chg: [oidc] Check user role when checking if user is valid

2022-02-18 15:51:00 +01:00 · 2022-02-18 15:51:00 +01:00 · 6cb30515e7
parent 9c357bec9c
commit 6cb30515e7
1 changed files with 42 additions and 20 deletions
--- a/app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php
+++ b/app/Plugin/OidcAuth/Controller/Component/Auth/OidcAuthenticate.php
@ -38,27 +38,14 @@ class OidcAuthenticate extends BaseAuthenticate
            throw new Exception("OIDC authentication was not successful.");
        }

-        $verifiedClaims = $oidc->getVerifiedClaims();
+        $claims = $oidc->getVerifiedClaims();

-        $mispUsername = isset($verifiedClaims->email) ? $verifiedClaims->email : $oidc->requestUserInfo('email');
+        $mispUsername = $claims->email ?? $oidc->requestUserInfo('email');
        $this->log($mispUsername, "Trying login.");

-        $sub = $verifiedClaims->sub;
+        $sub = $claims->sub; // sub is required
        $organisationProperty = $this->getConfig('organisation_property', 'organization');
-        if (property_exists($verifiedClaims, $organisationProperty)) {
-            $organisationName = $verifiedClaims->{$organisationProperty};
-        } else {
-            $organisationName = $this->getConfig('default_org');
-        }
-
-        $roles = [];
-        $roleProperty = $this->getConfig('roles_property', 'roles');
-        if (property_exists($verifiedClaims, $roleProperty)) {
-            $roles = $verifiedClaims->{$roleProperty};
-        }
-        if (empty($roles)) {
-            $roles = $oidc->requestUserInfo($roleProperty);
-        }
+        $organisationName = $claims->{$organisationProperty} ?? $this->getConfig('default_org');

        // Try to find user by `sub` field, that is unique
        $this->settings['fields'] = ['username' => 'sub'];
@ -81,6 +68,15 @@ class OidcAuthenticate extends BaseAuthenticate
            return false;
        }

+        $roles = [];
+        $roleProperty = $this->getConfig('roles_property', 'roles');
+        if (property_exists($claims, $roleProperty)) {
+            $roles = $claims->{$roleProperty};
+        }
+        if (empty($roles)) {
+            $roles = $oidc->requestUserInfo($roleProperty);
+        }
+
        $roleId = $this->getUserRole($roles, $mispUsername);
        if ($roleId === null) {
            $this->log($mispUsername, 'No role was assigned.');
@ -124,7 +120,7 @@ class OidcAuthenticate extends BaseAuthenticate
            }

            $refreshToken = $this->getConfig('offline_access', false) ? $oidc->getRefreshToken() : null;
-            $this->storeMetadata($user['id'], $verifiedClaims, $refreshToken);
+            $this->storeMetadata($user['id'], $claims, $refreshToken);

            $this->log($mispUsername, 'Logged in.');
            return $user;
@ -147,7 +143,7 @@ class OidcAuthenticate extends BaseAuthenticate
        }

        $refreshToken = $this->getConfig('offline_access', false) ? $oidc->getRefreshToken() : null;
-        $this->storeMetadata($this->userModel()->id, $verifiedClaims, $refreshToken);
+        $this->storeMetadata($this->userModel()->id, $claims, $refreshToken);

        $this->log($mispUsername, "Saved in database with ID {$this->userModel()->id}");
        $this->log($mispUsername, 'Logged in.');
@ -158,10 +154,11 @@ class OidcAuthenticate extends BaseAuthenticate
     * @param array $user
     * @param bool $blockInvalid Block invalid user
     * @param bool $ignoreValidityTime Ignore `check_user_validity` setting and always check if user is valid
+     * @param bool $update
     * @return bool
     * @throws Exception
     */
-    public function isUserValid(array $user, $blockInvalid = false, $ignoreValidityTime = false)
+    public function isUserValid(array $user, $blockInvalid = false, $ignoreValidityTime = false, $update = false)
    {
        if (!$this->getConfig('offline_access', false)) {
            return true; // offline access is not enabled, so it is not possible to verify user
@ -211,6 +208,31 @@ class OidcAuthenticate extends BaseAuthenticate
            return true;
        }

+        // Check user role
+        $roles = [];
+        $claims = $oidc->getVerifiedClaims();
+        $roleProperty = $this->getConfig('roles_property', 'roles');
+        if (property_exists($claims, $roleProperty)) {
+            $roles = $claims->{$roleProperty};
+        }
+        if (empty($roles)) {
+            $roles = $oidc->requestUserInfo($roleProperty);
+        }
+
+        $roleId = $this->getUserRole($roles, $user['email']);
+        if ($roleId === null) {
+            $this->log($user['email'], 'No role was assigned.');
+            if ($blockInvalid) {
+                $this->block($user);
+            }
+            return false;
+        }
+
+        if ($update && $user['role_id'] != $roleId) {
+            $this->userModel()->updateField($user, 'role_id', $roleId);
+            $this->log($user['email'], "User role changed from {$user['role_id']} to $roleId.");
+        }
+
        // Update refresh token if new token provided
        if ($oidc->getRefreshToken()) {
            $userInfo['validity_check_timestamp'] = time();