From 729b387536d2bcf43a20b2ddead4bffdfd342d2a Mon Sep 17 00:00:00 2001
From: Joachim Mathes
Date: Sat, 21 Nov 2020 20:26:12 +0100
Subject: Add oauth2 authorization

Signed-off-by: Joachim Mathes <joachim_mathes@web.de>
---
 lib/web/auth/oauth2/index.js | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)

(limited to 'lib/web/auth/oauth2/index.js')

diff --git a/lib/web/auth/oauth2/index.js b/lib/web/auth/oauth2/index.js
index 6e3e8373..b8e62dda 100644
--- a/lib/web/auth/oauth2/index.js
+++ b/lib/web/auth/oauth2/index.js
@@ -4,6 +4,7 @@ const Router = require('express').Router
 const passport = require('passport')
 const { Strategy, InternalOAuthError } = require('passport-oauth2')
 const config = require('../../../config')
+const logger = require('../../../logger')
 const { passportGeneralCallback } = require('../utils')
 
 let oauth2Auth = module.exports = Router()
@@ -31,6 +32,7 @@ class OAuth2CustomStrategy extends Strategy {
         return done(new Error('Failed to parse user profile'))
       }
 
+      checkAuthorization(json, done)
       let profile = parseProfile(json)
       profile.provider = 'oauth2'
 
@@ -50,18 +52,36 @@ function extractProfileAttribute (data, path) {
 }
 
 function parseProfile (data) {
+  const id = extractProfileAttribute(data, config.oauth2.userProfileIdAttr)
   const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
   const displayName = extractProfileAttribute(data, config.oauth2.userProfileDisplayNameAttr)
   const email = extractProfileAttribute(data, config.oauth2.userProfileEmailAttr)
 
   return {
-    id: username,
+    id: id || username,
     username: username,
     displayName: displayName,
     email: email
   }
 }
 
+function checkAuthorization (data, done) {
+  const roles = extractProfileAttribute(data, config.oauth2.rolesClaim)
+  const username = extractProfileAttribute(data, config.oauth2.userProfileUsernameAttr)
+
+  if (config.oauth2.accessRole) {
+    if (!roles) {
+      logger.error('oauth2: "accessRole" configured, but user profile doesn\'t contain roles attribute. Permission denied')
+      return done('Permission denied', null)
+    }
+
+    if (!roles.includes(config.oauth2.accessRole)) {
+      logger.debug(`oauth2: user "${username}" doesn't have the required role. Permission denied`)
+      return done('Permission denied', null)
+    }
+  }
+}
+
 OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
   this._oauth2.get(this._userProfileURL, accessToken, function (err, body, res) {
     var json
@@ -76,6 +96,7 @@ OAuth2CustomStrategy.prototype.userProfile = function (accessToken, done) {
       return done(new Error('Failed to parse user profile'))
     }
 
+    checkAuthorization(json, done)
     let profile = parseProfile(json)
     profile.provider = 'oauth2'
 
-- 
cgit v1.2.3