Improve admin privilege handling for OAuth. Update documentation.

Makefile

@@ -133,3 +133,9 @@ build-docker:
 .PHONY: helm-docs
 helm-docs:
 	docker run --rm --volume "${PWD}/deploy:/helm-docs" -u "$$(id -u)" jnorwood/helm-docs -s file
+
+#< run-mkdocs: Run a local instance of MkDocs
+.PHONY: run-mkdocs
+run-mkdocs:
+	python -m venv venv; source venv/bin/activate; pip install mike cairosvg mkdocs-material mkdocs-minify-plugin mkdocs-swagger-ui-tag
+	venv/bin/mkdocs serve

config.yml.sample

@@ -1,3 +1,5 @@
+# More information about the configuration can be found in the documentation: https://wgportal.org/master/documentation/overview/
+
 advanced:
   log_level: trace
 
@@ -22,7 +24,7 @@ auth:
       base_dn: DC=YOURCOMPANY,DC=LOCAL
       login_filter: (&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2))
       admin_group: CN=WireGuardAdmins,OU=it,DC=YOURCOMPANY,DC=LOCAL
-      synchronize: false
+      sync_interval: 0  # sync disabled
       sync_filter: (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))
       registration_enabled: true
   oidc:
@@ -63,5 +65,28 @@ auth:
         email: email
         firstname: name
         user_identifier: sub
-        is_admin: roles
-      registration_enabled: true
+        is_admin: this-attribute-must-be-true
+      registration_enabled: true
+    - id: google_plain_oauth_with_groups
+      provider_name: google4
+      display_name: Login with</br>Google4
+      client_id: another-client-id-1234.apps.googleusercontent.com
+      client_secret: A_CLIENT_SECRET
+      auth_url: https://accounts.google.com/o/oauth2/v2/auth
+      token_url: https://oauth2.googleapis.com/token
+      user_info_url: https://openidconnect.googleapis.com/v1/userinfo
+      scopes:
+        - openid
+        - email
+        - profile
+        - i-want-some-groups
+      field_map:
+        email: email
+        firstname: name
+        user_identifier: sub
+        user_groups: groups
+      admin_mapping:
+        admin_value_regex: ^true$
+        admin_group_regex: ^admin-group-name$
+      registration_enabled: true
+      log_user_info: true

