mirror of https://github.com/MISP/MISP
chg: [config] Allow Oidc roles as string
parent
ddd0a0cd46
commit
ce7ab72190
|
@ -74,7 +74,6 @@ class Oidc
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
$roles = is_string($roles) ? explode($this->getConfig('roles_delimiter', ','), $roles) : $roles;
|
|
||||||
$roleId = $this->getUserRole($roles, $mispUsername);
|
$roleId = $this->getUserRole($roles, $mispUsername);
|
||||||
if ($roleId === null) {
|
if ($roleId === null) {
|
||||||
$this->log($mispUsername, 'No role was assigned, access prohibited.', LOG_WARNING);
|
$this->log($mispUsername, 'No role was assigned, access prohibited.', LOG_WARNING);
|
||||||
|
@ -232,7 +231,6 @@ class Oidc
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
$roles = is_string($roles) ? explode($this->getConfig('roles_delimiter', ','), $roles) : $roles;
|
|
||||||
$roleId = $this->getUserRole($roles, $user['email']);
|
$roleId = $this->getUserRole($roles, $user['email']);
|
||||||
if ($roleId === null) {
|
if ($roleId === null) {
|
||||||
$this->log($user['email'], 'No role was assigned.', LOG_WARNING);
|
$this->log($user['email'], 'No role was assigned.', LOG_WARNING);
|
||||||
|
@ -304,9 +302,10 @@ class Oidc
|
||||||
$providerUrl = $this->getConfig('provider_url');
|
$providerUrl = $this->getConfig('provider_url');
|
||||||
$clientId = $this->getConfig('client_id');
|
$clientId = $this->getConfig('client_id');
|
||||||
$clientSecret = $this->getConfig('client_secret');
|
$clientSecret = $this->getConfig('client_secret');
|
||||||
|
$issuer = $this->getConfig('issuer', $providerUrl);
|
||||||
|
|
||||||
if (class_exists("\JakubOnderka\OpenIDConnectClient")) {
|
if (class_exists("\JakubOnderka\OpenIDConnectClient")) {
|
||||||
$oidc = new \JakubOnderka\OpenIDConnectClient($providerUrl, $clientId, $clientSecret);
|
$oidc = new \JakubOnderka\OpenIDConnectClient($providerUrl, $clientId, $clientSecret, $issuer);
|
||||||
} else if (class_exists("\Jumbojett\OpenIDConnectClient")) {
|
} else if (class_exists("\Jumbojett\OpenIDConnectClient")) {
|
||||||
throw new Exception("Jumbojett OIDC implementation is not supported anymore, please use JakubOnderka's client");
|
throw new Exception("Jumbojett OIDC implementation is not supported anymore, please use JakubOnderka's client");
|
||||||
} else {
|
} else {
|
||||||
|
@ -444,12 +443,13 @@ class Oidc
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param array $roles Role list provided by OIDC
|
* @param array|string $roles Role list provided by OIDC
|
||||||
* @param string $mispUsername
|
* @param string $mispUsername
|
||||||
* @return int|null Role ID or null if no role matches
|
* @return int|null Role ID or null if no role matches
|
||||||
*/
|
*/
|
||||||
private function getUserRole(array $roles, $mispUsername)
|
private function getUserRole($roles, $mispUsername)
|
||||||
{
|
{
|
||||||
|
$roles = is_string($roles) ? explode($this->getConfig('roles_delimiter', ','), $roles) : $roles;
|
||||||
$this->log($mispUsername, 'Provided roles: ' . implode(', ', $roles));
|
$this->log($mispUsername, 'Provided roles: ' . implode(', ', $roles));
|
||||||
$roleMapper = $this->getConfig('role_mapper');
|
$roleMapper = $this->getConfig('role_mapper');
|
||||||
if (!is_array($roleMapper)) {
|
if (!is_array($roleMapper)) {
|
||||||
|
|
|
@ -32,6 +32,7 @@ $config = array(
|
||||||
...
|
...
|
||||||
'OidcAuth' = [
|
'OidcAuth' = [
|
||||||
'provider_url' => '{{ OIDC_PROVIDER }}',
|
'provider_url' => '{{ OIDC_PROVIDER }}',
|
||||||
|
'issuer' => '{{ OIDC_ISSUER }}', // If omitted, it defaults to provider_url
|
||||||
'client_id' => '{{ OIDC_CLIENT_ID }}',
|
'client_id' => '{{ OIDC_CLIENT_ID }}',
|
||||||
'client_secret' => '{{ OIDC_CLIENT_SECRET }}',
|
'client_secret' => '{{ OIDC_CLIENT_SECRET }}',
|
||||||
'role_mapper' => [ // if user has multiple roles, first role that match will be assigned to user
|
'role_mapper' => [ // if user has multiple roles, first role that match will be assigned to user
|
||||||
|
|
Loading…
Reference in New Issue