JWT Authentication: Add support for specifying groups in auth.jwt for teamsync (#82175)

* merge JSON search logic * document public methods * improve test coverage * use separate JWT setting struct * correct use of cfg.JWTAuth * add group tests * fix DynMap typing * add settings to default ini * add groups option to devenv path * fix test * lint * revert jwt-proxy change * remove redundant check * fix parallel test
2025-02-25 18:55:37 -06:00 · 2024-02-09 16:35:58 +01:00
parent 32a1f3955a
commit 6f62d970e3
28 changed files with 601 additions and 509 deletions
--- a/pkg/util/json_test.go
+++ b/pkg/util/json_test.go
@@ -0,0 +1,155 @@
+package util_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/grafana/grafana/pkg/util"
+)
+
+func TestSearchJSONForGroups(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		Name                string
+		searchObject        any
+		GroupsAttributePath string
+		ExpectedResult      []string
+		ExpectedError       error
+	}{
+		{
+			Name:                "Given an invalid user info JSON response",
+			searchObject:        []byte("{"),
+			GroupsAttributePath: "attributes.groups",
+			ExpectedResult:      []string{},
+			ExpectedError:       util.ErrFailedToUnmarshalJSON,
+		},
+		{
+			Name:                "Given an empty user info JSON response and empty JMES path",
+			searchObject:        []byte{},
+			GroupsAttributePath: "",
+			ExpectedResult:      []string{},
+			ExpectedError:       util.ErrNoAttributePathSpecified,
+		},
+		{
+			Name:                "Given an empty user info JSON response and valid JMES path",
+			searchObject:        []byte{},
+			GroupsAttributePath: "attributes.groups",
+			ExpectedResult:      []string{},
+			ExpectedError:       util.ErrEmptyJSON,
+		},
+		{
+			Name:                "Given a nil JSON and valid JMES path",
+			searchObject:        []byte{},
+			GroupsAttributePath: "attributes.groups",
+			ExpectedResult:      []string{},
+			ExpectedError:       util.ErrEmptyJSON,
+		},
+		{
+			Name: "Given a simple user info JSON response and valid JMES path",
+			searchObject: []byte(`{
+		"attributes": {
+			"groups": ["foo", "bar"]
+		}
+}`),
+			GroupsAttributePath: "attributes.groups[]",
+			ExpectedResult:      []string{"foo", "bar"},
+		},
+		{
+			Name: "Given a simple object and valid JMES path",
+			searchObject: map[string]any{
+				"attributes": map[string]any{
+					"groups": []string{"foo", "bar"},
+				},
+			},
+			GroupsAttributePath: "attributes.groups[]",
+			ExpectedResult:      []string{"foo", "bar"},
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+			actualResult, err := util.SearchJSONForStringSliceAttr(
+				test.GroupsAttributePath, test.searchObject)
+			if test.ExpectedError == nil {
+				require.NoError(t, err)
+			} else {
+				require.ErrorIs(t, err, test.ExpectedError)
+			}
+			require.Equal(t, test.ExpectedResult, actualResult)
+		})
+	}
+}
+
+func TestSearchJSONForEmail(t *testing.T) {
+	t.Parallel()
+	tests := []struct {
+		Name                 string
+		UserInfoJSONResponse any
+		EmailAttributePath   string
+		ExpectedResult       string
+		ExpectedError        error
+	}{
+		{
+			Name: "Given a simple user info JSON response and valid JMES path",
+			UserInfoJSONResponse: []byte(`{
+	"attributes": {
+		"email": "grafana@localhost"
+	}
+}`),
+			EmailAttributePath: "attributes.email",
+			ExpectedResult:     "grafana@localhost",
+		},
+		{
+			Name: "Given a simple object and valid JMES path",
+			UserInfoJSONResponse: map[string]any{
+				"attributes": map[string]any{
+					"email": "grafana@localhost",
+				},
+			},
+			EmailAttributePath: "attributes.email",
+			ExpectedResult:     "grafana@localhost",
+		},
+		{
+			Name: "Given a user info JSON response with e-mails array and valid JMES path",
+			UserInfoJSONResponse: []byte(`{
+	"attributes": {
+		"emails": ["grafana@localhost", "admin@localhost"]
+	}
+}`),
+			EmailAttributePath: "attributes.emails[0]",
+			ExpectedResult:     "grafana@localhost",
+		},
+		{
+			Name: "Given a nested user info JSON response and valid JMES path",
+			UserInfoJSONResponse: []byte(`{
+	"identities": [
+		{
+			"userId": "grafana@localhost"
+		},
+		{
+			"userId": "admin@localhost"
+		}
+	]
+}`),
+			EmailAttributePath: "identities[0].userId",
+			ExpectedResult:     "grafana@localhost",
+		},
+	}
+
+	for _, test := range tests {
+		test := test
+		t.Run(test.Name, func(t *testing.T) {
+			t.Parallel()
+			actualResult, err := util.SearchJSONForStringAttr(test.EmailAttributePath, test.UserInfoJSONResponse)
+			if test.ExpectedError != nil {
+				require.NoError(t, err)
+			} else {
+				require.ErrorIs(t, err, test.ExpectedError)
+			}
+			require.Equal(t, test.ExpectedResult, actualResult)
+		})
+	}
+}