Auth: Added support to filter for parent teams in GitHub connector's team membership filter (#86754)

* added changes for parent teams in team_ids. see https://github.com/grafana/grafana/issues/85916

Signed-off-by: Syed Nihal <syed.nihal@nokia.com>

* added unit test

Signed-off-by: Syed Nihal <syed.nihal@nokia.com>

* addressed review comments to consider case where parent object can be null

Signed-off-by: Syed Nihal <syed.nihal@nokia.com>

* addressed review comment

Signed-off-by: Syed Nihal <syed.nihal@nokia.com>

---------

Signed-off-by: Syed Nihal <syed.nihal@nokia.com>
Nihal 2024-05-07 21:49:20 +05:30 committed by GitHub
parent 2d8570e85e
commit 5fb87de321
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 40 additions and 7 deletions


@ -45,6 +45,9 @@ type GithubTeam struct {
Organization struct {
Login string `json:"login"`
} `json:"organization"`
Parent *struct {
Id int `json:"id"`
} `json:"parent"`
}
var (
@ -144,7 +147,7 @@ func (s *SocialGithub) isTeamMember(ctx context.Context, client *http.Client) bo
for _, teamId := range s.teamIds {
for _, membership := range teamMemberships {
if teamId == membership.Id {
if teamId == membership.Id || (membership.Parent != nil && teamId == membership.Parent.Id) {
return true
}
}
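Review bot: The widened condition in isTeamMember compares only `membership.Parent.Id`, the direct parent, so a team nested two or more levels below a configured `team_ids` entry would still be rejected unless the API response lists the ancestor team itself (not visible here). Since this check decides whether the user passes the team filter, the scope deserves a comment above the condition, e.g. `// allow the team itself or its direct parent; deeper ancestors are not walked`. Deployments that already list a parent team's id will now admit members of every direct child team, which should be stated in the `team_ids` documentation so operators can review their allow-lists. The function body starts and ends outside the hunk.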


@ -34,7 +34,6 @@ const testGHUserTeamsJSON = `[
"permission": "admin",
"members_url": "https://api.github.com/teams/1/members{/member}",
"repositories_url": "https://api.github.com/teams/1/repos",
"parent": null,
"members_count": 3,
"repos_count": 10,
"created_at": "2017-07-14T16:53:42Z",
@ -68,7 +67,21 @@ const testGHUserTeamsJSON = `[
"created_at": "2008-01-14T04:33:35Z",
"updated_at": "2017-08-17T12:37:15Z",
"type": "Organization"
}
},
"parent": {
"name": "DC",
"id": 99,
"node_id": "bm9kZTIyCg==",
"slug": "dc",
"description": "",
"privacy": "closed",
"notification_setting": "notifications_enabled",
"url": "https://api.github.com/organizations/github/team/2",
"html_url": "https://github.com/orgs/github/teams/dc",
"members_url": "https://api.github.com/orgs/github/members{/member}",
"repositories_url": "https://api.github.com/teams/2/repos",
"permission": "pull"
}
}
]`
@ -132,6 +145,7 @@ func TestSocialGitHub_UserInfo(t *testing.T) {
autoAssignOrgRole string
want *social.BasicUserInfo
wantErr bool
oAuthExtraInfo map[string]string
}{
{
name: "Basic User info",
@ -225,6 +239,25 @@ func TestSocialGitHub_UserInfo(t *testing.T) {
Groups: []string{"https://github.com/orgs/github/teams/justice-league", "@github/justice-league"},
},
},
{
// see: https://github.com/grafana/grafana/issues/85916
name: "should check parent team id for team membership",
roleAttributePath: "",
userRawJSON: testGHUserJSON,
autoAssignOrgRole: "Editor",
userTeamsRawJSON: testGHUserTeamsJSON,
oAuthExtraInfo: map[string]string{
"team_ids": "99",
},
want: &social.BasicUserInfo{
Id: "1",
Name: "monalisa octocat",
Email: "octocat@github.com",
Login: "octocat",
Role: "Editor",
Groups: []string{"https://github.com/orgs/github/teams/justice-league", "@github/justice-league"},
},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
@ -250,10 +283,7 @@ func TestSocialGitHub_UserInfo(t *testing.T) {
ApiUrl: server.URL + "/user",
RoleAttributePath: tt.roleAttributePath,
SkipOrgRoleSync: tt.settingSkipOrgRoleSync,
Extra: map[string]string{
"allowed_organizations": "",
"team_ids": "",
},
Extra: tt.oAuthExtraInfo,
}, &setting.Cfg{
AutoAssignOrgRole: tt.autoAssignOrgRole,
}, &ssosettingstests.MockService{},
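Review bot: The new table case in TestSocialGitHub_UserInfo proves only that `team_ids: "99"` admits the user through the parent id; no case checks that an id matching neither a team nor its parent is refused, which is the direction that matters for an access filter. A sibling case with `oAuthExtraInfo: map[string]string{"team_ids": "424242"}` (a constructed id, absent from the fixture) and `wantErr: true` would pin that, assuming UserInfo returns an error for non-members, which these hunks do not show. Replacing the literal `Extra` map with `tt.oAuthExtraInfo` also makes every pre-existing case pass a nil map instead of empty strings; that looks harmless if the connector only reads keys, but it silently changes what those cases exercise.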