fix: add feedback from review

2025-01-09 18:09:08 +01:00 · 2025-01-09 18:09:08 +01:00 · a7937a81a7
parent 9bd6a1306a
commit a7937a81a7
10 changed files with 10 additions and 12 deletions
--- a/pkg/apis/middleware/session.go
+++ b/pkg/apis/middleware/session.go
@ -25,7 +25,7 @@ func CreateTokenToSessionFunc(verify VerifyFunc) TokenToSessionFunc {
 			Verified          *bool    `json:"email_verified"`
 			PreferredUsername string   `json:"preferred_username"`
 			Groups            []string `json:"groups"`
-			Acr               string   `json:"acr"`
+			ACR               string   `json:"acr"`
 		}

 		idToken, err := verify(ctx, token)
@ -50,7 +50,7 @@ func CreateTokenToSessionFunc(verify VerifyFunc) TokenToSessionFunc {
 			User:              claims.Subject,
 			Groups:            claims.Groups,
 			PreferredUsername: claims.PreferredUsername,
-			Acr:               claims.Acr,
+			ACR:               claims.ACR,
 			AccessToken:       token,
 			IDToken:           token,
 			RefreshToken:      "",
--- a/pkg/apis/options/legacy_options.go
+++ b/pkg/apis/options/legacy_options.go
@ -727,7 +727,6 @@ func (l *LegacyProvider) convert() (Providers, error) {
 		provider.KeycloakConfig = KeycloakOptions{
 			Groups: l.KeycloakGroups,
 			Roles:  l.AllowedRoles,
-			ACRs:   l.AcrValues,
 		}
 	case "keycloak":
 		provider.KeycloakConfig = KeycloakOptions{
--- a/pkg/apis/options/providers.go
+++ b/pkg/apis/options/providers.go
@ -149,7 +149,6 @@ type KeycloakOptions struct {

 	// Role enables to restrict login to users with role (only available when using the keycloak-oidc provider)
 	Roles []string `json:"roles,omitempty"`
-	ACRs  string   `json:"acr,omitempty"`
 }

 type AzureOptions struct {
@ -261,6 +260,8 @@ type OIDCOptions struct {
 	// ExtraAudiences is a list of additional audiences that are allowed
 	// to pass verification in addition to the client id.
 	ExtraAudiences []string `json:"extraAudiences,omitempty"`
+	// to pass acr values to the provider
+	ACRs string `json:"acr,omitempty"`
 }

 type LoginGovOptions struct {
--- a/pkg/apis/sessions/session_state.go
+++ b/pkg/apis/sessions/session_state.go
@ -28,7 +28,7 @@ type SessionState struct {
 	User              string   `msgpack:"u,omitempty"`
 	Groups            []string `msgpack:"g,omitempty"`
 	PreferredUsername string   `msgpack:"pu,omitempty"`
-	Acr               string   `msgpack:"acr,omitempty"`
+	ACR               string   `msgpack:"acr,omitempty"`

 	// Internal helpers, not serialized
 	Clock clock.Clock `msgpack:"-"`
@ -150,7 +150,7 @@ func (s *SessionState) GetClaim(claim string) []string {
 	case "preferred_username":
 		return []string{s.PreferredUsername}
 	case "acr":
-		return []string{s.Acr}
+		return []string{s.ACR}
 	default:
 		return []string{}
 	}
--- a/providers/keycloak.go
+++ b/providers/keycloak.go
@ -61,7 +61,6 @@ func NewKeycloakProvider(p *ProviderData, opts options.KeycloakOptions) *Keycloa

 	provider := &KeycloakProvider{ProviderData: p}
 	provider.setAllowedGroups(opts.Groups)
-	provider.setAllowedACR(opts.ACRs)
 	return provider
 }

--- a/providers/keycloak_oidc.go
+++ b/providers/keycloak_oidc.go
@ -26,7 +26,6 @@ func NewKeycloakOIDCProvider(p *ProviderData, opts options.Provider) *KeycloakOI
 	}

 	provider.addAllowedRoles(opts.KeycloakConfig.Roles)
-	provider.setAllowedACR(opts.KeycloakConfig.ACRs)
 	return provider
 }

--- a/providers/oidc.go
+++ b/providers/oidc.go
@ -46,6 +46,7 @@ func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider {
 	}

 	p.setProviderDefaults(oidcProviderDefaults)
+	p.setAllowedACR(opts.ACRs)
 	p.getAuthorizationHeaderFunc = makeOIDCHeader

 	return &OIDCProvider{
--- a/providers/provider_data.go
+++ b/providers/provider_data.go
@ -268,7 +268,7 @@ func (p *ProviderData) buildSessionFromClaims(rawIDToken, accessToken string) (*
 		{p.UserClaim, &ss.User},
 		{p.EmailClaim, &ss.Email},
 		{p.GroupsClaim, &ss.Groups},
-		{oidcAcrClaim, &ss.Acr},
+		{oidcAcrClaim, &ss.ACR},
 		// TODO (@NickMeves) Deprecate for dynamic claim to session mapping
 		{"preferred_username", &ss.PreferredUsername},
 	} {
--- a/providers/provider_default.go
+++ b/providers/provider_default.go
@ -117,8 +117,7 @@ func (p *ProviderData) EnrichSession(_ context.Context, _ *sessions.SessionState
 // This is not used for fine-grained per route authorization rules.
 func (p *ProviderData) Authorize(_ context.Context, s *sessions.SessionState) (bool, error) {
 	if len(p.AllowedACRs) > 0 {
-		var _, ok = p.AllowedACRs[s.Acr]
-		if !ok {
+		if _, ok := p.AllowedACRs[s.ACR]; !ok {
 			return false, nil
 		}
 	}
--- a/providers/provider_default_test.go
+++ b/providers/provider_default_test.go
@ -128,7 +128,7 @@ func TestProviderDataAuthorize(t *testing.T) {

 			session := &sessions.SessionState{
 				Groups: tc.groups,
-				Acr:    tc.userAcr,
+				ACR:    tc.userAcr,
 			}
 			p := &ProviderData{}
 			p.setAllowedGroups(tc.allowedGroups)