Add methods to check group memberships

gregcorbett · gregcorbett · commit bc761ba2c2c6 · 2023-02-17T14:24:13.000Z
diff --git a/lib/Authentication/AuthTokens/OIDCAuthToken.php b/lib/Authentication/AuthTokens/OIDCAuthToken.php
@@ -11,6 +11,11 @@ abstract class OIDCAuthToken implements IAuthentication
     private $principal;
     protected $acceptedIssuers;
     protected $authRealm;
+    protected $groupHeader;
+    protected $groupSplitChar;
+    protected $bannedGroups;
+    protected $requiredGroups;
+    protected $helpString;
 
     /**
      * {@see IAuthentication::eraseCredentials()}
@@ -101,7 +106,7 @@ public static function isStateless()
     }
 
     /**
-     * Set principal/User details from the session.
+     * Set principal/User details from the session and check group membership.
      */
     protected function setTokenFromSession()
     {
@@ -110,6 +115,82 @@ protected function setTokenFromSession()
             $this->userDetails = array(
                 'AuthenticationRealm' => array($this->authRealm)
             );
+
+            // Check group membership is acceptable.
+            $this->checkBannedGroups();
+            $this->checkRequiredGroups();
+        }
+    }
+
+    /**
+     * Check the token lists all the required groups.
+     */
+    protected function checkRequiredGroups()
+    {
+        $groupArray = explode(
+            $this->groupSplitChar,
+            $_SERVER[$this->groupHeader]
+        );
+
+        // Build up a list of missing groups.
+        $missingGoodGroups = [];
+        foreach ($this->requiredGroups as $group) {
+            if (!in_array($group, $groupArray)) {
+                $missingGoodGroups[] = $group;
+            }
+        }
+
+        // If the list of missing groups is not empty, reject the user.
+        if (!empty($missingGoodGroups)) {
+            $this->rejectUser(
+                'You are missing the following group(s):',
+                $missingGoodGroups
+            );
+        }
+    }
+
+    /**
+     * Check the token lists non of the banned groups.
+     */
+    protected function checkBannedGroups()
+    {
+        $groupArray = explode($this->groupSplitChar, $_SERVER[$this->groupHeader]);
+
+        $presentBadGroups = [];
+        foreach ($this->bannedGroups as $group) {
+            if (in_array($group, $groupArray)) {
+                $presentBadGroups[] = $group;
+            }
+        }
+
+        // If the list of present bad groups is not empty, reject the user.
+        if (!empty($presentBadGroups)) {
+            $this->rejectUser(
+                'We do not grant access to GOCDB to members of the following group(s):',
+                $presentBadGroups
+            );
         }
     }
+
+    /**
+     * Craft a BadCredentialsException exception.
+     *
+     * Uses the given error message to provide the end user more context.
+     *
+     * @param string   $errorContext  Context for the error.
+     * @param string[] $groupArray    An array of group memberships
+     */
+    protected function rejectUser($errorContext, $groupArray)
+    {
+        // For readability, when listing groups to the user,
+        // start each one on a new line with a '-' character.
+        $prependString = '<br />- ';
+        $groupString = implode($prependString, $groupArray);
+        throw new BadCredentialsException(
+            null,
+            'You do not belong to the correct group(s) ' .
+            'to gain access to this site.<br /><br />' . $errorContext .
+            $prependString . $groupString . '<br /><br />' . $this->helpString
+        );
+    }
 }
