Merge pull request #70 from ConductorOne/ggreer/member
Support member attr for groups.
ggreer authored Oct 10, 2024
2 parents b6fd5b6 + 17cfad4 commit d74a1b2
Showing 1 changed file with 10 additions and 8 deletions.
18 changes: 10 additions & 8 deletions pkg/connector/group.go
Expand Up @@ -24,11 +24,12 @@ const (
groupIdFilter = "(&(gidNumber=%s)(|" + groupObjectClasses + "))"
groupMemberFilter = "(&(objectClass=posixAccount)(uid=%s))"

attrGroupCommonName = "cn"
attrGroupIdPosix = "gidNumber"
attrGroupMember = "uniqueMember"
attrGroupMemberPosix = "memberUid"
attrGroupDescription = "description"
attrGroupCommonName = "cn"
attrGroupIdPosix = "gidNumber"
attrGroupMember = "member"
attrGroupUniqueMember = "uniqueMember"
attrGroupMemberPosix = "memberUid"
attrGroupDescription = "description"

// TODO: use user "memberOf" attribute to get group membership?
groupMemberEntitlement = "member"
Expand Down Expand Up @@ -208,7 +209,7 @@ func (g *groupResourceType) Grants(ctx context.Context, resource *v2.Resource, t
return nil, "", nil, err
}

memberIDs := parseValues(ldapGroup[0], []string{attrGroupMember, attrGroupMemberPosix})
memberIDs := parseValues(ldapGroup[0], []string{attrGroupUniqueMember, attrGroupMember, attrGroupMemberPosix})

// create membership grants
var rv []*v2.Grant
Expand Down Expand Up @@ -297,7 +298,7 @@ func (g *groupResourceType) Grant(ctx context.Context, principal *v2.Resource, e
modifyRequest.Add(attrGroupMemberPosix, username)
} else {
principalDNArr := []string{principal.Id.Resource}
modifyRequest.Add(attrGroupMember, principalDNArr)
modifyRequest.Add(attrGroupUniqueMember, principalDNArr)
}

// grant group membership to the principal
Expand Down Expand Up @@ -329,6 +330,7 @@ func (g *groupResourceType) Revoke(ctx context.Context, grant *v2.Grant) (annota
return nil, err
}

// TODO: check whether membership is via memberUid, uniqueMember, or member, and modify accordingly
if slices.Contains(group.GetAttributeValues("objectClass"), "posixGroup") {
dn, err := ldap3.ParseDN(principal.Id.Resource)
if err != nil {
Expand All @@ -338,7 +340,7 @@ func (g *groupResourceType) Revoke(ctx context.Context, grant *v2.Grant) (annota
modifyRequest.Delete(attrGroupMemberPosix, username)
} else {
principalDNArr := []string{principal.Id.Resource}
modifyRequest.Delete(attrGroupMember, principalDNArr)
modifyRequest.Delete(attrGroupUniqueMember, principalDNArr)
}

// revoke group membership from the principal
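Review bot: Grants now reports memberships found in the `member` attribute, but the non-posix branch of Revoke still only issues `modifyRequest.Delete(attrGroupUniqueMember, principalDNArr)`, so a membership held in `member` (a groupOfNames-style group) is listed as a grant the connector cannot actually remove — presumably the LDAP server rejects the delete of a value that is not in `uniqueMember`, and at best the revoke errors out while the access stays in place; the TODO added just above the posixGroup check acknowledges this but leaves the read/write asymmetry in the same commit. The same applies to Grant, which adds the DN to `uniqueMember` regardless of the group's objectClass; on a groupOfNames entry that add is likely to be refused as an objectClass violation, though that depends on the directory's schema enforcement. The group entry is already fetched in Revoke (it is consulted for `objectClass`), so the attribute that actually holds the DN can be chosen before the delete; note that the exact-string match below assumes the stored DN and `principal.Id.Resource` are byte-identical, and a normalized DN comparison via `ldap3.ParseDN` would be more robust. Both Grant and Revoke begin before their hunks and end after them.
```go
	} else {
		principalDNArr := []string{principal.Id.Resource}
		// Delete from whichever DN-valued attribute holds the membership;
		// deleting from uniqueMember on a group that uses member revokes nothing.
		memberAttr := attrGroupUniqueMember
		if slices.Contains(group.GetAttributeValues(attrGroupMember), principal.Id.Resource) {
			memberAttr = attrGroupMember
		}
		modifyRequest.Delete(memberAttr, principalDNArr)
	}
	// … unchanged: revoke group membership from the principal …
```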
