SSO: Fix team_ids validation for Generic OAuth (#100732)

fix team_ids validation in the API
2025-02-25 18:55:37 -06:00 · 2025-02-14 17:57:28 +02:00 · 2025-02-14 17:57:28 +02:00 · dc5602bad9
commit dc5602bad9
parent cbae35c28b
2 changed files with 58 additions and 1 deletions
--- a/pkg/login/social/connectors/generic_oauth.go
+++ b/pkg/login/social/connectors/generic_oauth.go
@ -111,7 +111,8 @@ func (s *SocialGenericOAuth) Validate(ctx context.Context, newSettings ssoModels
 		return err
 	}

-	if info.Extra[teamIdsKey] != "" && (info.TeamIdsAttributePath == "" || info.TeamsUrl == "") {
+	teamIds := util.SplitString(info.Extra[teamIdsKey])
+	if len(teamIds) > 0 && (info.TeamIdsAttributePath == "" || info.TeamsUrl == "") {
 		return ssosettings.ErrInvalidOAuthConfig("If Team Ids are configured then Team Ids attribute path and Teams URL must be configured.")
 	}

--- a/pkg/login/social/connectors/generic_oauth_test.go
+++ b/pkg/login/social/connectors/generic_oauth_test.go
@ -1000,6 +1000,34 @@ func TestSocialGenericOAuth_Validate(t *testing.T) {
 			},
 			wantErr: nil,
 		},
+		{
+			name: "passes when team_ids is an empty array and teams_id_attribute_path and teams_url are empty",
+			settings: ssoModels.SSOSettings{
+				Settings: map[string]any{
+					"client_id":               "client-id",
+					"team_ids_attribute_path": "",
+					"teams_url":               "",
+					"auth_url":                "https://example.com/auth",
+					"token_url":               "https://example.com/token",
+					"team_ids":                "[]",
+				},
+			},
+			wantErr: nil,
+		},
+		{
+			name: "passes when team_ids is set and teams_id_attribute_path and teams_url are not empty",
+			settings: ssoModels.SSOSettings{
+				Settings: map[string]any{
+					"client_id":               "client-id",
+					"team_ids_attribute_path": "teams",
+					"teams_url":               "https://example.com/teams",
+					"auth_url":                "https://example.com/auth",
+					"token_url":               "https://example.com/token",
+					"team_ids":                "[\"123\"]",
+				},
+			},
+			wantErr: nil,
+		},
 		{
 			name: "fails if settings map contains an invalid field",
 			settings: ssoModels.SSOSettings{
@ -1116,6 +1144,34 @@ func TestSocialGenericOAuth_Validate(t *testing.T) {
 			},
 			wantErr: ssosettings.ErrBaseInvalidOAuthConfig,
 		},
+		{
+			name: "fails when team_ids is a valid string and teams_id_attribute_path and teams_url are empty",
+			settings: ssoModels.SSOSettings{
+				Settings: map[string]any{
+					"client_id":               "client-id",
+					"team_ids_attribute_path": "",
+					"teams_url":               "",
+					"auth_url":                "https://example.com/auth",
+					"token_url":               "https://example.com/token",
+					"team_ids":                "123",
+				},
+			},
+			wantErr: ssosettings.ErrBaseInvalidOAuthConfig,
+		},
+		{
+			name: "fails when team_ids is a valid array and teams_id_attribute_path and teams_url are empty",
+			settings: ssoModels.SSOSettings{
+				Settings: map[string]any{
+					"client_id":               "client-id",
+					"team_ids_attribute_path": "",
+					"teams_url":               "",
+					"auth_url":                "https://example.com/auth",
+					"token_url":               "https://example.com/token",
+					"team_ids":                "[\"123\",\"456\",\"789\"]",
+				},
+			},
+			wantErr: ssosettings.ErrBaseInvalidOAuthConfig,
+		},
 	}

 	for _, tc := range testCases {