Add role field array support (#774)

oidc: add array role field support Signed-off-by: Ismail Baskin <ismailbaskin5@gmail.com>
2022-03-25 12:36:35 +03:00 · 2022-03-25 12:36:35 +03:00 · 853086b942
commit 853086b942
parent 81bdba6782
2 changed files with 52 additions and 14 deletions
--- a/httpd/oidc.go
+++ b/httpd/oidc.go
@ -169,7 +169,7 @@ type oidcToken struct {
 	Nonce        string      `json:"nonce"`
 	Username     string      `json:"username"`
 	Permissions  []string    `json:"permissions"`
-	Role         string   `json:"role"`
+	Role         interface{} `json:"role"`
 	Cookie       string      `json:"cookie"`
 	UsedAt       int64       `json:"used_at"`
 }
@ -190,7 +190,7 @@ func (t *oidcToken) parseClaims(claims map[string]interface{}, usernameField, ro
 	}
 	t.Username = username
 	if roleField != "" {
-		role, ok := claims[roleField].(string)
+		role, ok := claims[roleField]
 		if ok {
 			t.Role = role
 		}
@ -203,7 +203,19 @@ func (t *oidcToken) parseClaims(claims map[string]interface{}, usernameField, ro
 }

 func (t *oidcToken) isAdmin() bool {
-	return t.Role == "admin"
+	switch v := t.Role.(type) {
+	case string:
+		return v == "admin"
+	case []interface{}:
+		for _, s := range v {
+			if val, ok := s.(string); ok && val == "admin" {
+				return true
+			}
+		}
+		return false
+	default:
+		return false
+	}
 }

 func (t *oidcToken) isExpired() bool {
--- a/httpd/oidc_test.go
+++ b/httpd/oidc_test.go
@ -1005,3 +1005,29 @@ func getPreLoginScriptContent(user dataprovider.User, nonJSONResponse bool) []by
 	}
 	return content
 }
+
+func TestOIDCIsAdmin(t *testing.T) {
+	type test struct {
+		input interface{}
+		want  bool
+	}
+
+	emptySlice := make([]interface{}, 0)
+
+	tests := []test{
+		{input: "admin", want: true},
+		{input: append(emptySlice, "admin"), want: true},
+		{input: append(emptySlice, "user", "admin"), want: true},
+		{input: "user", want: false},
+		{input: emptySlice, want: false},
+		{input: append(emptySlice, 1), want: false},
+		{input: 1, want: false},
+		{input: nil, want: false},
+	}
+	for _, tc := range tests {
+		token := oidcToken{
+			Role: tc.input,
+		}
+		assert.Equal(t, tc.want, token.isAdmin(), "%v should return %t", tc.input, tc.want)
+	}
+}