Changes from verifying group membership -> policy assignment

G-Research · Nov 19, 2024 · 8756c9e · 8756c9e
1 parent 128b1c0
commit 8756c9e
Show file tree

Hide file tree

Showing 5 changed files with 11 additions and 3 deletions.
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
@@ -31,6 +31,7 @@ services:
     volumes:
       - ../cert:/vault/cert
     environment:
+      VAULT_LOG_LEVEL: debug
       VAULT_DEV_ROOT_TOKEN_ID: root_token
       VAULT_LOCAL_CONFIG: >
         {

diff --git a/app/lib/clients/vault/identity_alias.rb b/app/lib/clients/vault/identity_alias.rb
@@ -63,7 +63,7 @@ def write_identity_alias(type, identity_name, alias_name, auth_method)
           raise "no such #{type} #{identity_name}"
         end
         aliases = (identity.data[:aliases] || [ identity.data[:alias] ])
-        identity_alias = find_alias(aliases, alias_name, "oidc")
+        identity_alias = find_alias(aliases, alias_name, auth_method)
         # only create alias when not existant
         unless identity_alias
           client.logical.write("identity/#{type}-alias",

diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb
@@ -37,8 +37,10 @@ def create_default_role(client_id)
           bound_audiences: client_id,
           allowed_redirect_uris: Config[:oidc_redirect_uris],
           user_claim: "email",
+          groups_claim: "groups",
           oidc_scopes: "email",
           token_policies: "default")
+        # add 'verbose_oidc_logging: true` to params for JWT token debugging
       end
 
       def oidc_auth_data

diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb
@@ -22,7 +22,7 @@ def assign_entity_policy(identity, policy_name)
       def assign_groups_policy(groups, policy_name)
         groups.each do |group|
           put_group(group, [ policy_name ])
-          put_group_alias(group, "#{group}-alias", "oidc")
+          put_group_alias(group, group, "oidc")
         end
       end
 

diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb
@@ -57,7 +57,8 @@ def create_provider_webapp
 
   def create_provider_with_email_scope
     vault_client.logical.write("identity/oidc/scope/email",
-                                template: '{"email": {{identity.entity.metadata.email}}}')
+                                template: '{"groups": {{identity.entity.groups.names}},
+                                            "email": {{identity.entity.metadata.email}}}')
     vault_client.logical.write("identity/oidc/provider/astral",
                                 issuer: Config[:oidc_provider_addr],
                                 allowed_client_ids: @client_id,
@@ -90,5 +91,9 @@ def map_userpass_to_entity
                                 name: Config[:initial_user_name],
                                 canonical_id: entity_id,
                                 mount_accessor: accessor)
+    # setup a group membership for intial user
+    vault_client.logical.write("identity/group",
+                                name: "read_group",
+                                member_entity_ids: entity_id)
   end
 end