Check IAM policy for OAuth2 logins
This commit is contained in:
		
							parent
							
								
									084ec7bbc1
								
							
						
					
					
						commit
						fcbf25e3ce
					
				| @ -119,8 +119,6 @@ class OpenIDController extends Controller { | |||||||
|             uid, prompt, params, session, |             uid, prompt, params, session, | ||||||
|         } = await this.openid_connect.provider.interactionDetails(req, res) |         } = await this.openid_connect.provider.interactionDetails(req, res) | ||||||
| 
 | 
 | ||||||
|         console.log({uid, prompt, params, session}) |  | ||||||
| 
 |  | ||||||
|         const name = prompt.name |         const name = prompt.name | ||||||
|         if ( typeof this[name] !== 'function' ) { |         if ( typeof this[name] !== 'function' ) { | ||||||
|             return this.fail(res, 'Sorry, something has gone wrong.') |             return this.fail(res, 'Sorry, something has gone wrong.') | ||||||
|  | |||||||
| @ -18,6 +18,24 @@ class Oauth2 extends Oauth2Controller { | |||||||
|         const StarshipClient = this.models.get('oauth:Client') |         const StarshipClient = this.models.get('oauth:Client') | ||||||
|         const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID }) |         const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID }) | ||||||
| 
 | 
 | ||||||
|  |         // Make sure the user has IAM access before proceeding
 | ||||||
|  |         const Application = this.models.get('Application') | ||||||
|  |         const Policy = this.models.get('iam:Policy') | ||||||
|  |         const application = await Application.findOne({ oauth_client_ids: starship_client.id }) | ||||||
|  |         if ( !application ) { | ||||||
|  |             this.output.warning('IAM Denial!') | ||||||
|  |             return this.Vue.auth_message(res, { | ||||||
|  |                 message: req.T('saml.no_access').replace('APP_NAME', application.name), | ||||||
|  |                 next_destination: '/dash', | ||||||
|  |             }) | ||||||
|  |         } else if ( !(await Policy.check_user_access(req.user, application.id)) ) { | ||||||
|  |             this.output.warning('IAM Denial!') | ||||||
|  |             return this.Vue.auth_message(res, { | ||||||
|  |                 message: req.T('saml.no_access').replace('APP_NAME', application.name), | ||||||
|  |                 next_destination: '/dash', | ||||||
|  |             }) | ||||||
|  |         } | ||||||
|  | 
 | ||||||
|         req.user.authorize(starship_client) |         req.user.authorize(starship_client) | ||||||
|         await req.user.save() |         await req.user.save() | ||||||
|         return super.authorize_post(req, res, next) |         return super.authorize_post(req, res, next) | ||||||
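Review bot: The `if ( !application )` branch builds its denial message from `application.name` while `application` is null, so a client with no linked Application throws a TypeError instead of rendering the denial page — the request still fails closed, but as an unhandled error rather than the intended message. The same twenty-line block is pasted verbatim into the second hunk (`@ -31,6 +49,24`), so both copies carry the defect and any later policy change has to be made twice; moving it into one helper that returns the denial response or null lets both handlers share it. The `'IAM Denial!'` warning also records nothing about which client was denied, which makes the denial hard to attribute when reviewing logs. Both enclosing methods start outside their hunks.
```javascript
    // Returns a denial response when req.user may not use the Application behind
    // starship_client, or null when access is allowed. Shared by both authorize handlers.
    async deny_unless_iam_access(req, res, starship_client) {
        const Application = this.models.get('Application')
        const Policy = this.models.get('iam:Policy')
        const application = await Application.findOne({ oauth_client_ids: starship_client.id })
        const allowed = application && (await Policy.check_user_access(req.user, application.id))
        if ( allowed ) return null

        // Fall back to the client uuid so a missing Application no longer dereferences null
        const app_name = application ? application.name : starship_client.uuid
        this.output.warning(`IAM Denial! client=${starship_client.id}`)
        return this.Vue.auth_message(res, {
            message: req.T('saml.no_access').replace('APP_NAME', app_name),
            next_destination: '/dash',
        })
    }

    // … unchanged: handler prologue up to starship_client lookup …
    const denial = await this.deny_unless_iam_access(req, res, starship_client)
    if ( denial ) return denial
    // … unchanged: authorize / save / super call …
```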
| @ -31,6 +49,24 @@ class Oauth2 extends Oauth2Controller { | |||||||
|         const StarshipClient = this.models.get('oauth:Client') |         const StarshipClient = this.models.get('oauth:Client') | ||||||
|         const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID }) |         const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID }) | ||||||
| 
 | 
 | ||||||
|  |         // Make sure the user has IAM access before proceeding
 | ||||||
|  |         const Application = this.models.get('Application') | ||||||
|  |         const Policy = this.models.get('iam:Policy') | ||||||
|  |         const application = await Application.findOne({ oauth_client_ids: starship_client.id }) | ||||||
|  |         if ( !application ) { | ||||||
|  |             this.output.warning('IAM Denial!') | ||||||
|  |             return this.Vue.auth_message(res, { | ||||||
|  |                 message: req.T('saml.no_access').replace('APP_NAME', application.name), | ||||||
|  |                 next_destination: '/dash', | ||||||
|  |             }) | ||||||
|  |         } else if ( !(await Policy.check_user_access(req.user, application.id)) ) { | ||||||
|  |             this.output.warning('IAM Denial!') | ||||||
|  |             return this.Vue.auth_message(res, { | ||||||
|  |                 message: req.T('saml.no_access').replace('APP_NAME', application.name), | ||||||
|  |                 next_destination: '/dash', | ||||||
|  |             }) | ||||||
|  |         } | ||||||
|  | 
 | ||||||
|         if ( req.user.has_authorized(starship_client) ) { |         if ( req.user.has_authorized(starship_client) ) { | ||||||
|             return this.Vue.invoke_action(res, { |             return this.Vue.invoke_action(res, { | ||||||
|                 text: 'Grant Access', |                 text: 'Grant Access', | ||||||
|  | |||||||