Add a field to specify a list of allowed emails when using OpenID Connect auth.

2025-02-08 12:38:14 -05:00 · 2020-05-22 15:51:34 -05:00 · 2020-05-22 15:51:34 -05:00 · cdf702e545
commit cdf702e545
parent 5811345050
7 changed files with 172 additions and 30 deletions
--- a/backend/migrations/20200522144240_openid_allowed_users.js
+++ b/backend/migrations/20200522144240_openid_allowed_users.js
@ -0,0 +1,40 @@
 const migrate_name = 'openid_allowed_users';
 const logger       = require('../logger').migrate;
 /**
 * Migrate
 *
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object}  knex
 * @param   {Promise} Promise
 * @returns {Promise}
 */
 exports.up = function (knex/*, Promise*/) {
 	logger.info('[' + migrate_name + '] Migrating Up...');
 	return knex.schema.table('proxy_host', function (proxy_host) {
 		proxy_host.integer('openidc_restrict_users_enabled').notNull().unsigned().defaultTo(0);
 		proxy_host.json('openidc_allowed_users').notNull().defaultTo([]);
 	})
 		.then(() => {
 			logger.info('[' + migrate_name + '] proxy_host Table altered');
 		});
 };
 /**
 * Undo Migrate
 *
 * @param   {Object}  knex
 * @param   {Promise} Promise
 * @returns {Promise}
 */
 exports.down = function (knex/*, Promise*/) {
 	return knex.schema.table('proxy_host', function (proxy_host) {
 		proxy_host.dropColumn('openidc_restrict_users_enabled');
 		proxy_host.dropColumn('openidc_allowed_users');
 	})
 		.then(() => {
 			logger.info('[' + migrate_name + '] proxy_host Table altered');
 		});
 };
--- a/backend/models/proxy_host.js
+++ b/backend/models/proxy_host.js
@ -20,12 +20,18 @@ class ProxyHost extends Model {
 			this.domain_names = [];
 		}
 		// Default for openidc_allowed_users
 		if (typeof this.openidc_allowed_users === 'undefined') {
 			this.openidc_allowed_users = [];
 		}
 		// Default for meta
 		if (typeof this.meta === 'undefined') {
 			this.meta = {};
 		}
 		this.domain_names.sort();
 		this.openidc_allowed_users.sort();
 	}
 	$beforeUpdate () {
@ -35,6 +41,11 @@ class ProxyHost extends Model {
 		if (typeof this.domain_names !== 'undefined') {
 			this.domain_names.sort();
 		}
 		// Sort openidc_allowed_users
 		if (typeof this.openidc_allowed_users !== 'undefined') {
 			this.openidc_allowed_users.sort();
 		}
 	}
 	static get name () {
@ -46,7 +57,7 @@ class ProxyHost extends Model {
 	}
 	static get jsonAttributes () {
-		return ['domain_names', 'meta', 'locations'];
+		return ['domain_names', 'meta', 'locations', 'openidc_allowed_users'];
 	}
 	static get relationMappings () {
--- a/backend/schema/definitions.json
+++ b/backend/schema/definitions.json
@ -256,6 +256,22 @@
    },
    "openidc_client_secret": {
      "type": "string"
    },
    "openidc_restrict_users_enabled": {
      "description": "Only allow a specific set of OpenID Connect emails to access the resource",
      "example": true,
      "type": "boolean"
    },
    "openidc_allowed_users": {
      "type": "array",
      "minItems": 0,
      "items": {
        "type": "string",
        "description": "Email Address",
        "example": "john@example.com",
        "format": "email",
        "minLength": 1
      }
    }
  }
 }
--- a/backend/schema/endpoints/proxy-hosts.json
+++ b/backend/schema/endpoints/proxy-hosts.json
@ -82,6 +82,12 @@
    "openidc_client_secret": {
      "$ref": "../definitions.json#/definitions/openidc_client_secret"
    },
    "openidc_restrict_users_enabled": {
      "$ref": "../definitions.json#/definitions/openidc_restrict_users_enabled"
    },
    "openidc_allowed_users": {
      "$ref": "../definitions.json#/definitions/openidc_allowed_users"
    },
    "enabled": {
      "$ref": "../definitions.json#/definitions/enabled"
    },
@ -197,6 +203,12 @@
    "openidc_client_secret": {
      "$ref": "#/definitions/openidc_client_secret"
    },
    "openidc_restrict_users_enabled": {
      "$ref": "#/definitions/openidc_restrict_users_enabled"
    },
    "openidc_allowed_users": {
      "$ref": "#/definitions/openidc_allowed_users"
    },
    "enabled": {
      "$ref": "#/definitions/enabled"
    },
@ -305,6 +317,12 @@
          "openidc_client_secret": {
            "$ref": "#/definitions/openidc_client_secret"
          },
          "openidc_restrict_users_enabled": {
            "$ref": "#/definitions/openidc_restrict_users_enabled"
          },
          "openidc_allowed_users": {
            "$ref": "#/definitions/openidc_allowed_users"
          },
          "enabled": {
            "$ref": "#/definitions/enabled"
          },
@ -396,6 +414,12 @@
          "openidc_client_secret": {
            "$ref": "#/definitions/openidc_client_secret"
          },
          "openidc_restrict_users_enabled": {
            "$ref": "#/definitions/openidc_restrict_users_enabled"
          },
          "openidc_allowed_users": {
            "$ref": "#/definitions/openidc_allowed_users"
          },
          "enabled": {
            "$ref": "#/definitions/enabled"
          },
--- a/frontend/js/app/nginx/proxy/form.ejs
+++ b/frontend/js/app/nginx/proxy/form.ejs
@ -280,7 +280,7 @@
                                <label class="custom-switch">
                                    <input type="checkbox" class="custom-switch-input" name="openidc_enabled" value="1"<%- openidc_enabled ? ' checked' : '' %>>
                                    <span class="custom-switch-indicator"></span>
-                                    <span class="custom-switch-description">Use OpenID Connect authentication <span class="form-required">*</span></span>
