Azure: Fix for username assertion (#87853)

Fix for username assertion - Allow setting username assertion in INI - Correctly set the azsettings value - Update tests
2025-02-25 18:55:37 -06:00 · 2024-05-16 17:50:02 +01:00
parent 1957cfe6af
commit edae5fc791
4 changed files with 47 additions and 0 deletions
--- a/pkg/setting/setting_azure.go
+++ b/pkg/setting/setting_azure.go
@@ -64,6 +64,9 @@ func (cfg *Cfg) readAzureSettings() {
 		if val := azureSection.Key("user_identity_client_secret").String(); val != "" {
 			tokenEndpointSettings.ClientSecret = val
 		}
+		if val := azureSection.Key("username_assertion").String(); val != "" && val == "username" {
+			tokenEndpointSettings.UsernameAssertion = true
+		}

 		azureSettings.UserIdentityTokenEndpoint = tokenEndpointSettings
 		azureSettings.UserIdentityFallbackCredentialsEnabled = azureSection.Key("user_identity_fallback_credentials_enabled").MustBool(true)
--- a/pkg/setting/setting_azure_test.go
+++ b/pkg/setting/setting_azure_test.go
@@ -261,6 +261,40 @@ func TestAzureSettings(t *testing.T) {
 			assert.Equal(t, "ID_2", cfg.Azure.UserIdentityTokenEndpoint.ClientId)
 			assert.Empty(t, cfg.Azure.UserIdentityTokenEndpoint.ClientSecret)
 		})
+
+		t.Run("does not enable username assertion by default", func(t *testing.T) {
+			cfg := NewCfg()
+
+			azureSection, err := cfg.Raw.NewSection("azure")
+			require.NoError(t, err)
+			_, err = azureSection.NewKey("user_identity_enabled", "true")
+			require.NoError(t, err)
+
+			cfg.readAzureSettings()
+			require.NotNil(t, cfg.Azure)
+			require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
+
+			assert.True(t, cfg.Azure.UserIdentityEnabled)
+			assert.False(t, cfg.Azure.UserIdentityTokenEndpoint.UsernameAssertion)
+		})
+
+		t.Run("should appropriately set username assertion", func(t *testing.T) {
+			cfg := NewCfg()
+
+			azureSection, err := cfg.Raw.NewSection("azure")
+			require.NoError(t, err)
+			_, err = azureSection.NewKey("user_identity_enabled", "true")
+			require.NoError(t, err)
+			_, err = azureSection.NewKey("username_assertion", "username")
+			require.NoError(t, err)
+
+			cfg.readAzureSettings()
+			require.NotNil(t, cfg.Azure)
+			require.NotNil(t, cfg.Azure.UserIdentityTokenEndpoint)
+
+			assert.True(t, cfg.Azure.UserIdentityEnabled)
+			assert.True(t, cfg.Azure.UserIdentityTokenEndpoint.UsernameAssertion)
+		})
 	})

 	t.Run("forward settings to plugins", func(t *testing.T) {