Check IAM policy for OAuth2 logins

inflate OpenID UID to case-sensitive on lookup
Force OpenID UID to be lowercase
2020-10-19 09:51:36 -05:00 · 2020-10-19 09:39:28 -05:00 · 2020-10-19 09:35:49 -05:00 · 2020-10-19 09:26:52 -05:00
3 changed files with 54 additions and 5 deletions
--- a/app/classes/oidc/CoreIDAdapter.js
+++ b/app/classes/oidc/CoreIDAdapter.js
@@ -18,6 +18,11 @@ class CoreIDAdapter {
            expiresAt = new Date(Date.now() + (expiresIn * 1000))
        }

+        if ( payload.uid ) {
+            payload.originalUid = payload.uid
+            payload.uid = payload.uid.toLowerCase()
+        }
+
        await this.coll().updateOne(
            { _id },
            { $set: { payload, ...(expiresAt ? { expiresAt } : undefined) } },
@@ -34,6 +39,11 @@ class CoreIDAdapter {
        ).limit(1).next()

        if (!result) return undefined
+
+        if ( result?.payload?.originalUid ) {
+            result.payload.uid = result.payload.originalUid
+        }
+
        return result.payload
    }

@@ -54,6 +64,11 @@ class CoreIDAdapter {
        ).limit(1).next()

        if (!result) return undefined
+
+        if ( result?.payload?.originalUid ) {
+            result.payload.uid = result.payload.originalUid
+        }
+
        return result.payload
    }

--- a/app/controllers/OpenID.controller.js
+++ b/app/controllers/OpenID.controller.js
@@ -119,14 +119,12 @@ class OpenIDController extends Controller {
            uid, prompt, params, session,
        } = await this.openid_connect.provider.interactionDetails(req, res)

-        console.log({uid, prompt, params, session})
-
        const name = prompt.name
        if ( typeof this[name] !== 'function' ) {
            return this.fail(res, 'Sorry, something has gone wrong.')
        }

-        return this[name](req, res, { uid: uid, prompt, params, session })
+        return this[name](req, res, { uid: uid.toLowerCase(), prompt, params, session })
    }

    async consent(req, res, { uid, prompt, params, session }) {
@@ -172,7 +170,7 @@ class OpenIDController extends Controller {
                    {
                        text: req.T('common.grant'),
                        action: 'redirect',
-                        next: `/openid/interaction/${uid}/grant`,
+                        next: `/openid/interaction/${uid.toLowerCase()}/grant`,
                    },
                ],
            })
@@ -180,7 +178,7 @@ class OpenIDController extends Controller {
    }

    async login(req, res, { uid, prompt, params, session }) {
-        return res.redirect(`/openid/interaction/${uid}/start-session`)
+        return res.redirect(`/openid/interaction/${uid.toLowerCase()}/start-session`)
    }

    /**
--- a/app/controllers/auth/Oauth2.controller.js
+++ b/app/controllers/auth/Oauth2.controller.js
@@ -18,6 +18,24 @@ class Oauth2 extends Oauth2Controller {
        const StarshipClient = this.models.get('oauth:Client')
        const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })

+        // Make sure the user has IAM access before proceeding
+        const Application = this.models.get('Application')
+        const Policy = this.models.get('iam:Policy')
+        const application = await Application.findOne({ oauth_client_ids: starship_client.id })
+        if ( !application ) {
+            this.output.warning('IAM Denial!')
+            return this.Vue.auth_message(res, {
+                message: req.T('saml.no_access').replace('APP_NAME', application.name),
+                next_destination: '/dash',
+            })
+        } else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
+            this.output.warning('IAM Denial!')
+            return this.Vue.auth_message(res, {
+                message: req.T('saml.no_access').replace('APP_NAME', application.name),
+                next_destination: '/dash',
+            })
+        }
+
        req.user.authorize(starship_client)
        await req.user.save()
        return super.authorize_post(req, res, next)
@@ -31,6 +49,24 @@ class Oauth2 extends Oauth2Controller {
        const StarshipClient = this.models.get('oauth:Client')
        const starship_client = await StarshipClient.findOne({ active: true, uuid: client.clientID })

+        // Make sure the user has IAM access before proceeding
+        const Application = this.models.get('Application')
+        const Policy = this.models.get('iam:Policy')
+        const application = await Application.findOne({ oauth_client_ids: starship_client.id })
+        if ( !application ) {
+            this.output.warning('IAM Denial!')
+            return this.Vue.auth_message(res, {
+                message: req.T('saml.no_access').replace('APP_NAME', application.name),
+                next_destination: '/dash',
+            })
+        } else if ( !(await Policy.check_user_access(req.user, application.id)) ) {
+            this.output.warning('IAM Denial!')
+            return this.Vue.auth_message(res, {
+                message: req.T('saml.no_access').replace('APP_NAME', application.name),
+                next_destination: '/dash',
+            })
+        }
+
        if ( req.user.has_authorized(starship_client) ) {
            return this.Vue.invoke_action(res, {
                text: 'Grant Access',
Author	SHA1	Message	Date
garrettmills	fcbf25e3ce	Check IAM policy for OAuth2 logins All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-19 09:51:36 -05:00
garrettmills	084ec7bbc1	inflate OpenID UID to case-sensitive on lookup All checks were successful continuous-integration/drone/push Build is passing Details	2020-10-19 09:39:28 -05:00
garrettmills	6b3339a883	Force OpenID UID to be lowercase All checks were successful continuous-integration/drone/push Build is passing Details	2020-10-19 09:35:49 -05:00
garrettmills	8f1bbfef56	OpenID - revert case insensitive session UID lookup All checks were successful continuous-integration/drone/push Build is passing Details continuous-integration/drone/tag Build is passing Details	2020-10-19 09:26:52 -05:00