mirror of
https://github.com/lennart-k/rustical.git
synced 2025-12-13 21:42:34 +00:00
frontend: Move oidc configuration to dedicated section
This commit is contained in:
Lennart
@@ -38,8 +38,6 @@ pub struct FrontendConfig {
|
||||
pub secret_key: [u8; 64],
|
||||
#[serde(default = "default_true")]
|
||||
pub enabled: bool,
|
||||
#[serde(default)]
|
||||
pub oidc: Option<OidcConfig>,
|
||||
#[serde(default = "default_true")]
|
||||
pub allow_password_login: bool,
|
||||
}
|
||||
|
||||
@@ -34,7 +34,7 @@ pub mod nextcloud_login;
|
||||
mod oidc;
|
||||
mod routes;
|
||||
|
||||
pub use config::FrontendConfig;
|
||||
pub use config::{FrontendConfig, OidcConfig};
|
||||
|
||||
pub fn generate_app_token() -> String {
|
||||
rand::thread_rng()
|
||||
@@ -193,63 +193,68 @@ pub fn configure_frontend<AP: AuthenticationProvider, CS: CalendarStore, AS: Add
|
||||
cal_store: Arc<CS>,
|
||||
addr_store: Arc<AS>,
|
||||
frontend_config: FrontendConfig,
|
||||
oidc_config: Option<OidcConfig>,
|
||||
) {
|
||||
cfg.service(
|
||||
web::scope("")
|
||||
.wrap(ErrorHandlers::new().handler(StatusCode::UNAUTHORIZED, unauthorized_handler))
|
||||
.wrap(AuthenticationMiddleware::new(auth_provider.clone()))
|
||||
.wrap(session_middleware(frontend_config.secret_key))
|
||||
.app_data(Data::from(auth_provider))
|
||||
.app_data(Data::from(cal_store.clone()))
|
||||
.app_data(Data::from(addr_store.clone()))
|
||||
.app_data(Data::new(frontend_config.clone()))
|
||||
.service(EmbedService::<Assets>::new("/assets".to_owned()))
|
||||
.service(web::resource("").route(web::method(Method::GET).to(route_root)))
|
||||
.service(
|
||||
web::resource("/user")
|
||||
.route(web::method(Method::GET).to(route_user))
|
||||
.name("frontend_user"),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}")
|
||||
.route(web::method(Method::GET).to(route_user_named::<CS, AS>))
|
||||
.name("frontend_user_named"),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}/app_token")
|
||||
.route(web::method(Method::POST).to(route_post_app_token::<AP>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}/app_token/{id}/delete")
|
||||
.route(web::method(Method::POST).to(route_delete_app_token::<AP>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}/calendar/{calendar}")
|
||||
.route(web::method(Method::GET).to(route_calendar::<CS>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}/calendar/{calendar}/restore")
|
||||
.route(web::method(Method::POST).to(route_calendar_restore::<CS>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}/addressbook/{addressbook}")
|
||||
.route(web::method(Method::GET).to(route_addressbook::<AS>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}/addressbook/{addressbook}/restore")
|
||||
.route(web::method(Method::POST).to(route_addressbook_restore::<AS>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/login")
|
||||
.name("frontend_login")
|
||||
.route(web::method(Method::GET).to(route_get_login))
|
||||
.route(web::method(Method::POST).to(route_post_login::<AP>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/logout")
|
||||
.name("frontend_logout")
|
||||
.route(web::method(Method::POST).to(route_post_logout)),
|
||||
)
|
||||
let mut scope = web::scope("")
|
||||
.wrap(ErrorHandlers::new().handler(StatusCode::UNAUTHORIZED, unauthorized_handler))
|
||||
.wrap(AuthenticationMiddleware::new(auth_provider.clone()))
|
||||
.wrap(session_middleware(frontend_config.secret_key))
|
||||
.app_data(Data::from(auth_provider))
|
||||
.app_data(Data::from(cal_store.clone()))
