Merge pull request #533 from bheesham/allow-different-apps-to-define-multiple-groups

fix(access): allow apps to be defined multiple times

Author: bheesham

tf/actions/accessRules.js

@@ -267,27 +267,25 @@ exports.onExecutePostLogin = async (event, api) => {
           app.authorized_users.length > 0 &&
           app.authorized_users.indexOf(event.user.email) >= 0
         ) {
-          authorized = true;
+          authorized ||= true;
           // Same dance as above, but for groups
         } else if (
           app.authorized_groups.length > 0 &&
           hasCommonElements(app.authorized_groups, groups)
         ) {
-          authorized = true;
-        } else {
-          authorized = false;
-        }
-
-        if (!authorized) {
-          const msg =
-            `Access denied to ${event.client.client_id} for user ${event.user.email} (${event.user.user_id})` +
-            ` - not in authorized group or not an authorized user`;
-          console.log(msg);
-          return deny("notingroup");
+          authorized ||= true;
         }
       } // correct client id / we matched the current RP
     } // for loop / next rule in apps.yml
 
+    if (!authorized) {
+      const msg =
+        `Access denied to ${event.client.client_id} for user ${event.user.email} (${event.user.user_id})` +
+        ` - not in authorized group or not an authorized user`;
+      console.log(msg);
+      return deny("notingroup");
+    }
+
     // AAI (AUTHENTICATOR ASSURANCE INDICATOR)
     // Sets the AAI for the user. This is later used by the AccessRules.js rule which also sets the AAL.
 

tf/tests/accessRules.test.js

@@ -625,3 +625,36 @@ describe("Client is defined in apps.yml as client00000000000000000000000008", ()
     );
   });
 });
+
+describe("Client is defined multiple times in apps.yml as client00000000000000000000000009", () => {
+  test("User in restricted_group_1; expect allowed", async () => {
+    _event.client.client_id = "client00000000000000000000000009";
+    _event.connection.name = "google-oauth2";
+    _event.user.groups = ["restricted_group_1"];
+    _event.user.ldap_groups = [];
+    _event.user.app_metadata.groups = [];
+    await onExecutePostLogin(_event, api);
+    expect(_event.transaction.redirect_uri).toEqual(undefined);
+  });
+  test("User in restricted_group_2; expect allowed", async () => {
+    _event.client.client_id = "client00000000000000000000000009";
+    _event.connection.name = "google-oauth2";
+    _event.user.groups = ["restricted_group_2"];
+    _event.user.ldap_groups = [];
+    _event.user.app_metadata.groups = [];
+    await onExecutePostLogin(_event, api);
+    expect(_event.transaction.redirect_uri).toEqual(undefined);
+  });
+  test("User in restricted_group_3; expect denied", async () => {
+    _event.client.client_id = "client00000000000000000000000009";
+    _event.connection.name = "google-oauth2";
+    _event.user.groups = ["restricted_group_3"];
+    _event.user.ldap_groups = [];
+    _event.user.app_metadata.groups = [];
+    await onExecutePostLogin(_event, api);
+    expect(_event.transaction.redirect_uri).toBeDefined();
+    expect(decodeRedirect(_event.transaction.redirect_uri)).toEqual(
+      "notingroup"
+    );
+  });
+});

tf/tests/modules/apps.yml.js

@@ -62,6 +62,16 @@ apps:
     - team_moco
     - team_mofo
     authorized_users: []
+- application:
+    authorized_groups:
+    - restricted_group_1
+    authorized_users: []
+    client_id: client00000000000000000000000009
+- application:
+    authorized_groups:
+    - restricted_group_2
+    authorized_users: []
+    client_id: client00000000000000000000000009
 `;
     return appsYaml;
   },