Implement OAuth2 server, link oauth:Client and auth::Oauth2Client, implement permission checks

2020-05-16 23:55:08 -05:00
parent 6f621f5891
commit d558f21375
51 changed files with 2808 additions and 159 deletions
--- a/app/controllers/saml/SAML.controller.js
+++ b/app/controllers/saml/SAML.controller.js
@@ -4,7 +4,7 @@ const samlp = require('samlp')

 class SAMLController extends Controller {
    static get services() {
-        return [...super.services, 'saml', 'output', 'Vue', 'configs']
+        return [...super.services, 'saml', 'output', 'Vue', 'configs', 'models']
    }

    async get_metadata(req, res, next) {
@@ -20,10 +20,24 @@ class SAMLController extends Controller {
    }

    // TODO some sort of first-logon flow
-    // TODO Also, customize logon continue message
    async get_sso(req, res, next) {
        const index = await req.saml.participants.issue({ service_provider: req.saml_request.service_provider })

+        // Apply the appropriate IAM policy if this SAML SP is associated with an App
+        // If the SAML service provider has no associated application, just allow it
+        // TODO test this
+        const associated_app = await req.saml_request.service_provider.application()
+        if ( associated_app ) {
+            const Policy = this.models.get('iam:Policy')
+            const can_access = await Policy.check_user_access(req.user, associated_app.id)
+            if ( !can_access ) {
+                return this.Vue.auth_message(res, {
+                    message: `Sorry, you don't have permission to access this application. Please ask your administrator to grant you access to ${associated_app.name}.`,
+                    next_destination: '/dash',
+                })
+            }
+        }
+
        return samlp.auth({
            issuer: this.saml.config().provider_name,
            cert: await this.saml.public_cert(),