You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Cedric Kienzler b34a2bdb22 cmd/tsidp: add groups claim to tsidp (#15127) ... * cmd/tsidp: add groups claim to tsidp This feature adds support for a `groups` claim in tsidp using the grants syntax: ```json { "grants": [ { "src": ["group:admins"], "dst": ["*"], "ip": ["*"], "app": { "tailscale.com/cap/tsidp": [ { "groups": ["admin"] } ] } }, { "src": ["group:reader"], "dst": ["*"], "ip": ["*"], "app": { "tailscale.com/cap/tsidp": [ { "groups": ["reader"] } ] } } ] } ``` For #10263 Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * cmd/tsidp: refactor cap/tsidp to allow extraClaims This commit refactors the `capRule` struct to allow specifying arbitrary extra claims: ```json { "src": ["group:reader"], "dst": ["*"], "ip": ["*"], "app": { "tailscale.com/cap/tsidp": [ { "extraClaims": { "groups": ["reader"], "entitlements": ["read-stuff"], }, } ] } } ``` Overwriting pre-existing claims cannot be modified/overwritten. Also adding more unit-testing Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * Update cmd/tsidp/tsidp.go Signed-off-by: cedi <cedi@users.noreply.github.com> * Update cmd/tsidp/tsidp_test.go Co-authored-by: Patrick O'Doherty <hello@patrickod.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> * Update cmd/tsidp/tsidp_test.go Co-authored-by: Patrick O'Doherty <hello@patrickod.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> * Fix logical error in test case Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * fix error printing for failed to unmarshal capability in tsidp Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * clarify doc string for withExtraClaims Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> --------- Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> Signed-off-by: cedi <cedi@users.noreply.github.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> Co-authored-by: Patrick O'Doherty <hello@patrickod.com>		1 year ago
..
c2ntypes.go	ipn/ipnlocal: add VIPServices hash to return body of vip-services c2n endpoint	1 year ago
derpmap.go	tailcfg: add DERPRegion.NoMeasureNoHome, deprecate+document Avoid [cap 115]	1 year ago
proto_port_range.go	tailcfg: implement text encoding for ProtoPortRange	3 years ago
proto_port_range_test.go	tailcfg: implement text encoding for ProtoPortRange	3 years ago
tailcfg.go	cmd/tsidp: add groups claim to tsidp (#15127)	1 year ago
tailcfg_clone.go	tailcfg: add VIPServiceView	1 year ago
tailcfg_test.go	tailcfg: remove ancient UserProfiles.Roles field	1 year ago
tailcfg_view.go	tailcfg: add VIPServiceView	1 year ago
tka.go	tailcfg: add RPC structs for /tka/affected-sigs	3 years ago