feat: group auto assignment and leaving based on role-to-group association

Author: julianlam

lib/controllers.js

@@ -3,6 +3,7 @@
 const fetch = require('node-fetch');
 
 const db = require.main.require('./src/database');
+const groups = require.main.require('./src/groups');
 const slugify = require.main.require('./src/slugify');
 const helpers = require.main.require('./src/controllers/helpers');
 
@@ -11,10 +12,23 @@ const main = require('../library');
 const Controllers = module.exports;
 
 Controllers.renderAdminPage = async (req, res) => {
+	const main = require('../library');
 	const strategies = await main.listStrategies();
+	let groupNames = await db.getSortedSetRange('groups:createtime', 0, -1);
+	groupNames = groupNames.filter(name => (
+		name !== 'registered-users' &&
+		name !== 'verified-users' &&
+		name !== 'unverified-users' &&
+		name !== groups.BANNED_USERS &&
+		!groups.isPrivilegeGroup(name)
+	));
+	const associations = await main.getAssociations();
+
 	res.render('admin/plugins/sso-oauth2-multiple', {
 		title: 'Multiple OAuth2',
 		strategies,
+		associations,
+		groupNames,
 	});
 };
 

library.js

@@ -7,6 +7,8 @@ const winston = module.parent.require('winston');
 const db = require.main.require('./src/database');
 const user = require.main.require('./src/user');
 const plugins = require.main.require('./src/plugins');
+const meta = require.main.require('./src/meta');
+const groups = require.main.require('./src/groups');
 const authenticationController = require.main.require('./src/controllers/authentication');
 const routeHelpers = require.main.require('./src/routes/helpers');
 
@@ -101,6 +103,7 @@ OAuth.loadStrategies = async (strategies) => {
 
 		winston.verbose(`[plugin/sso-oauth2-multiple] Successful login to uid ${user.uid} via ${name} (remote id ${id})`);
 		authenticationController.onSuccessfulLogin(req, user.uid);
+		OAuth.assignGroups({ provider: name, user, profile });
 		done(null, user);
 
 		plugins.hooks.fire('action:oauth2.login', { name, user, profile });
@@ -155,14 +158,15 @@ OAuth.getUserProfile = function (name, userRoute, accessToken, done) {
 OAuth.parseUserReturn = async (provider, profile) => {
 	const {
 		id, sub, name, nickname, preferred_username, picture,
-		email, /* , email_verified */
+		roles, email, /* , email_verified */
 	} = profile;
 	const { usernameViaEmail, idKey } = await OAuth.getStrategy(provider);
 	const normalized = {
 		provider,
 		id: profile[idKey] || id || sub,
 		displayName: nickname || preferred_username || name,
 		picture,
+		roles,
 		email,
 	};
 
@@ -173,6 +177,19 @@ OAuth.parseUserReturn = async (provider, profile) => {
 	return normalized;
 };
 
+OAuth.getAssociations = async () => {
+	let { roles, groups } = await meta.settings.get('sso-oauth2-multiple');
+	if (!roles || !groups) {
+		return [];
+	}
+
+	groups = groups.split(',');
+	return roles.split(',').map((role, idx) => ({
+		role,
+		group: groups[idx],
+	}));
+};
+
 OAuth.login = async (payload) => {
 	let uid = await OAuth.getUidByOAuthid(payload.name, payload.oAuthid);
 	if (uid !== null) {
@@ -202,6 +219,30 @@ OAuth.login = async (payload) => {
 	return { uid };
 };
 
+OAuth.assignGroups = async ({ user, profile }) => {
+	if (!profile.roles || !Array.isArray(profile.roles)) {
+		return;
+	}
+
+	const { uid } = user;
+	const associations = await OAuth.getAssociations();
+	const { toJoin, toLeave } = associations.reduce((memo, { role, group }) => {
+		if (profile.roles.includes(role)) {
+			memo.toJoin.push(group);
+		} else {
+			memo.toLeave.push(group);
+		}
+
+		return memo;
+	}, { toJoin: [], toLeave: [] });
+	if (toLeave.length) {
+		winston.verbose(`[plugins/sso-auth0] uid ${uid} now leaving ${toLeave.length} these user groups: ${toLeave.join(', ')}`);
+	}
+	await groups.leave(toLeave, uid);
+	await groups.join(toJoin, uid);
+	winston.verbose(`[plugins/sso-auth0] uid ${uid} now a part of ${toJoin.length} these user groups: ${toJoin.join(', ')}`);
+};
+
 OAuth.getUidByOAuthid = async (name, oAuthid) => db.getObjectField(`${name}Id:uid`, oAuthid);
 
