Merge a7937a81a7 into 110d51d1d7

2025-10-28 10:25:15 +01:00 · 2025-10-28 10:25:15 +01:00 · f5a8d15807
parent 110d51d1d7 a7937a81a7
commit f5a8d15807
7 changed files with 46 additions and 0 deletions
--- a/pkg/apis/middleware/session.go
+++ b/pkg/apis/middleware/session.go
@ -25,6 +25,7 @@ func CreateTokenToSessionFunc(verify VerifyFunc) TokenToSessionFunc {
 			Verified          *bool    `json:"email_verified"`
 			PreferredUsername string   `json:"preferred_username"`
 			Groups            []string `json:"groups"`
+			ACR               string   `json:"acr"`
 		}

 		idToken, err := verify(ctx, token)
@ -49,6 +50,7 @@ func CreateTokenToSessionFunc(verify VerifyFunc) TokenToSessionFunc {
 			User:              claims.Subject,
 			Groups:            claims.Groups,
 			PreferredUsername: claims.PreferredUsername,
+			ACR:               claims.ACR,
 			AccessToken:       token,
 			IDToken:           token,
 			RefreshToken:      "",
--- a/pkg/apis/options/providers.go
+++ b/pkg/apis/options/providers.go
@ -272,6 +272,8 @@ type OIDCOptions struct {
 	// ExtraAudiences is a list of additional audiences that are allowed
 	// to pass verification in addition to the client id.
 	ExtraAudiences []string `json:"extraAudiences,omitempty"`
+	// to pass acr values to the provider
+	ACRs string `json:"acr,omitempty"`
 }

 type LoginGovOptions struct {
--- a/pkg/apis/sessions/session_state.go
+++ b/pkg/apis/sessions/session_state.go
@ -27,6 +27,7 @@ type SessionState struct {
 	User              string   `msgpack:"u,omitempty"`
 	Groups            []string `msgpack:"g,omitempty"`
 	PreferredUsername string   `msgpack:"pu,omitempty"`
+	ACR               string   `msgpack:"acr,omitempty"`

 	// Internal helpers, not serialized
 	Clock func() time.Time `msgpack:"-"` // override for time.Now, for testing
@ -154,6 +155,8 @@ func (s *SessionState) GetClaim(claim string) []string {
 		return groups
 	case "preferred_username":
 		return []string{s.PreferredUsername}
+	case "acr":
+		return []string{s.ACR}
 	default:
 		return []string{}
 	}
--- a/providers/oidc.go
+++ b/providers/oidc.go
@ -46,6 +46,7 @@ func NewOIDCProvider(p *ProviderData, opts options.OIDCOptions) *OIDCProvider {
 	}

 	p.setProviderDefaults(oidcProviderDefaults)
+	p.setAllowedACR(opts.ACRs)
 	p.getAuthorizationHeaderFunc = makeOIDCHeader

 	return &OIDCProvider{
--- a/providers/provider_data.go
+++ b/providers/provider_data.go
@ -22,6 +22,7 @@ import (
 const (
 	// This is not exported as it's not currently user configurable
 	oidcUserClaim = "sub"
+	oidcAcrClaim  = "acr"
 )

 // ProviderData contains information required to configure all implementations
@ -55,6 +56,7 @@ type ProviderData struct {
 	// Universal Group authorization data structure
 	// any provider can set to consume
 	AllowedGroups map[string]struct{}
+	AllowedACRs   map[string]struct{}

 	getAuthorizationHeaderFunc func(string) http.Header
 	loginURLParameterDefaults  url.Values
@ -183,6 +185,14 @@ func (p *ProviderData) setAllowedGroups(groups []string) {
 	}
 }

+func (p *ProviderData) setAllowedACR(acrs string) {
+	p.AllowedACRs = make(map[string]struct{})
+	var resultingACRs = strings.Split(acrs, ",")
+	for _, acr := range resultingACRs {
+		p.AllowedACRs[acr] = struct{}{}
+	}
+}
+
 type providerDefaults struct {
 	name        string
 	loginURL    *url.URL
@ -260,6 +270,7 @@ func (p *ProviderData) buildSessionFromClaims(rawIDToken, accessToken string) (*
 		{p.UserClaim, &ss.User},
 		{p.EmailClaim, &ss.Email},
 		{p.GroupsClaim, &ss.Groups},
+		{oidcAcrClaim, &ss.ACR},
 		// TODO (@NickMeves) Deprecate for dynamic claim to session mapping
 		{"preferred_username", &ss.PreferredUsername},
 	} {
--- a/providers/provider_default.go
+++ b/providers/provider_default.go
@ -121,6 +121,12 @@ func (p *ProviderData) EnrichSession(_ context.Context, _ *sessions.SessionState
 // Authorize performs global authorization on an authenticated session.
 // This is not used for fine-grained per route authorization rules.
 func (p *ProviderData) Authorize(_ context.Context, s *sessions.SessionState) (bool, error) {
+	if len(p.AllowedACRs) > 0 {
+		if _, ok := p.AllowedACRs[s.ACR]; !ok {
+			return false, nil
+		}
+	}
+
 	if len(p.AllowedGroups) == 0 {
 		return true, nil
 	}
--- a/providers/provider_default_test.go
+++ b/providers/provider_default_test.go
@ -76,6 +76,8 @@ func TestProviderDataAuthorize(t *testing.T) {
 		name          string
 		allowedGroups []string
 		groups        []string
+		acr           string
+		userAcr       string
 		expectedAuthZ bool
 	}{
 		{
@ -102,6 +104,23 @@ func TestProviderDataAuthorize(t *testing.T) {
 			groups:        []string{"baz", "foo"},
 			expectedAuthZ: false,
 		},
+		{
+			name:          "UserNotAllowedForACRLevel",
+			acr:           "1",
+			expectedAuthZ: false,
+		},
+		{
+			name:          "UserNotAllowedForACRLevel",
+			acr:           "1",
+			userAcr:       "1",
+			expectedAuthZ: true,
+		},
+		{
+			name:          "UserNotAllowedForACRLevel",
+			acr:           "2",
+			userAcr:       "somethingElse",
+			expectedAuthZ: false,
+		},
 	}

 	for _, tc := range testCases {
@ -110,9 +129,11 @@ func TestProviderDataAuthorize(t *testing.T) {

 			session := &sessions.SessionState{
 				Groups: tc.groups,
+				ACR:    tc.userAcr,
 			}
 			p := &ProviderData{}
 			p.setAllowedGroups(tc.allowedGroups)
+			p.setAllowedACR(tc.acr)

 			authorized, err := p.Authorize(context.Background(), session)
 			g.Expect(err).ToNot(HaveOccurred())