frontend: Move oidc configuration to dedicated section

2025-12-13 22:52:22 +00:00 · 2025-04-20 20:42:24 +02:00
parent cd0ebc574a
commit 678d2291e0
10 changed files with 98 additions and 98 deletions
--- a/crates/frontend/src/config.rs
+++ b/crates/frontend/src/config.rs
@@ -38,8 +38,6 @@ pub struct FrontendConfig {
    pub secret_key: [u8; 64],
    #[serde(default = "default_true")]
    pub enabled: bool,
-    #[serde(default)]
-    pub oidc: Option<OidcConfig>,
    #[serde(default = "default_true")]
    pub allow_password_login: bool,
 }
--- a/crates/frontend/src/lib.rs
+++ b/crates/frontend/src/lib.rs
@@ -34,7 +34,7 @@ pub mod nextcloud_login;
 mod oidc;
 mod routes;

-pub use config::FrontendConfig;
+pub use config::{FrontendConfig, OidcConfig};

 pub fn generate_app_token() -> String {
    rand::thread_rng()
@@ -193,9 +193,9 @@ pub fn configure_frontend<AP: AuthenticationProvider, CS: CalendarStore, AS: Add
    cal_store: Arc<CS>,
    addr_store: Arc<AS>,
    frontend_config: FrontendConfig,
+    oidc_config: Option<OidcConfig>,
 ) {
-    cfg.service(
-        web::scope("")
+    let mut scope = web::scope("")
        .wrap(ErrorHandlers::new().handler(StatusCode::UNAUTHORIZED, unauthorized_handler))
        .wrap(AuthenticationMiddleware::new(auth_provider.clone()))
        .wrap(session_middleware(frontend_config.secret_key))
@@ -203,6 +203,7 @@ pub fn configure_frontend<AP: AuthenticationProvider, CS: CalendarStore, AS: Add
        .app_data(Data::from(cal_store.clone()))
        .app_data(Data::from(addr_store.clone()))
        .app_data(Data::new(frontend_config.clone()))
+        .app_data(Data::new(oidc_config.clone()))
        .service(EmbedService::<Assets>::new("/assets".to_owned()))
        .service(web::resource("").route(web::method(Method::GET).to(route_root)))
        .service(
@@ -249,7 +250,11 @@ pub fn configure_frontend<AP: AuthenticationProvider, CS: CalendarStore, AS: Add
            web::resource("/logout")
                .name("frontend_logout")
                .route(web::method(Method::POST).to(route_post_logout)),
-            )
+        );
+
+    if let Some(oidc_config) = oidc_config {
+        scope = scope
+            .app_data(Data::new(oidc_config))
            .service(
                web::resource("/login/oidc")
                    .name("frontend_login_oidc")
@@ -259,6 +264,8 @@ pub fn configure_frontend<AP: AuthenticationProvider, CS: CalendarStore, AS: Add
                web::resource("/login/oidc/callback")
                    .name("frontend_oidc_callback")
                    .route(web::method(Method::GET).to(route_get_oidc_callback::<AP>)),
-            ),
            );
    }
+
+    cfg.service(scope);
+}
--- a/crates/frontend/src/oidc/error.rs
+++ b/crates/frontend/src/oidc/error.rs
@@ -12,9 +12,6 @@ pub enum OidcError {
    #[error("Cannot generate redirect url, something's not configured correctly")]
    ActixUrlGenerationError(#[from] UrlGenerationError),

-    #[error("RustiCal is not configured correctly for OIDC")]
-    IncorrectConfiguration,
-
    #[error(transparent)]
    OidcConfigurationError(#[from] ConfigurationError),