 OAuth.deleteUserData = async (data) => {

static/lib/admin.js

@@ -7,16 +7,10 @@ import { alert as bootboxAlert, confirm } from 'bootbox';
 import { get, post, del } from 'api';
 import { alert, error } from 'alerts';
 import { render } from 'benchpress';
+import { save, load } from 'settings';
 
 // eslint-disable-next-line import/prefer-default-export
 export function init() {
-	// settings.load('sso-oauth2-multiple', $('.sso-oauth2-multiple-settings'));
-	// $('#save').on('click', saveSettings);
-	const saveEl = document.getElementById('save');
-	if (saveEl) {
-		saveEl.classList.toggle('d-none', true);
-	}
-
 	const formEl = document.querySelector('.sso-oauth2-multiple-settings');
 	formEl.addEventListener('click', async (e) => {
 		const subselector = e.target.closest('[data-action]');
@@ -85,6 +79,61 @@ export function init() {
 			}
 		}
 	});
+
+	handleSettingsForm();
+	handleAssociations();
+}
+
+function handleSettingsForm() {
+	load('sso-oauth2-multiple', $('.sso-oauth2-multiple-settings'), () => {
+		const fieldset = document.getElementById('associations');
+		const selectEls = fieldset.querySelectorAll('select[data-value]');
+		if (selectEls.length) {
+			selectEls.forEach((el) => {
+				const value = el.getAttribute('data-value');
+				const optionEl = el.querySelector(`option[value="${value}"]`);
+				optionEl.selected = true;
+			});
+		}
+
+		// settings.load shoves all the values into the first association input, so
+		// the roles all start out disabled so that they don't get overridden
+		const domainEls = fieldset.querySelectorAll('input[disabled]');
+		domainEls.forEach((el) => {
+			el.disabled = false;
+		});
+	});
+
+	$('#save').on('click', () => {
+		save('sso-oauth2-multiple', $('.sso-oauth2-multiple-settings')); // pass in a function in the 3rd parameter to override the default success/failure handler
+	});
+}
+
+function handleAssociations() {
+	const addEl = document.querySelector('[data-action="add"]');
+	const fieldset = document.getElementById('associations');
+	console.log(addEl, fieldset);
+	if (!addEl || !fieldset) {
+		return;
+	}
+
+	addEl.addEventListener('click', async () => {
+		let html = await render('partials/group-association-field', {
+			groupNames: ajaxify.data.groupNames,
+		});
+		html = new DOMParser().parseFromString(html, 'text/html').body.childNodes;
+		fieldset.append(...html);
+	});
+
+	fieldset.addEventListener('click', (e) => {
+		const subselector = e.target.closest('[data-action="remove"]');
+		if (!subselector) {
+			return;
+		}
+
+		const row = subselector.closest('.association');
+		row.remove();
+	});
 }
 
 function handleEditStrategy(ok) {

static/templates/admin/plugins/sso-oauth2-multiple.tpl

@@ -50,6 +50,22 @@
 						</tfoot>
 					</table>
 				</div>
+
+				<div class="mb-4">
+					<h5>Role to Group Associations</h5>
+					<p>
+						If the OAuth2 provider sends back a <code>roles</code> property in the User Info endpoint,
+						the user can be assigned to a specific user group based on a configured association below.
+					</p>
+
+					<fieldset id="associations">
+						{{{ each associations }}}
+						<!-- IMPORT partials/group-association-field.tpl -->
+						{{{ end }}}
+					</fieldset>
+
+					<button type="button" class="btn btn-primary" data-action="add">Add association</button>
+				</div>
 			</form>
 		</div>
 

static/templates/partials/group-association-field.tpl

@@ -0,0 +1,12 @@
+<div class="mb-3 association">
+	<div class="input-group">
+		<input type="text" name="roles" class="form-control" placeholder="Role" value="{./role}" {{{ if ./role }}}disabled{{{ end }}}>
+		<span class="input-group-text">&rarr;</span>
+		<select class="form-control" name="groups" data-value="{./group}">
+			{{{ each groupNames }}}
+			<option value="{@value}">{@value}</option>
+			{{{ end }}}
+		</select>
+		<button class="btn" type="button" data-action="remove"><i class="fa fa-trash text-danger"></i></button>
+	</div>
+</div>