Added auto group detection for SSO login using OIDC

Author: akclace

internal/server/app_apis.go

@@ -469,6 +469,7 @@ func (s *Server) authenticateAndServeApp(w http.ResponseWriter, r *http.Request,
 	// Remove the RBAC_AUTH_PREFIX rbac: prefix
 	strippedAuthStr := strings.TrimPrefix(string(appAuth), RBAC_AUTH_PREFIX)
 	strippedAuth := types.AppAuthnType(strippedAuthStr)
+	groups := make([]string, 0)
 
 	if strippedAuth == types.AppAuthnNone {
 		// No authentication required
@@ -502,7 +503,7 @@ func (s *Server) authenticateAndServeApp(w http.ResponseWriter, r *http.Request,
 		}
 
 		// Redirect to the auth provider if not logged in
-		userId, err = s.ssoAuth.CheckAuth(w, r, strippedAuthStr, true)
+		userId, groups, err = s.ssoAuth.CheckAuth(w, r, strippedAuthStr, true)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 		}
@@ -512,7 +513,7 @@ func (s *Server) authenticateAndServeApp(w http.ResponseWriter, r *http.Request,
 	}
 
 	s.Trace().Msgf("Authenticated user %s, doing authorization check", userId)
-	authorized, err := s.rbacManager.Authorize(userId, app.AppEntry.AppPathDomain(), string(appAuth), types.PermissionAccess)
+	authorized, err := s.rbacManager.Authorize(userId, app.AppEntry.AppPathDomain(), string(appAuth), types.PermissionAccess, groups)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
@@ -526,6 +527,7 @@ func (s *Server) authenticateAndServeApp(w http.ResponseWriter, r *http.Request,
 	// Create a new context with the user ID
 	ctx := context.WithValue(r.Context(), types.USER_ID, userId)
 	ctx = context.WithValue(ctx, types.APP_ID, string(app.Id))
+	ctx = context.WithValue(ctx, types.GROUPS, groups)
 
 	contextShared := ctx.Value(types.SHARED)
 	if contextShared != nil {
@@ -917,9 +919,10 @@ func (s *Server) GetApps(ctx context.Context, appPathGlob string, internal bool)
 	}
 
 	userId := system.GetContextUserId(ctx)
+	groups := system.GetContextGroups(ctx)
 	ret := make([]types.AppResponse, 0, len(filteredApps))
 	for _, app := range filteredApps {
-		authorized, err := s.AuthorizeList(userId, &app)
+		authorized, err := s.AuthorizeList(userId, &app, groups)
 		if err != nil {
 			return nil, types.CreateRequestError(err.Error(), http.StatusInternalServerError)
 		}

internal/server/openrun_plugin.go

@@ -76,6 +76,7 @@ func (c *openrunPlugin) listAppsImpl(thread *starlark.Thread, _ *starlark.Builti
 	}
 
 	userId := system.GetRequestUserId(thread)
+	groups := system.GetRequestGroups(thread)
 	ret := starlark.List{}
 	for _, app := range apps {
 		// Filter out internal apps
@@ -116,7 +117,7 @@ func (c *openrunPlugin) listAppsImpl(thread *starlark.Thread, _ *starlark.Builti
 		}
 
 		if permCheck {
-			hasAccess, err := c.server.AuthorizeList(userId, &app)
+			hasAccess, err := c.server.AuthorizeList(userId, &app, groups)
 			if err != nil {
 				return nil, err
 			}

internal/server/rbac.go

@@ -40,7 +40,8 @@ func NewRBACHandler(logger *types.Logger, rbacConfig *types.RBACConfig, serverCo
 	return rbacManager, nil
 }
 
-func (h *RBACManager) Authorize(user string, appPathDomain types.AppPathDomain, appAuthSetting string, permission types.RBACPermission) (bool, error) {
+func (h *RBACManager) Authorize(user string, appPathDomain types.AppPathDomain,
+	appAuthSetting string, permission types.RBACPermission, groups []string) (bool, error) {
 	h.mu.RLock()
 	defer h.mu.RUnlock()
 
@@ -64,12 +65,13 @@ func (h *RBACManager) Authorize(user string, appPathDomain types.AppPathDomain,
 	appPathDomain.Path = strings.TrimSuffix(appPathDomain.Path, types.STAGE_SUFFIX)
 	appPathDomain.Path = strings.TrimSuffix(appPathDomain.Path, types.PREVIEW_SUFFIX)
 
-	return h.checkGrants(user, appPathDomain, permission)
+	return h.checkGrants(user, appPathDomain, permission, groups)
 }
 
