diff options
author | Daniel <djr2468@gmail.com> | 2023-04-05 17:59:04 +0100 |
---|---|---|
committer | Daniel <djr2468@gmail.com> | 2023-04-05 17:59:04 +0100 |
commit | c56b136a328bc1781ccc74aa27fdecf4a17b9595 (patch) | |
tree | 1232cadf61a35fbe653ecdb02a059ed0bab6bfd8 /src/main/java | |
parent | 9ab4a6e303c0e8a4997252b4c6a8b2dd601d73af (diff) | |
download | trackermap-server-c56b136a328bc1781ccc74aa27fdecf4a17b9595.tar.gz trackermap-server-c56b136a328bc1781ccc74aa27fdecf4a17b9595.tar.bz2 trackermap-server-c56b136a328bc1781ccc74aa27fdecf4a17b9595.zip |
Added openid.allowGroup
Diffstat (limited to 'src/main/java')
-rw-r--r-- | src/main/java/org/traccar/config/Keys.java | 9 | ||||
-rw-r--r-- | src/main/java/org/traccar/database/OpenIdProvider.java | 10 |
2 files changed, 18 insertions, 1 deletions
diff --git a/src/main/java/org/traccar/config/Keys.java b/src/main/java/org/traccar/config/Keys.java index 3ed6c6026..363d4a472 100644 --- a/src/main/java/org/traccar/config/Keys.java +++ b/src/main/java/org/traccar/config/Keys.java @@ -673,6 +673,15 @@ public final class Keys { List.of(KeyType.CONFIG)); /** + * OpenID Connect group to restrict access to. + * If this is not provided, all OpenID users will have access to Traccar. + * This option will only work if your OpenID provider supports the groups scope. + */ + public static final ConfigKey<String> OPENID_ALLOWGROUP = new StringConfigKey( + "openid.allowGroup", + List.of(KeyType.CONFIG)); + + /** * OpenID Connect group to grant admin access. * If this is not provided, no groups will be granted admin access. * This option will only work if your OpenID provider supports the groups scope. diff --git a/src/main/java/org/traccar/database/OpenIdProvider.java b/src/main/java/org/traccar/database/OpenIdProvider.java index 2b0f9d290..370876ed9 100644 --- a/src/main/java/org/traccar/database/OpenIdProvider.java +++ b/src/main/java/org/traccar/database/OpenIdProvider.java @@ -30,6 +30,7 @@ import java.net.http.HttpClient; import java.net.http.HttpRequest; import java.net.http.HttpResponse.BodyHandlers; import java.security.GeneralSecurityException; +import java.util.List; import java.util.Map; import java.io.IOException; import javax.servlet.http.HttpServletRequest; @@ -76,6 +77,7 @@ public class OpenIdProvider { private URI userInfoUrl; private URI baseUrl; private final String adminGroup; + private final String allowGroup; private LoginService loginService; @@ -129,6 +131,7 @@ public class OpenIdProvider { } adminGroup = config.getString(Keys.OPENID_ADMINGROUP); + allowGroup = config.getString(Keys.OPENID_ALLOWGROUP); } public URI createAuthUri() { @@ -200,7 +203,12 @@ public class OpenIdProvider { UserInfo userInfo = getUserInfo(bearerToken); - Boolean administrator = adminGroup != null && userInfo.getStringListClaim("groups").contains(adminGroup); + List<String> userGroups = userInfo.getStringListClaim("groups"); + Boolean administrator = adminGroup != null && userGroups.contains(adminGroup); + + if (!(administrator || allowGroup == null || userGroups.contains(allowGroup))) { + throw new GeneralSecurityException("Your OpenID Groups do not permit access to Traccar."); + } User user = loginService.login(userInfo.getEmailAddress(), userInfo.getName(), administrator); |