IntenseWebs/grafana
3
0
Fork 0
mirror of https://github.com/grafana/grafana.git synced 2025-02-25 18:55:37 -06:00
Code Issues Packages Projects Releases Wiki Activity

Auth: Fix US gov azure ad oauth URL parsing (#71254)

Browse Source 
Updates regex for tenant ID parsing to support .us domains in addition
to .com domains for Azure AD.

Fixes #71252
This commit is contained in:
Douglas Adams
2023-07-10 06:37:00 -04:00
committed by GitHub
parent 17b2240d52
commit 3a245e4945
2 changed files with 33 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
pkg/login/social/azuread_oauth.go
View File

@@ -334,7 +334,7 @@ func (s *SocialAzureAD) SupportBundleContent(bf *bytes.Buffer) error {
func (s *SocialAzureAD) extractTenantID(authURL string) (string, error) { func (s *SocialAzureAD) extractTenantID(authURL string) (string, error) {
if s.compiledTenantRegex == nil { if s.compiledTenantRegex == nil {
compiledTenantRegex, err := regexp.Compile(`https://login.microsoftonline.com/([^/]+)/oauth2`) compiledTenantRegex, err := regexp.Compile(`https://login.microsoftonline.(com|us)/([^/]+)/oauth2`)
if err != nil { if err != nil {
return "", err return "", err
} }
@@ -342,10 +342,10 @@ func (s *SocialAzureAD) extractTenantID(authURL string) (string, error) {
} }
matches := s.compiledTenantRegex.FindStringSubmatch(authURL) matches := s.compiledTenantRegex.FindStringSubmatch(authURL)
if len(matches) < 2 { if len(matches) < 3 {
return "", fmt.Errorf("unable to extract tenant ID from URL") return "", fmt.Errorf("unable to extract tenant ID from URL")
} }
return matches[1], nil return matches[2], nil
} }
func (s *SocialAzureAD) retrieveJWKS(client *http.Client) (*jose.JSONWebKeySet, error) { func (s *SocialAzureAD) retrieveJWKS(client *http.Client) (*jose.JSONWebKeySet, error) {

31
pkg/login/social/azuread_oauth_test.go
View File

@@ -36,6 +36,7 @@ func TestSocialAzureAD_UserInfo(t *testing.T) {
allowedGroups []string allowedGroups []string
allowedOrganizations []string allowedOrganizations []string
forceUseGraphAPI bool forceUseGraphAPI bool
usGovURL bool
} }
type args struct { type args struct {
client *http.Client client *http.Client
@@ -89,6 +90,28 @@ func TestSocialAzureAD_UserInfo(t *testing.T) {
want: nil, want: nil,
wantErr: true, wantErr: true,
}, },
{
name: "US Government domain",
claims: &azureClaims{
Email: "me@example.com",
PreferredUsername: "",
Roles: []string{},
Name: "My Name",
ID: "1234",
},
fields: fields{
SocialBase: newSocialBase("azuread", &oauth2.Config{}, &OAuthInfo{}, "Viewer", false, *featuremgmt.WithFeatures()),
usGovURL: true,
},
want: &BasicUserInfo{
Id: "1234",
Name: "My Name",
Email: "me@example.com",
Login: "me@example.com",
Role: "Viewer",
Groups: []string{},
},
},
{ {
name: "Email in preferred_username claim", name: "Email in preferred_username claim",
claims: &azureClaims{ claims: &azureClaims{
@@ -476,6 +499,8 @@ func TestSocialAzureAD_UserInfo(t *testing.T) {
} }
authURL := "https://login.microsoftonline.com/1234/oauth2/v2.0/authorize" authURL := "https://login.microsoftonline.com/1234/oauth2/v2.0/authorize"
usGovAuthURL := "https://login.microsoftonline.us/1234/oauth2/v2.0/authorize"
cache := remotecache.NewFakeCacheStorage() cache := remotecache.NewFakeCacheStorage()
// put JWKS in cache // put JWKS in cache
jwksDump, err := json.Marshal(jwks) jwksDump, err := json.Marshal(jwks)
@@ -498,7 +523,11 @@ func TestSocialAzureAD_UserInfo(t *testing.T) {
s.SocialBase = newSocialBase("azuread", &oauth2.Config{}, &OAuthInfo{}, "", false, *featuremgmt.WithFeatures()) s.SocialBase = newSocialBase("azuread", &oauth2.Config{}, &OAuthInfo{}, "", false, *featuremgmt.WithFeatures())
} }
s.SocialBase.Endpoint.AuthURL = authURL if tt.fields.usGovURL {
s.SocialBase.Endpoint.AuthURL = usGovAuthURL
} else {
s.SocialBase.Endpoint.AuthURL = authURL
}
cl := jwt.Claims{ cl := jwt.Claims{
Subject: "subject", Subject: "subject",