Disallow brokers from returning users without groups

The brokers used to be able to provide the userinfo without any group associated to it. This creates difficulties when trying to manage the user presence in the local groups. Now, the broker must provide at least one group for the user and the first group must be a remote one (with UGID).
ubuntu · Dec 7, 2023 · efbce02 · efbce02
1 parent ca985a4
commit efbce02
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/internal/brokers/broker.go b/internal/brokers/broker.go
@@ -336,6 +336,14 @@ func validateUserInfoAndGenerateIDs(brokerName string, rawMsg json.RawMessage) (
 	}
 	uInfo.UID = generateID(brokerName + uInfo.UUID)
 
+	// User must be a part of at least one group.
+	if len(uInfo.Groups) == 0 {
+		return users.UserInfo{}, fmt.Errorf("empty groups")
+	}
+	// The default group for the user is the default and it must have a UGID.
+	if uInfo.Groups[0].UGID == "" {
+		return users.UserInfo{}, fmt.Errorf("default group has empty UGID")
+	}
 	// Validate UGIDs and generate GIDs
 	for _, g := range uInfo.Groups {
 		if g.Name == "" {