package skycmd
import (
"encoding/json"
"errors"
"github.com/concourse/dex/connector/oidc"
"github.com/concourse/flag"
multierror "github.com/hashicorp/go-multierror"
)
// init registers the OIDC auth connector under the id "oidc", wiring its
// provider-level flags (OIDCFlags) and per-team flags (OIDCTeamFlags) into
// the connector registry.
func init() {
	connector := &Connector{
		id:         "oidc",
		config:     &OIDCFlags{},
		teamConfig: &OIDCTeamFlags{},
	}
	RegisterConnector(connector)
}
// OIDCFlags holds the command-line configuration for the generic OIDC auth
// connector. Serialize copies these fields into a dex oidc.Config, so each
// field below corresponds to a connector setting.
type OIDCFlags struct {
	// DisplayName is the label shown on the login page; Name falls back to
	// "OIDC" when it is empty.
	DisplayName string `long:"display-name" description:"The auth provider name displayed to users on the login page"`
	// Issuer is the OIDC issuer URL used for .well-known discovery. Required
	// (enforced by Validate).
	Issuer string `long:"issuer" description:"(Required) An OIDC issuer URL that will be used to discover provider configuration using the .well-known/openid-configuration"`
	// ClientID and ClientSecret are the relying-party credentials. Both are
	// required (enforced by Validate). ClientSecret is embedded verbatim in the
	// JSON produced by Serialize, so that output is itself sensitive.
	ClientID     string `long:"client-id" description:"(Required) Client id"`
	ClientSecret string `long:"client-secret" description:"(Required) Client secret"`
	// Scopes are requested in addition to whatever the connector asks for by
	// default.
	Scopes []string `long:"scope" description:"Any additional scopes that need to be requested during authorization"`
	// GroupsKey is the claim copied into ClaimMapping.GroupsKey; it decides
	// which claim maps external groups onto Concourse teams.
	GroupsKey string `long:"groups-key" default:"groups" description:"The groups key indicates which claim to use to map external groups to Concourse teams."`
	// UserNameKey is the claim used for both oidc.Config.UserNameKey and
	// ClaimMapping.PreferredUsernameKey (Serialize sets both).
	UserNameKey string `long:"user-name-key" default:"username" description:"The user name key indicates which claim to use to map an external user name to a Concourse user name."`
	// HostedDomains restricts login to users from the listed domains; per the
	// flag description this applies when the provider is Google.
	HostedDomains []string `long:"hosted-domains" description:"List of whitelisted domains when using Google, only users from a listed domain will be allowed to log in"`
	// CACerts are CA certificate files trusted when contacting the issuer.
	// Serialize passes only their paths (as RootCAs); nothing is read here.
	CACerts []flag.File `long:"ca-cert" description:"CA Certificate"`
	// InsecureSkipVerify is passed straight through to the connector and turns
	// off TLS certificate verification of the issuer, which removes the
	// protection against a spoofed provider; prefer CACerts for private CAs.
	InsecureSkipVerify bool `long:"skip-ssl-validation" description:"Skip SSL validation"`
}
// Name returns the provider label presented to users: DisplayName when it is
// set, otherwise the default "OIDC".
func (flag *OIDCFlags) Name() string {
	name := flag.DisplayName
	if name == "" {
		name = "OIDC"
	}
	return name
}
// Validate reports every required flag that is still unset — issuer,
// client-id and client-secret — so the operator sees all omissions at once
// rather than one per run.
//
// Returns nil when nothing is missing, otherwise a multierror listing each
// missing flag in the order above.
func (flag *OIDCFlags) Validate() error {
	required := []struct {
		value   string
		message string
	}{
		{flag.Issuer, "Missing issuer"},
		{flag.ClientID, "Missing client-id"},
		{flag.ClientSecret, "Missing client-secret"},
	}

	var errs *multierror.Error
	for _, r := range required {
		if r.value == "" {
			errs = multierror.Append(errs, errors.New(r.message))
		}
	}
	// ErrorOrNil collapses the empty multierror to a plain nil.
	return errs.ErrorOrNil()
}
// Serialize validates the flags and encodes them as the JSON form of a dex
// oidc.Config, with redirectURI supplied by the caller.
//
// The output embeds ClientSecret verbatim, so it must be stored and logged
// with the same care as the secret itself. CACerts contribute only their file
// paths (RootCAs); no certificate is read here. InsecureSkipVerify is copied
// through unchanged.
//
// Returns the marshalled config, or the error from Validate or json.Marshal.
func (flag *OIDCFlags) Serialize(redirectURI string) ([]byte, error) {
	err := flag.Validate()
	if err != nil {
		return nil, err
	}

	// Allocated non-nil even when there are no files so the JSON field encodes
	// as [] rather than null.
	rootCAs := make([]string, 0, len(flag.CACerts))
	for _, caFile := range flag.CACerts {
		rootCAs = append(rootCAs, caFile.Path())
	}

	config := oidc.Config{
		Issuer:             flag.Issuer,
		ClientID:           flag.ClientID,
		ClientSecret:       flag.ClientSecret,
		Scopes:             flag.Scopes,
		UserNameKey:        flag.UserNameKey,
		HostedDomains:      flag.HostedDomains,
		RootCAs:            rootCAs,
		InsecureSkipVerify: flag.InsecureSkipVerify,
		RedirectURI:        redirectURI,
	}
	// The same claim feeds both UserNameKey above and the claim mapping, so
	// the connector resolves the user name from one source.
	config.ClaimMapping.PreferredUsernameKey = flag.UserNameKey
	config.ClaimMapping.GroupsKey = flag.GroupsKey

	return json.Marshal(config)
}
// OIDCTeamFlags is the per-team authorization configuration for the OIDC
// connector: the users and groups allowed into a team. The json tags give
// the shape in which the team config is stored.
type OIDCTeamFlags struct {
	// Users lists allowed OIDC user names (matched via the UserNameKey claim
	// configured in OIDCFlags).
	Users []string `json:"users" long:"user" description:"A whitelisted OIDC user" value-name:"USERNAME"`
	// Groups lists allowed OIDC group names (matched via the GroupsKey claim
	// configured in OIDCFlags).
	Groups []string `json:"groups" long:"group" description:"A whitelisted OIDC group" value-name:"GROUP_NAME"`
}
// GetUsers returns the allowed OIDC user names configured for the team. The
// returned slice aliases the struct field; callers must not mutate it.
func (flag *OIDCTeamFlags) GetUsers() []string {
	users := flag.Users
	return users
}
// GetGroups returns the allowed OIDC group names configured for the team. The
// returned slice aliases the struct field; callers must not mutate it.
func (flag *OIDCTeamFlags) GetGroups() []string {
	groups := flag.Groups
	return groups
}