Penpot/penpot
0
Fork 0
mirror of https://github.com/penpot/penpot.git synced 2025-02-08 08:09:14 -05:00
Code Issues Activity

🐛 Fix OICD auth provider roles checking mechanism

Browse source
This commit is contained in:
Andrey Antukh 2023-04-24 15:13:24 +02:00
parent 3a57b436a4
commit c31eb2df42
3 changed files with 14 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
CHANGES.md
View file

@ -1,12 +1,13 @@
# CHANGELOG # CHANGELOG
## 1.18.3 ## 1.18.3 (Unreleased)
### :bug: Bugs fixed ### :bug: Bugs fixed
- Fix problem with rulers not placing correctly [Taiga #5093](https://tree.taiga.io/project/penpot/issue/5093) - Fix problem with rulers not placing correctly [Taiga #5093](https://tree.taiga.io/project/penpot/issue/5093)
- Fix page context menu [Taiga #5145](https://tree.taiga.io/project/penpot/issue/5145) - Fix page context menu [Taiga #5145](https://tree.taiga.io/project/penpot/issue/5145)
- Fix project file count [Taiga #5148](https://tree.taiga.io/project/penpot/issue/5148) - Fix project file count [Taiga #5148](https://tree.taiga.io/project/penpot/issue/5148)
- Fix OIDC roles checking mechanism [GH #3152](https://github.com/penpot/penpot/issues/3152)
### :arrow_up: Deps updates ### :arrow_up: Deps updates

17
backend/src/app/auth/oidc.clj
View file

@ -196,7 +196,7 @@
;; Additional hooks for provider specific way of ;; Additional hooks for provider specific way of
;; retrieve emails. ;; retrieve emails.
:get-email-fn (partial retrieve-github-email cfg)}] :get-email-fn (partial retrieve-github-email cfg)}]
(when (contains? cf/flags :login-with-github) (when (contains? cf/flags :login-with-github)
(if (and (string? (:client-id opts)) (if (and (string? (:client-id opts))
@ -377,21 +377,26 @@
(defn get-info (defn get-info
[{:keys [provider] :as cfg} {:keys [params] :as request}] [{:keys [provider] :as cfg} {:keys [params] :as request}]
(letfn [(validate-oidc [info] (letfn [(parse-oidc-attrs-path [path]
(let [[fitem & items] (str/split path "__")]
(into [(keyword "oidc" fitem)] (map keyword) items)))
(validate-oidc [info]
;; If the provider is OIDC, we can proceed to check ;; If the provider is OIDC, we can proceed to check
;; roles if they are defined. ;; roles if they are defined.
(when (and (= "oidc" (:name provider)) (when (and (= "oidc" (:name provider))
(seq (:roles provider))) (seq (:roles provider)))
(let [provider-roles (into #{} (:roles provider)) (let [expected-roles (into #{} (:roles provider))
profile-roles (let [attr (cf/get :oidc-roles-attr :roles) current-roles (let [roles (->> (cf/get :oidc-roles-attr "roles")
roles (get info attr)] (parse-oidc-attrs-path)
(get-in info))]
(cond (cond
(string? roles) (into #{} (str/words roles)) (string? roles) (into #{} (str/words roles))
(vector? roles) (into #{} roles) (vector? roles) (into #{} roles)
:else #{}))] :else #{}))]
;; check if profile has a configured set of roles ;; check if profile has a configured set of roles
(when-not (set/subset? provider-roles profile-roles) (when-not (set/subset? expected-roles current-roles)
(ex/raise :type :internal (ex/raise :type :internal
:code :unable-to-auth :code :unable-to-auth
:hint "not enough permissions")))) :hint "not enough permissions"))))

2
backend/src/app/config.clj
View file

@ -153,7 +153,7 @@
(s/def ::oidc-user-uri ::us/string) (s/def ::oidc-user-uri ::us/string)
(s/def ::oidc-scopes ::us/set-of-strings) (s/def ::oidc-scopes ::us/set-of-strings)
(s/def ::oidc-roles ::us/set-of-strings) (s/def ::oidc-roles ::us/set-of-strings)
(s/def ::oidc-roles-attr ::us/keyword) (s/def ::oidc-roles-attr ::us/string)
(s/def ::oidc-email-attr ::us/keyword) (s/def ::oidc-email-attr ::us/keyword)
(s/def ::oidc-name-attr ::us/keyword) (s/def ::oidc-name-attr ::us/keyword)
(s/def ::host ::us/string) (s/def ::host ::us/string)