Mirrors/wg-portal
1
0
Fork 0
mirror of https://github.com/h44z/wg-portal.git synced 2026-02-22 18:36:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

only override isAdmin flag if it is provided by the authentication source

Browse Source
This commit is contained in:
Christoph Haas
2026-01-19 23:17:56 +01:00
parent 70832bfb52
commit 79eaedb9ca
4 changed files with 44 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
internal/app/auth/auth.go
View File

@@ -605,7 +605,7 @@ func (a *Authenticator) registerNewUser(
user := &domain.User{
Identifier: userInfo.Identifier,
Email: userInfo.Email,
IsAdmin: userInfo.IsAdmin,
IsAdmin: false,
Firstname: userInfo.Firstname,
Lastname: userInfo.Lastname,
Phone: userInfo.Phone,
@@ -624,6 +624,9 @@ func (a *Authenticator) registerNewUser(
},
},
}
if userInfo.AdminInfoAvailable && userInfo.IsAdmin {
user.IsAdmin = true
}
err := a.users.RegisterUser(ctx, user)
if err != nil {
@@ -632,6 +635,7 @@ func (a *Authenticator) registerNewUser(
slog.Debug("registered user from external authentication provider",
"user", user.Identifier,
"adminInfoAvailable", userInfo.AdminInfoAvailable,
"isAdmin", user.IsAdmin,
"provider", source)
@@ -719,7 +723,7 @@ func (a *Authenticator) updateExternalUser(
existingUser.Department = userInfo.Department
isChanged = true
}
if existingUser.IsAdmin != userInfo.IsAdmin {
if userInfo.AdminInfoAvailable && existingUser.IsAdmin != userInfo.IsAdmin {
existingUser.IsAdmin = userInfo.IsAdmin
isChanged = true
}
@@ -732,6 +736,7 @@ func (a *Authenticator) updateExternalUser(
slog.Debug("updated user with data from external authentication provider",
"user", existingUser.Identifier,
"adminInfoAvailable", userInfo.AdminInfoAvailable,
"isAdmin", existingUser.IsAdmin,
"provider", source)
}

28
internal/app/auth/auth_ldap.go
View File

@@ -127,18 +127,26 @@ func (l LdapAuthenticator) GetUserInfo(_ context.Context, userId domain.UserIden
// ParseUserInfo parses the user information from the LDAP server into a domain.AuthenticatorUserInfo struct.
func (l LdapAuthenticator) ParseUserInfo(raw map[string]any) (*domain.AuthenticatorUserInfo, error) {
isAdmin, err := internal.LdapIsMemberOf(raw[l.cfg.FieldMap.GroupMembership].([][]byte), l.cfg.ParsedAdminGroupDN)
if err != nil {
return nil, fmt.Errorf("failed to check admin group: %w", err)
isAdmin := false
adminInfoAvailable := false
if l.cfg.FieldMap.GroupMembership != "" {
adminInfoAvailable = true
var err error
isAdmin, err = internal.LdapIsMemberOf(raw[l.cfg.FieldMap.GroupMembership].([][]byte), l.cfg.ParsedAdminGroupDN)
if err != nil {
return nil, fmt.Errorf("failed to check admin group: %w", err)
}
}
userInfo := &domain.AuthenticatorUserInfo{
Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, l.cfg.FieldMap.UserIdentifier, "")),
Email: internal.MapDefaultString(raw, l.cfg.FieldMap.Email, ""),
Firstname: internal.MapDefaultString(raw, l.cfg.FieldMap.Firstname, ""),
Lastname: internal.MapDefaultString(raw, l.cfg.FieldMap.Lastname, ""),
Phone: internal.MapDefaultString(raw, l.cfg.FieldMap.Phone, ""),
Department: internal.MapDefaultString(raw, l.cfg.FieldMap.Department, ""),
IsAdmin: isAdmin,
Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, l.cfg.FieldMap.UserIdentifier, "")),
Email: internal.MapDefaultString(raw, l.cfg.FieldMap.Email, ""),
Firstname: internal.MapDefaultString(raw, l.cfg.FieldMap.Firstname, ""),
Lastname: internal.MapDefaultString(raw, l.cfg.FieldMap.Lastname, ""),
Phone: internal.MapDefaultString(raw, l.cfg.FieldMap.Phone, ""),
Department: internal.MapDefaultString(raw, l.cfg.FieldMap.Department, ""),
IsAdmin: isAdmin,
AdminInfoAvailable: adminInfoAvailable,
}
return userInfo, nil

18
internal/app/auth/oauth_common.go
View File

@@ -15,9 +15,11 @@ func parseOauthUserInfo(
raw map[string]any,
) (*domain.AuthenticatorUserInfo, error) {
var isAdmin bool
var adminInfoAvailable bool
// first try to match the is_admin field against the given regex
if mapping.IsAdmin != "" {
adminInfoAvailable = true
re := adminMapping.GetAdminValueRegex()
if re.MatchString(strings.TrimSpace(internal.MapDefaultString(raw, mapping.IsAdmin, ""))) {
isAdmin = true
@@ -26,6 +28,7 @@ func parseOauthUserInfo(
// next try to parse the user's groups
if !isAdmin && mapping.UserGroups != "" && adminMapping.AdminGroupRegex != "" {
adminInfoAvailable = true
userGroups := internal.MapDefaultStringSlice(raw, mapping.UserGroups, nil)
re := adminMapping.GetAdminGroupRegex()
for _, group := range userGroups {
@@ -37,13 +40,14 @@ func parseOauthUserInfo(
}
userInfo := &domain.AuthenticatorUserInfo{
Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, mapping.UserIdentifier, "")),
Email: internal.MapDefaultString(raw, mapping.Email, ""),
Firstname: internal.MapDefaultString(raw, mapping.Firstname, ""),
Lastname: internal.MapDefaultString(raw, mapping.Lastname, ""),
Phone: internal.MapDefaultString(raw, mapping.Phone, ""),
Department: internal.MapDefaultString(raw, mapping.Department, ""),
IsAdmin: isAdmin,
Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, mapping.UserIdentifier, "")),
Email: internal.MapDefaultString(raw, mapping.Email, ""),
Firstname: internal.MapDefaultString(raw, mapping.Firstname, ""),
Lastname: internal.MapDefaultString(raw, mapping.Lastname, ""),
Phone: internal.MapDefaultString(raw, mapping.Phone, ""),
Department: internal.MapDefaultString(raw, mapping.Department, ""),
IsAdmin: isAdmin,
AdminInfoAvailable: adminInfoAvailable,
}
return userInfo, nil

15
internal/domain/auth.go
View File

@@ -10,11 +10,12 @@ type LoginProviderInfo struct {
}
type AuthenticatorUserInfo struct {
Identifier UserIdentifier
Email string
Firstname string
Lastname string
Phone string
Department string
IsAdmin bool
Identifier UserIdentifier
Email string
Firstname string
Lastname string
Phone string
Department string
IsAdmin bool
AdminInfoAvailable bool // true if the IsAdmin flag is valid
}