dexidp · SanchosPancho · Oct 31, 2024
diff --git a/connector/gitlab/gitlab.go b/connector/gitlab/gitlab.go
@@ -11,7 +11,7 @@ import (
 	"net/http"
 	"strconv"
 	"time"
-
+	"regexp"
 	"golang.org/x/oauth2"
 
 	"github.com/dexidp/dex/connector"
@@ -35,6 +35,7 @@ type Config struct {
 	Groups              []string `json:"groups"`
 	UseLoginAsID        bool     `json:"useLoginAsID"`
 	GetGroupsPermission bool     `json:"getGroupsPermission"`
+	GroupsFilter		string 	 `json:"groupsFilter"`
 }
 
 type gitlabUser struct {
@@ -51,6 +52,15 @@ func (c *Config) Open(id string, logger *slog.Logger) (connector.Connector, erro
 	if c.BaseURL == "" {
 		c.BaseURL = "https://gitlab.com"
 	}
+	var groupsFilter *regexp.Regexp
+	var err error
+
+	if c.GroupsFilter != "" {
+		groupsFilter, err = regexp.Compile(c.GroupsFilter)
+		if err != nil {
+			logger.Warn("ignoring invalid", "invalid_regex", c.GroupsFilter, "connector_id", id)
+		}
+	}
 	return &gitlabConnector{
 		baseURL:             c.BaseURL,
 		redirectURI:         c.RedirectURI,
@@ -60,6 +70,7 @@ func (c *Config) Open(id string, logger *slog.Logger) (connector.Connector, erro
 		groups:              c.Groups,
 		useLoginAsID:        c.UseLoginAsID,
 		getGroupsPermission: c.GetGroupsPermission,
+		groupsFilter: 		 groupsFilter,
 	}, nil
 }
 
@@ -87,6 +98,8 @@ type gitlabConnector struct {
 
 	// if set to true permissions will be added to list of groups
 	getGroupsPermission bool
+	// group regex filter
+	groupsFilter *regexp.Regexp
 }
 
 func (c *gitlabConnector) oauth2Config(scopes connector.Scopes) *oauth2.Config {
@@ -305,50 +318,51 @@ func (c *gitlabConnector) userGroups(ctx context.Context, client *http.Client) (
 
 func (c *gitlabConnector) setGroupsPermission(u userInfo) []string {
 	groups := u.Groups
+	var gropusPermission []string
 
 L1:
 	for _, g := range groups {
 		for _, op := range u.OwnerPermission {
 			if g == op {
-				groups = append(groups, fmt.Sprintf("%s:owner", g))
+				gropusPermission = append(gropusPermission, fmt.Sprintf("%s:owner", g))
 				continue L1
 			}
 			if len(g) > len(op) {
 				if g[0:len(op)] == op && string(g[len(op)]) == "/" {
-					groups = append(groups, fmt.Sprintf("%s:owner", g))
+					gropusPermission = append(gropusPermission, fmt.Sprintf("%s:owner", g))
 					continue L1
 				}
 			}
 		}
 
 		for _, mp := range u.MaintainerPermission {
 			if g == mp {
-				groups = append(groups, fmt.Sprintf("%s:maintainer", g))
+				gropusPermission = append(gropusPermission, fmt.Sprintf("%s:maintainer", g))
 				continue L1
 			}
 			if len(g) > len(mp) {
 				if g[0:len(mp)] == mp && string(g[len(mp)]) == "/" {
-					groups = append(groups, fmt.Sprintf("%s:maintainer", g))
+					gropusPermission = append(gropusPermission, fmt.Sprintf("%s:maintainer", g))
 					continue L1
 				}
 			}
 		}
 
 		for _, dp := range u.DeveloperPermission {
 			if g == dp {
-				groups = append(groups, fmt.Sprintf("%s:developer", g))
+				gropusPermission = append(gropusPermission, fmt.Sprintf("%s:developer", g))
 				continue L1
 			}
 			if len(g) > len(dp) {
 				if g[0:len(dp)] == dp && string(g[len(dp)]) == "/" {
-					groups = append(groups, fmt.Sprintf("%s:developer", g))
+					gropusPermission = append(gropusPermission, fmt.Sprintf("%s:developer", g))
 					continue L1
 				}
 			}
 		}
 	}
 
