Can grant a client to all users
Some checks failed
continuous-integration/drone/push Build is failing

This commit is contained in:
Pierre HUBERT 2023-04-15 10:39:22 +02:00
parent 412eaf2bff
commit d27c542e1f
6 changed files with 31 additions and 15 deletions

View File

@ -18,6 +18,8 @@ You can configure a list of clients (Relying Parties) in a `clients.yaml` file w
redirect_uri: https://mygit.mywebsite.com/ redirect_uri: https://mygit.mywebsite.com/
# If you want new accounts to be granted access to this client by default # If you want new accounts to be granted access to this client by default
default: true default: true
# If you want the client to be granted to every users, regardless their account configuration
granted_to_all_users: true
``` ```
On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials. On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.

View File

@ -235,7 +235,13 @@ pub async fn users_route(
pub async fn create_user(admin: CurrentUser, clients: web::Data<ClientManager>) -> impl Responder { pub async fn create_user(admin: CurrentUser, clients: web::Data<ClientManager>) -> impl Responder {
let mut user = User::default(); let mut user = User::default();
user.authorized_clients = Some(clients.get_default_clients().iter().map(|u| u.id.clone()).collect()); user.authorized_clients = Some(
clients
.get_default_clients()
.iter()
.map(|u| u.id.clone())
.collect(),
);
HttpResponse::Ok().body( HttpResponse::Ok().body(
EditUserTemplate { EditUserTemplate {

View File

@ -164,7 +164,7 @@ pub async fn authorize(
}; };
// Check if user is authorized to access the application // Check if user is authorized to access the application
if !user.can_access_app(&client.id) { if !user.can_access_app(&client) {
return error_redirect( return error_redirect(
&query, &query,
"invalid_request", "invalid_request",

View File

@ -24,6 +24,10 @@ pub struct Client {
/// Specify if the client must be allowed by default for new account /// Specify if the client must be allowed by default for new account
#[serde(default = "bool::default")] #[serde(default = "bool::default")]
pub default: bool, pub default: bool,
/// Specify whether a client is granted to all users
#[serde(default = "bool::default")]
pub granted_to_all_users: bool,
} }
impl PartialEq for Client { impl PartialEq for Client {

View File

@ -2,7 +2,7 @@ use std::collections::HashMap;
use std::net::IpAddr; use std::net::IpAddr;
use crate::constants::SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN; use crate::constants::SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN;
use crate::data::client::ClientID; use crate::data::client::{Client, ClientID};
use crate::data::login_redirect::LoginRedirect; use crate::data::login_redirect::LoginRedirect;
use crate::data::totp_key::TotpKey; use crate::data::totp_key::TotpKey;
use crate::data::webauthn_manager::WebauthnPubKey; use crate::data::webauthn_manager::WebauthnPubKey;
@ -170,10 +170,14 @@ impl User {
} }
} }
pub fn can_access_app(&self, id: &ClientID) -> bool { pub fn can_access_app(&self, client: &Client) -> bool {
if client.granted_to_all_users {
return true;
}
match self.granted_clients() { match self.granted_clients() {
GrantedClients::AllClients => true, GrantedClients::AllClients => true,
GrantedClients::SomeClients(c) => c.contains(id), GrantedClients::SomeClients(c) => c.contains(&client.id),
GrantedClients::NoClient => false, GrantedClients::NoClient => false,
} }
} }

View File

@ -144,7 +144,7 @@
<div class="form-check"> <div class="form-check">
<input id="client-{{ c.id.0 }}" class="form-check-input authorize_client_checkbox" type="checkbox" <input id="client-{{ c.id.0 }}" class="form-check-input authorize_client_checkbox" type="checkbox"
data-id="{{ c.id.0 }}" data-id="{{ c.id.0 }}"
{% if u.can_access_app(c.id) %} checked="" {% endif %}> {% if u.can_access_app(c) %} checked="" {% endif %}>
<label class="form-check-label" for="client-{{ c.id.0 }}"> <label class="form-check-label" for="client-{{ c.id.0 }}">
{{ c.name }} {{ c.name }}
</label> </label>