Check IAM policy for OAuth2 logins

4 years ago · fcbf25e3ce
parent 084ec7bbc1
commit fcbf25e3ce
2 changed files with 36 additions and 2 deletions
--- a/app/controllers/OpenID.controller.js
+++ b/app/controllers/OpenID.controller.js
@ -119,8 +119,6 @@ class OpenIDController extends Controller {
            uid, prompt, params, session,
        } = await this.openid_connect.provider.interactionDetails(req, res)

-        console.log({uid, prompt, params, session})
-
        const name = prompt.name
        if ( typeof this[name] !== 'function' ) {
            return this.fail(res, 'Sorry, something has gone wrong.')
--- a/app/controllers/auth/Oauth2.controller.js
+++ b/app/controllers/auth/Oauth2.controller.js
@ -18,6 +18,24 @@ class Oauth2 extends Oauth2Controller {
        const StarshipClient = this.models.get('oauth:Client')
        const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })

+        // Make sure the user has IAM access before proceeding
+        const Application = this.models.get('Application')
+        const Policy = this.models.get('iam:Policy')
+        const application = await Application.findOne({ oauth_client_ids: starship_client.id })
+        if ( !application ) {
+            this.output.warning('IAM Denial!')
+            return this.Vue.auth_message(res, {
+                message: req.T('saml.no_access').replace('APP_NAME', application.name),
+                next_destination: '/dash',
+            })
+        } else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
+            this.output.warning('IAM Denial!')
+            return this.Vue.auth_message(res, {
+                message: req.T('saml.no_access').replace('APP_NAME', application.name),
+                next_destination: '/dash',
+            })
+        }
+
        req.user.authorize(starship_client)
        await req.user.save()
        return super.authorize_post(req, res, next)
@ -31,6 +49,24 @@ class Oauth2 extends Oauth2Controller {
        const StarshipClient = this.models.get('oauth:Client')
        const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })

+        // Make sure the user has IAM access before proceeding
+        const Application = this.models.get('Application')
+        const Policy = this.models.get('iam:Policy')
+        const application = await Application.findOne({ oauth_client_ids: starship_client.id })
+        if ( !application ) {
+            this.output.warning('IAM Denial!')
+            return this.Vue.auth_message(res, {
+                message: req.T('saml.no_access').replace('APP_NAME', application.name),
+                next_destination: '/dash',
+            })
+        } else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
+            this.output.warning('IAM Denial!')
+            return this.Vue.auth_message(res, {
+                message: req.T('saml.no_access').replace('APP_NAME', application.name),
+                next_destination: '/dash',
+            })
+        }
+
        if ( req.user.has_authorized(starship_client) ) {
            return this.Vue.invoke_action(res, {
                text: 'Grant Access',