chg: [config] Allow Oidc roles as string

2024-04-22 00:23:25 +02:00 · 2024-04-22 00:23:25 +02:00 · ce7ab72190
parent ddd0a0cd46
commit ce7ab72190
2 changed files with 6 additions and 5 deletions
--- a/app/Plugin/OidcAuth/Lib/Oidc.php
+++ b/app/Plugin/OidcAuth/Lib/Oidc.php
@ -74,7 +74,6 @@ class Oidc
            return false;
        }

-        $roles = is_string($roles) ? explode($this->getConfig('roles_delimiter', ','), $roles) : $roles;
        $roleId = $this->getUserRole($roles, $mispUsername);
        if ($roleId === null) {
            $this->log($mispUsername, 'No role was assigned, access prohibited.', LOG_WARNING);
@ -232,7 +231,6 @@ class Oidc
            return false;
        }

-        $roles = is_string($roles) ? explode($this->getConfig('roles_delimiter', ','), $roles) : $roles;
        $roleId = $this->getUserRole($roles, $user['email']);
        if ($roleId === null) {
            $this->log($user['email'], 'No role was assigned.', LOG_WARNING);
@ -304,9 +302,10 @@ class Oidc
        $providerUrl = $this->getConfig('provider_url');
        $clientId = $this->getConfig('client_id');
        $clientSecret = $this->getConfig('client_secret');
+        $issuer = $this->getConfig('issuer', $providerUrl);

        if (class_exists("\JakubOnderka\OpenIDConnectClient")) {
-            $oidc = new \JakubOnderka\OpenIDConnectClient($providerUrl, $clientId, $clientSecret);
+            $oidc = new \JakubOnderka\OpenIDConnectClient($providerUrl, $clientId, $clientSecret, $issuer);
        } else if (class_exists("\Jumbojett\OpenIDConnectClient")) {
            throw new Exception("Jumbojett OIDC implementation is not supported anymore, please use JakubOnderka's client");
        } else {
@ -444,12 +443,13 @@ class Oidc
    }

    /**
-     * @param array $roles Role list provided by OIDC
+     * @param array|string $roles Role list provided by OIDC
     * @param string $mispUsername
     * @return int|null Role ID or null if no role matches
     */
-    private function getUserRole(array $roles, $mispUsername)
+    private function getUserRole($roles, $mispUsername)
    {
+        $roles = is_string($roles) ? explode($this->getConfig('roles_delimiter', ','), $roles) : $roles;
        $this->log($mispUsername, 'Provided roles: ' . implode(', ', $roles));
        $roleMapper = $this->getConfig('role_mapper');
        if (!is_array($roleMapper)) {
--- a/app/Plugin/OidcAuth/README.md
+++ b/app/Plugin/OidcAuth/README.md
@ -32,6 +32,7 @@ $config = array(
    ...
    'OidcAuth' = [
        'provider_url' => '{{ OIDC_PROVIDER }}',
+        'issuer' => '{{ OIDC_ISSUER }}', // If omitted, it defaults to provider_url
        'client_id' => '{{ OIDC_CLIENT_ID }}',
        'client_secret' => '{{ OIDC_CLIENT_SECRET }}',
        'role_mapper' => [ // if user has multiple roles, first role that match will be assigned to user