[feature] - restrict user if roles are missing in sso response

LalitDeore · LalitDeore · commit 605d3a657382 · 2025-04-07T15:47:29.000+05:30
diff --git a/shared.go b/shared.go
@@ -11764,7 +11764,7 @@ func HandleEditOrg(resp http.ResponseWriter, request *http.Request) {
 		org.SSOConfig = tmpData.SSOConfig
 	}
 
-	if (tmpData.SSOConfig.OpenIdClientId != org.SSOConfig.OpenIdClientId) || (tmpData.SSOConfig.OpenIdAuthorization != org.SSOConfig.OpenIdAuthorization) {
+	if (tmpData.SSOConfig.OpenIdClientId != org.SSOConfig.OpenIdClientId) || (tmpData.SSOConfig.OpenIdAuthorization != org.SSOConfig.OpenIdAuthorization) || (tmpData.SSOConfig.RoleRequired != org.SSOConfig.RoleRequired) {
 		org.SSOConfig = tmpData.SSOConfig
 	}
 
@@ -19923,6 +19923,25 @@ func HandleOpenId(resp http.ResponseWriter, request *http.Request) {
 					log.Printf("[AUDIT] Found user %s (%s) which matches SSO info for %s. Redirecting to login! - (1)", user.Username, user.Id, userName)
 				}
 
+				// check whether role is required for org
+
+				if org.SSOConfig.RoleRequired {
+					foundRole := false
+					for _, role := range openidUser.Roles {
+						// check whether role matches with shuffle-admin, shuffle-user or shuffle-org-reader
+						if role == "shuffle-admin" || role == "shuffle-user" || role == "shuffle-org-reader" {
+							foundRole = true
+						}
+					}
+
+					if !foundRole {
+						log.Printf("[WARNING] User %s (%s) role is missing in respone for org %s (%s). Please contact the administrator - (1)", user.Username, user.Id, org.Name, org.Id)
+						resp.WriteHeader(401)
+						resp.Write([]byte(fmt.Sprintf(`{"success": false, "reason": "Role detail is missing. Please contact the administrator of org."}`)))
+						return
+					}
+				}
+
 				//log.Printf("SESSION: %s", user.Session)
 				user.ActiveOrg = OrgMini{
 					Name: org.Name,
@@ -20066,6 +20085,25 @@ func HandleOpenId(resp http.ResponseWriter, request *http.Request) {
 					log.Printf("[AUDIT] Found user %s (%s) which matches SSO info for %s. Redirecting to login!- (2)", user.Username, user.Id, userName)
 				}
 				//log.Printf("SESSION: %s", user.Session)
+
+				// check whether role is required for org
+				if org.SSOConfig.RoleRequired {
+					foundRole := false
+					for _, role := range openidUser.Roles {
+						// check whether role matches with shuffle-admin, shuffle-user or shuffle-org-reader
+						if role == "shuffle-admin" || role == "shuffle-user" || role == "shuffle-org-reader" {
+							foundRole = true
+						}
+					}
+
+					if !foundRole {
+						log.Printf("[WARNING] User %s (%s) role is missing in respone for org %s (%s). Please contact the administrator - (1)", user.Username, user.Id, org.Name, org.Id)
+						resp.WriteHeader(401)
+						resp.Write([]byte(fmt.Sprintf(`{"success": false, "reason": "Role detail is missing. Please contact the administrator of org."}`)))
+						return
+					}
+				}
+
 				user.ActiveOrg = OrgMini{
 					Name: org.Name,
 					Id:   org.Id,
@@ -20198,6 +20236,23 @@ func HandleOpenId(resp http.ResponseWriter, request *http.Request) {
 		return
 	}
 
+	if org.SSOConfig.RoleRequired {
+		foundRole := false
+		for _, role := range openidUser.Roles {
+			// check whether role matches with shuffle-admin, shuffle-user or shuffle-org-reader
+			if role == "shuffle-admin" || role == "shuffle-user" || role == "shuffle-org-reader" {
+				foundRole = true
+			}
+		}
+
+		if !foundRole {
+			log.Printf("[WARNING] Role is missing in respone for  username %s. Please contact the administrator - (3)", userName)
+			resp.WriteHeader(401)
+			resp.Write([]byte(fmt.Sprintf(`{"success": false, "reason": "Role detail is missing. Please contact the administrator of org."}`)))
+			return
+		}
+	}
+
 	// Assign default role as "user" for generated user, else assign the role from openid if available
 	// Change active org role and user.role to assign role
 	role := "user"
diff --git a/structs.go b/structs.go
@@ -2777,6 +2777,7 @@ type SSOConfig struct {
 	OpenIdToken         string `json:"openid_token" datastore:"openid_token"`
 	SSORequired         bool   `json:"SSORequired" datastore:"SSORequired"`
 	AutoProvision       bool   `json:"auto_provision" datastore:"auto_provision"`
+	RoleRequired        bool   `json:"role_required" datastore:"role_required"`
 }
 
 type SamlRequest struct {

Original file line number	Diff line number	Diff line change
`@@ -2777,6 +2777,7 @@ type SSOConfig struct {`
`2777`	`2777`	OpenIdToken string `json:"openid_token" datastore:"openid_token"`
`2778`	`2778`	SSORequired bool `json:"SSORequired" datastore:"SSORequired"`
`2779`	`2779`	AutoProvision bool `json:"auto_provision" datastore:"auto_provision"`
	`2780`	+ RoleRequired bool `json:"role_required" datastore:"role_required"`
`2780`	`2781`	`}`
`2781`	`2782`
`2782`	`2783`	`type SamlRequest struct {`