(_ context.Context, mergedClaims jwt.MapClaims)
| 72 | } |
| 73 | |
| 74 | func (s AGPLIDPSync) ParseGroupClaims(_ context.Context, mergedClaims jwt.MapClaims) (GroupParams, *HTTPError) { |
| 75 | if s.GroupField != "" && len(s.GroupAllowList) > 0 { |
| 76 | groupsRaw, ok := mergedClaims[s.GroupField] |
| 77 | if !ok { |
| 78 | return GroupParams{}, &HTTPError{ |
| 79 | Code: http.StatusForbidden, |
| 80 | Msg: "Not a member of an allowed group", |
| 81 | Detail: "You have no groups in your claims!", |
| 82 | RenderStaticPage: true, |
| 83 | } |
| 84 | } |
| 85 | parsedGroups, err := ParseStringSliceClaim(groupsRaw) |
| 86 | if err != nil { |
| 87 | return GroupParams{}, &HTTPError{ |
| 88 | Code: http.StatusBadRequest, |
| 89 | Msg: "Failed read groups from claims for allow list check. Ask an administrator for help.", |
| 90 | Detail: err.Error(), |
| 91 | RenderStaticPage: true, |
| 92 | } |
| 93 | } |
| 94 | |
| 95 | inAllowList := false |
| 96 | AllowListCheckLoop: |
| 97 | for _, group := range parsedGroups { |
| 98 | if _, ok := s.GroupAllowList[group]; ok { |
| 99 | inAllowList = true |
| 100 | break AllowListCheckLoop |
| 101 | } |
| 102 | } |
| 103 | |
| 104 | if !inAllowList { |
| 105 | return GroupParams{}, &HTTPError{ |
| 106 | Code: http.StatusForbidden, |
| 107 | Msg: "Not a member of an allowed group", |
| 108 | Detail: "Ask an administrator to add one of your groups to the allow list.", |
| 109 | RenderStaticPage: true, |
| 110 | } |
| 111 | } |
| 112 | } |
| 113 | |
| 114 | return GroupParams{ |
| 115 | SyncEntitled: s.GroupSyncEntitled(), |
| 116 | MergedClaims: mergedClaims, |
| 117 | }, nil |
| 118 | } |
| 119 | |
| 120 | func (s AGPLIDPSync) SyncGroups(ctx context.Context, db database.Store, user database.User, params GroupParams) error { |
| 121 | // Nothing happens if sync is not enabled |
nothing calls this directly
no test coverage detected