add casbin user test (#2474)

* add casbin user test Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> * Delete double slash * types/users: use join url on iss that are ursl Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> --------- Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com> Co-authored-by: Juan Font <juanfontalonso@gmail.com>
2025-05-05 15:10:52 +00:00 · 2025-04-23 13:21:51 +02:00 · 2025-04-23 13:21:51 +02:00 · 098ab0357c
commit 098ab0357c
parent 56d085bd08
2 changed files with 38 additions and 1 deletions
--- a/hscontrol/types/users.go
+++ b/hscontrol/types/users.go
@ -6,6 +6,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/mail"
+	"net/url"
 	"strconv"
 	"strings"

@ -194,6 +195,11 @@ type OIDCClaims struct {
 }

 func (c *OIDCClaims) Identifier() string {
+	if strings.HasPrefix(c.Iss, "http") {
+		if i, err := url.JoinPath(c.Iss, c.Sub); err == nil {
+			return i
+		}
+	}
 	return c.Iss + "/" + c.Sub
 }

--- a/hscontrol/types/users_test.go
+++ b/hscontrol/types/users_test.go
@ -197,11 +197,42 @@ func TestOIDCClaimsJSONToUser(t *testing.T) {
 				DisplayName: "XXXXXX XXXX",
 				Name:        "user@domain.com",
 				ProviderIdentifier: sql.NullString{
-					String: "https://login.microsoftonline.com//v2.0/I-70OQnj3TogrNSfkZQqB3f7dGwyBWSm1dolHNKrMzQ",
+					String: "https://login.microsoftonline.com/v2.0/I-70OQnj3TogrNSfkZQqB3f7dGwyBWSm1dolHNKrMzQ",
 					Valid:  true,
 				},
 			},
 		},
+		{
+			// From https://github.com/juanfont/headscale/issues/2333
+			name: "casby-oidc-claim-20250513",
+			jsonstr: `
+			{
+  "sub": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+  "iss": "https://oidc.example.com/",
+  "aud": "xxxxxxxxxxxx",
+  "preferred_username": "user001",
+  "name": "User001",
+  "email": "user001@example.com",
+  "email_verified": true,
+  "picture": "https://cdn.casbin.org/img/casbin.svg",
+  "groups": [
+    "org1/department1",
+    "org1/department2"
+  ]
+}
+			`,
+			want: User{
+				Provider:    util.RegisterMethodOIDC,
+				Name:        "user001",
+				DisplayName: "User001",
+				Email:       "user001@example.com",
+				ProviderIdentifier: sql.NullString{
+					String: "https://oidc.example.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+					Valid:  true,
+				},
+				ProfilePicURL: "https://cdn.casbin.org/img/casbin.svg",
+			},
+		},
 	}

 	for _, tt := range tests {