From b6cffb03d5593bf47f868b0b126c2d8a1cf74cd1 Mon Sep 17 00:00:00 2001
From: Nick Meves
Date: Wed, 17 Mar 2021 18:35:07 -0700
Subject: [PATCH] Rename KeycloakRoles to AllowedRoles

Also don't support backwards compatibility for legacy flags in new provider.
---
 pkg/apis/options/options.go | 4 ++--
 pkg/validation/options.go | 11 +----------
 2 files changed, 3 insertions(+), 12 deletions(-)

diff --git a/pkg/apis/options/options.go b/pkg/apis/options/options.go
index 0c0a2be0..705a8e1a 100644
--- a/pkg/apis/options/options.go
+++ b/pkg/apis/options/options.go
@@ -33,7 +33,6 @@ type Options struct {
 	AuthenticatedEmailsFile string `flag:"authenticated-emails-file" cfg:"authenticated_emails_file"`
 	KeycloakGroups []string `flag:"keycloak-group" cfg:"keycloak_groups"`
-	KeycloakRoles []string `flag:"keycloak-role" cfg:"keycloak_roles"`
 	AzureTenant string `flag:"azure-tenant" cfg:"azure_tenant"`
 	BitbucketTeam string `flag:"bitbucket-team" cfg:"bitbucket_team"`
 	BitbucketRepository string `flag:"bitbucket-repository" cfg:"bitbucket_repository"`
@@ -97,6 +96,7 @@ type Options struct {
 	ApprovalPrompt string `flag:"approval-prompt" cfg:"approval_prompt"` // Deprecated by OIDC 1.0
 	UserIDClaim string `flag:"user-id-claim" cfg:"user_id_claim"`
 	AllowedGroups []string `flag:"allowed-group" cfg:"allowed_groups"`
+	AllowedRoles []string `flag:"allowed-role" cfg:"allowed_roles"`
 	SignatureKey string `flag:"signature-key" cfg:"signature_key"`
 	AcrValues string `flag:"acr-values" cfg:"acr_values"`
@@ -174,7 +174,6 @@ func NewFlagSet() *pflag.FlagSet {
 	flagSet.StringSlice("email-domain", []string{}, "authenticate emails with the specified domain (may be given multiple times). Use * to authenticate any email")
 	flagSet.StringSlice("whitelist-domain", []string{}, "allowed domains for redirection after authentication. Prefix domain with a . to allow subdomains (eg .example.com)")
 	flagSet.StringSlice("keycloak-group", []string{}, "restrict logins to members of these groups (may be given multiple times)")
-	flagSet.StringSlice("keycloak-role", []string{}, "restrict logins to members of these roles (may be given multiple times)")
 	flagSet.String("azure-tenant", "common", "go to a tenant-specific or common (tenant-independent) endpoint.")
 	flagSet.String("bitbucket-team", "", "restrict logins to members of this team")
 	flagSet.String("bitbucket-repository", "", "restrict logins to user with access to this repository")
@@ -238,6 +237,7 @@ func NewFlagSet() *pflag.FlagSet {
 	flagSet.String("user-id-claim", providers.OIDCEmailClaim, "(DEPRECATED for `oidc-email-claim`) which claim contains the user ID")
 	flagSet.StringSlice("allowed-group", []string{}, "restrict logins to members of this group (may be given multiple times)")
+	flagSet.StringSlice("allowed-role", []string{}, "(keycloak-oidc) restrict logins to members of these roles (may be given multiple times)")
 	flagSet.AddFlagSet(cookieFlagSet())
 	flagSet.AddFlagSet(loggingFlagSet())
diff --git a/pkg/validation/options.go b/pkg/validation/options.go
index 916d54de..72c34135 100644
--- a/pkg/validation/options.go
+++ b/pkg/validation/options.go
@@ -272,16 +272,7 @@ func parseProviderInfo(o *options.Options, msgs []string) []string {
 		if p.Verifier == nil {
 			msgs = append(msgs, "keycloak-oidc provider requires an oidc issuer URL")
 		}
-
-		// Backwards compatibility with `--keycloak-group` option
-		if len(o.KeycloakGroups) > 0 {
-			// Maybe already added with `--allowed-group` flag
-			if !strings.Contains(o.Scope, " groups") {
-				o.Scope += " groups"
-			}
-			p.SetAllowedGroups(o.KeycloakGroups)
-		}
-		p.AddAllowedRoles(o.KeycloakRoles)
+		p.AddAllowedRoles(o.AllowedRoles)
 	case *providers.GoogleProvider:
 		if o.GoogleServiceAccountJSON != "" {
 			file, err := os.Open(o.GoogleServiceAccountJSON)
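Review bot: The keycloak-oidc case now reads only `o.AllowedRoles`, yet the `KeycloakGroups` field and its `--keycloak-group` flag survive in the options.go hunks, so a deployment that still sets `--keycloak-group` with this provider passes validation and starts with no group restriction enforced — an authorization check dropped silently rather than surfaced as a configuration error. Since backward compatibility is being removed on purpose, reject the stale option here instead of ignoring it, e.g. just before `p.AddAllowedRoles(o.AllowedRoles)`: `if len(o.KeycloakGroups) > 0 { msgs = append(msgs, "keycloak-oidc provider does not support --keycloak-group; use --allowed-group instead") }`. Whether the generic `--allowed-group` path still requests the `groups` scope that the removed block appended to `o.Scope` is not visible in this hunk and is worth confirming before merging. Presumably `--allowed-role` is likewise silently ignored by every other provider, so a matching message in the non-keycloak-oidc cases would make that explicit too. parseProviderInfo begins and ends outside this hunk.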