- if default_user is set and openid_url, only accept users

who have the role stored in openid_default_user_role - when not authenticated, directly send users to keycloak - do not start of the keycloak config can not be retreived
oetiker · Mar 7, 2023 · d15d1dc · d15d1dc
1 parent c146b6b
commit d15d1dc
Show file tree

Hide file tree

Showing 8 changed files with 60 additions and 34 deletions.
diff --git a/CHANGES b/CHANGES
@@ -1,3 +1,12 @@
+0.10.3 2023-03-07 11:15:27 +0100 Tobias Oetiker <tobi@oetiker.ch>
+
+ - if default_user is set and openid_url, only accept users
+   who have the role stored in openid_default_user_role
+
+ - when not authenticated, directly send users to keycloak
+
+ - do not start of the keycloak config can not be retreived
+
 0.10.2 2023-02-28 16:13:17 +0100 Tobias Oetiker <tobi@oetiker.ch>
 
  - block rpc calls if there is no session

diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-0.10.2
+0.10.3
diff --git a/etc/extopus.cfg.dist b/etc/extopus.cfg.dist
@@ -11,6 +11,7 @@ openid_client_id = extopus-client
 openid_client_secret = 1234567890
 openid_callback = http://extopus.example.com/openid/callback
 openid_epuser_attribute = ep_user
+openid_default_user_role = EP-USERS
 
 *** FRONTEND ***
 #logo_large = http://www.upc-cablecom.biz/en/cablecom_logo_b2b.jpg

diff --git a/lib/EP.pm b/lib/EP.pm
@@ -27,7 +27,7 @@ use warnings;
 # load the two modules to have perl check them
 use Mojolicious::Plugin::Qooxdoo;
 use Mojo::URL;
-use Mojo::Util qw(hmac_sha1_sum);
+use Mojo::Util qw(hmac_sha1_sum dumper);
 use Mojo::File;
 
 use EP::RpcService;
@@ -36,7 +36,7 @@ use EP::DocPlugin;
 use EP::Visualizer;
 use EP::Controller::OpenId;
 
-use Mojo::Base 'Mojolicious';
+use Mojo::Base 'Mojolicious', -signatures;
 
 =head2 cfg
 
@@ -99,13 +99,7 @@ sub startup {
     # is for later )
     $app->visualizer(EP::Visualizer->new(app=>$app));
 
-    $app->hook( before_dispatch => sub {
-        my $self = shift;
-        my $uri = $self->req->env->{SCRIPT_URI} || $self->req->env->{REQUEST_URI};
-        my $path_info = $self->req->env->{PATH_INFO};
-        $uri =~ s|/?${path_info}$|/| if $path_info and $uri;
-        $self->req->url->base(Mojo::URL->new($uri)) if $uri;
-    });
+
 
 
     # session is valid for 1 day
@@ -114,8 +108,26 @@ sub startup {
     $app->sessions->cookie_name('EP_'.hmac_sha1_sum(Mojo::File->new($app->cfg_file)->slurp));
 
     my $routes = $app->routes;
-
-    if ($gcfg->{default_user}){
+    if ($gcfg->{openid_url}) {
+        $app->log->debug("OpenID enabled");
+        EP::Controller::OpenId::loadConfig($app) 
+            or die "Could not load OpenID configuration";
+        $app->hook( before_dispatch => sub ($c) {
+            $c->redirect_to('openid/auth') 
+                if not $c->session->{epUser} 
+                    and not $c->req->url->path->contains('/openid');
+        });
+        # load openid config
+        $routes->get('/openid/auth')->to(
+            controller => 'OpenId',
+            action => 'auth',
+        );
+        $routes->get('/openid/callback')->to(
+            controller => 'OpenId',
+            action => 'callback',
+        );
+    }
+    elsif ($gcfg->{default_user}){
         # since the user is fix, just set the login for the dashboards
         # if no login is given, the word 'base' is assumed;
         $routes->get('/setLogin/#login' => sub {
@@ -136,23 +148,9 @@ sub startup {
             $self->redirect_to('/'.$app->prefix);
         });
     }
-    if ($gcfg->{openid_url}) {
-        # load openid config
-        EP::Controller::OpenId::loadConfig($app);
-        $routes->get('/openid/auth')->to(
-            controller => 'OpenId',
-            action => 'auth',
-        );
-        $routes->get('/openid/callback')->to(
-            controller => 'OpenId',
-            action => 'callback',
-        );
-    }
+
     $routes->get('/' => sub { 
         my $self = shift;
-        if ($gcfg->{openid_url} and not $self->session->{epUser}){
-            return $self->redirect_to('openid/auth');
-        }        
         return $self->redirect_to('/'.$app->prefix); 
     });
 

diff --git a/lib/EP/Config.pm b/lib/EP/Config.pm
@@ -126,6 +126,7 @@ ${E}head1 SYNOPSIS
  openid_client_secret = 1234567890
  openid_callback = http://extopus.example.com/openid/callback
  openid_epuser_attribute = ep_user
+ # openid_default_user_role = EP-USERS
 
