From bfa3efd23a6ca6ab5f22e657b97bc3d433c03e17 Mon Sep 17 00:00:00 2001
From: Serhii Ponomarenko <116438358+tiptophelmet@users.noreply.github.com>
Date: Thu, 25 Jan 2024 08:05:37 +0800
Subject: [PATCH] =?UTF-8?q?=E2=9C=A8=20SAML=20authorization=20(#1487)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* 🔨 Add `AUTH_SAML_ROLE_ATTRIBUTE` field to `ConfigMap`
* 📝 Document `tap.auth.saml.roleAttribute/roles` values
* 🔧 Re-generate `complete.yaml`
* 🔥 Remove `default` tag from `SamlConfig.RoleAttribute`
---------
Co-authored-by: Alon Girmonsky <1990761+alongir@users.noreply.github.com>
---
config/configStruct.go | 1 +
config/configStructs/tapConfig.go | 1 +
helm-chart/README.md | 2 ++
helm-chart/templates/12-config-map.yaml | 1 +
helm-chart/values.yaml | 1 +
manifests/complete.yaml | 3 ++-
6 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/config/configStruct.go b/config/configStruct.go
index 62fb81355..b2ba0c861 100644
--- a/config/configStruct.go
+++ b/config/configStruct.go
@@ -61,6 +61,7 @@ func CreateDefaultConfig() ConfigStruct {
},
Auth: configStructs.AuthConfig{
Saml: configStructs.SamlConfig{
+ RoleAttribute: "role",
Roles: map[string]configStructs.Role{
"admin": {
Filter: "",
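Review bot: The literal `"role"` assigned to `RoleAttribute` here is also hard-coded in helm-chart/values.yaml and manifests/complete.yaml in this same commit, so the Go default and the chart default can drift silently the next time one of them is edited. A named constant next to the type, e.g. `const DefaultSamlRoleAttribute = "role"` in configStructs, used here as `RoleAttribute: configStructs.DefaultSamlRoleAttribute,`, would at least single-source the Go side and give the chart docs a name to point at. CreateDefaultConfig begins and ends outside the hunk.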
diff --git a/config/configStructs/tapConfig.go b/config/configStructs/tapConfig.go
index c2ec517a8..ba2adfd3b 100644
--- a/config/configStructs/tapConfig.go
+++ b/config/configStructs/tapConfig.go
@@ -94,6 +94,7 @@ type SamlConfig struct {
IdpMetadataUrl string `yaml:"idpMetadataUrl" json:"idpMetadataUrl"`
X509crt string `yaml:"x509crt" json:"x509crt"`
X509key string `yaml:"x509key" json:"x509key"`
+ RoleAttribute string `yaml:"roleAttribute" json:"roleAttribute"`
Roles map[string]Role `yaml:"roles" json:"roles"`
}
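Review bot: The new exported field `RoleAttribute` has no doc comment, and since this string decides which SAML assertion attribute the authorization decision is read from, a reader of `SamlConfig` should not have to find the helm README to learn that. I would add `// RoleAttribute is the name of the SAML assertion attribute that carries the user's authorization role (presumably matched against the keys of Roles); the default is set in CreateDefaultConfig.` above the field, hedged because the matching logic is not visible in this patch. The commit message notes the `default` struct tag was dropped from this field, so the comment is also the only place the default is now discoverable from the type. The `SamlConfig` declaration opens before the hunk.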
diff --git a/helm-chart/README.md b/helm-chart/README.md
index a62cf07b8..fd72de530 100644
--- a/helm-chart/README.md
+++ b/helm-chart/README.md
@@ -216,6 +216,8 @@ Please refer to [metrics](./metrics.md) documentation for details.
| `tap.auth.saml.idpMetadataUrl` | SAML IDP metadata URL
(effective, if `tap.auth.type = saml`) | `` |
| `tap.auth.saml.x509crt` | A self-signed X.509 `.cert` contents
(effective, if `tap.auth.type = saml`) | `` |
| `tap.auth.saml.x509key` | A self-signed X.509 `.key` contents
(effective, if `tap.auth.type = saml`) | `` |
+| `tap.auth.saml.roleAttribute` | A SAML attribute name corresponding to user's authorization role
(effective, if `tap.auth.type = saml`) | `role` |
+| `tap.auth.saml.roles` | A list of SAML authorization roles and their permissions
(effective, if `tap.auth.type = saml`) | `{"admin":{"canDownloadPCAP":true,"canReplayTraffic":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":""}}` |
| `tap.ingress.enabled` | Enable `Ingress` | `false` |
| `tap.ingress.className` | Ingress class name | `""` |
| `tap.ingress.host` | Host of the `Ingress` | `ks.svc.cluster.local` |
diff --git a/helm-chart/templates/12-config-map.yaml b/helm-chart/templates/12-config-map.yaml
index cd769e857..0a4dfa286 100644
--- a/helm-chart/templates/12-config-map.yaml
+++ b/helm-chart/templates/12-config-map.yaml
@@ -19,6 +19,7 @@ data:
AUTH_APPROVED_DOMAINS: '{{ gt (len .Values.tap.auth.approvedDomains) 0 | ternary (join "," .Values.tap.auth.approvedDomains) "" }}'
AUTH_APPROVED_TENANTS: '{{ gt (len .Values.tap.auth.approvedTenants) 0 | ternary (join "," .Values.tap.auth.approvedTenants) "" }}'
AUTH_SAML_IDP_METADATA_URL: '{{ .Values.tap.auth.saml.idpMetadataUrl }}'
+ AUTH_SAML_ROLE_ATTRIBUTE: '{{ .Values.tap.auth.saml.roleAttribute }}'
AUTH_SAML_ROLES: '{{ .Values.tap.auth.saml.roles | toJson }}'
TELEMETRY_DISABLED: '{{ not .Values.tap.telemetry.enabled | ternary "true" "" }}'
REPLAY_DISABLED: '{{ .Values.tap.replayDisabled | ternary "true" "" }}'
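Review bot: If a user sets `tap.auth.saml.roleAttribute` to an empty string, or reuses a values file that predates this key, the template emits `AUTH_SAML_ROLE_ATTRIBUTE: ''` and whether the consumer then falls back to `role` or silently maps no roles is not visible from this patch. Applying the chart default in the template, `AUTH_SAML_ROLE_ATTRIBUTE: '{{ .Values.tap.auth.saml.roleAttribute | default "role" }}'`, keeps the documented default effective regardless of how the value was overridden. This mirrors the existing `ternary` fallbacks used for the approved-domains and approved-tenants keys two lines above.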
diff --git a/helm-chart/values.yaml b/helm-chart/values.yaml
index ced7a7ca6..4f23def32 100644
--- a/helm-chart/values.yaml
+++ b/helm-chart/values.yaml
@@ -67,6 +67,7 @@ tap:
idpMetadataUrl: ""
x509crt: ""
x509key: ""
+ roleAttribute: role
roles:
admin:
filter: ""
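Review bot: The new `roleAttribute: role` is the only unquoted scalar among the SAML string values in this block, while `idpMetadataUrl`, `x509crt`, `x509key` and `filter` all use `""`. For consistency, and so that a future value like a URI-style attribute name with a colon is not misparsed, write it as `roleAttribute: "role"`.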
diff --git a/manifests/complete.yaml b/manifests/complete.yaml
index 6fa066f1c..80415cec0 100644
--- a/manifests/complete.yaml
+++ b/manifests/complete.yaml
@@ -151,6 +151,7 @@ data:
AUTH_APPROVED_DOMAINS: ''
AUTH_APPROVED_TENANTS: ''
AUTH_SAML_IDP_METADATA_URL: ''
+ AUTH_SAML_ROLE_ATTRIBUTE: 'role'
AUTH_SAML_ROLES: '{"admin":{"canDownloadPCAP":true,"canReplayTraffic":true,"canUpdateTargetedPods":true,"canUseScripting":true,"filter":""}}'
TELEMETRY_DISABLED: ''
REPLAY_DISABLED: ''
@@ -654,7 +655,7 @@ spec:
- name: REACT_APP_AUTH_TYPE
value: 'saml'
- name: REACT_APP_AUTH_SAML_IDP_METADATA_URL
- value: ''
+ value: ' '
- name: REACT_APP_REPLAY_DISABLED
value: 'false'
image: 'docker.io/kubeshark/front:v52.1.0'
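Review bot: The regenerated manifest changes the value of `REACT_APP_AUTH_SAML_IDP_METADATA_URL` from `''` to `' '` (a single space), which has nothing to do with the role-attribute change and looks like a generation artifact rather than an intended edit. A frontend check of the form "is this variable non-empty" would now treat the metadata URL as configured even though it is blank, so the line should stay `value: ''` and the generator input that produced the space should be looked at. The enclosing container spec begins and ends outside the hunk.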