From 5f9a46c154fcca171b1f5440c74108b39556f385 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn=20Pedersen?=
Date: Wed, 24 May 2023 15:34:57 +0200
Subject: [PATCH] Access groups from payload
* Add configuration option to the groups attribute
* Add incoming data to payload passed to service
* Use generic log text
* really use the configured property to fetch group data - missing: also allow role mapping
Change-Id: I0e95d0571a7e0ccfe504a88385cc34caa0024a59
---
Dockerfile | 2 +-
.../access-group-provider/access-group-from-payload.service.ts | 2 +-
src/auth/strategies/oidc.strategy.ts | 3 +++
src/config/configuration.ts | 1 +
4 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 7198a9364..90dc578a0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ USER node
 RUN npm install glob rimraf
 RUN npm install
-FROM node:16-alpine AS builder
+FROM node:16-alpine AS builder
 # Prepare app directory
 WORKDIR /usr/src/app
diff --git a/src/auth/access-group-provider/access-group-from-payload.service.ts b/src/auth/access-group-provider/access-group-from-payload.service.ts
index 0bf172e8e..ba661a0db 100644
--- a/src/auth/access-group-provider/access-group-from-payload.service.ts
+++ b/src/auth/access-group-provider/access-group-from-payload.service.ts
@@ -33,7 +33,7 @@ export class AccessGroupFromPayloadService extends AccessGroupService {
 }
 Logger.log(
- "ESS access groups getESSAccessGroupService : " + accessGroups.join(","),
+ "Access groups AccessGroupFromPayloadService : " + accessGroups.join(","),
 );
 return accessGroups;
 }
diff --git a/src/auth/strategies/oidc.strategy.ts b/src/auth/strategies/oidc.strategy.ts
index f3eee9c6e..13141d443 100644
--- a/src/auth/strategies/oidc.strategy.ts
+++ b/src/auth/strategies/oidc.strategy.ts
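Review bot: The reworded log line in the access-group-from-payload hunk still emits every user's full resolved group list at `Logger.log` (info) level on each authentication, so group membership — identity data — ends up in routine application logs; the commit only changed the message text. I would lower it to debug and tag the context so it is still usable for troubleshooting: `Logger.debug("AccessGroupFromPayloadService resolved groups: " + accessGroups.join(","), AccessGroupFromPayloadService.name);`. The enclosing method starts above the hunk, so how `accessGroups` is derived from the payload is not visible here.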
@@ -63,12 +63,15 @@ export class OidcStrategy extends PassportStrategy(Strategy, "oidc") {
 async validate(tokenset: TokenSet): Promise> {
 const userinfo: UserinfoResponse = await this.client.userinfo(tokenset);
+ const oidcConfig = this.configService.get("oidc");
 const userProfile = this.parseUserInfo(userinfo);
 const userPayload: UserPayload = {
 userId: userProfile.id,
 username: userProfile.username,
 email: userProfile.email,
+ accessGroupProperty: oidcConfig?.accessGroupProperty,
+ payload: userinfo,
 };
 userProfile.accessGroups = await this.accessGroupService.getAccessGroups(
 userPayload,
diff --git a/src/config/configuration.ts b/src/config/configuration.ts
index 12ee31e4b..9302f14ba 100644
--- a/src/config/configuration.ts
+++ b/src/config/configuration.ts
@@ -109,6 +109,7 @@ const configuration = () => {
 scope: process.env.OIDC_SCOPE, // Example: "openid profile email"
 successURL: process.env.OIDC_SUCCESS_URL, // Example: http://localhost:3000/explorer
 accessGroups: process.env.OIDC_ACCESS_GROUPS, // Example: None
+ accessGroupProperty: process.env.OIDC_ACCESS_GROUPS_PROPERTY, // Example: groups
 autoLogout: process.env.OIDC_AUTO_LOGOUT || false,
 returnURL: process.env.OIDC_RETURN_URL,
 },
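Review bot: `payload: userinfo` hands the raw userinfo response to the access-group service together with an `accessGroupProperty` that is `undefined` whenever `OIDC_ACCESS_GROUPS_PROPERTY` is unset, and nothing in this hunk checks that the selected claim is actually an array of strings before it becomes the user's access groups. The claim's shape is chosen by the IdP, not guaranteed by OIDC (a single string or a comma-joined string are common), so the lookup should fail closed: either guard here with `const groupClaim = oidcConfig?.accessGroupProperty;` and `if (groupClaim && !Array.isArray(userinfo[groupClaim])) Logger.warn("claim " + groupClaim + " is not a group list");`, or — preferably — have AccessGroupFromPayloadService return `[]` for anything that is not a string array. `UserPayload` is not touched in this patch, so presumably `accessGroupProperty` and `payload` already exist on that type; also consider reading `this.configService.get("oidc")` once in the constructor instead of on every `validate` call. `validate` continues past the end of the hunk.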
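Review bot: The new `accessGroupProperty` entry is commented only with `// Example: groups`, which says nothing about what the value selects or what the consumer expects to find there, and the env var name `OIDC_ACCESS_GROUPS_PROPERTY` uses the plural while the key is singular, which is easy to mistype in a deployment. I would extend the comment to `// Name of the userinfo claim whose value lists the user's groups; consumed by AccessGroupFromPayloadService. Example: groups`. The exact claim shape that service accepts is not visible in this patch, so confirm it and state it in the comment; likewise note whether leaving the variable unset disables payload-based groups or fails startup, since the strategy hunk passes `undefined` through silently.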