-func (h *RBACManager) checkGrants(inputUser string, appPathDomain types.AppPathDomain, inputPermission types.RBACPermission) (bool, error) {
+func (h *RBACManager) checkGrants(inputUser string, appPathDomain types.AppPathDomain,
+	inputPermission types.RBACPermission, groups []string) (bool, error) {
 	for _, grant := range h.rbacConfig.Grants {
-		match, err := h.checkGrant(grant, inputUser, appPathDomain, inputPermission)
+		match, err := h.checkGrant(grant, inputUser, appPathDomain, inputPermission, groups)
 		if err != nil {
 			return false, err
 		}
@@ -84,12 +86,19 @@ func (h *RBACManager) checkGrants(inputUser string, appPathDomain types.AppPathD
 	return false, nil
 }
 
-func (h *RBACManager) checkGrant(grant types.RBACGrant, inputUser string, appPathDomain types.AppPathDomain, inputPermission types.RBACPermission) (bool, error) {
+func (h *RBACManager) checkGrant(grant types.RBACGrant, inputUser string, appPathDomain types.AppPathDomain,
+	inputPermission types.RBACPermission, groups []string) (bool, error) {
 	userMatched := false
 	for _, user := range grant.Users {
 		if strings.HasPrefix(user, RBAC_GROUP_PREFIX) {
 			refGroupName := user[len(RBAC_GROUP_PREFIX):]
-			if slices.Contains(h.groups[refGroupName], inputUser) {
+			if slices.Contains(groups, refGroupName) {
+				// granted group name matched group as found from SSO login
+				userMatched = true
+				break
+			}
+			refGroup, ok := h.groups[refGroupName]
+			if ok && slices.Contains(refGroup, inputUser) {
 				userMatched = true
 				break
 			}
@@ -247,16 +256,7 @@ func (h *RBACManager) validateGrants(rbacConfig *types.RBACConfig) error {
 	}
 
 	for i, grant := range rbacConfig.Grants {
-		// Validate group references in Users
-		for _, user := range grant.Users {
-			if strings.HasPrefix(user, RBAC_GROUP_PREFIX) {
-				groupName := user[len(RBAC_GROUP_PREFIX):]
-				if _, exists := rbacConfig.Groups[groupName]; !exists {
-					return fmt.Errorf("grant %d ('%s'): Users references undefined group '%s'", i, grant.Description, groupName)
-				}
-			}
-		}
-
+		// groups can be passed dynamically (for SSO login), so we don't need to validate them
 		// Validate role references in Roles
 		for _, role := range grant.Roles {
 			if _, exists := rbacConfig.Roles[role]; !exists {

internal/server/rbac_test.go

@@ -500,7 +500,7 @@ func TestAuthorizeAccess(t *testing.T) {
 				t.Fatalf("failed to create RBACManager: %v", err)
 			}
 
-			result, err := rbacManager.Authorize(tt.user, tt.appPathDomain, tt.appAuthSetting, tt.permission)
+			result, err := rbacManager.Authorize(tt.user, tt.appPathDomain, tt.appAuthSetting, tt.permission, []string{})
 
 			if tt.expectError {
 				if err == nil {
@@ -600,7 +600,7 @@ func TestAuthorizeAccessWithGroupHierarchy(t *testing.T) {
 				t.Fatalf("failed to create RBACManager: %v", err)
 			}
 
-			result, err := rbacManager.Authorize(tt.user, tt.appPathDomain, "rbac:test", tt.permission)
+			result, err := rbacManager.Authorize(tt.user, tt.appPathDomain, "rbac:test", tt.permission, []string{})
 			if err != nil {
 				t.Errorf("unexpected error: %v", err)
 				return
@@ -710,7 +710,7 @@ func TestAuthorizeAccessWithRoleHierarchy(t *testing.T) {
 				t.Fatalf("failed to create RBACManager: %v", err)
 			}
 
-			result, err := rbacManager.Authorize(tt.user, tt.appPathDomain, "rbac:test", tt.permission)
+			result, err := rbacManager.Authorize(tt.user, tt.appPathDomain, "rbac:test", tt.permission, []string{})
 			if err != nil {
 				t.Errorf("unexpected error: %v", err)
 				return
@@ -833,7 +833,7 @@ func TestUpdateRBACConfig(t *testing.T) {
 			}
 
 			// Test that the update worked by checking authorization
-			result, err := rbacManager.Authorize("user1", types.AppPathDomain{Path: "/new", Domain: ""}, "rbac:test", types.PermissionList)
+			result, err := rbacManager.Authorize("user1", types.AppPathDomain{Path: "/new", Domain: ""}, "rbac:test", types.PermissionList, []string{})
 			if err != nil {
 				t.Errorf("unexpected error during authorization test: %v", err)
 				return
@@ -884,7 +884,7 @@ func TestAuthorizeAccessConcurrency(t *testing.T) {
 		go func(user string) {
 			defer func() { done <- true }()
 
