From 8756c9e10aa0958e15602345c3422b37501d48a0 Mon Sep 17 00:00:00 2001
From: Geoff Wilson <geoff@gr-oss.io>
Date: Tue, 19 Nov 2024 11:59:14 -0500
Subject: [PATCH] Changes from verifying group membership -> policy assignment

---
 .devcontainer/docker-compose.yml        | 1 +
 app/lib/clients/vault/identity_alias.rb | 2 +-
 app/lib/clients/vault/oidc.rb           | 2 ++
 app/lib/clients/vault/policy.rb         | 2 +-
 app/lib/utils/oidc_provider.rb          | 7 ++++++-
 5 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
index e73e950..b8f3f66 100644
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -31,6 +31,7 @@ services:
     volumes:
       - ../cert:/vault/cert
     environment:
+      VAULT_LOG_LEVEL: debug
       VAULT_DEV_ROOT_TOKEN_ID: root_token
       VAULT_LOCAL_CONFIG: >
         {
diff --git a/app/lib/clients/vault/identity_alias.rb b/app/lib/clients/vault/identity_alias.rb
index d5cac85..a489e05 100644
--- a/app/lib/clients/vault/identity_alias.rb
+++ b/app/lib/clients/vault/identity_alias.rb
@@ -63,7 +63,7 @@ def write_identity_alias(type, identity_name, alias_name, auth_method)
           raise "no such #{type} #{identity_name}"
         end
         aliases = (identity.data[:aliases] || [ identity.data[:alias] ])
-        identity_alias = find_alias(aliases, alias_name, "oidc")
+        identity_alias = find_alias(aliases, alias_name, auth_method)
         # only create alias when not existant
         unless identity_alias
           client.logical.write("identity/#{type}-alias",
diff --git a/app/lib/clients/vault/oidc.rb b/app/lib/clients/vault/oidc.rb
index 7141f35..9ed050e 100644
--- a/app/lib/clients/vault/oidc.rb
+++ b/app/lib/clients/vault/oidc.rb
@@ -37,8 +37,10 @@ def create_default_role(client_id)
           bound_audiences: client_id,
           allowed_redirect_uris: Config[:oidc_redirect_uris],
           user_claim: "email",
+          groups_claim: "groups",
           oidc_scopes: "email",
           token_policies: "default")
+        # add 'verbose_oidc_logging: true` to params for JWT token debugging
       end
 
       def oidc_auth_data
diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb
index 7fbe942..fb82509 100644
--- a/app/lib/clients/vault/policy.rb
+++ b/app/lib/clients/vault/policy.rb
@@ -22,7 +22,7 @@ def assign_entity_policy(identity, policy_name)
       def assign_groups_policy(groups, policy_name)
         groups.each do |group|
           put_group(group, [ policy_name ])
-          put_group_alias(group, "#{group}-alias", "oidc")
+          put_group_alias(group, group, "oidc")
         end
       end
 
diff --git a/app/lib/utils/oidc_provider.rb b/app/lib/utils/oidc_provider.rb
index 0a88ddf..81c057e 100644
--- a/app/lib/utils/oidc_provider.rb
+++ b/app/lib/utils/oidc_provider.rb
@@ -57,7 +57,8 @@ def create_provider_webapp
 
   def create_provider_with_email_scope
     vault_client.logical.write("identity/oidc/scope/email",
-                                template: '{"email": {{identity.entity.metadata.email}}}')
+                                template: '{"groups": {{identity.entity.groups.names}},
+                                            "email": {{identity.entity.metadata.email}}}')
     vault_client.logical.write("identity/oidc/provider/astral",
                                 issuer: Config[:oidc_provider_addr],
                                 allowed_client_ids: @client_id,
@@ -90,5 +91,9 @@ def map_userpass_to_entity
                                 name: Config[:initial_user_name],
                                 canonical_id: entity_id,
                                 mount_accessor: accessor)
+    # setup a group membership for intial user
+    vault_client.logical.write("identity/group",
+                                name: "read_group",
+                                member_entity_ids: entity_id)
   end
 end