From d27c542e1f452bba803c427844c866346dd105bf Mon Sep 17 00:00:00 2001
From: Pierre Hubert <pierre.git@communiquons.org>
Date: Sat, 15 Apr 2023 10:39:22 +0200
Subject: [PATCH] Can grant a client to all users

---
 README.md                            |  2 ++
 src/controllers/admin_controller.rs  | 26 ++++++++++++++++----------
 src/controllers/openid_controller.rs |  2 +-
 src/data/client.rs                   |  4 ++++
 src/data/user.rs                     | 10 +++++++---
 templates/settings/edit_user.html    |  2 +-
 6 files changed, 31 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index 387ff8b..0081336 100644
--- a/README.md
+++ b/README.md
@@ -18,6 +18,8 @@ You can configure a list of clients (Relying Parties) in a `clients.yaml` file w
   redirect_uri: https://mygit.mywebsite.com/
   # If you want new accounts to be granted access to this client by default
   default: true
+  # If you want the client to be granted to every users, regardless their account configuration
+  granted_to_all_users: true
 ```
 
 On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.
diff --git a/src/controllers/admin_controller.rs b/src/controllers/admin_controller.rs
index 81ca9a0..d4a934e 100644
--- a/src/controllers/admin_controller.rs
+++ b/src/controllers/admin_controller.rs
@@ -42,8 +42,8 @@ pub async fn clients_route(user: CurrentUser, clients: web::Data<ClientManager>)
             _p: BaseSettingsPage::get("Clients list", &user, None, None),
             clients: clients.cloned(),
         }
-            .render()
-            .unwrap(),
+        .render()
+        .unwrap(),
     )
 }
 
@@ -197,7 +197,7 @@ pub async fn users_route(
                     true => "Failed to create user!",
                     false => "Failed to update user!",
                 }
-                    .to_string(),
+                .to_string(),
             )
         } else {
             success = Some(match is_creating {
@@ -228,14 +228,20 @@ pub async fn users_route(
             _p: BaseSettingsPage::get("Users list", &admin, danger, success),
             users,
         }
-            .render()
-            .unwrap(),
+        .render()
+        .unwrap(),
     )
 }
 
 pub async fn create_user(admin: CurrentUser, clients: web::Data<ClientManager>) -> impl Responder {
     let mut user = User::default();
-    user.authorized_clients = Some(clients.get_default_clients().iter().map(|u| u.id.clone()).collect());
+    user.authorized_clients = Some(
+        clients
+            .get_default_clients()
+            .iter()
+            .map(|u| u.id.clone())
+            .collect(),
+    );
 
     HttpResponse::Ok().body(
         EditUserTemplate {
@@ -243,8 +249,8 @@ pub async fn create_user(admin: CurrentUser, clients: web::Data<ClientManager>)
             u: user,
             clients: clients.cloned(),
         }
-            .render()
-            .unwrap(),
+        .render()
+        .unwrap(),
     )
 }
 
@@ -279,7 +285,7 @@ pub async fn edit_user(
             u: edited_account.unwrap_or_default(),
             clients: clients.cloned(),
         }
-            .render()
-            .unwrap(),
+        .render()
+        .unwrap(),
     )
 }
diff --git a/src/controllers/openid_controller.rs b/src/controllers/openid_controller.rs
index a9137de..9588e1a 100644
--- a/src/controllers/openid_controller.rs
+++ b/src/controllers/openid_controller.rs
@@ -164,7 +164,7 @@ pub async fn authorize(
     };
 
     // Check if user is authorized to access the application
-    if !user.can_access_app(&client.id) {
+    if !user.can_access_app(&client) {
         return error_redirect(
             &query,
             "invalid_request",
diff --git a/src/data/client.rs b/src/data/client.rs
index 35ec1fc..7097580 100644
--- a/src/data/client.rs
+++ b/src/data/client.rs
@@ -24,6 +24,10 @@ pub struct Client {
     /// Specify if the client must be allowed by default for new account
     #[serde(default = "bool::default")]
     pub default: bool,
+
+    /// Specify whether a client is granted to all users
+    #[serde(default = "bool::default")]
+    pub granted_to_all_users: bool,
 }
 
 impl PartialEq for Client {
diff --git a/src/data/user.rs b/src/data/user.rs
index 5ac8009..1eb4ba7 100644
--- a/src/data/user.rs
+++ b/src/data/user.rs
@@ -2,7 +2,7 @@ use std::collections::HashMap;
 use std::net::IpAddr;
 
 use crate::constants::SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN;
-use crate::data::client::ClientID;
+use crate::data::client::{Client, ClientID};
 use crate::data::login_redirect::LoginRedirect;
 use crate::data::totp_key::TotpKey;
 use crate::data::webauthn_manager::WebauthnPubKey;
@@ -170,10 +170,14 @@ impl User {
         }
     }
 
-    pub fn can_access_app(&self, id: &ClientID) -> bool {
+    pub fn can_access_app(&self, client: &Client) -> bool {
+        if client.granted_to_all_users {
+            return true;
+        }
+
         match self.granted_clients() {
             GrantedClients::AllClients => true,
-            GrantedClients::SomeClients(c) => c.contains(id),
+            GrantedClients::SomeClients(c) => c.contains(&client.id),
             GrantedClients::NoClient => false,
         }
     }
diff --git a/templates/settings/edit_user.html b/templates/settings/edit_user.html
index 8ed89bc..be18ed5 100644
--- a/templates/settings/edit_user.html
+++ b/templates/settings/edit_user.html
@@ -144,7 +144,7 @@
             <div class="form-check">
                 <input id="client-{{ c.id.0 }}" class="form-check-input authorize_client_checkbox" type="checkbox"
                        data-id="{{ c.id.0 }}"
-                       {% if u.can_access_app(c.id) %} checked="" {% endif %}>
+                       {% if u.can_access_app(c) %} checked="" {% endif %}>
                 <label class="form-check-label" for="client-{{ c.id.0 }}">
                     {{ c.name }}
                 </label>