enforce ACR, allow specifying more than one

Author: karlhungus

README.md

@@ -62,6 +62,12 @@ Default: (no value)
 
 If specified, the required value of the `acr` claim in the token for authentication to pass.
 
+#### require\_acrs
+
+Default: (no value)
+
+If specified, a comma-separated list of acrs one of which must match the `acr` claim in the token for authentication to pass.
+
 #### http\_proxy
 
 Default: (no value)

authenticator.go

@@ -40,11 +40,11 @@ type authenticator struct {
 	// to pass.
 	AuthorizedGroups []string
 
-	// RequireACR is the required value of the acr claim in the token for
-	// authentication to pass.
+	// RequireACRs is a list of required values of the acr claim in the token for
+	// authentication to pass. At least one of the acrs must be present if specified
 	//
-	// If empty, the ACR value is not checked.
-	RequireACR string
+	// If the list is empty, the ACR value is not checked.
+	RequireACRs []string
 
 	verifier *oidc.Verifier
 	aud      string
@@ -131,9 +131,11 @@ func (a *authenticator) Authenticate(ctx context.Context, user string, token str
 		}
 	}
 
-	// Validate RequireACR
-	if len(a.RequireACR) > 0 && a.RequireACR != claims.ACR {
-		return fmt.Errorf("acr is %q, but %q is required", claims.ACR, a.RequireACR)
+	// Validate RequireACRs
+	if len(a.RequireACRs) > 0 {
+		if !isACRPresent(a.RequireACRs, claims.ACR) {
+			return fmt.Errorf("acr is %q, but one of %v is required", claims.ACR, a.RequireACRs)
+		}
 	}
 
 	return nil
@@ -150,3 +152,13 @@ func isMemberOfAtLeastOneGroup(authorizedGroups []string, groups []string) bool
 
 	return false
 }
+
+func isACRPresent(authorizedACRs []string, acr string) bool {
+	for _, wantACR := range authorizedACRs {
+		if wantACR == acr {
+			return true
+		}
+	}
+
+	return false
+}

authenticator_test.go

@@ -49,7 +49,7 @@ func TestAuthenticate(t *testing.T) {
 		userTemplate     string
 		groupsClaimKey   string
 		authorizedGroups []string
-		requireACR       string
+		requireACRs      []string
 		wantErr          string
 	}{
 		{
@@ -147,9 +147,27 @@ func TestAuthenticate(t *testing.T) {
 					"acr": "foo",
 				},
 			}),
-			requireACR: "foo",
-			wantErr:    "",
+			requireACRs: []string{"foo"},
+			wantErr:     "",
 		},
+		{
+			name: "valid user, valid token, matching one of required ACRs",
+			user: "jdoe",
+			token: mustJWT(t, signer, oidc.Claims{
+				Issuer:    "https://example.com",
+				Subject:   "jdoe",
+				Audience:  []string{"valid-aud"},
+				Expiry:    oidc.UnixTime(now.Add(10 * time.Minute).Unix()),
+				NotBefore: oidc.UnixTime(now.Add(-10 * time.Minute).Unix()),
+				IssuedAt:  oidc.UnixTime(now.Unix()),
+				Extra: map[string]interface{}{
+					"acr": "biz",
+				},
+			}),
+			requireACRs: []string{"foo", "biz"},
+			wantErr:     "",
+		},
+
 		{
 			name: "valid user, valid token, not matching required ACR",
 			user: "jdoe",
@@ -164,9 +182,27 @@ func TestAuthenticate(t *testing.T) {
 					"acr": "foo2",
 				},
 			}),
-			requireACR: "foo",
-			wantErr:    "acr is \"foo2\", but \"foo\" is required",
+			requireACRs: []string{"foo"},
+			wantErr:     "acr is \"foo2\", but one of [foo] is required",
 		},
+		{
+			name: "valid user, valid token, not matching one of required ACR",
+			user: "jdoe",
+			token: mustJWT(t, signer, oidc.Claims{
+				Issuer:    "https://example.com",
+				Subject:   "jdoe",
+				Audience:  []string{"valid-aud"},
+				Expiry:    oidc.UnixTime(now.Add(10 * time.Minute).Unix()),
+				NotBefore: oidc.UnixTime(now.Add(-10 * time.Minute).Unix()),
+				IssuedAt:  oidc.UnixTime(now.Unix()),
+				Extra: map[string]interface{}{
+					"acr": "foo2",
+				},
+			}),
+			requireACRs: []string{"foo", "bar", "biz"},
+			wantErr:     "acr is \"foo2\", but one of [foo bar biz] is required",
+		},
+
 		{
 			name: "valid user, valid token, invalid custom user template",
 			user: "jdoe",
@@ -235,7 +271,7 @@ func TestAuthenticate(t *testing.T) {
 			auth.UserTemplate = tc.userTemplate
 			auth.GroupsClaimKey = tc.groupsClaimKey
 			auth.AuthorizedGroups = tc.authorizedGroups
-			auth.RequireACR = tc.requireACR
+			auth.RequireACRs = tc.requireACRs
 
