mirror
/
dex
mirror of https://github.com/dexidp/dex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Added Email of Keystone to Identity (#1681) 

* Added Email of Keystone to Identity

After the successful login to keystone, the Email of the logged in user
is fetch from keystone and provided to `identity.Email`.

This is useful for upstream software that uses the Email as the primary
identification.

* Removed unnecessary code from getUsers

* Changed creation of userResponse in keystone

* Fixing linter error

Co-authored-by: Christoph Glaubitz <christoph.glaubitz@innovo-cloud.de>
pull/1673/head
Ken Perkins 6 years ago committed by GitHub
parent
ebef257dcd
commit
f6476b62f2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 124 additions and 32 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 45
      connector/keystone/keystone.go
  2. 111
      connector/keystone/keystone_test.go

45
connector/keystone/keystone.go
Unescape View File

@ -95,6 +95,14 @@ type groupsResponse struct {
Groups []group `json:"groups"` Groups []group `json:"groups"`
} }
type userResponse struct {
User struct {
Name string `json:"name"`
Email string `json:"email"`
ID string `json:"id"`
} `json:"user"`
}
var ( var (
_ connector.PasswordConnector = &conn{} _ connector.PasswordConnector = &conn{}
_ connector.RefreshConnector = &conn{} _ connector.RefreshConnector = &conn{}
@ -143,6 +151,16 @@ func (p *conn) Login(ctx context.Context, scopes connector.Scopes, username, pas
} }
identity.Username = username identity.Username = username
identity.UserID = tokenResp.Token.User.ID identity.UserID = tokenResp.Token.User.ID
user, err := p.getUser(ctx, tokenResp.Token.User.ID, token)
if err != nil {
return identity, false, err
}
if user.User.Email != "" {
identity.Email = user.User.Email
identity.EmailVerified = true
}
return identity, true, nil return identity, true, nil
} }
@ -216,26 +234,43 @@ func (p *conn) getAdminToken(ctx context.Context) (string, error) {
} }
func (p *conn) checkIfUserExists(ctx context.Context, userID string, token string) (bool, error) { func (p *conn) checkIfUserExists(ctx context.Context, userID string, token string) (bool, error) {
user, err := p.getUser(ctx, userID, token)
return user != nil, err
}
func (p *conn) getUser(ctx context.Context, userID string, token string) (*userResponse, error) {
// https://developer.openstack.org/api-ref/identity/v3/#show-user-details // https://developer.openstack.org/api-ref/identity/v3/#show-user-details
userURL := p.Host + "/v3/users/" + userID userURL := p.Host + "/v3/users/" + userID
client := &http.Client{} client := &http.Client{}
req, err := http.NewRequest("GET", userURL, nil) req, err := http.NewRequest("GET", userURL, nil)
if err != nil { if err != nil {
return false, err return nil, err
} }
req.Header.Set("X-Auth-Token", token) req.Header.Set("X-Auth-Token", token)
req = req.WithContext(ctx) req = req.WithContext(ctx)
resp, err := client.Do(req) resp, err := client.Do(req)
if err != nil { if err != nil {
return false, err return nil, err
} }
defer resp.Body.Close() defer resp.Body.Close()
if resp.StatusCode == 200 { if resp.StatusCode != 200 {
return true, nil return nil, err
}
data, err := ioutil.ReadAll(resp.Body)
if err != nil {
return nil, err
} }
return false, err
user := userResponse{}
err = json.Unmarshal(data, &user)
if err != nil {
return nil, err
}
return &user, nil
} }
func (p *conn) getUserGroups(ctx context.Context, userID string, token string) ([]string, error) { func (p *conn) getUserGroups(ctx context.Context, userID string, token string) ([]string, error) {

