From feeef0ceae2d36bd8d01a9a85766d42de6a8b51a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thorben=20G=C3=BCnther?=
Date: Wed, 30 Jun 2021 14:32:30 +0200
Subject: [PATCH] oidc: Add roles claim and bound role

With this you can deny the user from logging in, if a needed group is not included in the claims.
---
 peertube-plugin-auth-openid-connect/README.md | 2 ++
 peertube-plugin-auth-openid-connect/main.js | 30 ++++++++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/peertube-plugin-auth-openid-connect/README.md b/peertube-plugin-auth-openid-connect/README.md
index be1ab07..2ea5a2b 100644
--- a/peertube-plugin-auth-openid-connect/README.md
+++ b/peertube-plugin-auth-openid-connect/README.md
@@ -9,3 +9,5 @@ l'Éducation et de la Jeunesse" (french Ministry of National Education). The callback URL to configure on the OIDC provider side is: /plugins/auth-openid-connect/router/code-cb If you don't specifie a role attribute new users will have a 'User' role by default. If you use this attribute it should hold an integer from this set of values: 0 (Administrator), 1 (Moderator), 2 (User).
+
+With `group-property` and `allowed-group` you can allow only a subset of users to login.
diff --git a/peertube-plugin-auth-openid-connect/main.js b/peertube-plugin-auth-openid-connect/main.js
index 0a13a81..974f320 100644
--- a/peertube-plugin-auth-openid-connect/main.js
+++ b/peertube-plugin-auth-openid-connect/main.js
@@ -94,6 +94,22 @@ async function register ({
 private: true
 })
+ registerSetting({
+ name: 'group-property',
+ label: 'Group property',
+ type: 'input',
+ private: true,
+ descriptionHTML: 'Property/claim that contains a users groups'
+ })
+
+ registerSetting({
+ name: 'allowed-group',
+ label: 'Allowed group',
+ type: 'input',
+ private: true,
+ descriptionHTML: 'Will only allow login for users whose group array contains this group'
+ })
+
 const router = getRouter()
 router.use('/code-cb', (req, res) => handleCb(peertubeHelpers, settingsManager, req, res))
@@ -249,7 +265,9 @@ async function handleCb (peertubeHelpers, settingsManager, req, res) {
 'mail-property',
 'username-property',
 'display-name-property',
- 'role-property'
+ 'role-property',
+ 'group-property',
+ 'allowed-group'
 ])
 logger.debug('Got userinfo from openid auth.', { userInfo, settings })
@@ -267,6 +285,16 @@ async function handleCb (peertubeHelpers, settingsManager, req, res) {
 }
 }
+ if (settings['group-property'] && settings['allowed-group']) {
+ let roles = userInfo[settings['group-property']]
+ if (!roles.includes(settings['allowed-group'])) {
+ throw {
+ name: "AllowedGroupNotFound",
+ message: "User is not in allowed group"
+ }
+ }
+ }
+
 let displayName
 if (settings['display-name-property']) {
 displayName = userInfo[settings['display-name-property']]
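Review bot: The two new settings are only enforced together — the check added later in this file runs only when both `group-property` and `allowed-group` are non-empty, so an operator who fills in `allowed-group` alone gets no login restriction and no warning. The `descriptionHTML` strings should say so, e.g. for the second setting: `descriptionHTML: 'Will only allow login for users whose group array contains this group (requires "Group property" to be set as well)'`. It would also help to state that the claim is expected to be an array of strings, since that is what the membership check assumes. The enclosing register function continues outside the hunk.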
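Review bot: The new `roles.includes(...)` check in handleCb does not fail closed: if the configured claim is absent from `userInfo`, `roles` is undefined and the call throws a TypeError instead of the intended AllowedGroupNotFound error, and if the provider returns the claim as a single string, `String.prototype.includes` does a substring match, so (as a constructed example) a claim value of `admins-readonly` would satisfy an `allowed-group` of `admins`. Guard the type explicitly: `const roles = userInfo[settings['group-property']]` and `if (!Array.isArray(roles) || !roles.includes(settings['allowed-group'])) {`. The thrown value is a plain object rather than an `Error`; that may match how the rest of handleCb throws (not visible here), but an `Error` instance would keep a stack trace for the operator's logs. handleCb's body continues outside the hunk on both sides.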