add cf org:space:role group claim to token

Signed-off-by: Joshua Winters <[email protected]> Co-authored-by: Rui Yang <[email protected]>
dexidp · Dec 15, 2020 · 369ea71 · 369ea71
1 parent f5924ea
commit 369ea71
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 13 deletions.
diff --git a/connector/cf/cf.go b/connector/cf/cf.go
@@ -291,6 +291,7 @@ func getGroupsClaims(orgs []Org, spaces []Space) []string {
 	for orgName, spaces := range orgSpaces {
 		for _, space := range spaces {
 			groupsClaims[fmt.Sprintf("%s:%s", orgName, space.Name)] = true
+			groupsClaims[fmt.Sprintf("%s:%s:%s", orgName, space.Name, space.Role)] = true
 		}
 	}
 

diff --git a/connector/cf/cf_test.go b/connector/cf/cf_test.go
@@ -48,25 +48,31 @@ func TestHandleCallback(t *testing.T) {
 		identity, err := cfConn.HandleCallback(connector.Scopes{Groups: true}, req)
 		expectEqual(t, err, nil)
 
-		expectEqual(t, len(identity.Groups), 18)
+		expectEqual(t, len(identity.Groups), 24)
 		expectEqual(t, identity.Groups[0], "some-org-guid-1")
 		expectEqual(t, identity.Groups[1], "some-org-guid-2")
 		expectEqual(t, identity.Groups[2], "some-org-guid-3")
 		expectEqual(t, identity.Groups[3], "some-org-guid-4")
 		expectEqual(t, identity.Groups[4], "some-org-name-1")
 		expectEqual(t, identity.Groups[5], "some-org-name-1:some-space-name-1")
-		expectEqual(t, identity.Groups[6], "some-org-name-2")
-		expectEqual(t, identity.Groups[7], "some-org-name-2:some-space-name-2")
-		expectEqual(t, identity.Groups[8], "some-org-name-3")
-		expectEqual(t, identity.Groups[9], "some-org-name-4")
-		expectEqual(t, identity.Groups[10], "some-space-guid-1")
-		expectEqual(t, identity.Groups[11], "some-space-guid-1:auditor")
-		expectEqual(t, identity.Groups[12], "some-space-guid-1:developer")
-		expectEqual(t, identity.Groups[13], "some-space-guid-1:manager")
-		expectEqual(t, identity.Groups[14], "some-space-guid-2")
-		expectEqual(t, identity.Groups[15], "some-space-guid-2:auditor")
-		expectEqual(t, identity.Groups[16], "some-space-guid-2:developer")
-		expectEqual(t, identity.Groups[17], "some-space-guid-2:manager")
+		expectEqual(t, identity.Groups[6], "some-org-name-1:some-space-name-1:auditor")
+		expectEqual(t, identity.Groups[7], "some-org-name-1:some-space-name-1:developer")
+		expectEqual(t, identity.Groups[8], "some-org-name-1:some-space-name-1:manager")
+		expectEqual(t, identity.Groups[9], "some-org-name-2")
+		expectEqual(t, identity.Groups[10], "some-org-name-2:some-space-name-2")
+		expectEqual(t, identity.Groups[11], "some-org-name-2:some-space-name-2:auditor")
+		expectEqual(t, identity.Groups[12], "some-org-name-2:some-space-name-2:developer")
+		expectEqual(t, identity.Groups[13], "some-org-name-2:some-space-name-2:manager")
+		expectEqual(t, identity.Groups[14], "some-org-name-3")
+		expectEqual(t, identity.Groups[15], "some-org-name-4")
+		expectEqual(t, identity.Groups[16], "some-space-guid-1")
+		expectEqual(t, identity.Groups[17], "some-space-guid-1:auditor")
+		expectEqual(t, identity.Groups[18], "some-space-guid-1:developer")
+		expectEqual(t, identity.Groups[19], "some-space-guid-1:manager")
+		expectEqual(t, identity.Groups[20], "some-space-guid-2")
+		expectEqual(t, identity.Groups[21], "some-space-guid-2:auditor")
+		expectEqual(t, identity.Groups[22], "some-space-guid-2:developer")
+		expectEqual(t, identity.Groups[23], "some-space-guid-2:manager")
 	})
 
 	t.Run("CallbackWithoutGroupsScope", func(t *testing.T) {