diff --git a/README.md b/README.md index c3086dd..d7fbe72 100644 --- a/README.md +++ b/README.md @@ -206,7 +206,7 @@ spec: endpointRef: name: azure-entra namespace: krateo-system - filter: .value | map(.displayName) + filter: .groups.value | map(.displayName) ``` To obtain groups through the rest action, add `Directory.Read.All` in the `additionalScopes`. diff --git a/internal/helpers/restaction/resolver.go b/internal/helpers/restaction/resolver.go index 7c7bec8..a6b8095 100644 --- a/internal/helpers/restaction/resolver.go +++ b/internal/helpers/restaction/resolver.go @@ -38,14 +38,17 @@ func Resolve(ctx context.Context, rc *rest.Config, restaction *core.ObjectRef, e return nil, fmt.Errorf("failed to create http request for restaction call to snowplow: %w", err) } - jwt, _ := xcontext.AccessToken(ctx) - request.Header.Add("Authorization", fmt.Sprintf("Bearer: %s", jwt)) + jwt, ok := xcontext.AccessToken(ctx) + if !ok { + return nil, fmt.Errorf("failed to retrieve jwt token for authn") + } + request.Header.Set("Authorization", fmt.Sprintf("Bearer %s", jwt)) resp, err := http.DefaultClient.Do(request) if err != nil { return nil, fmt.Errorf("failed to send http request for restaction call to snowplow: %w", err) } - responseRaw, err := io.ReadAll(resp.Body) + responseRaw, _ := io.ReadAll(resp.Body) defer resp.Body.Close() var responseStruct Response diff --git a/internal/routes/auth/oauth/login.go b/internal/routes/auth/oauth/login.go index 0427f11..9e76a71 100644 --- a/internal/routes/auth/oauth/login.go +++ b/internal/routes/auth/oauth/login.go @@ -99,8 +99,6 @@ func (r *loginRoute) Handler() http.HandlerFunc { return } - ctx := context.WithValue(req.Context(), restaction.RestActionContextKey("username"), r.ctx.Value(restaction.RestActionContextKey("username")).(string)) - ctx = context.WithValue(ctx, restaction.RestActionContextKey("snowplowURL"), r.ctx.Value(restaction.RestActionContextKey("snowplowURL")).(string)) userinfo := userInfo{} log.Debug().Str("name", name).Msg("resolving restaction") if restactionRef != nil { @@ -110,7 +108,7 @@ func (r *loginRoute) Handler() http.HandlerFunc { encode.InternalError(wri, err) return } - additionalFieldstoReplace, err := restaction.Resolve(ctx, r.rc, restactionRef, uuid.New().String(), tok.AccessToken) + additionalFieldstoReplace, err := restaction.Resolve(r.ctx, r.rc, restactionRef, uuid.New().String(), tok.AccessToken) if err != nil { log.Err(err).Str("name", name).Msg("unable to resolve restaction") encode.InternalError(wri, err) diff --git a/internal/routes/auth/oidc/login.go b/internal/routes/auth/oidc/login.go index 22855bf..6bb1f67 100644 --- a/internal/routes/auth/oidc/login.go +++ b/internal/routes/auth/oidc/login.go @@ -91,12 +91,9 @@ func (r *loginRoute) Handler() http.HandlerFunc { return } - ctx := context.WithValue(req.Context(), restaction.RestActionContextKey("username"), r.ctx.Value(restaction.RestActionContextKey("username")).(string)) - ctx = context.WithValue(ctx, restaction.RestActionContextKey("snowplowURL"), r.ctx.Value(restaction.RestActionContextKey("snowplowURL")).(string)) - log.Debug().Str("name", name).Msg("resolving restaction") if cfg.RESTActionRef != nil { - additionalFieldstoReplace, err := restaction.Resolve(ctx, r.rc, cfg.RESTActionRef, idToken.email, idToken.bearerToken) + additionalFieldstoReplace, err := restaction.Resolve(r.ctx, r.rc, cfg.RESTActionRef, idToken.email, idToken.bearerToken) if err != nil { log.Err(err).Str("name", name).Msg("unable to resolve restaction") encode.InternalError(wri, err) diff --git a/main.go b/main.go index f6f7971..ac9e396 100644 --- a/main.go +++ b/main.go @@ -217,7 +217,7 @@ func main() { defer stop() // Create authn clientconfig to call snowplow's RESTActions - _, err = signup.Do(context.TODO(), signup.Options{ + _, _ = signup.Do(context.TODO(), signup.Options{ RestConfig: cfg, Namespace: *storageNamespace, CAData: string(cfg.CAData), diff --git a/testdata/oauth.yaml b/testdata/oauth.yaml index 85c16a3..cfc6d17 100644 --- a/testdata/oauth.yaml +++ b/testdata/oauth.yaml @@ -44,7 +44,7 @@ spec: name: github-api namespace: krateo-system filter: | - { "name": .login, "email": .email, "preferredUsername": .login, "avatarURL": .avatar_url } + { "name": .userInfo.login, "email": .userInfo.email, "preferredUsername": .userInfo.login, "avatarURL": .userInfo.avatar_url } - name: groups verb: POST headers: @@ -55,7 +55,7 @@ spec: endpointRef: name: github-graphql-api namespace: krateo-system - filter: "[.data.organization.teams.edges[] | .node.slug]" + filter: "[.groups.data.organization.teams.edges[] | .node.slug]" filter: | {groups: .groups, "name": .userInfo.name, "email": .userInfo.email, "preferredUsername": .userInfo.preferredUsername, "avatarURL": .userInfo.AvatarURL } --- diff --git a/testdata/oidc-azure.yaml b/testdata/oidc-azure.yaml index 12821cf..ab368a3 100644 --- a/testdata/oidc-azure.yaml +++ b/testdata/oidc-azure.yaml @@ -7,6 +7,14 @@ metadata: stringData: clientSecret: --- +apiVersion: "v1" +kind: Secret +metadata: + name: azure-entra + namespace: krateo-system +stringData: + server-url: https://graph.microsoft.com +--- apiVersion: oidc.authn.krateo.io/v1alpha1 kind: OIDCConfig metadata: @@ -49,4 +57,4 @@ spec: endpointRef: name: azure-entra namespace: krateo-system - filter: .value | map(.displayName) + filter: .groups.value | map(.displayName)