diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
index e73e950..b8f3f66 100644
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -31,6 +31,7 @@ services:
     volumes:
       - ../cert:/vault/cert
     environment:
+      VAULT_LOG_LEVEL: debug
       VAULT_DEV_ROOT_TOKEN_ID: root_token
       VAULT_LOCAL_CONFIG: >
         {
diff --git a/app/lib/clients/vault/identity_alias.rb b/app/lib/clients/vault/identity_alias.rb
index d5cac85..a489e05 100644
--- a/app/lib/clients/vault/identity_alias.rb
+++ b/app/lib/clients/vault/identity_alias.rb
@@ -63,7 +63,7 @@ def write_identity_alias(type, identity_name, alias_name, auth_method)
       raise "no such #{type} #{identity_name}"
     end
     aliases = (identity.data[:aliases] || [ identity.data[:alias] ])
-    identity_alias = find_alias(aliases, alias_name, "oidc")
+    identity_alias = find_alias(aliases, alias_name, auth_method)
     # only create alias when not existant
     unless identity_alias
       client.logical.write("identity/#{type}-alias",
diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb
index 7141f35..9ed050e 100644
--- a/app/lib/clients/vault/oidc.rb
+++ b/app/lib/clients/vault/oidc.rb
@@ -37,8 +37,10 @@ def create_default_role(client_id)
       bound_audiences: client_id,
       allowed_redirect_uris: Config[:oidc_redirect_uris],
       user_claim: "email",
+      groups_claim: "groups",
       oidc_scopes: "email",
       token_policies: "default")
+    # add 'verbose_oidc_logging: true` to params for JWT token debugging
   end
 
   def oidc_auth_data
diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb
index 7fbe942..fb82509 100644
--- a/app/lib/clients/vault/policy.rb
+++ b/app/lib/clients/vault/policy.rb
@@ -22,7 +22,7 @@ def assign_entity_policy(identity, policy_name)
   def assign_groups_policy(groups, policy_name)
     groups.each do |group|
       put_group(group, [ policy_name ])
-      put_group_alias(group, "#{group}-alias", "oidc")
+      put_group_alias(group, group, "oidc")
     end
   end
 
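Review bot: `find_alias(aliases, alias_name, auth_method)` now deduplicates by the caller-supplied auth method, but the hunk gives no hint what value `auth_method` is expected to carry (mount type, mount path or accessor), and the `# only create alias when not existant` comment does not say that a non-matching value silently creates a second alias. Document the parameter on the method, e.g. `# @param auth_method [String] auth mount type (e.g. "oidc") matched against the entity's existing aliases; a value that matches nothing creates a duplicate alias`, and fix the spelling to `existent`. Note also that `identity.data[:aliases] || [ identity.data[:alias] ]` yields `[nil]` when neither key is present, so `find_alias` presumably has to tolerate a nil element; that is pre-existing. write_identity_alias starts before and continues past the hunk.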
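Review bot: The added comment `# add 'verbose_oidc_logging: true` to params for JWT token debugging` has mismatched quotes and, more importantly, does not say what the flag costs: Vault's verbose_oidc_logging writes the received ID token and its claims to the server log, and with the new `groups_claim: "groups"` that means the user's email and group membership land in logs. Reword it so the trade-off is explicit, e.g. `# debugging only: verbose_oidc_logging: true logs the received ID token and its claims (email, groups) to the Vault log; do not set it on a shared instance`. create_default_role starts outside the hunk.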
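Review bot: `put_group_alias(group, group, "oidc")` drops the `-alias` suffix so the alias name equals the group name, but nothing records why; presumably the alias name is what Vault matches against the incoming `groups` claim, so the group names here have to equal the values the OIDC scope template emits from `identity.entity.groups.names`, and a reader who only sees the old `"#{group}-alias"` will not infer that. Add `# alias name must equal the group name: the OIDC groups claim is matched against group-alias names` above the call. The third argument stays the hardcoded `"oidc"` while write_identity_alias in identity_alias.rb now takes `auth_method`; consider threading the same parameter through here for consistency.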
diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb
index 0a88ddf..81c057e 100644
--- a/app/lib/utils/oidc_provider.rb
+++ b/app/lib/utils/oidc_provider.rb
@@ -57,7 +57,8 @@ def create_provider_webapp
 
   def create_provider_with_email_scope
     vault_client.logical.write("identity/oidc/scope/email",
-      template: '{"email": {{identity.entity.metadata.email}}}')
+      template: '{"groups": {{identity.entity.groups.names}},
+      "email": {{identity.entity.metadata.email}}}')
     vault_client.logical.write("identity/oidc/provider/astral",
       issuer: Config[:oidc_provider_addr],
       allowed_client_ids: @client_id,
@@ -90,5 +91,9 @@ def map_userpass_to_entity
       name: Config[:initial_user_name],
       canonical_id: entity_id,
       mount_accessor: accessor)
+    # setup a group membership for intial user
+    vault_client.logical.write("identity/group",
+      name: "read_group",
+      member_entity_ids: entity_id)
   end
 end
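Review bot: Splitting the template into a two-line single-quoted literal embeds a newline plus the continuation line's indentation in the stored scope template; JSON tolerates the whitespace, but what Vault stores now depends on source indentation. Keep the literal on one line, `template: '{"groups": {{identity.entity.groups.names}}, "email": {{identity.entity.metadata.email}}}')`, or use a heredoc. Separately, the scope is still named `email` but now also discloses every entity group name to any client granted that scope; if group names are not meant for all clients, a separate `groups` scope keeps that disclosure opt-in per role. create_provider_with_email_scope continues past the hunk.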
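Review bot: The new `identity/group` write is not obviously idempotent: writing `identity/group` with an existing `name` updates that group, and as far as I recall `member_entity_ids` replaces the member list rather than appending, so re-running this setup against a Vault that already has `read_group` would drop any other members. If that is intended, say so in the comment; otherwise read the existing members first and merge before writing. The comment should also read `# set up a group membership for the initial user`, and the literal `"read_group"` is a good candidate for a named constant shared with whatever assigns the group its policy. map_userpass_to_entity starts outside the hunk.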