Improve admin privilege handling for OAuth. Update documentation.
@@ -1,9 +1,11 @@
|
||||
package config
|
||||
|
||||
import (
|
||||
"regexp"
|
||||
"time"
|
||||
|
||||
"github.com/go-ldap/ldap/v3"
|
||||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
type Auth struct {
|
||||
@@ -23,7 +25,67 @@ type BaseFields struct {
|
||||
|
||||
type OauthFields struct {
|
||||
BaseFields `yaml:",inline"`
|
||||
IsAdmin string `yaml:"is_admin"` // If the value is "true", the user is an admin.
|
||||
IsAdmin string `yaml:"is_admin"` // If the value is "true", the user is an admin.
|
||||
UserGroups string `yaml:"user_groups"` // This value specifies the claim name that contains the users groups.
|
||||
}
|
||||
|
||||
// OauthAdminMapping contains all necessary information to extract information about administrative privileges
|
||||
// from the user info fields.
|
||||
//
|
||||
// WgPortal can grant a user admin rights by matching the value of the `is_admin` claim against a regular expression.
|
||||
// Alternatively, a regular expression can be used to check if a user is member of a specific group listed in the
|
||||
// `user_group` claim.
|
||||
// If one of the cases evaluates to true, the user is granted admin rights.
|
||||
type OauthAdminMapping struct {
|
||||
// If the regex specified in that field matches the contents of the is_admin field, the user is an admin.
|
||||
AdminValueRegex string `yaml:"admin_value_regex"`
|
||||
|
||||
// If any of the groups listed in the groups field matches the group specified in the admin_group_regex field, ]
|
||||
// the user is an admin.
|
||||
AdminGroupRegex string `yaml:"admin_group_regex"`
|
||||
|
||||
// internal cache fields
|
||||
|
||||
adminValueRegex *regexp.Regexp
|
||||
adminGroupRegex *regexp.Regexp
|
||||
}
|
||||
|
||||
func (o *OauthAdminMapping) GetAdminValueRegex() *regexp.Regexp {
|
||||
if o.adminValueRegex != nil {
|
||||
return o.adminValueRegex // return cached value
|
||||
}
|
||||
|
||||
if o.AdminValueRegex == "" {
|
||||
o.adminValueRegex = regexp.MustCompile("^true$") // default value is "true"
|
||||
return o.adminValueRegex
|
||||
}
|
||||
|
||||
adminRegex, err := regexp.Compile(o.AdminValueRegex)
|
||||
if err != nil {
|
||||
logrus.Fatalf("failed to compile admin_value_regex: %v", err)
|
||||
}
|
||||
o.adminValueRegex = adminRegex
|
||||
|
||||
return o.adminValueRegex
|
||||
}
|
||||
|
||||
func (o *OauthAdminMapping) GetAdminGroupRegex() *regexp.Regexp {
|
||||
if o.adminGroupRegex != nil {
|
||||
return o.adminGroupRegex // return cached value
|
||||
}
|
||||
|
||||
if o.AdminGroupRegex == "" {
|
||||
o.adminGroupRegex = regexp.MustCompile("^wg_portal_default_admin_group$") // default value is "wg_portal_default_admin_group"
|
||||
return o.adminGroupRegex
|
||||
}
|
||||
|
||||
groupRegex, err := regexp.Compile(o.AdminGroupRegex)
|
||||
if err != nil {
|
||||
logrus.Fatalf("failed to compile admin_group_regex: %v", err)
|
||||
}
|
||||
o.adminGroupRegex = groupRegex
|
||||
|
||||
return o.adminGroupRegex
|
||||
}
|
||||
|
||||
type LdapFields struct {
|
||||
@@ -58,6 +120,9 @@ type LdapProvider struct {
|
||||
|
||||
// If RegistrationEnabled is set to true, wg-portal will create new users that do not exist in the database.
|
||||
RegistrationEnabled bool `yaml:"registration_enabled"`
|
||||
|
||||
// If LogUserInfo is set to true, the user info retrieved from the LDAP provider will be logged in trace level.
|
||||
LogUserInfo bool `yaml:"log_user_info"`
|
||||
}
|
||||
|
||||
type OpenIDConnectProvider struct {
|
||||
@@ -81,8 +146,15 @@ type OpenIDConnectProvider struct {
|
||||
// FieldMap is used to map the names of the user-info endpoint fields to wg-portal fields
|
||||
FieldMap OauthFields `yaml:"field_map"`
|
||||
|
||||
// AdminMapping contains all necessary information to extract information about administrative privileges
|
||||
// from the user info fields.
|
||||
AdminMapping OauthAdminMapping `yaml:"admin_mapping"`
|
||||
|
||||
// If RegistrationEnabled is set to true, missing users will be created in the database
|
||||
RegistrationEnabled bool `yaml:"registration_enabled"`
|
||||
|
||||
// If LogUserInfo is set to true, the user info retrieved from the OIDC provider will be logged in trace level.
|
||||
LogUserInfo bool `yaml:"log_user_info"`
|
||||
}
|
||||
|
||||
type OAuthProvider struct {
|
||||
@@ -108,6 +180,13 @@ type OAuthProvider struct {
|
||||
// FieldMap is used to map the names of the user-info endpoint fields to wg-portal fields
|
||||
FieldMap OauthFields `yaml:"field_map"`
|
||||
|
||||
// AdminMapping contains all necessary information to extract information about administrative privileges
|
||||
// from the user info fields.
|
||||
AdminMapping OauthAdminMapping `yaml:"admin_mapping"`
|
||||
|
||||
// If RegistrationEnabled is set to true, wg-portal will create new users that do not exist in the database.
|
||||
RegistrationEnabled bool `yaml:"registration_enabled"`
|
||||
|
||||
// If LogUserInfo is set to true, the user info retrieved from the OAuth provider will be logged in trace level.
|
||||
LogUserInfo bool `yaml:"log_user_info"`
|
||||
}
|
||||
|
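Review bot: The user-supplied `admin_value_regex` and `admin_group_regex` are compiled and applied without anchoring, so a pattern such as `admin` would also match a group like `admin-readonly` or a claim value like `notadmin`, granting admin rights more broadly than the anchored defaults `^true$` and `^wg_portal_default_admin_group$` do; the comments on both fields should say so, e.g. `// The pattern is searched anywhere in the value; anchor it with ^ and $ to require an exact match.`, or the getter should wrap the pattern in `^(?:...)$` if exact matching is intended. The `logrus.Fatalf` calls in `GetAdminValueRegex` and `GetAdminGroupRegex` turn a configuration typo into a process exit on the first OAuth login rather than at startup; compiling both patterns once when the config is loaded and returning the error there would surface the problem before the service accepts requests. The lazy writes to `adminValueRegex` and `adminGroupRegex` are not synchronized, so if the getters are reached from concurrent request handlers two first logins could race on the cache fields — eager compilation, or a `sync.Once` per field, avoids that. Minor: the comment on `AdminGroupRegex` has a stray `]`, and the type comment refers to the `user_group` claim while the yaml key on `OauthFields` is `user_groups`.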