add dynamic group mapping for AD provider

providers/active_directory.go

@@ -243,9 +243,13 @@ func (s *ADProvider) getUserData(username string, password string) (goth.User, e
 		if j.Name == s.config.LDAPLastNameAttribute {
 			thisUser.LastName = j.Values[0]
 		}
+		if j.Name == s.profile.CustomUserGroupField {
+			thisUser.RawData[j.Name] = j.Values
 
-		thisUser.RawData[j.Name] = j.Values[0]
+			continue
+		}
 
+		thisUser.RawData[j.Name] = j.Values[0]
 	}
 
 	if !emailFound {
@@ -262,7 +266,7 @@ func (s *ADProvider) getUserData(username string, password string) (goth.User, e
 
 // Handle is a delegate for the Http Handler used by the generic inbound handler, it will extract the username
 // and password from the request and atempt to bind tot he AD host.
-func (s *ADProvider) Handle(w http.ResponseWriter, r *http.Request, pathParams map[string]string,profile tap.Profile) {
+func (s *ADProvider) Handle(w http.ResponseWriter, r *http.Request, pathParams map[string]string, profile tap.Profile) {
 	s.connect()
 
 	username := r.FormValue("username")

tap/identity-handlers/tyk_handler.go

@@ -156,7 +156,7 @@ func (t *TykIdentityHandler) CreateIdentity(i interface{}) (string, error) {
 	displayName := ""
 	groupID := ""
 	if ok {
-		email = GetEmail(gUser,t.profile.CustomEmailField)
+		email = GetEmail(gUser, t.profile.CustomEmailField)
 
 		if gUser.FirstName != "" {
 			displayName = gUser.FirstName
@@ -171,7 +171,7 @@ func (t *TykIdentityHandler) CreateIdentity(i interface{}) (string, error) {
 			displayName = email
 		}
 
-		groupID = GetGroupId(gUser, t.profile.CustomUserGroupField,t.profile.DefaultUserGroupID,t.profile.UserGroupMapping)
+		groupID = GetGroupId(gUser, t.profile.CustomUserGroupField, t.profile.DefaultUserGroupID, t.profile.UserGroupMapping)
 	}
 
 	tykHandlerLogger.Debugf("The GroupID %s is used for SSO: ", groupID)
@@ -200,6 +200,12 @@ func (t *TykIdentityHandler) CreateIdentity(i interface{}) (string, error) {
 //this lets us deal with odd inputs from other IDPs in future
 func groupsStringer(i interface{}) []string {
 	switch v := i.(type) {
+	case []string:
+		groups := make([]string, 0)
+		for _, str := range v {
+			groups = append(groups, str)
+		}
+		return groups
 	case []interface{}:
 		groups := make([]string, 0)
 		for _, str := range v {
@@ -249,7 +255,7 @@ func (t *TykIdentityHandler) CompleteIdentityActionForPortal(w http.ResponseWrit
 	}
 
 	user := i.(goth.User)
-	user.UserID = GetUserID(user,t.profile.CustomUserIDField)
+	user.UserID = GetUserID(user, t.profile.CustomUserIDField)
 
 	// Check if user exists
 	sso_key := tap.GenerateSSOKey(user)
@@ -330,7 +336,7 @@ func (t *TykIdentityHandler) CompleteIdentityActionForOAuth(w http.ResponseWrite
 	tykHandlerLogger.Debug("ID IS: ", id_with_profile)
 
 	if !t.disableOneTokenPerAPI {
-		fErr := t.Store.GetKey(id_with_profile,"", &value)
+		fErr := t.Store.GetKey(id_with_profile, "", &value)
 		if fErr == nil {
 			// Key found
 			tykHandlerLogger.Warning("--> Token exists, invalidating")
@@ -372,7 +378,7 @@ func (t *TykIdentityHandler) CompleteIdentityActionForOAuth(w http.ResponseWrite
 
 	if resp.AccessToken != "" {
 		tykHandlerLogger.Warning("--> Storing token reference")
-		t.Store.SetKey(id_with_profile,"", resp.AccessToken)
+		t.Store.SetKey(id_with_profile, "", resp.AccessToken)
 	}
 
 	if t.oauth.NoRedirect {
@@ -410,7 +416,7 @@ func (t *TykIdentityHandler) CompleteIdentityActionForTokenAuth(w http.ResponseW
 	tykHandlerLogger.Debug("ID IS: ", id_with_profile)
 
 	if !t.disableOneTokenPerAPI {
-		fErr := t.Store.GetKey(id_with_profile,"", &value)
+		fErr := t.Store.GetKey(id_with_profile, "", &value)
 		if fErr == nil {
 			// Key found
 			tykHandlerLogger.Warning("--> Token exists, invalidating")
@@ -451,7 +457,7 @@ func (t *TykIdentityHandler) CompleteIdentityActionForTokenAuth(w http.ResponseW
 
 	if resp.KeyID != "" {
 		tykHandlerLogger.Warning("--> Storing token reference")
-		t.Store.SetKey(id_with_profile,"", resp.KeyID)
+		t.Store.SetKey(id_with_profile, "", resp.KeyID)
 	}
 
 	// After login, we need to redirect this user
@@ -493,7 +499,7 @@ func (t *TykIdentityHandler) CompleteIdentityAction(w http.ResponseWriter, r *ht
 }
 
 // GetEmail returns the email to be used for SSO
-func GetEmail(gUser goth.User, customEmailField string)string{
+func GetEmail(gUser goth.User, customEmailField string) string {
 	email := ""
 
 	if customEmailField != "" {
@@ -511,7 +517,7 @@ func GetEmail(gUser goth.User, customEmailField string)string{
 	return email
 }
 
-func GetUserID(gUser goth.User,CustomUserIDField string) string {
+func GetUserID(gUser goth.User, CustomUserIDField string) string {
 	if CustomUserIDField != "" {
 		if gUser.RawData[CustomUserIDField] != nil {
 			return gUser.RawData[CustomUserIDField].(string)
@@ -520,7 +526,7 @@ func GetUserID(gUser goth.User,CustomUserIDField string) string {
 	return gUser.UserID
 }
 
-func GetGroupId(gUser goth.User,CustomUserGroupField, DefaultUserGroup string, userGroupMapping map[string]string) string{
+func GetGroupId(gUser goth.User, CustomUserGroupField, DefaultUserGroup string, userGroupMapping map[string]string) string {
 	groupID := DefaultUserGroup
 	if CustomUserGroupField != "" {
 		groups := make([]string, 0)
@@ -536,4 +542,4 @@ func GetGroupId(gUser goth.User,CustomUserGroupField, DefaultUserGroup string, u
 		}
 	}
 	return groupID
-}
+}