mirrors/pinniped
1
0
Fork 0
mirror of https://github.com/vmware-tanzu/pinniped.git synced 2026-01-10 16:01:04 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

user sees error msg when GitHub login is denied due to allowed orgs

Browse Source 
Also renamed an interface function from GetName to GetResourceName.

Co-authored-by: Ryan Richard <richardry@vmware.com>
This commit is contained in:
Joshua Casey
2024-05-31 16:24:11 -05:00
committed by Ryan Richard
parent e3d8c71f97
commit 58b4ecc0aa
22 changed files with 200 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
internal/upstreamgithub/upstreamgithub.go
View File

@@ -6,7 +6,6 @@ package upstreamgithub
import (
"context"
"errors"
"fmt"
"net/http"
@@ -18,6 +17,7 @@ import (
"go.pinniped.dev/internal/federationdomain/downstreamsubject"
"go.pinniped.dev/internal/federationdomain/upstreamprovider"
"go.pinniped.dev/internal/githubclient"
"go.pinniped.dev/internal/plog"
"go.pinniped.dev/internal/setutil"
)
@@ -66,7 +66,7 @@ func New(config ProviderConfig) *Provider {
}
}
func (p *Provider) GetName() string {
func (p *Provider) GetResourceName() string {
return p.c.Name
}
@@ -147,7 +147,20 @@ func (p *Provider) GetUser(ctx context.Context, accessToken string, idpDisplayNa
}
if !p.c.AllowedOrganizations.Empty() && !p.c.AllowedOrganizations.HasAnyIgnoringCase(orgMembership) {
return nil, errors.New("user is not allowed to log in due to organization membership policy")
plog.Warning("user is not allowed to log in due to organization membership policy", // do not log username to avoid PII
"userBelongsToOrganizations", orgMembership,
"configuredAllowedOrganizations", p.c.AllowedOrganizations,
"identityProviderDisplayName", idpDisplayName,
"identityProviderResourceName", p.GetResourceName())
plog.Trace("user is not allowed to log in due to organization membership policy", // okay to log PII at trace level
"githubLogin", userInfo.Login,
"githubID", userInfo.ID,
"calculatedUsername", githubUser.Username,
"userBelongsToOrganizations", orgMembership,
"configuredAllowedOrganizations", p.c.AllowedOrganizations,
"identityProviderDisplayName", idpDisplayName,
"identityProviderResourceName", p.GetResourceName())
return nil, upstreamprovider.NewGitHubLoginDeniedError("user is not allowed to log in due to organization membership policy")
}
teamMembership, err := githubClient.GetTeamMembership(ctx, p.c.AllowedOrganizations)