buzzfeed / sso

sso, aka S.S.Octopus, aka octoboi, is a single sign-on solution for securing internal services
MIT License

group validation should fail if group no longer exists #281

Closed tl-adrian-bridgett closed 4 years ago

tl-adrian-bridgett commented 4 years ago

If group validation is enabled (with my fix for #125), then if the group is deleted, the user is still allowed in, as the cache is not updated.

I think we should be playing very safe here and failing. This also applies for nested groups.

There is a log message:

 {"error":"GROUP_NOT_FOUND","level":"error","msg":"error updating fill cache","service":"sso-authenticator",...

Version: master with PR 275 and PR 280 applied

Jusshersmith commented 4 years ago

Hey @tl-adrian-bridgett! Thanks for submitting this!

I'm working on this PR which should help here -- when the cache refreshes (based on a TTL) and it can't find a group, that group is removed from the cache.
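The fail-closed cache behaviour discussed in this thread, as an added Go example that is not sso's own code: a TTL-based group cache that evicts a group when the provider reports GROUP_NOT_FOUND and denies on any lookup failure. The GroupLookup type, ErrGroupNotFound and the cache layout are assumptions for illustration, not identifiers from the sso code base.

```go
package main

import (
	"errors"
	"time"
)

var ErrGroupNotFound = errors.New("GROUP_NOT_FOUND") // stand-in for the provider's answer (constructed)
type GroupLookup func(group string) ([]string, error) // hypothetical provider call for current members

type entry struct {
	members map[string]bool
	expires time.Time
}

// GroupCache caches membership per group and evicts groups the provider no longer knows.
type GroupCache struct {
	lookup GroupLookup
	ttl    time.Duration
	now    func() time.Time // injectable clock so TTL expiry can be driven in tests
	groups map[string]entry
}

// refresh re-fetches a group once its TTL has elapsed. GROUP_NOT_FOUND evicts the group so its
// stale members stop being admitted; any other error keeps the entry but still denies this request.
func (c *GroupCache) refresh(group string) error {
	if e, ok := c.groups[group]; ok && c.now().Before(e.expires) {
		return nil // still within TTL: serve the cached membership
	}
	members, err := c.lookup(group)
	if errors.Is(err, ErrGroupNotFound) {
		delete(c.groups, group) // the group is gone; drop the stale membership
	}
	if err != nil {
		return err
	}
	set := make(map[string]bool, len(members))
	for _, m := range members {
		set[m] = true
	}
	c.groups[group] = entry{members: set, expires: c.now().Add(c.ttl)}
	return nil
}

// IsMember fails closed: any refresh error denies access instead of trusting stale data.
func (c *GroupCache) IsMember(user, group string) bool {
	if err := c.refresh(group); err != nil {
		return false
	}
	return c.groups[group].members[user]
}
```

Within the TTL a deleted group is still served from cache, so the TTL bounds how long a removed member keeps access; the refresh then evicts it rather than leaving the stale entry in place.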