oidc-mytoken
diff --git a/‎config/example-config.yaml
Lines changed: 30 additions & 0 deletions b/‎config/example-config.yaml
Lines changed: 30 additions & 0 deletions
diff --git a/‎go.mod
Lines changed: 1 addition & 1 deletion b/‎go.mod
Lines changed: 1 addition & 1 deletion
diff --git a/‎go.sum
Lines changed: 2 additions & 625 deletions b/‎go.sum
Lines changed: 2 additions & 625 deletions
diff --git a/‎internal/config/config.go
Lines changed: 159 additions & 72 deletions b/‎internal/config/config.go
Lines changed: 159 additions & 72 deletions
@@ -294,4 +294,34 @@ providers:
       request_parameter: "resource"
       # Defines how multiple audience values in a request are handled;
       space_separate_auds: false
+    # Settings related to restrictions that should be enforced for different user groups depending on an OP attribute
+    enforced_restrictions:
+      # A mapping for claim sources: Mapping between an url and claim name; defines how the claim value is obtained
+      # on which the decision which restriction template is enforced is based on
+      # The key should be an url, that behaves in line with an OP's userinfo endpoint
+      # The special keys 'issuer', 'op', 'default', and 'userinfo' can be used;
+      # if one of these keys is used, the claim name is looked up in the
+      # id token, access token, and userinfo endpoint
+      claim_sources:
+      #issuer: "eduperson_entitlements"
+      # If true, indicates that access should be completely forbidden if no value from 'mapping' matches
+      #forbid_on_default: false
+      # The default restriction template that will be enforced for all users where no value from 'mapping' matches;
+      # only used if 'forbid_on_default=false'; the restriction template must be configured on the server or be
+      # provided as json (but as a string)
+      # The help_html content is displayed if forbid_on_default=true and a user tries to log in and does not have
+      # access. The html should contain information about why the user does not have access and what to do in order
+      # to get access. The html can also be given in the help_html_file. This should only be a html snippet, no
+      # complete html page.
+      #help_html:
+      #help_html_file:
+      #default_template: web-default
+      # A mapping between claim values and the enforced restriction template; the templates must be configured on the
+      # server or be provided as json (but as a string); an entry matches if the attribute is a string array and the
+      # mapping key is included in the array or the attribute is a single value and equals the mapping key;
+      # the mapping MUST be given in order such that the highest privileged template is listed first
+      mapping:
+      #admin: ""
+      #urn:geant:mytoken:advanced: "advanced"
+      #urn:geant:mytoken:medium: "medium"
 
@@ -25,7 +25,7 @@ require (
 	github.com/lestrrat-go/jwx v1.2.30
 	github.com/oidc-mytoken/api v0.11.2-0.20240426092102-fa4d583a79ad
 	github.com/oidc-mytoken/lib v0.7.1
-	github.com/oidc-mytoken/utils v0.1.3-0.20230731143919-ea5b78243e5d
+	github.com/oidc-mytoken/utils v0.1.3-0.20240527155944-26103774a5aa
 	github.com/olekukonko/tablewriter v0.0.5
 	github.com/pires/go-proxyproto v0.8.0
 	github.com/pkg/errors v0.9.1
 
@@ -150,7 +150,7 @@ type Config struct {
 	Logging              loggingConf         `yaml:"logging"`
 	ServiceDocumentation string              `yaml:"service_documentation"`
 	Features             featuresConf        `yaml:"features"`
-	Providers            []ProviderConf      `yaml:"providers"`
+	Providers            []*ProviderConf     `yaml:"providers"`
 	ServiceOperator      ServiceOperatorConf `yaml:"service_operator"`
 	Caching              cacheConf           `yaml:"cache"`
 }
@@ -189,6 +189,9 @@ func (c *featuresConf) validate() error {
 	if err := c.Notifications.validate(); err != nil {
 		return err
 	}
+	if err := c.SSH.validate(); err != nil {
+		return err
+	}
 	return nil
 }
 
@@ -230,6 +233,27 @@ type sshConf struct {
 	PrivateKeys      []ssh.Signer `yaml:"-"`
 }
 
+func (c *sshConf) validate() error {
+	if !c.Enabled {
+		return nil
+	}
+	if len(c.KeyFiles) == 0 {
+		return errors.New("invalid config: ssh feature enabled, but no ssh private key set")
+	}
+	for _, pkf := range c.KeyFiles {
+		pemBytes, err := os.ReadFile(pkf)
+		if err != nil {
+			return errors.Wrap(err, "reading ssh private key")
+		}
+		signer, err := ssh.ParsePrivateKey(pemBytes)
+		if err != nil {
+			return errors.Wrap(err, "parsing ssh private key")
+		}
+		c.PrivateKeys = append(c.PrivateKeys, signer)
+	}
+	return nil
+}
+
 type serverProfilesConf struct {
 	Enabled bool                     `yaml:"enabled"`
 	Groups  profileGroupsCredentials `yaml:"groups"`
@@ -422,14 +446,43 @@ type signingConf struct {
 
