feat: read admin group from OIDC token claim (#445)

2025-06-19 00:27:11 +02:00 · 2025-04-02 13:38:11 +02:00
parent 7907c7bc1e
commit 8cfaceb303
5 changed files with 59 additions and 7 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -70,10 +70,12 @@ type config struct {
 	GiteaUrl       string `yaml:"gitea.url" env:"OG_GITEA_URL"`
 	GiteaName      string `yaml:"gitea.name" env:"OG_GITEA_NAME"`

-	OIDCProviderName string `yaml:"oidc.provider-name" env:"OG_OIDC_PROVIDER_NAME"`
-	OIDCClientKey    string `yaml:"oidc.client-key" env:"OG_OIDC_CLIENT_KEY"`
-	OIDCSecret       string `yaml:"oidc.secret" env:"OG_OIDC_SECRET"`
-	OIDCDiscoveryUrl string `yaml:"oidc.discovery-url" env:"OG_OIDC_DISCOVERY_URL"`
+	OIDCProviderName   string `yaml:"oidc.provider-name" env:"OG_OIDC_PROVIDER_NAME"`
+	OIDCClientKey      string `yaml:"oidc.client-key" env:"OG_OIDC_CLIENT_KEY"`
+	OIDCSecret         string `yaml:"oidc.secret" env:"OG_OIDC_SECRET"`
+	OIDCDiscoveryUrl   string `yaml:"oidc.discovery-url" env:"OG_OIDC_DISCOVERY_URL"`
+	OIDCGroupClaimName string `yaml:"oidc.group-claim-name" env:"OG_OIDC_GROUP_CLAIM_NAME"`
+	OIDCAdminGroup     string `yaml:"oidc.admin-group" env:"OG_OIDC_ADMIN_GROUP"`

 	MetricsEnabled bool `yaml:"metrics.enabled" env:"OG_METRICS_ENABLED"`

--- a/internal/web/handlers/auth/oauth.go
+++ b/internal/web/handlers/auth/oauth.go
@ -4,6 +4,9 @@ import (
 	"crypto/md5"
 	"errors"
 	"fmt"
+	"slices"
+	"strings"
+
 	"github.com/rs/zerolog/log"
 	"github.com/thomiceli/opengist/internal/auth/oauth"
 	"github.com/thomiceli/opengist/internal/config"
@ -12,7 +15,6 @@ import (
 	"golang.org/x/text/cases"
 	"golang.org/x/text/language"
 	"gorm.io/gorm"
-	"strings"
 )

 func Oauth(ctx *context.Context) error {
@ -110,7 +112,8 @@ func OauthCallback(ctx *context.Context) error {
 			return ctx.ErrorRes(500, "Cannot create user", err)
 		}

-		if userDB.ID == 1 {
+		// if oidc admin group is not configured set first user as admin
+		if config.C.OIDCAdminGroup == "" && userDB.ID == 1 {
 			if err = userDB.SetAdmin(); err != nil {
 				return ctx.ErrorRes(500, "Cannot set user admin", err)
 			}
@ -136,6 +139,32 @@ func OauthCallback(ctx *context.Context) error {
 		}
 	}

+	// update is admin status from oidc group
+	if config.C.OIDCAdminGroup != "" {
+		groupClaimName := config.C.OIDCGroupClaimName
+		if groupClaimName == "" {
+			log.Error().Msg("No OIDC group claim name configured")
+		} else if groups, ok := user.RawData[groupClaimName].([]interface{}); ok {
+			var groupNames []string
+			for _, group := range groups {
+				if groupName, ok := group.(string); ok {
+					groupNames = append(groupNames, groupName)
+				}
+			}
+			isOIDCAdmin := slices.Contains(groupNames, config.C.OIDCAdminGroup)
+			log.Debug().Bool("isOIDCAdmin", isOIDCAdmin).Str("user", user.Name).Msg("User is in admin group")
+
+			if userDB.IsAdmin != isOIDCAdmin {
+				userDB.IsAdmin = isOIDCAdmin
+				if err = userDB.Update(); err != nil {
+					return ctx.ErrorRes(500, "Cannot set user admin", err)
+				}
+			}
+		} else {
+			log.Error().Msg("No groups found in user data")
+		}
+	}
+
 	sess := ctx.GetSession()
 	sess.Values["user"] = userDB.ID
 	ctx.SaveSession(sess)