|
||||
.app_data(Data::from(addr_store.clone()))
|
||||
.app_data(Data::new(frontend_config.clone()))
|
||||
.app_data(Data::new(oidc_config.clone()))
|
||||
.service(EmbedService::<Assets>::new("/assets".to_owned()))
|
||||
.service(web::resource("").route(web::method(Method::GET).to(route_root)))
|
||||
.service(
|
||||
web::resource("/user")
|
||||
.route(web::method(Method::GET).to(route_user))
|
||||
.name("frontend_user"),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}")
|
||||
.route(web::method(Method::GET).to(route_user_named::<CS, AS>))
|
||||
.name("frontend_user_named"),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}/app_token")
|
||||
.route(web::method(Method::POST).to(route_post_app_token::<AP>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}/app_token/{id}/delete")
|
||||
.route(web::method(Method::POST).to(route_delete_app_token::<AP>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}/calendar/{calendar}")
|
||||
.route(web::method(Method::GET).to(route_calendar::<CS>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}/calendar/{calendar}/restore")
|
||||
.route(web::method(Method::POST).to(route_calendar_restore::<CS>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}/addressbook/{addressbook}")
|
||||
.route(web::method(Method::GET).to(route_addressbook::<AS>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/user/{user}/addressbook/{addressbook}/restore")
|
||||
.route(web::method(Method::POST).to(route_addressbook_restore::<AS>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/login")
|
||||
.name("frontend_login")
|
||||
.route(web::method(Method::GET).to(route_get_login))
|
||||
.route(web::method(Method::POST).to(route_post_login::<AP>)),
|
||||
)
|
||||
.service(
|
||||
web::resource("/logout")
|
||||
.name("frontend_logout")
|
||||
.route(web::method(Method::POST).to(route_post_logout)),
|
||||
);
|
||||
|
||||
if let Some(oidc_config) = oidc_config {
|
||||
scope = scope
|
||||
.app_data(Data::new(oidc_config))
|
||||
.service(
|
||||
web::resource("/login/oidc")
|
||||
.name("frontend_login_oidc")
|
||||
@@ -259,6 +264,8 @@ pub fn configure_frontend<AP: AuthenticationProvider, CS: CalendarStore, AS: Add
|
||||
web::resource("/login/oidc/callback")
|
||||
.name("frontend_oidc_callback")
|
||||
.route(web::method(Method::GET).to(route_get_oidc_callback::<AP>)),
|
||||
),
|
||||
);
|
||||
);
|
||||
}
|
||||
|
||||
cfg.service(scope);
|
||||
}
|
||||
|
||||
@@ -12,9 +12,6 @@ pub enum OidcError {
|
||||
#[error("Cannot generate redirect url, something's not configured correctly")]
|
||||
ActixUrlGenerationError(#[from] UrlGenerationError),
|
||||
|
||||
#[error("RustiCal is not configured correctly for OIDC")]
|
||||
IncorrectConfiguration,
|
||||
|
||||
#[error(transparent)]
|
||||
OidcConfigurationError(#[from] ConfigurationError),
|
||||
|
||||
|
||||
@@ -1,7 +1,4 @@
|
||||
use crate::{
|
||||
FrontendConfig,
|
||||
config::{OidcConfig, UserIdClaim},
|
||||
};
|
||||
use crate::config::{OidcConfig, UserIdClaim};
|
||||
use actix_session::Session;
|
||||
use actix_web::{
|
||||
HttpRequest, HttpResponse, Responder,
|
||||
@@ -92,17 +89,12 @@ pub struct GetOidcForm {
|
||||
pub async fn route_post_oidc(
|
||||
req: HttpRequest,
|
||||
Form(GetOidcForm { redirect_uri }): Form<GetOidcForm>,
|
||||
config: Data<FrontendConfig>,
|
||||
oidc_config: Data<OidcConfig>,
|
||||
session: Session,
|
||||
) -> Result<impl Responder, OidcError> {
|
||||
let oidc_config = config
|
||||
.oidc
|
||||
.clone()
|
||||
