
[feature] - restrict user if roles are missing in sso response #164

Merged
merged 1 commit into from
Apr 7, 2025
Merged
57 changes: 56 additions & 1 deletion shared.go
Expand Up @@ -11764,7 +11764,7 @@ func HandleEditOrg(resp http.ResponseWriter, request *http.Request) {
org.SSOConfig = tmpData.SSOConfig
}

if (tmpData.SSOConfig.OpenIdClientId != org.SSOConfig.OpenIdClientId) || (tmpData.SSOConfig.OpenIdAuthorization != org.SSOConfig.OpenIdAuthorization) {
if (tmpData.SSOConfig.OpenIdClientId != org.SSOConfig.OpenIdClientId) || (tmpData.SSOConfig.OpenIdAuthorization != org.SSOConfig.OpenIdAuthorization) || (tmpData.SSOConfig.RoleRequired != org.SSOConfig.RoleRequired) {
org.SSOConfig = tmpData.SSOConfig
}

Expand Down Expand Up @@ -19923,6 +19923,25 @@ func HandleOpenId(resp http.ResponseWriter, request *http.Request) {
log.Printf("[AUDIT] Found user %s (%s) which matches SSO info for %s. Redirecting to login! - (1)", user.Username, user.Id, userName)
}

// check whether role is required for org

if org.SSOConfig.RoleRequired {
foundRole := false
for _, role := range openidUser.Roles {
// check whether role matches with shuffle-admin, shuffle-user or shuffle-org-reader
if role == "shuffle-admin" || role == "shuffle-user" || role == "shuffle-org-reader" {
foundRole = true
}
}

if !foundRole {
log.Printf("[WARNING] User %s (%s) role is missing in respone for org %s (%s). Please contact the administrator - (1)", user.Username, user.Id, org.Name, org.Id)
resp.WriteHeader(401)
resp.Write([]byte(fmt.Sprintf(`{"success": false, "reason": "Role detail is missing. Please contact the administrator of org."}`)))
return
}
}

//log.Printf("SESSION: %s", user.Session)
user.ActiveOrg = OrgMini{
Name: org.Name,
Expand Down Expand Up @@ -20066,6 +20085,25 @@ func HandleOpenId(resp http.ResponseWriter, request *http.Request) {
log.Printf("[AUDIT] Found user %s (%s) which matches SSO info for %s. Redirecting to login!- (2)", user.Username, user.Id, userName)
}
//log.Printf("SESSION: %s", user.Session)

// check whether role is required for org
if org.SSOConfig.RoleRequired {
foundRole := false
for _, role := range openidUser.Roles {
// check whether role matches with shuffle-admin, shuffle-user or shuffle-org-reader
if role == "shuffle-admin" || role == "shuffle-user" || role == "shuffle-org-reader" {
foundRole = true
}
}

if !foundRole {
log.Printf("[WARNING] User %s (%s) role is missing in respone for org %s (%s). Please contact the administrator - (1)", user.Username, user.Id, org.Name, org.Id)
resp.WriteHeader(401)
resp.Write([]byte(fmt.Sprintf(`{"success": false, "reason": "Role detail is missing. Please contact the administrator of org."}`)))
return
}
}

user.ActiveOrg = OrgMini{
Name: org.Name,
Id: org.Id,
Expand Down Expand Up @@ -20198,6 +20236,23 @@ func HandleOpenId(resp http.ResponseWriter, request *http.Request) {
return
}

if org.SSOConfig.RoleRequired {
foundRole := false
for _, role := range openidUser.Roles {
// check whether role matches with shuffle-admin, shuffle-user or shuffle-org-reader
if role == "shuffle-admin" || role == "shuffle-user" || role == "shuffle-org-reader" {
foundRole = true
}
}

if !foundRole {
log.Printf("[WARNING] Role is missing in respone for username %s. Please contact the administrator - (3)", userName)
resp.WriteHeader(401)
resp.Write([]byte(fmt.Sprintf(`{"success": false, "reason": "Role detail is missing. Please contact the administrator of org."}`)))
return
}
}

// Assign default role as "user" for generated user, else assign the role from openid if available
// Change active org role and user.role to assign role
role := "user"
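Review bot: The role check added after the `(1)` audit log, after the `(2)` audit log and in the new-user path is the same block copied three times, so the accepted role set lives in three places; a helper such as `hasRequiredSSORole(roles []string) bool` (assuming `openidUser.Roles` is a `[]string`) keeps the list in one place and lets the loop return on the first match. The `fmt.Sprintf` wrapping a literal with no verbs is redundant (staticcheck S1039) and can be dropped, and since the user did authenticate with the IdP but lacks authorization, `http.StatusForbidden` is the more accurate status than 401 if the frontend can accept it. The warning in the second copy is tagged `- (1)` while the audit line just above it is `(2)`, and all three spell "respone", which makes these rejections harder to correlate in logs; I would fix the tag to `(2)` and the spelling. HandleOpenId continues on both sides of every hunk, so whether a session has already been issued before these checks is not visible here — if it has, the rejection does not invalidate it.
```go
// hasRequiredSSORole reports whether any role returned in the SSO response is
// one Shuffle recognises. Checked only when org.SSOConfig.RoleRequired is set.
func hasRequiredSSORole(roles []string) bool {
	for _, role := range roles {
		switch role {
		case "shuffle-admin", "shuffle-user", "shuffle-org-reader":
			return true
		}
	}
	return false
}

// … in HandleOpenId, at each of the three call sites (tag (1), (2), (3)) …
if org.SSOConfig.RoleRequired && !hasRequiredSSORole(openidUser.Roles) {
	log.Printf("[WARNING] User %s (%s): no recognised role in SSO response for org %s (%s). Please contact the administrator - (1)", user.Username, user.Id, org.Name, org.Id)
	resp.WriteHeader(401)
	resp.Write([]byte(`{"success": false, "reason": "Role detail is missing. Please contact the administrator of org."}`))
	return
}
```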
1 change: 1 addition & 0 deletions structs.go
Expand Up @@ -2777,6 +2777,7 @@ type SSOConfig struct {
OpenIdToken string `json:"openid_token" datastore:"openid_token"`
SSORequired bool `json:"SSORequired" datastore:"SSORequired"`
AutoProvision bool `json:"auto_provision" datastore:"auto_provision"`
RoleRequired bool `json:"role_required" datastore:"role_required"`
}

type SamlRequest struct {
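Review bot: The new `RoleRequired` field has no doc comment, and nothing in the struct says what a missing role leads to; I would add `// RoleRequired rejects SSO logins whose response carries none of the roles Shuffle recognises (see HandleOpenId).` above it. The zero value `false` keeps existing orgs on the current behaviour, which is worth stating in that comment since the field is loaded from the datastore. The SSOConfig struct starts outside the hunk.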