From 3428cb981f9f7ec913322f4d964509f9abcbd485 Mon Sep 17 00:00:00 2001
From: Maxime Besson
Date: Wed, 18 May 2022 00:03:23 +0200
Subject: [PATCH] Add OP resolution rules (#2753)
---
 .../Lemonldap/NG/Portal/Auth/OpenIDConnect.pm | 21 +++++++++++++------
 .../Lemonldap/NG/Portal/Lib/OpenIDConnect.pm | 15 +++++++++++++
 2 files changed, 30 insertions(+), 6 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm
index 95509515b..0b57e367e 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/OpenIDConnect.pm
@@ -249,14 +249,23 @@ sub extractFormInfo {
 else {
- # IDP list
- my $portalPath = $self->{conf}->{portal};
- $portalPath =~ s#^https?://[^/]+/?#/#;
+ # Try to use OP resolution ruls
+ foreach ( keys %{ $self->opRules } ) {
+ my $cond = $self->opRules->{$_} or next;
+ if ( $cond->( $req, $req->sessionInfo ) ) {
+ $self->logger->debug("OP $_ selected from resolution rule");
+ $op = $_;
+ last;
+ }
+ }
- $req->data->{list} = $self->opList;
+ unless ($op) {
- $req->data->{login} = 1;
- return PE_IDPCHOICE;
+ # display OP list
+ $req->data->{list} = $self->opList;
+ $req->data->{login} = 1;
+ return PE_IDPCHOICE;
+ }
 }
 }
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
index 47dbd1851..d96fc05c3 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
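Review bot: When more than one OP resolution rule matches, the provider picked by the new `foreach ( keys %{ $self->opRules } )` loop depends on Perl's per-process hash ordering, so the same request could be routed to different OPs by different workers; iterate in a fixed order and give the loop variable a name, `foreach my $op_name ( sort keys %{ $self->opRules } )`, then use `$op_name` in the `debug` call and the `$op = $_` assignment, because the rule callback `$cond->( $req, $req->sessionInfo )` runs between the loop header and those two uses of `$_`. The same `$_`-across-a-call pattern appears in the `loadOPs` hunk, where `$self->opRules->{$_}` is assigned after `buildRule` returns. The comment on the first added line has a typo: `# Try to use OP resolution rules`. extractFormInfo starts outside the hunk, and `$op`, tested in `unless ($op)`, is presumably declared there.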
@@ -41,6 +41,7 @@ use constant OIDC_SCOPES => [qw/openid profile email address phone/];
 has oidcOPList => ( is => 'rw', default => sub { {} }, );
 has oidcRPList => ( is => 'rw', default => sub { {} }, );
 has rpAttributes => ( is => 'rw', default => sub { {} }, );
+has opRules => ( is => 'rw', default => sub { {} } );
 has spRules => ( is => 'rw', default => sub { {} } );
 has spMacros => ( is => 'rw', default => sub { {} } );
 has spScopeRules => ( is => 'rw', default => sub { {} } );
@@ -90,6 +91,20 @@ sub loadOPs {
 $self->oidcOPList->{$_}->{jwks} = $self->decodeJSON( $self->conf->{oidcOPMetaDataJWKS}->{$_} );
 }
 }
+
+ # Set rule
+ foreach ( keys %{ $self->conf->{oidcOPMetaDataOptions} } ) {
+ my $cond = $self->conf->{oidcOPMetaDataOptions}->{$_}
+ ->{oidcOPMetaDataOptionsResolutionRule};
+ if ( length $cond ) {
+ my $rule_sub =
+ $self->p->buildRule( $cond, "OIDC provider resolution" );
+ if ($rule_sub) {
+ $self->opRules->{$_} = $rule_sub;
+ }
+ }
+ }
+
 return 1;
 }
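Review bot: A resolution rule that fails to compile is dropped silently in the new loop of `loadOPs`: when `buildRule` returns false the `$self->opRules->{$_} = $rule_sub;` assignment is simply skipped, so that OP quietly falls back to the manual choice list, which an operator will read as "the rule did not match" rather than "the rule is broken". Unless `buildRule` itself reports the failure (not visible here), add an else branch, e.g. `else { $self->logger->error("Bad OIDC OP resolution rule for $_"); }`. The `# Set rule` comment could also say what is being built: `# Compile each OP's oidcOPMetaDataOptionsResolutionRule into opRules`. loadOPs starts outside the hunk.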