handle 403 errors from google, if user is not part of the group (#554)

* handle 403 errors from google, if user is not part of the group

Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>

* handle 403 errors from google, if user is not part of the group

Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>

* handle 403 errors from google, if user is not part of the group

Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>

* handle 403 errors from google, if user is not part of the group

Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>

* handle 403 errors from google, if user is not part of the group

Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>

* handle 403 errors from google, if user is not part of the group

Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>

* handle 403 errors from google, if user is not part of the group

Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>

---------

Signed-off-by: Jan-Otto Kröpke <mail@jkroepke.de>

Author: jkroepke

.github/workflows/ci.yaml

@@ -27,10 +27,6 @@ jobs:
       - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
-        with:
-          name: dists
-          path: dist/
   goreleaser:
     runs-on: ubuntu-24.04
     name: Test goreleaser
@@ -59,6 +55,10 @@ jobs:
           GITHUB_TOKEN: ""
           GPG_KEY_PATH: ""
 
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: dists
+          path: dist/
   lint:
     name: lint
     runs-on: ubuntu-24.04

internal/oauth2/providers/google/api.go

@@ -8,6 +8,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"strings"
 
 	"github.com/jkroepke/openvpn-auth-oauth2/internal/oauth2/idtoken"
 	"github.com/jkroepke/openvpn-auth-oauth2/internal/oauth2/types"
@@ -93,6 +94,16 @@ func get[T any](ctx context.Context, httpClient *http.Client, accessToken string
 			_ = json.Unmarshal(respBody, &apiErr)
 		}
 
+		if strings.HasPrefix(apiErr.Error.Message, "Error(4001):") {
+			// This error indicates that the current user does not have the required permissions to access the group.
+			// Clear the data by setting it to zero value
+			var zero T
+
+			*data = zero
+
+			return nil
+		}
+
 		return fmt.Errorf("error from Google API %s: http status code: %d; message: %s", apiURL, resp.StatusCode, apiErr.Error.Message)
 	}
 

internal/oauth2/providers/google/check_test.go

@@ -6,8 +6,8 @@ import (
 	"strings"
 	"testing"
 
-	types2 "github.com/jkroepke/openvpn-auth-oauth2/internal/config"
-	oauth3 "github.com/jkroepke/openvpn-auth-oauth2/internal/oauth2"
+	"github.com/jkroepke/openvpn-auth-oauth2/internal/config"
+	"github.com/jkroepke/openvpn-auth-oauth2/internal/oauth2"
 	"github.com/jkroepke/openvpn-auth-oauth2/internal/oauth2/idtoken"
 	"github.com/jkroepke/openvpn-auth-oauth2/internal/oauth2/providers/google"
 	"github.com/jkroepke/openvpn-auth-oauth2/internal/oauth2/types"
@@ -16,7 +16,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"github.com/zitadel/oidc/v3/pkg/oidc"
-	"golang.org/x/oauth2"
+	gooauth2 "golang.org/x/oauth2"
 )
 
 func TestValidateGroups(t *testing.T) {
@@ -76,11 +76,17 @@ func TestValidateGroups(t *testing.T) {
 			[]string{"000000000000000"},
 			"error from Google API https://cloudidentity.googleapis.com/v1/groups/000000000000000/memberships: http status code: 500; message: error",
 		},
+		{
+			"permission denied",
+			`{"error": {"message": "Error(4001): Permission denied for membership resource 'groups/000000000000000' (or it may not exist)."}}`,
+			[]string{"000000000000000"},
+			oauth2.ErrMissingRequiredGroup.Error(),
+		},
 		{
 			"configure two group, none match",
 			`{"memberships": [{"name": "groups/000000000000002/memberships/123456789101112131416", "memberKey": {"id": "user@example.com"}, "roles": [{"name": "MEMBER"}], "preferredMemberKey": {"id": "user@example.com"}}], "nextPageToken": ""}`,
 			[]string{"000000000000000", "000000000000001"},
-			oauth3.ErrMissingRequiredGroup.Error(),
+			oauth2.ErrMissingRequiredGroup.Error(),
 		},
 		{
 			"configure two group, missing one",
@@ -99,7 +105,7 @@ func TestValidateGroups(t *testing.T) {
 			t.Parallel()
 
 			token := &oidc.Tokens[*idtoken.Claims]{
-				Token: &oauth2.Token{
+				Token: &gooauth2.Token{
 					AccessToken: "TOKEN",
 				},
 				IDTokenClaims: &idtoken.Claims{},
@@ -109,9 +115,9 @@ func TestValidateGroups(t *testing.T) {
 				token.AccessToken = ""
 			}
 
-			conf := types2.Config{
-				OAuth2: types2.OAuth2{
-					Validate: types2.OAuth2Validate{
+			conf := config.Config{
+				OAuth2: config.OAuth2{
+					Validate: config.OAuth2Validate{
 						Groups: tc.requiredGroups,
 					},
 				},