docs/documentation/configuration/examples.md

@@ -0,0 +1,176 @@
+Below are some sample YAML configurations demonstrating how to override some default values. 
+
+## Basic Configuration
+```yaml
+core:
+  admin_user: [email protected]
+  admin_password: password
+  import_existing: false
+  create_default_peer: true
+  self_provisioning_allowed: true
+
+web:
+  site_title: My WireGuard Server
+  site_company_name: My Company
+  listening_address: :8080
+  external_url: https://my.externa-domain.com
+  csrf_secret: super-s3cr3t-csrf
+  session_secret: super-s3cr3t-session
+  request_logging: true
+
+advanced:
+  log_level: trace
+  log_pretty: true
+  log_json: false
+  config_storage_path: /etc/wireguard
+  expiry_check_interval: 5m
+
+database:
+  debug: true
+  type: sqlite
+  dsn: data/sqlite.db
+```
+
+## LDAP Authentication and Synchronization Configuration
+```yaml
+# ... (basic configuration)
+
+auth:
+  ldap:
+
+    # a sample LDAP provider with user sync enabled
+    - id: ldap
+      provider_name: Active Directory
+      display_name: Login with</br>AD
+      url: ldap://srv-ad1.company.local:389
+      bind_user: [email protected]
+      bind_pass: super-s3cr3t-ldap
+      base_dn: DC=COMPANY,DC=LOCAL
+      login_filter: (&(objectClass=organizationalPerson)(mail={{login_identifier}})(!userAccountControl:1.2.840.113556.1.4.803:=2))
+      sync_interval: 15m
+      sync_filter: (&(objectClass=organizationalPerson)(!userAccountControl:1.2.840.113556.1.4.803:=2)(mail=*))
+      disable_missing: true
+      field_map:
+        user_identifier: sAMAccountName
+        email: mail
+        firstname: givenName
+        lastname: sn
+        phone: telephoneNumber
+        department: department
+        memberof: memberOf
+      admin_group: CN=WireGuardAdmins,OU=Some-OU,DC=COMPANY,DC=LOCAL
+      registration_enabled: true
+      log_user_info: true
+```
+
+## OpenID Connect (OIDC) Authentication Configuration
+```yaml
+# ... (basic configuration)
+
+auth:
+  oidc:
+
+    # a sample provider where users with the attribute `wg_admin` set to `true` are considered as admins   
+    - id: oidc-with-admin-attribute
+      provider_name: google
+      display_name: Login with</br>Google
+      base_url: https://accounts.google.com
+      client_id: the-client-id-1234.apps.googleusercontent.com
+      client_secret: A_CLIENT_SECRET
+      extra_scopes:
+        - https://www.googleapis.com/auth/userinfo.email
+        - https://www.googleapis.com/auth/userinfo.profile
+      field_map:
+        user_identifier: sub
+        email: email
+        firstname: given_name
+        lastname: family_name
+        phone: phone_number
+        department: department
+        is_admin: wg_admin
+      admin_mapping:
+        - admin_value_regex: ^true$
+      registration_enabled: true
+      log_user_info: true
+
+    # a sample provider where users in the group `the-admin-group` are considered as admins    
+    - id: oidc-with-admin-group
+      provider_name: google2
+      display_name: Login with</br>Google2
+      base_url: https://accounts.google.com
+      client_id: another-client-id-1234.apps.googleusercontent.com
+      client_secret: A_CLIENT_SECRET
+      extra_scopes:
+        - https://www.googleapis.com/auth/userinfo.email
+        - https://www.googleapis.com/auth/userinfo.profile
+      field_map:
+        user_identifier: sub
+        email: email
+        firstname: given_name
+        lastname: family_name
+        phone: phone_number
+        department: department
+        user_groups: groups
+      admin_mapping:
+        - admin_group_regex: ^the-admin-group$
+      registration_enabled: true
+      log_user_info: true
+```
+
+## Plain OAuth2 Authentication Configuration
+```yaml
+# ... (basic configuration)
+
+auth:
+  oauth:
+
+    # a sample provider where users with the attribute `this-attribute-must-be-true` set to `true` or `True`
+    # are considered as admins    
+    - id: google_plain_oauth-with-admin-attribute
+      provider_name: google3
+      display_name: Login with</br>Google3
+      client_id: another-client-id-1234.apps.googleusercontent.com
+      client_secret: A_CLIENT_SECRET
+      auth_url: https://accounts.google.com/o/oauth2/v2/auth
+      token_url: https://oauth2.googleapis.com/token
+      user_info_url: https://openidconnect.googleapis.com/v1/userinfo
+      scopes:
+        - openid
+        - email
+        - profile
+      field_map:
+        user_identifier: sub
+        email: email
+        firstname: name
+        is_admin: this-attribute-must-be-true
+      admin_mapping:
+        - admin_value_regex: ^(True|true)$
+      registration_enabled: true
+
+    # a sample provider where either users with the attribute `this-attribute-must-be-true` set to `true` or 
+    # users in the group `admin-group-name` are considered as admins    
+    - id: google_plain_oauth_with_groups
+      provider_name: google4
+      display_name: Login with</br>Google4
+      client_id: another-client-id-1234.apps.googleusercontent.com
+      client_secret: A_CLIENT_SECRET
+      auth_url: https://accounts.google.com/o/oauth2/v2/auth
+      token_url: https://oauth2.googleapis.com/token
+      user_info_url: https://openidconnect.googleapis.com/v1/userinfo
+      scopes:
+        - openid
+        - email
+        - profile
+        - i-want-some-groups
+      field_map:
+        email: email
+        firstname: name
+        user_identifier: sub
+        is_admin: this-attribute-must-be-true
+        user_groups: groups
+      admin_mapping:
+        admin_value_regex: ^true$
+        admin_group_regex: ^admin-group-name$
+      registration_enabled: true
+      log_user_info: true
+```