Fix idtyp issue with GetMemberGroupsUsingARCOboService (#392)

* fix idtyp issue

Signed-off-by: vithumma_microsoft <[email protected]>

* UT for idtyp user

Signed-off-by: vithumma_microsoft <[email protected]>

* Update graph.go

Signed-off-by: vithumma_microsoft <[email protected]>

* Update graph.go

Signed-off-by: vithumma_microsoft <[email protected]>

* fmt

Signed-off-by: vithumma_microsoft <[email protected]>

---------

Signed-off-by: vithumma_microsoft <[email protected]>
Co-authored-by: vithumma_microsoft <[email protected]>

auth/providers/azure/graph/graph.go

@@ -202,8 +202,17 @@ func (u *UserInfo) getMemberGroupsUsingARCOboService(ctx context.Context, access
 		return nil, errors.Wrap(err, "Error while parsing accessToken for validation")
 	}
 
-	// the arc obo service does not support getting groups for applications
-	if claims[idtypClaim] != nil {
+	// the arc obo service does not support getting groups for applications(SPN)
+	isAADUser := false
+	if claims[idtypClaim] == nil {
+		isAADUser = true
+	} else {
+		idtyp, ok := claims[idtypClaim].(string)
+		if ok && strings.EqualFold(idtyp, "user") {
+			isAADUser = true
+		}
+	}
+	if !isAADUser {
 		return nil, errors.New("Overage claim (users with more than 200 group membership) for SPN is currently not supported. For troubleshooting, please refer to aka.ms/overageclaimtroubleshoot")
 	}
 

auth/providers/azure/graph/graph_test.go

@@ -34,10 +34,11 @@ import (
 )
 
 const (
-	accessTokenWithOverageClaim       = `{ "aud": "client", "iss" : "%v", "exp" : "%v",  "upn": "arc", "_claim_names": {"groups": "src1"}, "_claim_sources": {"src1": {"endpoint": "https://foobar" }} }`
-	accessTokenWithOverageClaimForApp = `{ "aud": "client", "iss" : "%v", "exp" : "%v", "idtyp" : "app", "upn": "arc", "_claim_names": {"groups": "src1"}, "_claim_sources": {"src1": {"endpoint": "https://foobar" }} }`
-	location                          = "eastus"
-	tenant_id                         = "tenantId"
+	accessTokenWithOverageClaim        = `{ "aud": "client", "iss" : "%v", "exp" : "%v",  "upn": "arc", "_claim_names": {"groups": "src1"}, "_claim_sources": {"src1": {"endpoint": "https://foobar" }} }`
+	accessTokenWithOverageClaimForApp  = `{ "aud": "client", "iss" : "%v", "exp" : "%v", "idtyp" : "app", "upn": "arc", "_claim_names": {"groups": "src1"}, "_claim_sources": {"src1": {"endpoint": "https://foobar" }} }`
+	accessTokenWithOverageClaimForUser = `{ "aud": "client", "iss" : "%v", "exp" : "%v", "idtyp" : "user", "upn": "arc", "_claim_names": {"groups": "src1"}, "_claim_sources": {"src1": {"endpoint": "https://foobar" }} }`
+	location                           = "eastus"
+	tenant_id                          = "tenantId"
 )
 
 type swKey struct {
@@ -346,6 +347,39 @@ func TestGetMemberGroupsUsingARCOboService(t *testing.T) {
 			t.Errorf("Should have gotten a list of groups with 1 entry. Got: %d", len(groups))
 		}
 	})
+	t.Run("successful request for token with 'user' idtyp claim", func(t *testing.T) {
+		validBody := `{
+			"value": [
+				"f36ec2c5-fa5t-4f05-b87f-deadbeef"
+			]
+		  }`
+
+		ts, u := getAPIServerAndUserInfo(http.StatusOK, validBody)
+		u.region = location
+		u.authMode = arcAuthMode
+		u.resourceID = ts.URL
+		u.tenantID = tenant_id
+		defer ts.Close()
+
+		getOBORegionalEndpoint = func(location string, resourceID string) (string, error) {
+			return ts.URL, nil
+		}
+
+		u.headers.Set("Authorization", "Bearer msitoken")
+
+		tokenstring, err := key.GenerateToken([]byte(fmt.Sprintf(accessTokenWithOverageClaimForUser, ts.URL, time.Now().Add(time.Minute*5).Unix())))
+		if err != nil {
+			t.Fatalf("Error when generating token. Error:%+v", err)
+		}
+
+		groups, err := u.getMemberGroupsUsingARCOboService(ctx, tokenstring)
+		if err != nil {
+			t.Errorf("Should not have gotten error: %s", err)
+		}
+		if len(groups) != 1 {
+			t.Errorf("Should have gotten a list of groups with 1 entry. Got: %d", len(groups))
+		}
+	})
 	t.Run("bad server response", func(t *testing.T) {
 		ts, u := getAPIServerAndUserInfo(http.StatusInternalServerError, "shutdown")
 		u.region = location