OIDC: allow to get the role field from a sub-struct

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>

docs/full-configuration.md

@@ -282,7 +282,7 @@ The configuration file contains the following sections:
       - `redirect_base_url`, string. Defines the base URL to redirect to after OpenID authentication. The suffix `/web/oidc/redirect` will be added to this base URL, adding also the `web_root` if configured. Default: blank.
       - `username_field`, string. Defines the ID token claims field to map to the SFTPGo username. Default: blank.
       - `scopes`, list of strings. Request the OAuth provider to provide the scope information from an authenticated users. The `openid` scope is mandatory. Default: `"openid", "profile", "email"`.
-      - `role_field`, string. Defines the optional ID token claims field to map to a SFTPGo role. If the defined ID token claims field is set to `admin` the authenticated user is mapped to an SFTPGo admin. You don't need to specify this field if you want to use OpenID only for the Web Client UI. Default: blank.
+      - `role_field`, string. Defines the optional ID token claims field to map to a SFTPGo role. If the defined ID token claims field is set to `admin` the authenticated user is mapped to an SFTPGo admin. You don't need to specify this field if you want to use OpenID only for the Web Client UI. If the field is inside a nested structure, you can use the dot notation to traverse the structures. Default: blank.
       - `implicit_roles`, boolean. If set, the `role_field` is ignored and the SFTPGo role is assumed based on the login link used. Default: `false`.
       - `custom_fields`, list of strings. Custom token claims fields to pass to the pre-login hook. Default: empty.
       - `debug`, boolean. If set, the received id tokens will be logged at debug level. Default: `false`.

httpd/oidc.go

@@ -225,12 +225,7 @@ func (t *oidcToken) parseClaims(claims map[string]any, usernameField, roleField
 	if forcedRole != "" {
 		t.Role = forcedRole
 	} else {
-		if roleField != "" {
-			role, ok := claims[roleField]
-			if ok {
-				t.Role = role
-			}
-		}
+		t.getRoleFromField(claims, roleField)
 	}
 	t.CustomFields = nil
 	if len(customFields) > 0 {
@@ -254,6 +249,41 @@ func (t *oidcToken) parseClaims(claims map[string]any, usernameField, roleField
 	return nil
 }
 
+func (t *oidcToken) getRoleFromField(claims map[string]any, roleField string) {
+	if roleField != "" {
+		role, ok := claims[roleField]
+		if ok {
+			t.Role = role
+			return
+		}
+		if !strings.Contains(roleField, ".") {
+			return
+		}
+
+		getStructValue := func(outer any, field string) (any, bool) {
+			switch val := outer.(type) {
+			case map[string]any:
+				res, ok := val[field]
+				return res, ok
+			}
+			return nil, false
+		}
+
+		for idx, field := range strings.Split(roleField, ".") {
+			if idx == 0 {
+				role, ok = getStructValue(claims, field)
+			} else {
+				role, ok = getStructValue(role, field)
+			}
+			if !ok {
+				return
+			}
+		}
+
+		t.Role = role
+	}
+}
+
 func (t *oidcToken) isAdmin() bool {
 	switch v := t.Role.(type) {
 	case string:

httpd/oidc_test.go

@@ -1163,6 +1163,59 @@ func TestOIDCIsAdmin(t *testing.T) {
 	}
 }
 
+func TestParseAdminRole(t *testing.T) {
+	claims := make(map[string]any)
+	rawClaims := []byte(`{
+		"sub": "35666371",
+		"email": "example@example.com",
+		"preferred_username": "Sally",
+		"name": "Sally Tyler",
+		"updated_at": "2018-04-13T22:08:45Z",
+		"given_name": "Sally",
+		"family_name": "Tyler",
+		"params": {
+		  "sftpgo_role": "admin",
+		  "subparams": {
+			"sftpgo_role": "admin",
+			"inner": {
+				"sftpgo_role": ["user","admin"]
+			}
+		  }
+		},
+		"at_hash": "lPLhxI2wjEndc-WfyroDZA",
+		"rt_hash": "mCmxPtA04N-55AxlEUbq-A",
+		"aud": "78d1d040-20c9-0136-5146-067351775fae92920",
+		"exp": 1523664997,
+		"iat": 1523657797
+	  }`)
+	err := json.Unmarshal(rawClaims, &claims)
+	assert.NoError(t, err)
+
+	type test struct {
+		input string
+		want  bool
+	}
+
+	tests := []test{
+		{input: "sftpgo_role", want: false},
+		{input: "params.sftpgo_role", want: true},
+		{input: "params.subparams.sftpgo_role", want: true},
+		{input: "params.subparams.inner.sftpgo_role", want: true},
+		{input: "email", want: false},
+		{input: "missing", want: false},
+		{input: "params.email", want: false},
+		{input: "missing.sftpgo_role", want: false},
+		{input: "params", want: false},
+		{input: "params.subparams.inner.sftpgo_role.missing", want: false},
+	}
+
+	for _, tc := range tests {
+		token := oidcToken{}
+		token.getRoleFromField(claims, tc.input)
+		assert.Equal(t, tc.want, token.isAdmin(), "%q should return %t", tc.input, tc.want)
+	}
+}
+
 func TestOIDCWithLoginFormsDisabled(t *testing.T) {
 	oidcMgr, ok := oidcMgr.(*memoryOIDCManager)
 	require.True(t, ok)