Can grant a client to all users

This commit is contained in:
Pierre HUBERT 2023-04-15 10:39:22 +02:00
parent 412eaf2bff
commit d27c542e1f
6 changed files with 31 additions and 15 deletions


@ -18,6 +18,8 @@ You can configure a list of clients (Relying Parties) in a `clients.yaml` file w
redirect_uri: https://mygit.mywebsite.com/
# If you want new accounts to be granted access to this client by default
default: true
# If you want the client to be granted to every users, regardless their account configuration
granted_to_all_users: true
```
On the first run, BasicOIDC will create a new administrator with credentials `admin` / `admin`. On first login you will have to change these default credentials.


@ -235,7 +235,13 @@ pub async fn users_route(
pub async fn create_user(admin: CurrentUser, clients: web::Data<ClientManager>) -> impl Responder {
let mut user = User::default();
user.authorized_clients = Some(clients.get_default_clients().iter().map(|u| u.id.clone()).collect());
user.authorized_clients = Some(
clients
.get_default_clients()
.iter()
.map(|u| u.id.clone())
.collect(),
);
HttpResponse::Ok().body(
EditUserTemplate {


@ -164,7 +164,7 @@ pub async fn authorize(
};
// Check if user is authorized to access the application
if !user.can_access_app(&client.id) {
if !user.can_access_app(&client) {
return error_redirect(
&query,
"invalid_request",


@ -24,6 +24,10 @@ pub struct Client {
/// Specify if the client must be allowed by default for new account
#[serde(default = "bool::default")]
pub default: bool,
/// Specify whether a client is granted to all users
#[serde(default = "bool::default")]
pub granted_to_all_users: bool,
}
impl PartialEq for Client {
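Review bot: The doc comment on the new `granted_to_all_users` field understates what it does: with the `User::can_access_app` change in this commit, a `true` value bypasses the account's authorized-clients list entirely, including accounts configured with no client at all, so a reader of the config struct should be told this is an authorization override rather than just another default. Suggest `/// Specify whether a client is granted to all users. When true, the per-user authorized-clients list is bypassed entirely for this client.` Both new serde attributes could also be written as the shorter `#[serde(default)]`, which is equivalent for `bool`. The body of `impl PartialEq for Client` is outside this hunk; if it is a hand-written field-by-field comparison, confirm the new field is included.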


@ -2,7 +2,7 @@ use std::collections::HashMap;
use std::net::IpAddr;
use crate::constants::SECOND_FACTOR_EXEMPTION_AFTER_SUCCESSFUL_LOGIN;
use crate::data::client::ClientID;
use crate::data::client::{Client, ClientID};
use crate::data::login_redirect::LoginRedirect;
use crate::data::totp_key::TotpKey;
use crate::data::webauthn_manager::WebauthnPubKey;
@ -170,10 +170,14 @@ impl User {
}
}
pub fn can_access_app(&self, id: &ClientID) -> bool {
pub fn can_access_app(&self, client: &Client) -> bool {
if client.granted_to_all_users {
return true;
}
match self.granted_clients() {
GrantedClients::AllClients => true,
GrantedClients::SomeClients(c) => c.contains(id),
GrantedClients::SomeClients(c) => c.contains(&client.id),
GrantedClients::NoClient => false,
}
}
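Review bot: `can_access_app` gains a second authorization path but no documentation; a doc comment on the new signature, such as `/// Whether this user may use `client`: true when the client is granted to all users, otherwise decided by the user's own granted clients.`, would tell callers that the client-level flag takes precedence over a `GrantedClients::NoClient` account. The early return on `client.granted_to_all_users` runs before `self.granted_clients()` is consulted at all, so anything that method evaluates beyond the client list — if it does evaluate anything else — is skipped for such clients; worth confirming. The enclosing `impl User` continues outside the hunk.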


@ -144,7 +144,7 @@
<div class="form-check">
<input id="client-{{ c.id.0 }}" class="form-check-input authorize_client_checkbox" type="checkbox"
data-id="{{ c.id.0 }}"
{% if u.can_access_app(c.id) %} checked="" {% endif %}>
{% if u.can_access_app(c) %} checked="" {% endif %}>
<label class="form-check-label" for="client-{{ c.id.0 }}">
{{ c.name }}
</label>
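Review bot: The checkbox at `{% if u.can_access_app(c) %} checked="" {% endif %}` now renders as checked for a client with `granted_to_all_users` regardless of whether that client is in the user's own authorized list, so the form shows effective access rather than the stored per-user grant. If saving this form writes the checked ids back to the account, the global grant would presumably be persisted as an individual grant on every edited user — confirm against the save handler. If that is not wanted, the input could be marked disabled (or rendered without the checkbox) when `c.granted_to_all_users` is true, alongside the existing `checked` condition. The surrounding form is outside this hunk.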