From 5562d8b1ddf24d53cbe394f83d924b192bae53dd Mon Sep 17 00:00:00 2001
From: Maxime Besson
Date: Mon, 1 Feb 2021 11:45:29 +0100
Subject: [PATCH] Add a function to resolve allowed scopes from rules (#2424)
---
 .../Lemonldap/NG/Portal/Lib/OpenIDConnect.pm | 42 +++++++++++++++++++
 1 file changed, 42 insertions(+)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
index 3baab59c7..5d8a28e82 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm
@@ -1328,6 +1328,48 @@ sub getAttributesListFromClaim {
 return $self->rpAttributes->{$rp}->{$claim};
 }
 
+# Return granted scopes for this request
+# @param req current request
+# @param req selected RP
+# @param scope requested scope
+sub getScope {
+ my ( $self, $req, $rp, $scope ) = @_;
+
+ my @scope_values = split( /\s+/, $scope );
+
+ # If this RP has dynamic scopes
+ if ( $self->spScopeRules->{$rp} ) {
+
+ # Add dynamic scopes
+ for my $dynamicScope ( keys %{ $self->spScopeRules->{$rp} } ) {
+
+ # Set a magic "$requested" variable that contains true if the
+ # scope was requested by the application
+ my $requested = grep { $_ eq $dynamicScope } @scope_values;
+ my $attributes = { %{ $req->userData }, requested => $requested };
+
+ # If scope is granted by the rule
+ if ( $self->spScopeRules->{$rp}->{$dynamicScope}
+ ->( $req, $attributes ) )
+ {
+ # Add to list
+ unless ( grep { $_ eq $dynamicScope } @scope_values ) {
+ push @scope_values, $dynamicScope;
+ }
+
+ }
+
+ # Else make sure it is not granted
+ else {
+ @scope_values = grep { $_ ne $dynamicScope } @scope_values;
+ }
+ }
+ }
+
+ $self->p->processHook( $req, 'oidcResolveScope', \@scope_values, $rp );
+ return join( ' ', @scope_values );
+}
+
 # Return Hash of UserInfo data
 # @param scope OIDC scope
 # @param rp Internal Relying Party identifier
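Review bot: The second doc line `# @param req selected RP` should read `# @param rp selected RP`; as written the third argument is documented under the name of the first. `split( /\s+/, $scope )` also produces a leading empty element when the requested scope string starts with whitespace and warns when `$scope` is undef, and that empty string is carried through to the `join` result; `my @scope_values = split( ' ', $scope // '' );` uses Perl's special whitespace split mode, which discards leading whitespace. Note that only scope names with an entry in `spScopeRules->{$rp}` are ever removed here, so every other requested value passes through unchanged into the returned string; if callers treat the result as the granted scope list, the non-dynamic values must be validated elsewhere, which this hunk does not show.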