 // ProviderConf holds information about a provider
 type ProviderConf struct {
-	Issuer              string              `yaml:"issuer"`
-	ClientID            string              `yaml:"client_id"`
-	ClientSecret        string              `yaml:"client_secret"`
-	Scopes              []string            `yaml:"scopes"`
-	MytokensMaxLifetime int64               `yaml:"mytokens_max_lifetime"`
-	Endpoints           *oauth2x.Endpoints  `yaml:"-"`
-	Name                string              `yaml:"name"`
-	Audience            *model.AudienceConf `yaml:"audience"`
+	Issuer               string                   `yaml:"issuer"`
+	ClientID             string                   `yaml:"client_id"`
+	ClientSecret         string                   `yaml:"client_secret"`
+	Scopes               []string                 `yaml:"scopes"`
+	MytokensMaxLifetime  int64                    `yaml:"mytokens_max_lifetime"`
+	EnforcedRestrictions EnforcedRestrictionsConf `yaml:"enforced_restrictions"`
+	Endpoints            *oauth2x.Endpoints       `yaml:"-"`
+	Name                 string                   `yaml:"name"`
+	Audience             *model.AudienceConf      `yaml:"audience"`
+}
+
+// EnforcedRestrictionsConf is a type for holding configuration for enforced restrictions
+type EnforcedRestrictionsConf struct {
+	Enabled         bool              `yaml:"-"`
+	ClaimSources    map[string]string `yaml:"claim_sources"`
+	DefaultTemplate string            `yaml:"default_template"`
+	ForbidOnDefault bool              `yaml:"forbid_on_default"`
+	HelpHTMLText    string            `yaml:"help_html"`
+	HelpHTMLFile    string            `yaml:"help_html_file"`
+	Mapping         map[string]string `yaml:"mapping"`
+}
+
+func (c *EnforcedRestrictionsConf) validate() error {
+	if len(c.ClaimSources) >= 1 {
+		c.Enabled = true
+	}
+	if c.HelpHTMLFile != "" {
+		content, err := os.ReadFile(c.HelpHTMLFile)
+		if err != nil {
+			return errors.Wrapf(
+				err,
+				"error reading enforced restrictions help html file '%s'", c.HelpHTMLFile,
+			)
+		}
+		c.HelpHTMLText = string(content)
+	}
+	return nil
 }
 
