Google provider: use groups.list with userKey param for group check

instead of group members.list should support nested groups, and is shorter/simpler code too
ploxiln · Nov 26, 2018 · 3b85ef2 · 3b85ef2
1 parent dbe4613
commit 3b85ef2
Showing 1 changed file with 15 additions and 52 deletions.
diff --git a/providers/google.go b/providers/google.go
@@ -17,7 +17,6 @@ import (
 	"golang.org/x/oauth2"
 	"golang.org/x/oauth2/google"
 	"google.golang.org/api/admin/directory/v1"
-	"google.golang.org/api/googleapi"
 )
 
 type GoogleProvider struct {
@@ -180,67 +179,31 @@ func getAdminService(adminEmail string, credentialsReader io.Reader) *admin.Serv
 }
 
 func userInGroup(service *admin.Service, groups []string, email string) bool {
-	user, err := fetchUser(service, email)
-	if err != nil {
-		log.Printf("error fetching user: %v", err)
-		return false
-	}
-	id := user.Id
-	custID := user.CustomerId
-
-	for _, group := range groups {
-		members, err := fetchGroupMembers(service, group)
-		if err != nil {
-			if err, ok := err.(*googleapi.Error); ok && err.Code == 404 {
-				log.Printf("error fetching members for group %s: group does not exist", group)
-			} else {
-				log.Printf("error fetching group members: %v", err)
-				return false
-			}
-		}
-
-		for _, member := range members {
-			switch member.Type {
-			case "CUSTOMER":
-				if member.Id == custID {
-					return true
-				}
-			case "USER":
-				if member.Id == id {
-					return true
-				}
-			}
-		}
-	}
-	return false
-}
-
-func fetchUser(service *admin.Service, email string) (*admin.User, error) {
-	user, err := service.Users.Get(email).Do()
-	return user, err
-}
-
-func fetchGroupMembers(service *admin.Service, group string) ([]*admin.Member, error) {
-	members := []*admin.Member{}
 	pageToken := ""
 	for {
-		req := service.Members.List(group)
+		req := service.Groups.List().UserKey(email)
 		if pageToken != "" {
 			req.PageToken(pageToken)
 		}
-		r, err := req.Do()
+		resp, err := req.Do()
 		if err != nil {
-			return nil, err
+			log.Printf("Error calling service.Groups.List().userKey(%s)", email)
+			return false
 		}
-		for _, member := range r.Members {
-			members = append(members, member)
+		for _, group := range resp.Groups {
+			for _, allowedgroup := range groups {
+				if group.Email == allowedgroup {
+					log.Printf("%s is a member of %s, authorized", email, allowedgroup)
+					return true
+				}
+			}
 		}
-		if r.NextPageToken == "" {
-			break
+		if resp.NextPageToken == "" {
+			log.Printf("%s not found in any allowed groups", email)
+			return false
 		}
-		pageToken = r.NextPageToken
+		pageToken = resp.NextPageToken
 	}
-	return members, nil
 }
 
 // ValidateGroup validates that the provided email exists in the configured Google