111
connector/keystone/keystone_test.go
Unescape View File

@ -35,12 +35,6 @@ var (
groupsURL = "" groupsURL = ""
) )
type userResponse struct {
User struct {
ID string `json:"id"`
} `json:"user"`
}
type groupResponse struct { type groupResponse struct {
Group struct { Group struct {
ID string `json:"id"` ID string `json:"id"`
@ -144,7 +138,7 @@ func createUser(t *testing.T, token, userName, userEmail, userPass string) strin
} }
// delete group or user // delete group or user
func delete(t *testing.T, token, id, uri string) { func deleteResource(t *testing.T, token, id, uri string) {
t.Helper() t.Helper()
client := &http.Client{} client := &http.Client{}
@ -246,20 +240,86 @@ func TestIncorrectCredentialsLogin(t *testing.T) {
func TestValidUserLogin(t *testing.T) { func TestValidUserLogin(t *testing.T) {
setupVariables(t) setupVariables(t)
token, _ := getAdminToken(t, adminUser, adminPass) token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(t, token, testUser, testEmail, testPass)
c := conn{Host: keystoneURL, Domain: testDomain, type tUser struct {
AdminUsername: adminUser, AdminPassword: adminPass} username string
s := connector.Scopes{OfflineAccess: true, Groups: true} domain string
identity, validPW, err := c.Login(context.Background(), s, testUser, testPass) email string
if err != nil { password string
t.Fatal(err.Error()) }
type expect struct {
username string
email string
verifiedEmail bool
}
var tests = []struct {
name string
input tUser
expected expect
}{
{
name: "test with email address",
input: tUser{
username: testUser,
domain: testDomain,
email: testEmail,
password: testPass,
},
expected: expect{
username: testUser,
email: testEmail,
verifiedEmail: true,
},
},
{
name: "test without email address",
input: tUser{
username: testUser,
domain: testDomain,
email: "",
password: testPass,
},
expected: expect{
username: testUser,
email: "",
verifiedEmail: false,
},
},
} }
t.Log(identity)
if !validPW { for _, tt := range tests {
t.Fatal("Valid password was not accepted") t.Run(tt.name, func(t *testing.T) {
userID := createUser(t, token, tt.input.username, tt.input.email, tt.input.password)
defer deleteResource(t, token, userID, usersURL)
c := conn{Host: keystoneURL, Domain: tt.input.domain,
AdminUsername: adminUser, AdminPassword: adminPass}
s := connector.Scopes{OfflineAccess: true, Groups: true}
identity, validPW, err := c.Login(context.Background(), s, tt.input.username, tt.input.password)
if err != nil {
t.Fatal(err.Error())
}
t.Log(identity)
if identity.Username != tt.expected.username {
t.Fatalf("Invalid user. Got: %v. Wanted: %v", identity.Username, tt.expected.username)
}
if identity.UserID == "" {
t.Fatalf("Didn't get any UserID back")
}
if identity.Email != tt.expected.email {
t.Fatalf("Invalid email. Got: %v. Wanted: %v", identity.Email, tt.expected.email)
}
if identity.EmailVerified != tt.expected.verifiedEmail {
t.Fatalf("Invalid verifiedEmail. Got: %v. Wanted: %v", identity.EmailVerified, tt.expected.verifiedEmail)
}
if !validPW {
t.Fatal("Valid password was not accepted")
}
})
} }
delete(t, token, userID, usersURL)
} }
func TestUseRefreshToken(t *testing.T) { func TestUseRefreshToken(t *testing.T) {
@ -267,6 +327,7 @@ func TestUseRefreshToken(t *testing.T) {
token, adminID := getAdminToken(t, adminUser, adminPass) token, adminID := getAdminToken(t, adminUser, adminPass)
groupID := createGroup(t, token, "Test group description", testGroup) groupID := createGroup(t, token, "Test group description", testGroup)
addUserToGroup(t, token, groupID, adminID) addUserToGroup(t, token, groupID, adminID)
defer deleteResource(t, token, groupID, groupsURL)