--- a/crates/frontend/src/oidc/mod.rs
+++ b/crates/frontend/src/oidc/mod.rs
@@ -1,7 +1,4 @@
-use crate::{
-    FrontendConfig,
-    config::{OidcConfig, UserIdClaim},
-};
+use crate::config::{OidcConfig, UserIdClaim};
 use actix_session::Session;
 use actix_web::{
    HttpRequest, HttpResponse, Responder,
@@ -92,17 +89,12 @@ pub struct GetOidcForm {
 pub async fn route_post_oidc(
    req: HttpRequest,
    Form(GetOidcForm { redirect_uri }): Form<GetOidcForm>,
-    config: Data<FrontendConfig>,
+    oidc_config: Data<OidcConfig>,
    session: Session,
 ) -> Result<impl Responder, OidcError> {
-    let oidc_config = config
-        .oidc
-        .clone()
-        .ok_or(OidcError::IncorrectConfiguration)?;
-
    let http_client = get_http_client();
    let oidc_client = get_oidc_client(
-        oidc_config.clone(),
+        oidc_config.as_ref().clone(),
        &http_client,
        RedirectUrl::new(req.url_for_static("frontend_oidc_callback")?.to_string())?,
    )
@@ -137,21 +129,16 @@ pub async fn route_post_oidc(
 pub struct AuthCallbackQuery {
    code: AuthorizationCode,
    iss: IssuerUrl,
-    // scope: String,
-    // state: String,
 }

+/// Handle callback from IdP page
 pub async fn route_get_oidc_callback<AP: AuthenticationProvider>(
    req: HttpRequest,
-    config: Data<FrontendConfig>,
+    oidc_config: Data<OidcConfig>,
    session: Session,
    auth_provider: Data<AP>,
    Query(AuthCallbackQuery { code, iss }): Query<AuthCallbackQuery>,
 ) -> Result<impl Responder, OidcError> {
-    let oidc_config = config
-        .oidc
-        .clone()
-        .ok_or(OidcError::IncorrectConfiguration)?;
    assert_eq!(iss, oidc_config.issuer);
    let oidc_state = session
        .remove_as::<OidcState>(SESSION_KEY_OIDC_STATE)
@@ -160,7 +147,7 @@ pub async fn route_get_oidc_callback<AP: AuthenticationProvider>(

    let http_client = get_http_client();
    let oidc_client = get_oidc_client(
-        oidc_config.clone(),
+        oidc_config.get_ref().clone(),
        &http_client,
        RedirectUrl::new(req.url_for_static("frontend_oidc_callback")?.to_string())?,
    )
@@ -186,11 +173,11 @@ pub async fn route_get_oidc_callback<AP: AuthenticationProvider>(
        .await
        .map_err(|_| OidcError::Other("Error fetching user info"))?;

-    if let Some(require_group) = oidc_config.require_group {
+    if let Some(require_group) = &oidc_config.require_group {
        if !user_info_claims
            .additional_claims()
            .groups
-            .contains(&require_group)
+            .contains(require_group)
        {
            return Ok(HttpResponse::build(StatusCode::UNAUTHORIZED)
                .body("User is not in an authorized group to use RustiCal"));
--- a/crates/frontend/src/routes/login.rs
+++ b/crates/frontend/src/routes/login.rs
@@ -1,4 +1,4 @@
-use crate::{FrontendConfig, oidc::OidcProviderData};
+use crate::{FrontendConfig, OidcConfig, oidc::OidcProviderData};
 use actix_session::Session;
 use actix_web::{
    HttpRequest, HttpResponse, Responder,
@@ -24,22 +24,27 @@ pub struct GetLoginQuery {
    redirect_uri: Option<String>,
 }

