feat: mapping admin based on OIDC groups

Author: gaetan-steininger

api/login.go

@@ -555,6 +555,7 @@ type claimResult struct {
 	username string
 	name     string
 	email    string
+	admin    bool
 }
 
 func parseClaim(str string, claims map[string]any) (string, bool) {
@@ -629,6 +630,10 @@ func parseClaims(claims map[string]any, provider util.ClaimsProvider) (res claim
 		res.name = getRandomProfileName()
 	}
 
+	if provider.IsAdminMappingEnable() {
+		res.admin = provider.IsAdminUserClaims(claims)
+	}
+
 	return
 }
 
@@ -793,6 +798,17 @@ func oidcRedirect(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if provider.IsAdminMappingEnable() {
+		user.Admin = claims.admin
+	}
+
+	err = helpers.Store(r).UpdateUser(db.UserWithPwd{Pwd: "", User: user})
+	if err != nil {
+		log.Error(fmt.Errorf("Failed update OIDC user '%s': %v", user.Username, err))
+		http.Redirect(w, r, loginURL, http.StatusTemporaryRedirect)
+		return
+	}
+
 	createSession(w, r, user, true)
 
 	config, ok := util.Config.OidcProviders[pid]

util/OdbcProvider.go

@@ -15,15 +15,36 @@ type OidcProvider struct {
 	UsernameClaim    string       `json:"username_claim" default:"preferred_username"`
 	NameClaim        string       `json:"name_claim" default:"preferred_username"`
 	EmailClaim       string       `json:"email_claim" default:"email"`
+	GroupsClaim      string       `json:"groups_claim" default:"groups"`
+	AdminGroup       string       `json:"admin_group" default:""` // Group from the groups in the claims that members will be map as admin on semaphore
 	Order            int          `json:"order"`
 	// ReturnViaState when true, passes the return path via the OAuth state parameter instead of the redirect URL path. This is useful for OAuth providers that have strict redirect URL validation.
-	ReturnViaState   bool         `json:"return_via_state"`
+	ReturnViaState bool `json:"return_via_state"`
 }
 
 type ClaimsProvider interface {
 	GetUsernameClaim() string
 	GetEmailClaim() string
 	GetNameClaim() string
+	IsAdminMappingEnable() bool
+	IsAdminUserClaims(claims map[string]any) bool
+}
+
+func (p *OidcProvider) IsAdminMappingEnable() bool {
+	return p.AdminGroup != ""
+}
+
+func (p *OidcProvider) IsAdminUserClaims(claims map[string]any) bool {
+	if rawList, ok := claims[p.GroupsClaim].([]any); ok {
+		for _, g := range rawList {
+			if group, ok := g.(string); ok {
+				if p.AdminGroup == group {
+					return true
+				}
+			}
+		}
+	}
+	return false
 }
 
 func (p *OidcProvider) GetUsernameClaim() string {

util/config.go

@@ -64,6 +64,16 @@ type LdapMappings struct {
 	CN   string `json:"cn" env:"SEMAPHORE_LDAP_MAPPING_CN" default:"cn"`
 }
 
+func (p *LdapMappings) IsAdminMappingEnable() bool {
+	// Always returns ‘not implemented’ with LDAP
+	return false
+}
+
+func (p *LdapMappings) IsAdminUserClaims(claims map[string]any) bool {
+	// Always returns ‘not implemented’ with LDAP
+	return false
+}
+
 func (p *LdapMappings) GetUsernameClaim() string {
 	return p.UID
 }