oidc: make email verification configurable

Co-authored-by: Kristoffer Dalby <kristoffer@tailscale.com>

hscontrol/oidc_test.go

@@ -0,0 +1,173 @@
+package hscontrol
+
+import (
+	"testing"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+)
+
+func TestDoOIDCAuthorization(t *testing.T) {
+	testCases := []struct {
+		name    string
+		cfg     *types.OIDCConfig
+		claims  *types.OIDCClaims
+		wantErr bool
+	}{
+		{
+			name:    "verified email domain",
+			wantErr: false,
+			cfg: &types.OIDCConfig{
+				EmailVerifiedRequired: true,
+				AllowedDomains:        []string{"test.com"},
+				AllowedUsers:          []string{},
+				AllowedGroups:         []string{},
+			},
+			claims: &types.OIDCClaims{
+				Email:         "user@test.com",
+				EmailVerified: true,
+			},
+		},
+		{
+			name:    "verified email user",
+			wantErr: false,
+			cfg: &types.OIDCConfig{
+				EmailVerifiedRequired: true,
+				AllowedDomains:        []string{},
+				AllowedUsers:          []string{"user@test.com"},
+				AllowedGroups:         []string{},
+			},
+			claims: &types.OIDCClaims{
+				Email:         "user@test.com",
+				EmailVerified: true,
+			},
+		},
+		{
+			name:    "unverified email domain",
+			wantErr: true,
+			cfg: &types.OIDCConfig{
+				EmailVerifiedRequired: true,
+				AllowedDomains:        []string{"test.com"},
+				AllowedUsers:          []string{},
+				AllowedGroups:         []string{},
+			},
+			claims: &types.OIDCClaims{
+				Email:         "user@test.com",
+				EmailVerified: false,
+			},
+		},
+		{
+			name:    "group member",
+			wantErr: false,
+			cfg: &types.OIDCConfig{
+				EmailVerifiedRequired: true,
+				AllowedDomains:        []string{},
+				AllowedUsers:          []string{},
+				AllowedGroups:         []string{"test"},
+			},
+			claims: &types.OIDCClaims{Groups: []string{"test"}},
+		},
+		{
+			name:    "non group member",
+			wantErr: true,
+			cfg: &types.OIDCConfig{
+				EmailVerifiedRequired: true,
+				AllowedDomains:        []string{},
+				AllowedUsers:          []string{},
+				AllowedGroups:         []string{"nope"},
+			},
+			claims: &types.OIDCClaims{Groups: []string{"testo"}},
+		},
+		{
+			name:    "group member but bad domain",
+			wantErr: true,
+			cfg: &types.OIDCConfig{
+				EmailVerifiedRequired: true,
+				AllowedDomains:        []string{"user@good.com"},
+				AllowedUsers:          []string{},
+				AllowedGroups:         []string{"test group"},
+			},
+			claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "bad@bad.com", EmailVerified: true},
+		},
+		{
+			name:    "all checks pass",
+			wantErr: false,
+			cfg: &types.OIDCConfig{
+				EmailVerifiedRequired: true,
+				AllowedDomains:        []string{"test.com"},
+				AllowedUsers:          []string{"user@test.com"},
+				AllowedGroups:         []string{"test group"},
+			},
+			claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "user@test.com", EmailVerified: true},
+		},
+		{
+			name:    "all checks pass with unverified email",
+			wantErr: false,
+			cfg: &types.OIDCConfig{
+				EmailVerifiedRequired: false,
+				AllowedDomains:        []string{"test.com"},
+				AllowedUsers:          []string{"user@test.com"},
+				AllowedGroups:         []string{"test group"},
+			},
+			claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "user@test.com", EmailVerified: false},
+		},
+		{
+			name:    "fail on unverified email",
+			wantErr: true,
+			cfg: &types.OIDCConfig{
+				EmailVerifiedRequired: true,
+				AllowedDomains:        []string{"test.com"},
+				AllowedUsers:          []string{"user@test.com"},
+				AllowedGroups:         []string{"test group"},
+			},
+			claims: &types.OIDCClaims{Groups: []string{"test group"}, Email: "user@test.com", EmailVerified: false},
+		},
+		{
+			name:    "unverified email user only",
+			wantErr: true,
+			cfg: &types.OIDCConfig{
+				EmailVerifiedRequired: true,
+				AllowedDomains:        []string{},
+				AllowedUsers:          []string{"user@test.com"},
+				AllowedGroups:         []string{},
+			},
+			claims: &types.OIDCClaims{
+				Email:         "user@test.com",
+				EmailVerified: false,
+			},
+		},
+		{
+			name:    "no filters configured",
+			wantErr: false,
+			cfg: &types.OIDCConfig{
+				EmailVerifiedRequired: true,
+				AllowedDomains:        []string{},
+				AllowedUsers:          []string{},
+				AllowedGroups:         []string{},
+			},
+			claims: &types.OIDCClaims{
+				Email:         "anyone@anywhere.com",
+				EmailVerified: false,
+			},
+		},
+		{
+			name:    "multiple allowed groups second matches",
+			wantErr: false,
+			cfg: &types.OIDCConfig{
+				EmailVerifiedRequired: true,
+				AllowedDomains:        []string{},
+				AllowedUsers:          []string{},
+				AllowedGroups:         []string{"group1", "group2", "group3"},
+			},
+			claims: &types.OIDCClaims{Groups: []string{"group2"}},
+		},
+	}
+
+	for _, tC := range testCases {
+		t.Run(tC.name, func(t *testing.T) {
+			err := doOIDCAuthorization(tC.cfg, tC.claims)
+			if ((err != nil) && !tC.wantErr) || ((err == nil) && tC.wantErr) {
+				t.Errorf("bad authorization: %s > want=%v | got=%v", tC.name, tC.wantErr, err)
+			}
+		})
+	}
+}