-#[instrument(skip(req, config))]
+#[instrument(skip(req, config, oidc_config))]
 pub async fn route_get_login(
    Query(GetLoginQuery { redirect_uri }): Query<GetLoginQuery>,
    req: HttpRequest,
    config: Data<FrontendConfig>,
+    oidc_config: Data<Option<OidcConfig>>,
 ) -> impl Responder {
-    LoginPage {
-        redirect_uri,
-        allow_password_login: config.allow_password_login,
-        oidc_data: config.oidc.as_ref().map(|oidc| OidcProviderData {
-            name: &oidc.name,
+    let oidc_data = oidc_config
+        .as_ref()
+        .as_ref()
+        .map(|oidc_config| OidcProviderData {
+            name: &oidc_config.name,
            redirect_url: req
                .url_for_static("frontend_login_oidc")
                .unwrap()
                .to_string(),
-        }),
+        });
+    LoginPage {
+        redirect_uri,
+        allow_password_login: config.allow_password_login,
+        oidc_data,
    }
    .respond_to(&req)
 }
--- a/docs/setup/oidc.md
+++ b/docs/setup/oidc.md
@@ -5,7 +5,7 @@ You can set up RustiCal with an OpenID Connect identity provider
 ## Example: Authelia

 ```toml title="RustiCal configuration"
-[frontend.oidc]
+[oidc]
 name = "Authelia"
 issuer = "https://auth.example.com"
 client_id = "rustical"
--- a/src/app.rs
+++ b/src/app.rs
@@ -5,7 +5,7 @@ use actix_web::{App, web};
 use rustical_caldav::caldav_service;
 use rustical_carddav::carddav_service;
 use rustical_frontend::nextcloud_login::{NextcloudFlows, configure_nextcloud_login};
-use rustical_frontend::{FrontendConfig, configure_frontend};
+use rustical_frontend::{FrontendConfig, OidcConfig, configure_frontend};
 use rustical_store::auth::AuthenticationProvider;
 use rustical_store::{AddressbookStore, CalendarStore, SubscriptionStore};
 use std::sync::Arc;
@@ -13,12 +13,14 @@ use tracing_actix_web::TracingLogger;

 use crate::config::NextcloudLoginConfig;

+#[allow(clippy::too_many_arguments)]
 pub fn make_app<AS: AddressbookStore, CS: CalendarStore, S: SubscriptionStore>(
    addr_store: Arc<AS>,
    cal_store: Arc<CS>,
    subscription_store: Arc<S>,
    auth_provider: Arc<impl AuthenticationProvider>,
    frontend_config: FrontendConfig,
+    oidc_config: Option<OidcConfig>,
    nextcloud_login_config: NextcloudLoginConfig,
    nextcloud_flows_state: Arc<NextcloudFlows>,
 ) -> App<
@@ -70,6 +72,7 @@ pub fn make_app<AS: AddressbookStore, CS: CalendarStore, S: SubscriptionStore>(
                    cal_store.clone(),
                    addr_store.clone(),
                    frontend_config,
+                    oidc_config,
                )
            }))
            .service(web::redirect("/", "/frontend").see_other());
--- a/src/commands/mod.rs
+++ b/src/commands/mod.rs
@@ -37,9 +37,9 @@ pub fn cmd_gen_config(_args: GenConfigArgs) -> anyhow::Result<()> {
        frontend: FrontendConfig {
            secret_key: generate_frontend_secret(),
            enabled: true,
-            oidc: None,
            allow_password_login: true,
        },
+        oidc: None,
        dav_push: DavPushConfig::default(),
        nextcloud_login: Default::default(),
    };
--- a/src/config.rs
+++ b/src/config.rs
@@ -1,4 +1,4 @@
-use rustical_frontend::FrontendConfig;
+use rustical_frontend::{FrontendConfig, OidcConfig};
 use rustical_store::auth::TomlUserStoreConfig;
 use serde::{Deserialize, Serialize};

@@ -84,6 +84,8 @@ pub struct Config {
    pub http: HttpConfig,
    pub frontend: FrontendConfig,
    #[serde(default)]
+    pub oidc: Option<OidcConfig>,
+    #[serde(default)]
    pub tracing: TracingConfig,
    #[serde(default)]
    pub dav_push: DavPushConfig,
--- a/src/main.rs
+++ b/src/main.rs
@@ -108,6 +108,7 @@ async fn main() -> Result<()> {
                    subscription_store.clone(),
                    user_store.clone(),
                    config.frontend.clone(),
+                    config.oidc.clone(),
                    config.nextcloud_login.clone(),
                    nextcloud_flows.clone(),
                )
@@ -221,9 +222,9 @@ mod tests {
            FrontendConfig {
                enabled: false,
                secret_key: generate_frontend_secret(),
-                oidc: None,
                allow_password_login: false,
            },
+            None,
            NextcloudLoginConfig { enabled: false },
            Arc::new(NextcloudFlows::default()),
        );