  *** FRONTEND ***
  logo_large = http://www.upc-cablecom.biz/en/cablecom_logo_b2b.jpg
@@ -247,7 +248,7 @@ sub _make_parser {
         _mandatory => [qw(GENERAL FRONTEND ATTRIBUTES TABLES)],
         GENERAL => {
             _doc => 'Global configuration settings for Extopus',
-            _vars => [ qw(cache_dir mojo_secret log_file log_level default_user update_interval localguide auto_update openid_url openid_realm openid_client_id openid_client_secret openid_callback openid_epuser_attribute) ],
+            _vars => [ qw(cache_dir mojo_secret log_file log_level default_user update_interval localguide auto_update openid_url openid_realm openid_client_id openid_client_secret openid_callback openid_epuser_attribute openid_default_user_role) ],
             _mandatory => [ qw(cache_dir mojo_secret log_file) ],
             cache_dir => { _doc => 'directory to cache information gathered via the inventory plugins',
                 _sub => sub {
@@ -272,6 +273,7 @@ sub _make_parser {
             openid_client_secret => { _doc => 'client secret for openid authentication' },
             openid_callback => { _doc => 'callback url for openid authentication' },
             openid_epuser_attribute => { _doc => 'attribute to use for the user name' },
+            openid_default_user_role => { _doc => 'role required for default_user setups when authenticated via openid' },
             auto_update => { _doc => 'automatically update the inventory when the app starts' },
         },
         FRONTEND => {

diff --git a/lib/EP/Controller/OpenId.pm b/lib/EP/Controller/OpenId.pm
@@ -74,6 +74,7 @@ sub loadConfig ($app) {
     }
     # $self->log->debug($cfg->to_string);
     $openIdCfg = $cfg->json;
+    return 1;
 };
 
 =head2 auth
@@ -122,15 +123,30 @@ sub callback ($self) {
         $self->log->error($userInfo->to_string);
         return $self->render(text => 'userinfo error', code => 403);
     }
-    $self->log->debug(dumper $userInfo->json);
-    my ($user,$login) = split /:/, ($userInfo->json->{$gcfg->{openid_epuser_attribute}} // '');
+    my $ui = $userInfo->json;
+
+    $self->log->debug(dumper $ui);
+
+
+    if (my $du = $gcfg->{default_user}){
+        my $role = $gcfg->{openid_default_user_role};
+        my $user = $ui->{preferred_username};
+        return $self->render(text => qq{$user does not have $role assigned}, code => 403)
+            if not grep { $_ eq $role } $ui->{roles}->@*;
+        $self->session->{epUser} = $du;
+        $self->session->{epLogin} = $user;
+        $self->redirect_to('../'.$self->app->prefix);
+        return;
+    }
+
+    my ($user,$login) = split /:/, ($ui->{$gcfg->{openid_epuser_attribute}} // '');
     if (not $user) {
         $self->log->error("no $gcfg->{openid_epuser_attribute} attribute found in userinfo (".dumper($userInfo->json).")");
         return $self->render(text => 'userinfo not found', code => 403);
     }
     $self->session->{epUser} = $user;
     $self->session->{epLogin} =$login;
-    $self->redirect_to('../../'.$self->app->prefix);
+    $self->redirect_to('../'.$self->app->prefix);
 }
 
 1;

diff --git a/share/messages.pot b/share/messages.pot
@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: ep 0.10.2\n"
+"Project-Id-Version: ep 0.10.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-02-28 16:16+0100\n"
+"POT-Creation-Date: 2023-03-07 11:24+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"

diff --git a/t/00-load-and-ping.t b/t/00-load-and-ping.t
@@ -19,6 +19,6 @@ $t->post_ok('/app/jsonrpc', json => {
 })
   ->status_is(200)
   ->content_type_is('application/json; charset=utf-8')
-  ->json_is('/error/message' => 'Your session has expired. Please re-connect.');
+  ->json_is('/error/message' => 'rpc access to method ping denied');
 
 done_testing();