 // ServiceOperatorConf is type holding the configuration for the service operator of this mytoken instance
@@ -541,6 +594,28 @@ func validate() error {
 	if conf == nil {
 		return errors.New("config not set")
 	}
+	if err := validateIssuerURL(); err != nil {
+		return err
+	}
+	if err := configureServerTLS(); err != nil {
+		return err
+	}
+	if err := validateConfigSections(); err != nil {
+		return err
+	}
+	if err := validateProviders(); err != nil {
+		return err
+	}
+	if conf.Features.GuestMode.Enabled {
+		addGuestModeProvider()
+	}
+	if err := validateSigningConfig(); err != nil {
+		return err
+	}
+	return validateWebInterface()
+}
+
+func validateIssuerURL() error {
 	if conf.IssuerURL == "" {
 		return errors.New("invalid config: issuer_url not set")
 	}
@@ -553,94 +628,106 @@ func validate() error {
 		return errors.Wrap(err, "invalid config: issuer_url not valid")
 	}
 	conf.Host = u.Hostname()
+	return nil
+}
+
+func configureServerTLS() error {
 	if conf.Server.TLS.Enabled {
 		if conf.Server.TLS.Key != "" && conf.Server.TLS.Cert != "" {
 			conf.Server.Port = 443
 		} else {
 			conf.Server.TLS.Enabled = false
 		}
 	}
-	if err = conf.Logging.validate(); err != nil {
-		return err
-	}
-	if err = conf.ServiceOperator.validate(); err != nil {
+	return nil
+}
+
+func validateConfigSections() error {
+	if err := conf.Logging.validate(); err != nil {
 		return err
 	}
-	if err = conf.Features.validate(); err != nil {
+
+	if err := conf.ServiceOperator.validate(); err != nil {
 		return err
 	}
-	if len(conf.Providers) <= 0 {
+
+	return conf.Features.validate()
+}
+
+func validateProviders() error {
+	if len(conf.Providers) == 0 {
 		return errors.New("invalid config: providers must have at least one entry")
 	}
 	for i, p := range conf.Providers {
-		if p.Issuer == "" {
-			return errors.Errorf("invalid config: provider.issuer not set (Index %d)", i)
-		}
-		oc, err := oauth2x.NewConfig(context.Get(), p.Issuer)
-		if err != nil {
-			return errors.Errorf("error '%s' for provider.issuer '%s' (Index %d)", err, p.Issuer, i)
-		}
-		// Endpoints only returns an error if it does discovery but this was already done in NewConfig, so we can ignore
-		// the error value
-		p.Endpoints, _ = oc.Endpoints()
-		if p.ClientID == "" {
-			return errors.Errorf("invalid config: provider.clientid not set (Index %d)", i)
-		}
-		if p.ClientSecret == "" {
-			return errors.Errorf("invalid config: provider.clientsecret not set (Index %d)", i)
-		}
-		if len(p.Scopes) <= 0 {
-			return errors.Errorf("invalid config: provider.scopes not set (Index %d)", i)
-		}
-		if p.Audience == nil {
-			p.Audience = &model.AudienceConf{RFC8707: true}
-		}
-		if p.Audience.RFC8707 {
-			p.Audience.RequestParameter = model.AudienceParameterResource
-			p.Audience.SpaceSeparateAuds = false
-		} else if p.Audience.RequestParameter == "" {
-			p.Audience.RequestParameter = model.AudienceParameterResource
+		if err := validateProvider(p, i); err != nil {
+			return err
 		}
 		conf.Providers[i] = p
 	}
-	if conf.Features.GuestMode.Enabled {
-		iss := utils2.CombineURLPath(conf.IssuerURL, paths.GetCurrentAPIPaths().GuestModeOP)
-		p := ProviderConf{
-			Issuer: iss,
-			Name:   "Guest Mode",
-			Scopes: []string{"openid"},
-			Endpoints: &oauth2x.Endpoints{
-				Authorization: utils2.CombineURLPath(iss, "auth"),
-				Token:         utils2.CombineURLPath(iss, "token"),
-			},
-		}
-		conf.Providers = append(conf.Providers, p)
+	return nil
+}
+
+func validateProvider(p *ProviderConf, i int) error {
+	if p.Issuer == "" {
+		return errors.Errorf("invalid config: provider.issuer not set (Index %d)", i)
 	}
-	if conf.IssuerURL == "" {
-		return errors.New("invalid config: issuer_url not set")
+	if err := p.EnforcedRestrictions.validate(); err != nil {
+		return err
+	}
+	oc, err := oauth2x.NewConfig(context.Get(), p.Issuer)
+	if err != nil {
+		return errors.Errorf("error '%s' for provider.issuer '%s' (Index %d)", err, p.Issuer, i)
 	}
+	p.Endpoints, err = oc.Endpoints()
+	if err != nil {
+		return errors.Errorf("error '%s' for provider.issuer '%s' (Index %d)", err, p.Issuer, i)
+	}
+	if p.ClientID == "" {
+		return errors.Errorf("invalid config: provider.clientid not set (Index %d)", i)
+	}
+	if p.ClientSecret == "" {
+		return errors.Errorf("invalid config: provider.clientsecret not set (Index %d)", i)
+	}
+	if len(p.Scopes) == 0 {
+		return errors.Errorf("invalid config: provider.scopes not set (Index %d)", i)
+	}
+	if p.Audience == nil {
+		p.Audience = &model.AudienceConf{RFC8707: true}
+	}
+	if p.Audience.RFC8707 {
+		p.Audience.RequestParameter = model.AudienceParameterResource
+		p.Audience.SpaceSeparateAuds = false
+	} else if p.Audience.RequestParameter == "" {
+		p.Audience.RequestParameter = model.AudienceParameterResource
+	}
+	return nil
+}
+
+func addGuestModeProvider() {
+	iss := utils2.CombineURLPath(conf.IssuerURL, paths.GetCurrentAPIPaths().GuestModeOP)
+	p := &ProviderConf{
+		Issuer: iss,
+		Name:   "Guest Mode",
+		Scopes: []string{"openid"},
+		Endpoints: &oauth2x.Endpoints{
+			Authorization: utils2.CombineURLPath(iss, "auth"),
+			Token:         utils2.CombineURLPath(iss, "token"),
+		},
+	}
+	conf.Providers = append(conf.Providers, p)
+}
+
+func validateSigningConfig() error {
 	if conf.Signing.Mytoken.KeyFile == "" {
 		return errors.New("invalid config: signing keyfile not set")
 	}
 	if conf.Signing.Mytoken.Alg == "" {
 		return errors.New("invalid config: token signing alg not set")
 	}
-	if conf.Features.SSH.Enabled {
-		if len(conf.Features.SSH.KeyFiles) == 0 {
-			return errors.New("invalid config: ssh feature enabled, but no ssh private key set")
-		}
-		for _, pkf := range conf.Features.SSH.KeyFiles {
-			pemBytes, err := os.ReadFile(pkf)
-			if err != nil {
-				return errors.Wrap(err, "reading ssh private key")
-			}
-			signer, err := ssh.ParsePrivateKey(pemBytes)
-			if err != nil {
-				return errors.Wrap(err, "parsing ssh private key")
-			}
-			conf.Features.SSH.PrivateKeys = append(conf.Features.SSH.PrivateKeys, signer)
-		}
-	}
+	return nil
+}
+
+func validateWebInterface() error {
 	if !conf.Features.TokenInfo.Introspect.Enabled && conf.Features.WebInterface.Enabled {
 		return errors.New("web interface requires tokeninfo.introspect to be enabled")
 	}