-			result, err := rbacManager.Authorize(user, types.AppPathDomain{Path: "/test", Domain: ""}, "rbac:test", types.PermissionList)
+			result, err := rbacManager.Authorize(user, types.AppPathDomain{Path: "/test", Domain: ""}, "rbac:test", types.PermissionList, []string{})
 			if err != nil {
 				t.Errorf("unexpected error: %v", err)
 				return
@@ -987,7 +987,7 @@ func TestValidateGrants(t *testing.T) {
 			expectError: false,
 		},
 		{
-			name: "invalid grant - undefined group reference",
+			name: "valid grant - undefined group reference (no longer validated)",
 			rbacConfig: &types.RBACConfig{
 				Enabled: true,
 				Groups: map[string][]string{
@@ -998,15 +998,14 @@ func TestValidateGrants(t *testing.T) {
 				},
 				Grants: []types.RBACGrant{
 					{
-						Description: "invalid grant",
+						Description: "valid grant with undefined group",
 						Users:       []string{"group:nonexistent"},
 						Roles:       []string{"read"},
 						Targets:     []string{"/test"},
 					},
 				},
 			},
-			expectError: true,
-			errorMsg:    "grant 0 ('invalid grant'): Users references undefined group 'nonexistent'",
+			expectError: false,
 		},
 		{
 			name: "invalid grant - undefined role reference",
@@ -1031,7 +1030,7 @@ func TestValidateGrants(t *testing.T) {
 			errorMsg:    "grant 0 ('invalid grant'): Roles references undefined role 'nonexistent'",
 		},
 		{
-			name: "invalid grant - multiple undefined group references",
+			name: "valid grant - multiple undefined group references (no longer validated)",
 			rbacConfig: &types.RBACConfig{
 				Enabled: true,
 				Groups: map[string][]string{
@@ -1042,15 +1041,14 @@ func TestValidateGrants(t *testing.T) {
 				},
 				Grants: []types.RBACGrant{
 					{
-						Description: "invalid grant",
+						Description: "valid grant with multiple undefined groups",
 						Users:       []string{"group:nonexistent1", "group:nonexistent2"},
 						Roles:       []string{"read"},
 						Targets:     []string{"/test"},
 					},
 				},
 			},
-			expectError: true,
-			errorMsg:    "grant 0 ('invalid grant'): Users references undefined group 'nonexistent1'",
+			expectError: false,
 		},
 		{
 			name: "invalid grant - multiple undefined role references",
@@ -1075,7 +1073,7 @@ func TestValidateGrants(t *testing.T) {
 			errorMsg:    "grant 0 ('invalid grant'): Roles references undefined role 'nonexistent1'",
 		},
 		{
-			name: "invalid grant - multiple grants with errors",
+			name: "valid grants - multiple grants with undefined group (no longer validated)",
 			rbacConfig: &types.RBACConfig{
 				Enabled: true,
 				Groups: map[string][]string{
@@ -1092,15 +1090,14 @@ func TestValidateGrants(t *testing.T) {
 						Targets:     []string{"/test"},
 					},
 					{
-						Description: "invalid grant",
+						Description: "valid grant with undefined group",
 						Users:       []string{"group:nonexistent"},
 						Roles:       []string{"read"},
 						Targets:     []string{"/test"},
 					},
 				},
 			},
-			expectError: true,
-			errorMsg:    "grant 1 ('invalid grant'): Users references undefined group 'nonexistent'",
+			expectError: false,
 		},
 		{
 			name: "empty grants - should be valid",

internal/server/server.go

@@ -845,11 +845,11 @@ func (s *Server) ParseGlob(appGlob string) ([]types.AppInfo, error) {
 // AuthorizeList checks if the user has access to perform list operation on the specified app
 // For RBAC mode, uses RBAC permissions. For non-RBAC mode, look at whether app is using
 // same authentication types as used by the caller
-func (s *Server) AuthorizeList(userId string, app *types.AppInfo) (bool, error) {
+func (s *Server) AuthorizeList(userId string, app *types.AppInfo, groups []string) (bool, error) {
 	appAuthStr := string(app.Auth)
 	if s.rbacManager.rbacConfig.Enabled {
 		// RBAC auth is enabled, verify access
-		return s.rbacManager.Authorize(userId, app.AppPathDomain, appAuthStr, types.PermissionList)
+		return s.rbacManager.Authorize(userId, app.AppPathDomain, appAuthStr, types.PermissionList, groups)
 	}
 
 	if userId != "" && userId == types.ADMIN_USER {