c := conn{Host: keystoneURL, Domain: testDomain, c := conn{Host: keystoneURL, Domain: testDomain,
AdminUsername: adminUser, AdminPassword: adminPass} AdminUsername: adminUser, AdminPassword: adminPass}
@ -282,8 +343,6 @@ func TestUseRefreshToken(t *testing.T) {
t.Fatal(err.Error()) t.Fatal(err.Error())
} }
delete(t, token, groupID, groupsURL)
expectEquals(t, 1, len(identityRefresh.Groups)) expectEquals(t, 1, len(identityRefresh.Groups))
expectEquals(t, testGroup, identityRefresh.Groups[0]) expectEquals(t, testGroup, identityRefresh.Groups[0])
} }
@ -307,7 +366,7 @@ func TestUseRefreshTokenUserDeleted(t *testing.T) {
t.Fatal(err.Error()) t.Fatal(err.Error())
} }
delete(t, token, userID, usersURL) deleteResource(t, token, userID, usersURL)
_, err = c.Refresh(context.Background(), s, identityLogin) _, err = c.Refresh(context.Background(), s, identityLogin)
if !strings.Contains(err.Error(), "does not exist") { if !strings.Contains(err.Error(), "does not exist") {
@ -319,6 +378,7 @@ func TestUseRefreshTokenGroupsChanged(t *testing.T) {
setupVariables(t) setupVariables(t)
token, _ := getAdminToken(t, adminUser, adminPass) token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(t, token, testUser, testEmail, testPass) userID := createUser(t, token, testUser, testEmail, testPass)
defer deleteResource(t, token, userID, usersURL)
c := conn{Host: keystoneURL, Domain: testDomain, c := conn{Host: keystoneURL, Domain: testDomain,
AdminUsername: adminUser, AdminPassword: adminPass} AdminUsername: adminUser, AdminPassword: adminPass}
@ -338,15 +398,13 @@ func TestUseRefreshTokenGroupsChanged(t *testing.T) {
groupID := createGroup(t, token, "Test group", testGroup) groupID := createGroup(t, token, "Test group", testGroup)
addUserToGroup(t, token, groupID, userID) addUserToGroup(t, token, groupID, userID)
defer deleteResource(t, token, groupID, groupsURL)
identityRefresh, err = c.Refresh(context.Background(), s, identityLogin) identityRefresh, err = c.Refresh(context.Background(), s, identityLogin)
if err != nil { if err != nil {
t.Fatal(err.Error()) t.Fatal(err.Error())
} }
delete(t, token, groupID, groupsURL)
delete(t, token, userID, usersURL)
expectEquals(t, 1, len(identityRefresh.Groups)) expectEquals(t, 1, len(identityRefresh.Groups))
} }
@ -354,6 +412,7 @@ func TestNoGroupsInScope(t *testing.T) {
setupVariables(t) setupVariables(t)
token, _ := getAdminToken(t, adminUser, adminPass) token, _ := getAdminToken(t, adminUser, adminPass)
userID := createUser(t, token, testUser, testEmail, testPass) userID := createUser(t, token, testUser, testEmail, testPass)
defer deleteResource(t, token, userID, usersURL)
c := conn{Host: keystoneURL, Domain: testDomain, c := conn{Host: keystoneURL, Domain: testDomain,
AdminUsername: adminUser, AdminPassword: adminPass} AdminUsername: adminUser, AdminPassword: adminPass}
@ -361,6 +420,7 @@ func TestNoGroupsInScope(t *testing.T) {
groupID := createGroup(t, token, "Test group", testGroup) groupID := createGroup(t, token, "Test group", testGroup)
addUserToGroup(t, token, groupID, userID) addUserToGroup(t, token, groupID, userID)
defer deleteResource(t, token, groupID, groupsURL)
identityLogin, _, err := c.Login(context.Background(), s, testUser, testPass) identityLogin, _, err := c.Login(context.Background(), s, testUser, testPass)
if err != nil { if err != nil {
@ -373,9 +433,6 @@ func TestNoGroupsInScope(t *testing.T) {
t.Fatal(err.Error()) t.Fatal(err.Error())
} }
expectEquals(t, 0, len(identityRefresh.Groups)) expectEquals(t, 0, len(identityRefresh.Groups))
delete(t, token, groupID, groupsURL)
delete(t, token, userID, usersURL)
} }
func setupVariables(t *testing.T) { func setupVariables(t *testing.T) {

Write Preview
Loading…
Cancel
Save