Issue #1184 - Github connector now returns a full group list when no org is specified #1340
PS: We are using Dex to get seamless SSO in https://github.com/argoproj/argo-cd. Dex saved us a lot of time. Thank you for maintaining it!
😄 That's nice! The more, the merrier, so, if you or someone else wants to join maintaining Dex, please don't hesitate 😉 #1281 is still dangling, but that shouldn't block anyone.
srenatus left a comment
Solid work, thank you! Some nitpicks and questions inline 👇 🙃
| return nil, nil | ||
| } | ||
|
|
||
| // formatTeamName return unique team name: prgs might have the same team names team name should be prefixed with org name to make team names unique across orgs. |
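Review bot: The doc comment on formatTeamName has a typo, "prgs" for "orgs", and "return" should read "returns". This comment is the only place the hunk explains why team names carry the org prefix, so split it into two sentences: one saying what the function returns, one saying that orgs may have teams with the same name and the prefix keeps them distinct across orgs.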
[nit] Could you add a line break, and maybe some punctuation? 😉
| return groups, fmt.Errorf("github: user %q not in required orgs or teams", userName) | ||
| } | ||
|
|
||
| func (c *githubConnector) userGroups(ctx context.Context, client *http.Client) (groups []string, err error) { |
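Review bot: The failure path in the first line of this hunk, return groups, fmt.Errorf("github: user %q not in required orgs or teams", userName), hands the caller whatever groups holds at that point together with the rejection error. Return nil with the error instead, so a caller that mishandles err cannot end up with group memberships for a user who was just refused.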
[nit] I hate named returns. Do you cling to them? (It's a bit of a controversial thing, I guess, and it's difficult to get these matters smoothed across the code base...)
I don't really like named returns either. Fixed.
| func (c *githubConnector) userGroups(ctx context.Context, client *http.Client) (groups []string, err error) { | ||
| orgs, err := c.userOrgs(ctx, client) | ||
| if err != nil { | ||
| return groups, err |
[nit] How about return nil, err? A lot less "huh, what's groups?" when reading this 😉
|
|
||
| orgTeams, err := c.userOrgTeams(ctx, client) | ||
| if err != nil { | ||
| return groups, err |
| } | ||
| } | ||
|
|
||
| return groups, err |
[nit] return groups, nil, maybe? Just for clarity
|
|
||
| // userOrgs retrieves list of current user orgs | ||
| func (c *githubConnector) userOrgs(ctx context.Context, client *http.Client) ([]string, error) { | ||
| apiURL, groups := c.apiURL+"/user/orgs", []string{} |
[nit] I guess it wouldn't hurt to use two lines here 😉
| return nil, fmt.Errorf("github: get orgs: %v", err) | ||
| } | ||
|
|
||
| for _, org := range orgs { |
[nit] we're shadowing the type org here, can we use some other name? I suppose for _, o := range orgs { wouldn't be too terrible, either
| return nil, fmt.Errorf("github: get teams: %v", err) | ||
| } | ||
|
|
||
| for _, team := range teams { |
[nit] see above, team variable vs team struct type
| if !reflect.DeepEqual(a, b) { | ||
| t.Errorf("Expected %+v to equal %+v", a, b) | ||
| } | ||
| } |
❓ Am I just not seeing it or is it missing: Can we have a test that ensures the pagination for {} loops work as they should? https://github.com/dexidp/dex/pull/1340/files#diff-de977d377b738d6060529d91926d264bR432 and https://github.com/dexidp/dex/pull/1340/files#diff-de977d377b738d6060529d91926d264bR406 -- right now, I think we're only doing one iteration of each. (Not sure where we stand with the existing code and this question, either.)
You are right. Updated test to validate pagination.
Thank you!
Would you mind fixing the comment on getPagination? It's a bit confusing (it's not returning a boolean at all, is it?) and you surely have all the context right now... 😃
Thank you for the quick review, @srenatus! Addressed your comments. Please take another look.
srenatus left a comment
Thanks. Just one tiny ask, and then let's get this merged 😄
| } | ||
|
|
||
| groups := make([]string, 0) | ||
| for _, org := range orgs { |
[nit] we're still shadowing org and team here, but it really doesn't matter that much.
@alexmt Thanks for all the work. Could you make your changes reflect in the connector docs? It would really round this off, I'd think 😄
Thank you for reminding me about the docs! While updating them I noticed a bug: PTAL
I don't have permissions to merge. @srenatus please merge it if everything looks good to you.
@alexmt I'll give this a final look and push the button first thing tomorrow morning. Hope that's OK
Sure, there is no rush. Thank you!
Sweet, happy to see this alive again! I work with the original submitter of #1184 on Concourse. We're planning to submit PRs for our other changes soon. We don't intend to sit on our fork forever. 🙂 |
3f3f56d to 20bc6cd
@srenatus, I've added one more last-minute change: 20bc6cd. I believe this proposal is correct: #1102 (comment). The full claims list should include user teams (in org:team format) as well as org names. E.g. This makes it possible for an application which uses dex to match org as well as team.
@alexmt @vito While code-wise, this looks good to merge, I'm a bit conflicted about attribution now. Can you help me clarify? It looks like some of the connector code is by @pivotal-jwinters, but given
I trust that @pivotal-jwinters is OK with that. Anyways, a quick thumbs-up would be appreciated, @pivotal-jwinters.
Also, I'm glad to hear that 😄
Issue dexidp#1184 - Github connector now returns a full group list when no org is specified
Fixes #1102
PR contains a subset of changes implemented in #1184. Original PR had been closed without merging since it accumulated too many changes and authors decided to maintain a fork.
This change unblocks an important use case: give read-only access to anyone and give extra privileges to users who belong to the specified group.
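
The group list discussed in this thread (org names plus org:team entries, collected across every page of the API reply) can be sketched as follows. This is an added example, not code from the PR or from Dex: resp, fetchAll and groupClaims are hypothetical names, and the API pages and Link headers are constructed sample data.

```go
package main

import (
	"fmt"
	"regexp"
)

// resp is a constructed stand-in for one GitHub API page and its Link header.
type resp struct {
	names []string
	link  string
}

var relNext = regexp.MustCompile(`<([^>]+)>;\s*rel="next"`)

// fetchAll (hypothetical) follows rel="next" links; one page alone drops groups.
func fetchAll(api map[string]resp, url string) []string {
	var all []string
	for url != "" {
		r := api[url]
		all = append(all, r.names...)
		url = ""
		if m := relNext.FindStringSubmatch(r.link); m != nil {
			url = m[1]
		}
	}
	return all
}

// groupClaims (hypothetical) emits org and org:team, unique across orgs.
func groupClaims(orgs []string, teams map[string][]string) []string {
	groups := make([]string, 0)
	for _, o := range orgs {
		groups = append(groups, o)
		for _, t := range teams[o] {
			groups = append(groups, o+":"+t)
		}
	}
	return groups
}

func main() {
	// Constructed sample: two pages of orgs, each org has a team "admins".
	api := map[string]resp{
		"/user/orgs":        {[]string{"acme"}, `</user/orgs?page=2>; rel="next"`},
		"/user/orgs?page=2": {[]string{"other"}, `</user/orgs>; rel="first"`},
	}
	teams := map[string][]string{"acme": {"admins"}, "other": {"admins"}}
	fmt.Println(groupClaims(fetchAll(api, "/user/orgs"), teams))
}
```

A policy that grants extra privileges on acme:admins is not satisfied by other:admins, which is the reason for the org prefix.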