Added openid.allowGroup

author: Daniel <djr2468@gmail.com> 2023-04-05 17:59:04 +0100
committer: Daniel <djr2468@gmail.com> 2023-04-05 17:59:04 +0100
commit: c56b136a328bc1781ccc74aa27fdecf4a17b9595 (patch)
tree: 1232cadf61a35fbe653ecdb02a059ed0bab6bfd8 /src/main/java/org/traccar
parent: 9ab4a6e303c0e8a4997252b4c6a8b2dd601d73af (diff)
download: trackermap-server-c56b136a328bc1781ccc74aa27fdecf4a17b9595.tar.gz
trackermap-server-c56b136a328bc1781ccc74aa27fdecf4a17b9595.tar.bz2
trackermap-server-c56b136a328bc1781ccc74aa27fdecf4a17b9595.zip
2 files changed, 18 insertions, 1 deletions
diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java
index 3ed6c6026..363d4a472 100644
--- a/src/main/java/org/traccar/config/Keys.java
+++ b/src/main/java/org/traccar/config/Keys.java
@@ -673,6 +673,15 @@ public final class Keys {
             List.of(KeyType.CONFIG));
 
     /**
+     * OpenID Connect group to restrict access to.
+     * If this is not provided, all OpenID users will have access to Traccar.
+     * This option will only work if your OpenID provider supports the groups scope.
+     */
+    public static final ConfigKey<String> OPENID_ALLOWGROUP = new StringConfigKey(
+        "openid.allowGroup",
+        List.of(KeyType.CONFIG));
+
+    /**
      * OpenID Connect group to grant admin access.
      * If this is not provided, no groups will be granted admin access.
      * This option will only work if your OpenID provider supports the groups scope.
diff --git a/src/main/java/org/traccar/database/OpenIdProvider.java b/src/main/java/org/traccar/database/OpenIdProvider.java
index 2b0f9d290..370876ed9 100644
--- a/src/main/java/org/traccar/database/OpenIdProvider.java
+++ b/src/main/java/org/traccar/database/OpenIdProvider.java
@@ -30,6 +30,7 @@ import java.net.http.HttpClient;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse.BodyHandlers;
 import java.security.GeneralSecurityException;
+import java.util.List;
 import java.util.Map;
 import java.io.IOException;
 import javax.servlet.http.HttpServletRequest;
@@ -76,6 +77,7 @@ public class OpenIdProvider {
     private URI userInfoUrl;
     private URI baseUrl;
     private final String adminGroup;
+    private final String allowGroup;
 
     private LoginService loginService;
 
@@ -129,6 +131,7 @@ public class OpenIdProvider {
         }
 
         adminGroup = config.getString(Keys.OPENID_ADMINGROUP);
+        allowGroup = config.getString(Keys.OPENID_ALLOWGROUP);
     }
 
     public URI createAuthUri() {
@@ -200,7 +203,12 @@ public class OpenIdProvider {
 
             UserInfo userInfo = getUserInfo(bearerToken);
 
-            Boolean administrator = adminGroup != null && userInfo.getStringListClaim("groups").contains(adminGroup);
+            List<String> userGroups = userInfo.getStringListClaim("groups");
+            Boolean administrator = adminGroup != null && userGroups.contains(adminGroup);
+
+            if (!(administrator || allowGroup == null || userGroups.contains(allowGroup))) {
+                throw new GeneralSecurityException("Your OpenID Groups do not permit access to Traccar.");
+            }
 
             User user = loginService.login(userInfo.getEmailAddress(), userInfo.getName(), administrator);
author	Daniel <djr2468@gmail.com>	2023-04-05 17:59:04 +0100
committer	Daniel <djr2468@gmail.com>	2023-04-05 17:59:04 +0100
commit	c56b136a328bc1781ccc74aa27fdecf4a17b9595 (patch)
tree	1232cadf61a35fbe653ecdb02a059ed0bab6bfd8 /src/main/java/org/traccar
parent	9ab4a6e303c0e8a4997252b4c6a8b2dd601d73af (diff)
download	trackermap-server-c56b136a328bc1781ccc74aa27fdecf4a17b9595.tar.gz trackermap-server-c56b136a328bc1781ccc74aa27fdecf4a17b9595.tar.bz2 trackermap-server-c56b136a328bc1781ccc74aa27fdecf4a17b9595.zip