.ok_or(OidcError::IncorrectConfiguration)?;
|
||||
|
||||
let http_client = get_http_client();
|
||||
let oidc_client = get_oidc_client(
|
||||
oidc_config.clone(),
|
||||
oidc_config.as_ref().clone(),
|
||||
&http_client,
|
||||
RedirectUrl::new(req.url_for_static("frontend_oidc_callback")?.to_string())?,
|
||||
)
|
||||
@@ -137,21 +129,16 @@ pub async fn route_post_oidc(
|
||||
pub struct AuthCallbackQuery {
|
||||
code: AuthorizationCode,
|
||||
iss: IssuerUrl,
|
||||
// scope: String,
|
||||
// state: String,
|
||||
}
|
||||
|
||||
/// Handle callback from IdP page
|
||||
pub async fn route_get_oidc_callback<AP: AuthenticationProvider>(
|
||||
req: HttpRequest,
|
||||
config: Data<FrontendConfig>,
|
||||
oidc_config: Data<OidcConfig>,
|
||||
session: Session,
|
||||
auth_provider: Data<AP>,
|
||||
Query(AuthCallbackQuery { code, iss }): Query<AuthCallbackQuery>,
|
||||
) -> Result<impl Responder, OidcError> {
|
||||
let oidc_config = config
|
||||
.oidc
|
||||
.clone()
|
||||
.ok_or(OidcError::IncorrectConfiguration)?;
|
||||
assert_eq!(iss, oidc_config.issuer);
|
||||
let oidc_state = session
|
||||
.remove_as::<OidcState>(SESSION_KEY_OIDC_STATE)
|
||||
@@ -160,7 +147,7 @@ pub async fn route_get_oidc_callback<AP: AuthenticationProvider>(
|
||||
|
||||
let http_client = get_http_client();
|
||||
let oidc_client = get_oidc_client(
|
||||
oidc_config.clone(),
|
||||
oidc_config.get_ref().clone(),
|
||||
&http_client,
|
||||
RedirectUrl::new(req.url_for_static("frontend_oidc_callback")?.to_string())?,
|
||||
)
|
||||
@@ -186,11 +173,11 @@ pub async fn route_get_oidc_callback<AP: AuthenticationProvider>(
|
||||
.await
|
||||
.map_err(|_| OidcError::Other("Error fetching user info"))?;
|
||||
|
||||
if let Some(require_group) = oidc_config.require_group {
|
||||
if let Some(require_group) = &oidc_config.require_group {
|
||||
if !user_info_claims
|
||||
.additional_claims()
|
||||
.groups
|
||||
.contains(&require_group)
|
||||
.contains(require_group)
|
||||
{
|
||||
return Ok(HttpResponse::build(StatusCode::UNAUTHORIZED)
|
||||
.body("User is not in an authorized group to use RustiCal"));
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
use crate::{FrontendConfig, oidc::OidcProviderData};
|
||||
use crate::{FrontendConfig, OidcConfig, oidc::OidcProviderData};
|
||||
use actix_session::Session;
|
||||
use actix_web::{
|
||||
HttpRequest, HttpResponse, Responder,
|
||||
@@ -24,22 +24,27 @@ pub struct GetLoginQuery {
|
||||
redirect_uri: Option<String>,
|
||||
}
|
||||
|
||||
#[instrument(skip(req, config))]
|
||||
#[instrument(skip(req, config, oidc_config))]
|
||||
pub async fn route_get_login(
|
||||
Query(GetLoginQuery { redirect_uri }): Query<GetLoginQuery>,
|
||||
req: HttpRequest,
|
||||
config: Data<FrontendConfig>,
|
||||
oidc_config: Data<Option<OidcConfig>>,
|
||||
) -> impl Responder {
|
||||
LoginPage {
|
||||
redirect_uri,
|
||||
allow_password_login: config.allow_password_login,
|
||||
oidc_data: config.oidc.as_ref().map(|oidc| OidcProviderData {
|
||||
name: &oidc.name,
|
||||
let oidc_data = oidc_config
|
||||
.as_ref()
|
||||
.as_ref()
|
||||
.map(|oidc_config| OidcProviderData {
|
||||
name: &oidc_config.name,
|
||||
redirect_url: req
|
||||
.url_for_static("frontend_login_oidc")
|
||||
.unwrap()
|
||||
.to_string(),
|
||||
}),
|
||||
});
|
||||
LoginPage {
|
||||
redirect_uri,
|
||||
allow_password_login: config.allow_password_login,
|
||||
oidc_data,
|
||||
}
|
||||
.respond_to(&req)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user