+                                    <span class="custom-switch-description">Use OpenID Connect authentication</span>
                                </label>
                            </div>
                        </div>
@ -317,6 +317,23 @@
                                <input type="text" name="openidc_client_secret" class="form-control text-monospace" placeholder="" value="<%- openidc_client_secret %>" autocomplete="off" maxlength="255" required>
                            </div>
                        </div>
                        <div class="openidc">
                            <div class="col-sm-12 col-md-12">
                                <div class="form-group">
                                    <label class="custom-switch">
                                        <input type="checkbox" class="custom-switch-input" name="openidc_restrict_users_enabled" value="1"<%- openidc_restrict_users_enabled ? ' checked' : '' %>>
                                        <span class="custom-switch-indicator"></span>
                                        <span class="custom-switch-description">Allow only these user emails</span>
                                    </label>
                                </div>
                            </div>
                            <div class="col-sm-12 col-md-12 openidc_users">
                                <div class="form-group">
                                    <label class="form-label">Allowed email addresses<span class="form-required">*</span></label>
                                    <input type="text" name="openidc_allowed_users" class="form-control" id="openidc_allowed_users" value="<%- openidc_allowed_users.join(',') %>" required>
                                </div>
                            </div>
                        </div>
                    </div>
                </div>
            </div>
--- a/frontend/js/app/nginx/proxy/form.js
+++ b/frontend/js/app/nginx/proxy/form.js
@ -45,7 +45,10 @@ module.exports = Mn.View.extend({
        forward_scheme:                 'select[name="forward_scheme"]',
        letsencrypt:                    '.letsencrypt',
        openidc_enabled:                'input[name="openidc_enabled"]',
-        openidc:                  '.openidc'
+        openidc_restrict_users_enabled: 'input[name="openidc_restrict_users_enabled"]',
        openidc_allowed_users:          'input[name="openidc_allowed_users"]',
        openidc:                        '.openidc',
        openidc_users:                  '.openidc_users',
    },
    regions: {
@ -135,9 +138,18 @@ module.exports = Mn.View.extend({
            let checked = this.ui.openidc_enabled.prop('checked');
            if (checked) {
-                this.ui.openidc.show().find('input').prop('required', true);
+                this.ui.openidc.show().find('input').prop('disabled', false);
            } else {
-                this.ui.openidc.hide().find('input').prop('required', false);
+                this.ui.openidc.hide().find('input').prop('disabled', true);
            }
        },
        'change @ui.openidc_restrict_users_enabled': function () {
            let checked = this.ui.openidc_restrict_users_enabled.prop('checked');
            if (checked) {
                this.ui.openidc_users.show().find('input').prop('disabled', false);
            } else {
                this.ui.openidc_users.hide().find('input').prop('disabled', true);
            }
        },
@ -180,6 +192,13 @@ module.exports = Mn.View.extend({
            data.hsts_subdomains         = !!data.hsts_subdomains;
            data.ssl_forced              = !!data.ssl_forced;
            data.openidc_enabled         = data.openidc_enabled === '1';
            data.openidc_restrict_users_enabled = data.openidc_restrict_users_enabled === '1';
            if (data.openidc_restrict_users_enabled) {
                if (typeof data.openidc_allowed_users === 'string' && data.openidc_allowed_users) {
                    data.openidc_allowed_users = data.openidc_allowed_users.split(',');
                }
            }
            if (typeof data.meta === 'undefined') data.meta = {};
            data.meta.letsencrypt_agree = data.meta.letsencrypt_agree == 1;
@ -365,8 +384,21 @@ module.exports = Mn.View.extend({
        });
        // OpenID Connect
-        this.ui.openidc.hide().find('input').prop('required', false);
+        this.ui.openidc_allowed_users.selectize({
            delimiter:    ',',
            persist:      false,
            maxOptions:   15,
            create:       function (input) {
                return {
                    value: input,
                    text:  input
                };
            }
        });
        this.ui.openidc.hide().find('input').prop('disabled', true);
        this.ui.openidc_users.hide().find('input').prop('disabled', true);
        this.ui.openidc_enabled.trigger('change');
        this.ui.openidc_restrict_users_enabled.trigger('change');
    },
    initialize: function (options) {
--- a/frontend/js/models/proxy-host.js
+++ b/frontend/js/models/proxy-host.js
@ -28,6 +28,8 @@ const model = Backbone.Model.extend({
            openidc_auth_method:     'client_secret_post',
            openidc_client_id:       '',
            openidc_client_secret:   '',
            openidc_restrict_users_enabled: false,
            openidc_allowed_users:   [],
            enabled:                 true,
            meta:                    {},
            // The following are expansions: