From d27c542e1f452bba803c427844c866346dd105bf Mon Sep 17 00:00:00 2001
From: Pierre Hubert
Date: Sat, 15 Apr 2023 10:39:22 +0200
Subject: [PATCH] Can grant a client to all users

---
 README.md | 2 ++
 src/controllers/admin_controller.rs | 26 ++++++++++++++++----------
 src/controllers/openid_controller.rs | 2 +-
 src/data/client.rs | 4 ++++
 src/data/user.rs | 10 +++++++---
 templates/settings/edit_user.html | 2 +-
 6 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 387ff8b..0081336 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,8 @@ You can configure a list of clients (Relying Parties) in a `clients.yaml` file w
 redirect_uri: https://mygit.mywebsite.com/
 # If you want new accounts to be granted access to this client by default
 default: true
+ # If you want the client to be granted to every users, regardless their account configuration
+ granted_to_all_users: true
 ```
 
 On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.
diff --git a/src/controllers/admin_controller.rs b/src/controllers/admin_controller.rs
index 81ca9a0..d4a934e 100644
--- a/src/controllers/admin_controller.rs
+++ b/src/controllers/admin_controller.rs
@@ -42,8 +42,8 @@ pub async fn clients_route(user: CurrentUser, clients: web::Data)
 _p: BaseSettingsPage::get("Clients list", &user, None, None),
 clients: clients.cloned(),
 }
- .render()
- .unwrap(),
+ .render()
+ .unwrap(),
 )
 }
 
@@ -197,7 +197,7 @@ pub async fn users_route(
 true => "Failed to create user!",
 false => "Failed to update user!",
 }
- .to_string(),
+ .to_string(),
 )
 } else {
 success = Some(match is_creating {
@@ -228,14 +228,20 @@ pub async fn users_route(
 _p: BaseSettingsPage::get("Users list", &admin, danger, success),
 users,
 }
- .render()
- .unwrap(),
+ .render()
+ .unwrap(),
 )
 }
 
 pub async fn create_user(admin: CurrentUser, clients: web::Data) -> impl Responder {
 let mut user = User::default();
- user.authorized_clients = Some(clients.get_default_clients().iter().map(|u| u.id.clone()).collect());
+ user.authorized_clients = Some(
+ clients
+ .get_default_clients()
+ .iter()
+ .map(|u| u.id.clone())
+ .collect(),
+ );
 
 HttpResponse::Ok().body(
 EditUserTemplate {
@@ -243,8 +249,8 @@ pub async fn create_user(admin: CurrentUser, clients: web::Data)
 u: user,
 clients: clients.cloned(),
 }
- .render()
- .unwrap(),
+ .render()
+ .unwrap(),
 )
 }
 
@@ -279,7 +285,7 @@ pub async fn edit_user(
 u: edited_account.unwrap_or_default(),
 clients: clients.cloned(),
 }
- .render()
- .unwrap(),
+ .render()
+ .unwrap(),
 )
 }
diff --git a/src/controllers/openid_controller.rs b/src/controllers/openid_controller.rs
index a9137de..9588e1a 100644
--- a/src/controllers/openid_controller.rs
+++ b/src/controllers/openid_controller.rs
@@ -164,7 +164,7 @@ pub async fn authorize(
 };
 
 // Check if user is authorized to access the application
- if !user.can_access_app(&client.id) {
+ if !user.can_access_app(&client) {
 return error_redirect(
 &query,
 "invalid_request",
diff --git a/src/data/client.rs b/src/data/client.rs
index 35ec1fc..7097580 100644
--- a/src/data/client.rs
+++ b/src/data/client.rs
@@ -24,6 +24,10 @@ pub struct Client {
 /// Specify if the client must be allowed by default for new account
 #[serde(default = "bool::default")]
 pub default: bool,
+
+ /// Specify whether a client is granted to all users
+ #[serde(default = "bool::default")]
+ pub granted_to_all_users: bool,
 }
 
 impl PartialEq for Client {
diff --git a/src/data/user.rs b/src/data/user.rs
index 5ac8009..1eb4ba7 100644
--- a/src/data/user.rs
+++ b/src/data/user.rs
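Review bot: The doc comment on the new `granted_to_all_users` field in `src/data/client.rs` understates its effect: per the `can_access_app` change in `src/data/user.rs`, the flag is tested before the account's `granted_clients()` list, so it bypasses a per-user configuration that excludes the client, including the `NoClient` case. Since this override lives in `clients.yaml` rather than in the account, the field should state that precedence so an operator reading the config knows that revoking the client for an individual user has no effect once it is set: `/// Grant this client to every user. Checked before the per-user authorized client list in User::can_access_app, so an individual account cannot be excluded from this client.` Reusing `#[serde(default = "bool::default")]` matches the existing `default` field and is fine for consistency. The `Client` struct starts outside the hunk.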
@@ -2,7 +2,7 @@ use std::collections::HashMap;
 use std::net::IpAddr;
 
 use crate::constants::SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN;
-use crate::data::client::ClientID;
+use crate::data::client::{Client, ClientID};
 use crate::data::login_redirect::LoginRedirect;
 use crate::data::totp_key::TotpKey;
 use crate::data::webauthn_manager::WebauthnPubKey;
@@ -170,10 +170,14 @@ impl User {
 }
 }
 
- pub fn can_access_app(&self, id: &ClientID) -> bool {
+ pub fn can_access_app(&self, client: &Client) -> bool {
+ if client.granted_to_all_users {
+ return true;
+ }
+
 match self.granted_clients() {
 GrantedClients::AllClients => true,
- GrantedClients::SomeClients(c) => c.contains(id),
+ GrantedClients::SomeClients(c) => c.contains(&client.id),
 GrantedClients::NoClient => false,
 }
 }
diff --git a/templates/settings/edit_user.html b/templates/settings/edit_user.html
index 8ed89bc..be18ed5 100644
--- a/templates/settings/edit_user.html
+++ b/templates/settings/edit_user.html
@@ -144,7 +144,7 @@
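Review bot: The early return added at the top of `can_access_app` gives `granted_to_all_users` precedence over every `GrantedClients` variant, including `NoClient`, yet nothing in the function records that this is intended; a reader of the `match` below will assume `NoClient` denies unconditionally. I'd add a doc comment stating the precedence, `/// Whether this account may use the given client. A client flagged granted_to_all_users is always allowed, even when the account's client list is NoClient.`, and a unit test pinning that a `NoClient` account is allowed for such a client and denied for an ordinary one, so a later reordering of the two checks cannot silently change the authorization decision. The `impl User` block extends outside the hunk.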
+ {% if u.can_access_app(c) %} checked="" {% endif %}>