Can grant a client to all users
This commit is contained in:
parent
412eaf2bff
commit
d27c542e1f
@ -18,6 +18,8 @@ You can configure a list of clients (Relying Parties) in a `clients.yaml` file w
|
|||||||
redirect_uri: https://mygit.mywebsite.com/
|
redirect_uri: https://mygit.mywebsite.com/
|
||||||
# If you want new accounts to be granted access to this client by default
|
# If you want new accounts to be granted access to this client by default
|
||||||
default: true
|
default: true
|
||||||
|
# If you want the client to be granted to every users, regardless their account configuration
|
||||||
|
granted_to_all_users: true
|
||||||
```
|
```
|
||||||
|
|
||||||
On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.
|
On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.
|
||||||
|
@ -42,8 +42,8 @@ pub async fn clients_route(user: CurrentUser, clients: web::Data<ClientManager>)
|
|||||||
_p: BaseSettingsPage::get("Clients list", &user, None, None),
|
_p: BaseSettingsPage::get("Clients list", &user, None, None),
|
||||||
clients: clients.cloned(),
|
clients: clients.cloned(),
|
||||||
}
|
}
|
||||||
.render()
|
.render()
|
||||||
.unwrap(),
|
.unwrap(),
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -197,7 +197,7 @@ pub async fn users_route(
|
|||||||
true => "Failed to create user!",
|
true => "Failed to create user!",
|
||||||
false => "Failed to update user!",
|
false => "Failed to update user!",
|
||||||
}
|
}
|
||||||
.to_string(),
|
.to_string(),
|
||||||
)
|
)
|
||||||
} else {
|
} else {
|
||||||
success = Some(match is_creating {
|
success = Some(match is_creating {
|
||||||
@ -228,14 +228,20 @@ pub async fn users_route(
|
|||||||
_p: BaseSettingsPage::get("Users list", &admin, danger, success),
|
_p: BaseSettingsPage::get("Users list", &admin, danger, success),
|
||||||
users,
|
users,
|
||||||
}
|
}
|
||||||
.render()
|
.render()
|
||||||
.unwrap(),
|
.unwrap(),
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
pub async fn create_user(admin: CurrentUser, clients: web::Data<ClientManager>) -> impl Responder {
|
pub async fn create_user(admin: CurrentUser, clients: web::Data<ClientManager>) -> impl Responder {
|
||||||
let mut user = User::default();
|
let mut user = User::default();
|
||||||
user.authorized_clients = Some(clients.get_default_clients().iter().map(|u| u.id.clone()).collect());
|
user.authorized_clients = Some(
|
||||||
|
clients
|
||||||
|
.get_default_clients()
|
||||||
|
.iter()
|
||||||
|
.map(|u| u.id.clone())
|
||||||
|
.collect(),
|
||||||
|
);
|
||||||
|
|
||||||
HttpResponse::Ok().body(
|
HttpResponse::Ok().body(
|
||||||
EditUserTemplate {
|
EditUserTemplate {
|
||||||
@ -243,8 +249,8 @@ pub async fn create_user(admin: CurrentUser, clients: web::Data<ClientManager>)
|
|||||||
u: user,
|
u: user,
|
||||||
clients: clients.cloned(),
|
clients: clients.cloned(),
|
||||||
}
|
}
|
||||||
.render()
|
.render()
|
||||||
.unwrap(),
|
.unwrap(),
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -279,7 +285,7 @@ pub async fn edit_user(
|
|||||||
u: edited_account.unwrap_or_default(),
|
u: edited_account.unwrap_or_default(),
|
||||||
clients: clients.cloned(),
|
clients: clients.cloned(),
|
||||||
}
|
}
|
||||||
.render()
|
.render()
|
||||||
.unwrap(),
|
.unwrap(),
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
|
@ -164,7 +164,7 @@ pub async fn authorize(
|
|||||||
};
|
};
|
||||||
|
|
||||||
// Check if user is authorized to access the application
|
// Check if user is authorized to access the application
|
||||||
if !user.can_access_app(&client.id) {
|
if !user.can_access_app(&client) {
|
||||||
return error_redirect(
|
return error_redirect(
|
||||||
&query,
|
&query,
|
||||||
"invalid_request",
|
"invalid_request",
|
||||||
|
@ -24,6 +24,10 @@ pub struct Client {
|
|||||||
/// Specify if the client must be allowed by default for new account
|
/// Specify if the client must be allowed by default for new account
|
||||||
#[serde(default = "bool::default")]
|
#[serde(default = "bool::default")]
|
||||||
pub default: bool,
|
pub default: bool,
|
||||||
|
|
||||||
|
/// Specify whether a client is granted to all users
|
||||||
|
#[serde(default = "bool::default")]
|
||||||
|
pub granted_to_all_users: bool,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl PartialEq for Client {
|
impl PartialEq for Client {
|
||||||
|
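Review bot: The doc comment on the new `granted_to_all_users` field does not say that it overrides the per-account grant list, which is the property an operator editing `clients.yaml` most needs to know before turning it on; suggest `/// Grant this client to every user, regardless of the account's own authorized-clients configuration (a per-account denial cannot revoke it).` The hunk also ends at the header of a hand-written `impl PartialEq for Client`, whose body is outside the hunk; if that impl compares fields one by one, it should be extended with `granted_to_all_users`, otherwise two client configurations that differ only in this flag compare equal. The README hunk above documents the flag but would benefit from the same "overrides account configuration" wording.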
@ -2,7 +2,7 @@ use std::collections::HashMap;
|
|||||||
use std::net::IpAddr;
|
use std::net::IpAddr;
|
||||||
|
|
||||||
use crate::constants::SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN;
|
use crate::constants::SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN;
|
||||||
use crate::data::client::ClientID;
|
use crate::data::client::{Client, ClientID};
|
||||||
use crate::data::login_redirect::LoginRedirect;
|
use crate::data::login_redirect::LoginRedirect;
|
||||||
use crate::data::totp_key::TotpKey;
|
use crate::data::totp_key::TotpKey;
|
||||||
use crate::data::webauthn_manager::WebauthnPubKey;
|
use crate::data::webauthn_manager::WebauthnPubKey;
|
||||||
@ -170,10 +170,14 @@ impl User {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
pub fn can_access_app(&self, id: &ClientID) -> bool {
|
pub fn can_access_app(&self, client: &Client) -> bool {
|
||||||
|
if client.granted_to_all_users {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
match self.granted_clients() {
|
match self.granted_clients() {
|
||||||
GrantedClients::AllClients => true,
|
GrantedClients::AllClients => true,
|
||||||
GrantedClients::SomeClients(c) => c.contains(id),
|
GrantedClients::SomeClients(c) => c.contains(&client.id),
|
||||||
GrantedClients::NoClient => false,
|
GrantedClients::NoClient => false,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
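Review bot: `can_access_app` now short-circuits on `client.granted_to_all_users` before `granted_clients()` is consulted, so an account in the `GrantedClients::NoClient` or `SomeClients` state is still admitted to such a client, and the method carries no doc comment stating this precedence. Suggest adding above the signature: `/// Whether this user may be sent to `client`: always true when the client is flagged granted_to_all_users (config-level override), otherwise decided by the account's granted_clients() list.` The signature change from `&ClientID` to `&Client` is an API break for any other caller; the ones visible in this commit (authorize, the edit-user template) are updated, but callers elsewhere are not visible here. The enclosing `impl User` block continues outside the hunk.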
@ -144,7 +144,7 @@
|
|||||||
<div class="form-check">
|
<div class="form-check">
|
||||||
<input id="client-{{ c.id.0 }}" class="form-check-input authorize_client_checkbox" type="checkbox"
|
<input id="client-{{ c.id.0 }}" class="form-check-input authorize_client_checkbox" type="checkbox"
|
||||||
data-id="{{ c.id.0 }}"
|
data-id="{{ c.id.0 }}"
|
||||||
{% if u.can_access_app(c.id) %} checked="" {% endif %}>
|
{% if u.can_access_app(c) %} checked="" {% endif %}>
|
||||||
<label class="form-check-label" for="client-{{ c.id.0 }}">
|
<label class="form-check-label" for="client-{{ c.id.0 }}">
|
||||||
{{ c.name }}
|
{{ c.name }}
|
||||||
</label>
|
</label>
|
||||||
|
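Review bot: With `can_access_app(c)` now returning true for a `granted_to_all_users` client, this checkbox renders checked for every user, yet it is still an ordinary editable checkbox, so an administrator who unchecks it will see the change apparently accepted while the user keeps access (the override lives in the client config, not the account). Suggest marking the global grant in the markup, e.g. `{% if c.granted_to_all_users %} disabled="" title="Granted to all users by client configuration" {% endif %}` on the input, so the UI does not suggest a per-account revocation that the backend ignores. Whether the form handler also stores the unchecked state cannot be seen from this hunk; the surrounding form is outside it.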