Can grant a client to all users

This commit is contained in:
Pierre HUBERT 2023-04-15 10:39:22 +02:00
parent 412eaf2bff
commit d27c542e1f
6 changed files with 31 additions and 15 deletions


@ -18,6 +18,8 @@ You can configure a list of clients (Relying Parties) in a `clients.yaml` file w
redirect_uri: https://mygit.mywebsite.com/ redirect_uri: https://mygit.mywebsite.com/
# If you want new accounts to be granted access to this client by default # If you want new accounts to be granted access to this client by default
default: true default: true
# If you want the client to be granted to every users, regardless their account configuration
granted_to_all_users: true
``` ```
On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials. On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.


@ -42,8 +42,8 @@ pub async fn clients_route(user: CurrentUser, clients: web::Data<ClientManager>)
_p: BaseSettingsPage::get("Clients list", &user, None, None), _p: BaseSettingsPage::get("Clients list", &user, None, None),
clients: clients.cloned(), clients: clients.cloned(),
} }
.render() .render()
.unwrap(), .unwrap(),
) )
} }
@ -197,7 +197,7 @@ pub async fn users_route(
true => "Failed to create user!", true => "Failed to create user!",
false => "Failed to update user!", false => "Failed to update user!",
} }
.to_string(), .to_string(),
) )
} else { } else {
success = Some(match is_creating { success = Some(match is_creating {
@ -228,14 +228,20 @@ pub async fn users_route(
_p: BaseSettingsPage::get("Users list", &admin, danger, success), _p: BaseSettingsPage::get("Users list", &admin, danger, success),
users, users,
} }
.render() .render()
.unwrap(), .unwrap(),
) )
} }
pub async fn create_user(admin: CurrentUser, clients: web::Data<ClientManager>) -> impl Responder { pub async fn create_user(admin: CurrentUser, clients: web::Data<ClientManager>) -> impl Responder {
let mut user = User::default(); let mut user = User::default();
user.authorized_clients = Some(clients.get_default_clients().iter().map(|u| u.id.clone()).collect()); user.authorized_clients = Some(
clients
.get_default_clients()
.iter()
.map(|u| u.id.clone())
.collect(),
);
HttpResponse::Ok().body( HttpResponse::Ok().body(
EditUserTemplate { EditUserTemplate {
@ -243,8 +249,8 @@ pub async fn create_user(admin: CurrentUser, clients: web::Data<ClientManager>)
u: user, u: user,
clients: clients.cloned(), clients: clients.cloned(),
} }
.render() .render()
.unwrap(), .unwrap(),
) )
} }
@ -279,7 +285,7 @@ pub async fn edit_user(
u: edited_account.unwrap_or_default(), u: edited_account.unwrap_or_default(),
clients: clients.cloned(), clients: clients.cloned(),
} }
.render() .render()
.unwrap(), .unwrap(),
) )
} }


@ -164,7 +164,7 @@ pub async fn authorize(
}; };
// Check if user is authorized to access the application // Check if user is authorized to access the application
if !user.can_access_app(&client.id) { if !user.can_access_app(&client) {
return error_redirect( return error_redirect(
&query, &query,
"invalid_request", "invalid_request",
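Review bot: The comment just above the changed call, `// Check if user is authorized to access the application`, no longer describes the whole decision: `can_access_app(&client)` now also returns true when the client's `granted_to_all_users` flag is set, regardless of the user's own grant list. Suggest `// Check if user is authorized to access the application (per-user grant, or client granted to all users)`. authorize continues outside the hunk, so I cannot see whether the outcome of this check is logged; since a configuration flag now overrides per-user authorization, recording which path granted access would help when auditing who could reach a client.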


@ -24,6 +24,10 @@ pub struct Client {
/// Specify if the client must be allowed by default for new account /// Specify if the client must be allowed by default for new account
#[serde(default = "bool::default")] #[serde(default = "bool::default")]
pub default: bool, pub default: bool,
/// Specify whether a client is granted to all users
#[serde(default = "bool::default")]
pub granted_to_all_users: bool,
} }
impl PartialEq for Client { impl PartialEq for Client {
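Review bot: The doc comment on the new field, `/// Specify whether a client is granted to all users`, understates its effect: in `User::can_access_app` the flag is tested before the per-user grant list, so it also overrides an account whose configuration grants no clients at all. Suggest `/// Grant this client to every user, overriding the per-user authorized_clients list (including an explicitly empty one)`. The manual `impl PartialEq for Client` that begins on the last line of the hunk continues outside it; if it compares fields rather than only `id`, it should take `granted_to_all_users` into account as well.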


@ -2,7 +2,7 @@ use std::collections::HashMap;
use std::net::IpAddr; use std::net::IpAddr;
use crate::constants::SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN; use crate::constants::SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN;
use crate::data::client::ClientID; use crate::data::client::{Client, ClientID};
use crate::data::login_redirect::LoginRedirect; use crate::data::login_redirect::LoginRedirect;
use crate::data::totp_key::TotpKey; use crate::data::totp_key::TotpKey;
use crate::data::webauthn_manager::WebauthnPubKey; use crate::data::webauthn_manager::WebauthnPubKey;
@ -170,10 +170,14 @@ impl User {
} }
} }
pub fn can_access_app(&self, id: &ClientID) -> bool { pub fn can_access_app(&self, client: &Client) -> bool {
if client.granted_to_all_users {
return true;
}
match self.granted_clients() { match self.granted_clients() {
GrantedClients::AllClients => true, GrantedClients::AllClients => true,
GrantedClients::SomeClients(c) => c.contains(id), GrantedClients::SomeClients(c) => c.contains(&client.id),
GrantedClients::NoClient => false, GrantedClients::NoClient => false,
} }
} }
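Review bot: `can_access_app` has no doc comment, and the new early return at the top of its body makes the precedence rule non-obvious: `client.granted_to_all_users` wins over everything `granted_clients()` returns, including `GrantedClients::NoClient`. Suggest a doc comment such as `/// Whether this user may use `client`: always true when the client is granted to all users, otherwise decided by the user's own grant list.` The flag comes from the clients configuration file rather than from any account, so this is the one place where a configuration change widens access for every existing account at once, which is worth stating explicitly for the caller in the authorize route.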


@ -144,7 +144,7 @@
<div class="form-check"> <div class="form-check">
<input id="client-{{ c.id.0 }}" class="form-check-input authorize_client_checkbox" type="checkbox" <input id="client-{{ c.id.0 }}" class="form-check-input authorize_client_checkbox" type="checkbox"
data-id="{{ c.id.0 }}" data-id="{{ c.id.0 }}"
{% if u.can_access_app(c.id) %} checked="" {% endif %}> {% if u.can_access_app(c) %} checked="" {% endif %}>
<label class="form-check-label" for="client-{{ c.id.0 }}"> <label class="form-check-label" for="client-{{ c.id.0 }}">
{{ c.name }} {{ c.name }}
</label> </label>
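Review bot: After the change on the `{% if u.can_access_app(c) %}` line, the checkbox renders checked for every user whenever `c.granted_to_all_users` is set, even when the user's stored per-user grant list does not contain the client, so the form no longer reflects the stored configuration. Unchecking it cannot revoke access either, because the global flag still grants it. If the checkbox is meant to stay the editor of the per-user list, consider showing the global grant separately, e.g. `{% if u.can_access_app(c) %} checked="" {% endif %}{% if c.granted_to_all_users %} disabled="" {% endif %}>` with a short hint next to the label; how the form submission reads these checkboxes is outside the hunk, so the right fix depends on that code.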