prefix,
@ -466,12 +460,12 @@ func (p *Policy) Validate() error {
 	}

 	// Only allow public access if no other whitelists are in place
-	if p.AllowPublicUnauthenticatedAccess && (p.AllowAnyAuthenticatedUser || p.AllowedDomains != nil || p.AllowedGroups != nil || p.AllowedUsers != nil) {
+	if p.AllowPublicUnauthenticatedAccess && (p.AllowAnyAuthenticatedUser || p.AllowedDomains != nil || p.AllowedUsers != nil) {
 		return fmt.Errorf("config: policy route marked as public but contains whitelists")
 	}

 	// Only allow any authenticated user if no other whitelists are in place
-	if p.AllowAnyAuthenticatedUser && (p.AllowedDomains != nil || p.AllowedGroups != nil || p.AllowedUsers != nil) {
+	if p.AllowAnyAuthenticatedUser && (p.AllowedDomains != nil || p.AllowedUsers != nil) {
 		return fmt.Errorf("config: policy route marked accessible for any authenticated user but contains whitelists")
 	}

@ -642,16 +636,6 @@ func (p *Policy) AllAllowedDomains() []string {
 	return ads
 }

-// AllAllowedGroups returns all the allowed groups.
-func (p *Policy) AllAllowedGroups() []string {
-	var ags []string
-	ags = append(ags, p.AllowedGroups...)
-	for _, sp := range p.SubPolicies {
-		ags = append(ags, sp.AllowedGroups...)
-	}
-	return ags
-}
-
 // AllAllowedIDPClaims returns all the allowed IDP claims.
 func (p *Policy) AllAllowedIDPClaims() []identity.FlattenedClaims {
 	var aics []identity.FlattenedClaims