 			err := auth.Authenticate(ctx, tc.user, tc.token)
 			if err != nil && tc.wantErr == "" {

config.go

@@ -25,8 +25,9 @@ type config struct {
 	// A user must be a member of at least one of the groups in the list, if
 	// specified.
 	AuthorizedGroups []string
-	// RequireACR is the required ACR value that must be present in the claims.
-	RequireACR string
+	// RequireACRs is a list of required ACRs required for authentication to pass.
+	// one of the acr values must be present in the claims.
+	RequireACRs []string
 	// HTTPProxy is the HTTP proxy server used to connect to HTTP services.
 	HTTPProxy string
 }
@@ -52,7 +53,9 @@ func configFromArgs(args []string) (*config, error) {
 		case "authorized_groups":
 			c.AuthorizedGroups = strings.Split(parts[1], ",")
 		case "require_acr":
-			c.RequireACR = parts[1]
+			c.RequireACRs = []string{parts[1]}
+		case "require_acrs":
+			c.RequireACRs = strings.Split(parts[1], ",")
 		case "http_proxy":
 			c.HTTPProxy = parts[1]
 		default:

config_test.go

@@ -36,10 +36,24 @@ func TestParseConfigFromArgs(t *testing.T) {
 				UserTemplate:     `{{.Email}}`,
 				GroupsClaimKey:   "roles",
 				AuthorizedGroups: []string{"foo", "bar", "baz"},
-				RequireACR:       "foo",
+				RequireACRs:      []string{"foo"},
 				HTTPProxy:        "http://example.com:8080",
 			},
 		},
+		{
+			name: "overriding defaults required_acrs",
+			args: []string{"issuer=https://example.com", "aud=example-aud", "user_template={{.Email}}", "groups_claim_key=roles", "authorized_groups=foo,bar,baz", "require_acrs=acr1,acr2,acr3", "http_proxy=http://example.com:8080"},
+			want: &config{
+				Issuer:           "https://example.com",
+				Aud:              "example-aud",
+				UserTemplate:     `{{.Email}}`,
+				GroupsClaimKey:   "roles",
+				AuthorizedGroups: []string{"foo", "bar", "baz"},
+				RequireACRs:      []string{"acr1", "acr2", "acr3"},
+				HTTPProxy:        "http://example.com:8080",
+			},
+		},
+
 		{
 			name:    "invalid option",
 			args:    []string{"issuer=https://example.com", "invalid=foo"},

pam_oidc.go

@@ -87,6 +87,7 @@ func pam_sm_authenticate_go(pamh *C.pam_handle_t, flags C.int, argc C.int, argv
 	auth.UserTemplate = cfg.UserTemplate
 	auth.GroupsClaimKey = cfg.GroupsClaimKey
 	auth.AuthorizedGroups = cfg.AuthorizedGroups
+	auth.RequireACRs = cfg.RequireACRs
 
 	if err := auth.Authenticate(ctx, user, token); err != nil {
 		pamSyslog(pamh, syslog.LOG_WARNING, "failed to authenticate: %v", err)