-	return groups
+	return gropusPermission
 }
 
 func (c *gitlabConnector) getGroups(ctx context.Context, client *http.Client, groupScope bool, userLogin string) ([]string, error) {
@@ -357,8 +371,21 @@ func (c *gitlabConnector) getGroups(ctx context.Context, client *http.Client, gr
 		return nil, err
 	}
 
+	var filteredGroups []string
+
 	if len(c.groups) > 0 {
-		filteredGroups := groups.Filter(gitlabGroups, c.groups)
+		filteredGroups = groups.Filter(filteredGroups, c.groups)
+		if len(filteredGroups) == 0 {
+			return nil, fmt.Errorf("gitlab: user %q is not in any of the required groups", userLogin)
+		}
+		return filteredGroups, nil
+	} else if len(gitlabGroups) > 0 && c.groupsFilter != nil {
+		for _, group := range gitlabGroups {
+			if !c.groupsFilter.MatchString(group) {
+				continue
+			}
+			filteredGroups = append(filteredGroups, group)
+		}
 		if len(filteredGroups) == 0 {
 			return nil, fmt.Errorf("gitlab: user %q is not in any of the required groups", userLogin)
 		}

diff --git a/connector/gitlab/gitlab_test.go b/connector/gitlab/gitlab_test.go
@@ -276,12 +276,6 @@ func TestGroupsWithPermission(t *testing.T) {
 	expectNil(t, err)
 
 	expectEquals(t, identity.Groups, []string{
-		"ops",
-		"dev",
-		"ops-test",
-		"ops/project",
-		"dev/project1",
-		"dev/project2",
 		"ops:owner",
 		"dev:developer",
 		"ops/project:owner",
@@ -290,6 +284,56 @@ func TestGroupsWithPermission(t *testing.T) {
 	})
 }
 
+func TestGroupsWithGroupFilter(t *testing.T) {
+	s := newTestServer(map[string]interface{}{
+		"/oauth/userinfo": userInfo{
+			Groups: []string{"team-1", "team-2", "project-1", "project-2"},
+		},
+	})
+	defer s.Close()
+
+	c := gitlabConnector{baseURL: s.URL, groups: []string{"team-1", "project-1"}, groupsFilter: "^project.+$"}
+	groups, err := c.getGroups(context.Background(), newClient(), true, "joebloggs")
+
+	expectNil(t, err)
+	expectEquals(t, groups, []string{
+		"project-1",
+	})
+}
+
+func TestGroupsWithGroupFilterWithPermission(t *testing.T) {
+	s := newTestServer(map[string]interface{}{
+		"/api/v4/user": gitlabUser{Email: "some@email.com", ID: 12345678, Name: "Joe Bloggs", Username: "joebloggs"},
+		"/oauth/token": map[string]interface{}{
+			"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9",
+			"expires_in":   "30",
+		},
+		"/oauth/userinfo": userInfo{
+			Groups:               []string{"ops", "dev", "ops-test", "ops/project", "dev/project1", "dev/project2"},
+			OwnerPermission:      []string{"ops"},
+			DeveloperPermission:  []string{"dev"},
+			MaintainerPermission: []string{"dev/project1"},
+		},
+	})
+	defer s.Close()
+
+	hostURL, err := url.Parse(s.URL)
+	expectNil(t, err)
+
+	req, err := http.NewRequest("GET", hostURL.String(), nil)
+	expectNil(t, err)
+
+	c := gitlabConnector{baseURL: s.URL, httpClient: newClient(), getGroupsPermission: true, groupsFilter: ".+project.+"}
+	identity, err := c.HandleCallback(connector.Scopes{Groups: true}, req)
+	expectNil(t, err)
+
+	expectEquals(t, identity.Groups, []string{
+		"ops/project:owner",
+		"dev/project1:maintainer",
+		"dev/project2:developer",
+	})
+}
+
 func newTestServer(responses map[string]interface{}) *httptest.Server {
 	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		response := responses[r.RequestURI]