@tristanweir commented on Wed Feb 15 2017
Replaces https://github.com/mozilla-iam/auth0-deploy/issues/79
Currently we use one rule per LDAP application + LDAP group match for access control. This means that we potentially end up with many rules (depending on how many RPs actually want this, and want a special, different group that we hardcode on their behalf).
I don't expect this to come up often, but if it does, we should probably rewrite the rule logic to accommodate in a single rule for clarity and speed.
Ex:
rules = { 'vpn_mozdef': ['client name 1', 'client name 2', ...], 'moco': ['client name 1', ...], ...}
@tristanweir commented on Wed Feb 15 2017
@jdow @gdestuynder Did we resolve how we were going to do this in the future? Copying it over but I think we have an answer on this
@gdestuynder commented on Thu Feb 16 2017
I think the original rule was written this way - that said, ideally, it should load a json file that has the rules. The logic itself is fairly straightforward (arguably, as well as the code)
@gdestuynder commented on Wed Feb 22 2017
See also https://github.com/mozilla-iam/sso-dashboard/ - the list might be used by the dashboard in order to only show the apps the user has access to, thus might need to be consumable by both parties.
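A sketch of what the single-rule approach from the issue body and the shared-mapping idea above could look like, added here as an example and not code from auth0-deploy or sso-dashboard. It assumes the Auth0 rule signature `function(user, context, callback)`, that LDAP groups arrive in `user.groups`, that the RP is identified by `context.clientName`, and the group and client names are constructed sample values.

```javascript
// Constructed sample mapping: LDAP group -> Auth0 client names it grants access to.
// In the proposal this would be one JSON file loaded by the rule and also read by
// the dashboard, so both sides agree on who may see which app.
const ACCESS_RULES_JSON = JSON.stringify({
  vpn_mozdef: ['VPN MozDef', 'MozDef Dashboard'],
  moco: ['VPN MozDef', 'Internal Wiki']
});

// Invert the mapping once: client name -> set of groups that grant access.
// A client absent from the map is not governed by this rule, which mirrors the
// per-app opt-in the issue describes (only RPs that asked for it are restricted).
function buildClientIndex(rulesJson) {
  const rules = JSON.parse(rulesJson);
  const index = new Map();
  for (const [group, clients] of Object.entries(rules)) {
    for (const client of clients) {
      if (!index.has(client)) index.set(client, new Set());
      index.get(client).add(group);
    }
  }
  return index;
}

// Decide whether a user holding `userGroups` may use `clientName`.
// Returns a small result object so the rule and the dashboard can share it.
function checkAccess(index, clientName, userGroups) {
  const required = index.get(clientName);
  if (!required) return { governed: false, allowed: true, matchedGroups: [] };
  const matched = (userGroups || []).filter((g) => required.has(g));
  return { governed: true, allowed: matched.length > 0, matchedGroups: matched };
}

// Auth0-style rule: one rule for every governed client instead of one per app.
// A real rule would fail with the sandbox's UnauthorizedError; a plain Error is
// used here so the example runs outside Auth0.
function accessRule(user, context, callback, rulesJson = ACCESS_RULES_JSON) {
  const result = checkAccess(buildClientIndex(rulesJson), context.clientName, user.groups);
  if (!result.allowed) {
    return callback(new Error(`Access denied to ${context.clientName}: no matching LDAP group`));
  }
  return callback(null, user, context);
}

// Dashboard side: the apps this user is allowed to see, from the same mapping.
function visibleApps(rulesJson, userGroups) {
  const index = buildClientIndex(rulesJson);
  return [...index.keys()].filter((c) => checkAccess(index, c, userGroups).allowed).sort();
}
```

Because every decision goes through `checkAccess`, a wrong or missing group shows up as a denial with an empty `matchedGroups`, which is the field worth logging when debugging an RP that "should" be visible.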
@andrewkrug commented on Wed Feb 22 2017
Meeting regarding this today. I think we might need to add an architecture component.
@gdestuynder commented on Thu Feb 23 2017
Brainstorm results: https://docs.google.com/document/d/1v2ceqo4rUIkhFzW4QszXSkOmjhGpjkgNy9-9jCN1bwA/edit#heading=h.88k9ttsb9ziu