Skip to content

Commit

Permalink
Merge pull request #2696 from dexidp/backport-2694
Browse files Browse the repository at this point in the history
Backport #2694 to v2.35.x
  • Loading branch information
sagikazarmark authored Oct 4, 2022
2 parents e4bceef + 261adee commit 2027413
Show file tree
Hide file tree
Showing 2 changed files with 18 additions and 27 deletions.
22 changes: 13 additions & 9 deletions connector/google/google.go
Original file line number Diff line number Diff line change
Expand Up @@ -71,13 +71,10 @@ func (c *Config) Open(id string, logger log.Logger) (conn connector.Connector, e
scopes = append(scopes, "profile", "email")
}

var srv *admin.Service
if len(c.Groups) > 0 {
srv, err = createDirectoryService(c.ServiceAccountFilePath, c.AdminEmail, logger)
if err != nil {
cancel()
return nil, fmt.Errorf("could not create directory service: %v", err)
}
srv, err := createDirectoryService(c.ServiceAccountFilePath, c.AdminEmail, logger)
if err != nil {
cancel()
return nil, fmt.Errorf("could not create directory service: %v", err)
}

clientID := c.ClientID
Expand Down Expand Up @@ -286,7 +283,9 @@ func (c *googleConnector) getGroups(email string, fetchTransitiveGroupMembership
// the google admin api. If no serviceAccountFilePath is defined, the application default credential
// is used.
func createDirectoryService(serviceAccountFilePath, email string, logger log.Logger) (*admin.Service, error) {
if email == "" {
// We know impersonation is required when using a service account credential
// TODO: or is it?
if email == "" && serviceAccountFilePath != "" {
return nil, fmt.Errorf("directory service requires adminEmail")
}

Expand All @@ -311,7 +310,12 @@ func createDirectoryService(serviceAccountFilePath, email string, logger log.Log
if err != nil {
return nil, fmt.Errorf("unable to parse credentials to config: %v", err)
}
config.Subject = email

// Only attempt impersonation when there is a user configured
if email != "" {
config.Subject = email
}

return admin.NewService(ctx, option.WithHTTPClient(config.Client(ctx)))
}

Expand Down
23 changes: 5 additions & 18 deletions connector/google/google_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -72,22 +72,13 @@ func TestOpen(t *testing.T) {
assert.Nil(t, err)

for name, reference := range map[string]testCase{
"not_requesting_groups": {
config: &Config{
ClientID: "testClient",
ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid"},
},
expectedErr: "",
},
"missing_admin_email": {
config: &Config{
ClientID: "testClient",
ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups"},
Groups: []string{"someGroup"},
ClientID: "testClient",
ClientSecret: "testSecret",
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups"},
ServiceAccountFilePath: serviceAccountFilePath,
},
expectedErr: "requires adminEmail",
},
Expand All @@ -99,7 +90,6 @@ func TestOpen(t *testing.T) {
Scopes: []string{"openid", "groups"},
AdminEmail: "[email protected]",
ServiceAccountFilePath: "not_found.json",
Groups: []string{"someGroup"},
},
expectedErr: "error reading credentials",
},
Expand All @@ -111,7 +101,6 @@ func TestOpen(t *testing.T) {
Scopes: []string{"openid", "groups"},
AdminEmail: "[email protected]",
ServiceAccountFilePath: serviceAccountFilePath,
Groups: []string{"someGroup"},
},
expectedErr: "",
},
Expand All @@ -122,7 +111,6 @@ func TestOpen(t *testing.T) {
RedirectURI: ts.URL + "/callback",
Scopes: []string{"openid", "groups"},
AdminEmail: "[email protected]",
Groups: []string{"someGroup"},
},
adc: serviceAccountFilePath,
expectedErr: "",
Expand All @@ -135,7 +123,6 @@ func TestOpen(t *testing.T) {
Scopes: []string{"openid", "groups"},
AdminEmail: "[email protected]",
ServiceAccountFilePath: serviceAccountFilePath,
Groups: []string{"someGroup"},
},
adc: "/dev/null",
expectedErr: "",
Expand Down

0 comments on commit 2027413

Please sign in to comment.