Synchronize saml roles to local user (#16158)
col-panic authored Mar 21, 2020
1 parent f8feb32 commit 683100a
Showing 4 changed files with 24 additions and 4 deletions.
12 changes: 12 additions & 0 deletions app/meteor-accounts-saml/server/saml_rocketchat.js
Expand Up @@ -182,6 +182,15 @@ Meteor.methods({
i18nLabel: 'SAML_Role_Attribute_Name',
i18nDescription: 'SAML_Role_Attribute_Name_Description',
});

settings.add(`SAML_Custom_${ name }_role_attribute_sync`, false, {
type: 'boolean',
group: 'SAML',
section: name,
i18nLabel: 'SAML_Role_Attribute_Sync',
i18nDescription: 'SAML_Role_Attribute_Sync_Description',
});

settings.add(`SAML_Custom_${ name }_allowed_clock_drift`, 0, {
type: 'int',
group: 'SAML',
Expand Down Expand Up @@ -222,6 +231,7 @@ const getSamlConfigs = function(service) {
authnContextComparison: settings.get(`${ service.key }_authn_context_comparison`),
defaultUserRole: settings.get(`${ service.key }_default_user_role`),
roleAttributeName: settings.get(`${ service.key }_role_attribute_name`),
roleAttributeSync: settings.get(`${ service.key }_role_attribute_sync`),
secret: {
privateKey: settings.get(`${ service.key }_private_key`),
publicCert: settings.get(`${ service.key }_public_cert`),
Expand Down Expand Up @@ -264,6 +274,7 @@ const configureSamlService = function(samlConfigs) {
Accounts.saml.settings.debug = samlConfigs.debug;
Accounts.saml.settings.defaultUserRole = samlConfigs.defaultUserRole;
Accounts.saml.settings.roleAttributeName = samlConfigs.roleAttributeName;
Accounts.saml.settings.roleAttributeSync = samlConfigs.roleAttributeSync;

return {
provider: samlConfigs.clientConfig.provider,
Expand All @@ -277,6 +288,7 @@ const configureSamlService = function(samlConfigs) {
authnContextComparison: samlConfigs.authnContextComparison,
defaultUserRole: samlConfigs.defaultUserRole,
roleAttributeName: samlConfigs.roleAttributeName,
roleAttributeSync: samlConfigs.roleAttributeSync,
allowedClockDrift: samlConfigs.allowedClockDrift,
};
};
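Review bot: The new `SAML_Custom_${ name }_role_attribute_sync` setting is added independently of `SAML_Custom_${ name }_role_attribute_name`, so an admin can turn sync on with no role attribute configured, and nothing in the setting definition or its description says what local roles become in that case. The i18n description "overwrites local user roles" should spell out that the overwrite happens on every login and state the behaviour when the attribute is absent from the assertion (presumably a fall back to the default user role, which is computed outside this file and cannot be confirmed here). Consider a description such as `Sync roles from the SAML response on every login; local role changes are overwritten, and a response without the role attribute resets the user to the default role.` once that fallback is verified. The three `roleAttributeSync` plumbing lines in getSamlConfigs and configureSamlService are consistent with the neighbouring `roleAttributeName` entries and need no change.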
12 changes: 8 additions & 4 deletions app/meteor-accounts-saml/server/saml_server.js
Expand Up @@ -33,7 +33,7 @@ RoutePolicy.declare('/_saml/', 'network');
* Fetch SAML provider configs for given 'provider'.
*/
function getSamlProviderConfig(provider) {
if (! provider) {
if (!provider) {
throw new Meteor.Error('no-saml-provider',
'SAML internal error',
{ method: 'getSamlProviderConfig' });
Expand All @@ -57,7 +57,7 @@ Meteor.methods({
}
// This query should respect upcoming array of SAML logins
const user = Users.getSAMLByIdAndSAMLProvider(Meteor.userId(), provider);
if (!user || !user.services || ! user.services.saml) {
if (!user || !user.services || !user.services.saml) {
return;
}

Expand Down Expand Up @@ -245,7 +245,7 @@ Accounts.registerLoginHandler(function(loginRequest) {
}

const { emailField, usernameField, nameField, userDataFieldMap, regexes } = getUserDataMapping();
const { defaultUserRole = 'user', roleAttributeName } = Accounts.saml.settings;
const { defaultUserRole = 'user', roleAttributeName, roleAttributeSync } = Accounts.saml.settings;

if (loginResult && loginResult.profile && loginResult.profile[emailField]) {
const emailList = Array.isArray(loginResult.profile[emailField]) ? loginResult.profile[emailField] : [loginResult.profile[emailField]];
Expand Down Expand Up @@ -384,6 +384,10 @@ Accounts.registerLoginHandler(function(loginRequest) {
updateData.emails = emails;
}

if (roleAttributeSync) {
updateData.roles = globalRoles;
}

Meteor.users.update({
_id: user._id,
}, {
Expand Down Expand Up @@ -421,7 +425,7 @@ Accounts.saml.subscribeToSAMLChannels = function(channels, user) {
room = createRoom('c', roomName, user.username);
}
}
} catch (err) {
} catch (err) {
console.error(err);
}
};
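Review bot: `updateData.roles = globalRoles;` in the -384 hunk replaces the user's entire local role list with whatever the identity provider asserted, with no check that the value is a non-empty array of roles that exist locally and no protection for privileged roles such as admin; a misconfigured or compromised IdP, or an assertion that simply omits the attribute, can now strip or grant any role on every login, including locking out the last administrator. The guard should at least reject empty or non-array values and log the change, e.g. `if (roleAttributeSync && Array.isArray(globalRoles) && globalRoles.length > 0) { updateData.roles = globalRoles; }`, and ideally filter `globalRoles` against the roles known to the server before assignment. `globalRoles` is computed outside the hunk, and the login handler starts and ends outside it, so how it behaves when the role attribute is missing cannot be confirmed from this view. The remaining hunks in this file only normalise `! x` to `!x` and the `catch (err)` spacing.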
2 changes: 2 additions & 0 deletions packages/rocketchat-i18n/i18n/de.i18n.json
Expand Up @@ -2813,6 +2813,8 @@
"SAML_Default_User_Role_Description": "Sie können mehrere Rollen angeben, indem Sie sie durch Kommas trennen.",
"SAML_Role_Attribute_Name": "Rollenattributname",
"SAML_Role_Attribute_Name_Description": "Wenn dieses Attribut in der SAML-Antwort gefunden wird, werden seine Werte als Rollennamen für neue Benutzer verwendet.",
"SAML_Role_Attribute_Sync": "Benutzerrollen synchronisieren",
"SAML_Role_Attribute_Sync_Description": "Synchronisiere Benutzerrollen beim Login (Überschreibt lokale Benutzerrollen).",
"SAML_Allowed_Clock_Drift": "Erlaubte Zeitabweichung zum Identity Provider",
"SAML_Allowed_Clock_Drift_Description": "Die Uhrzeit des Identitätsproviders kann minimal vor der eigenen Systemzeit liegen. Um eine geringe Abweichung der Zeiten zu berücksichtigen, kann eine Zeitabweichung definiert werden. Der Wert muss in einer Anzahl von Millisekunden (ms) angegeben werden. Der angegebene Wert wird zur aktuellen Zeit, zu der die Antwort validiert wird, addiert.",
"Saturday": "Samstag",
2 changes: 2 additions & 0 deletions packages/rocketchat-i18n/i18n/en.i18n.json
Expand Up @@ -2895,6 +2895,8 @@
"SAML_Default_User_Role_Description": "You can specify multiple roles, separating them with commas.",
"SAML_Role_Attribute_Name": "Role Attribute Name",
"SAML_Role_Attribute_Name_Description": "If this attribute is found on the SAML response, it's values will be used as role names for new users.",
"SAML_Role_Attribute_Sync": "Sync User Roles",
"SAML_Role_Attribute_Sync_Description": "Sync SAML user roles on login (overwrites local user roles).",
"SAML_Allowed_Clock_Drift": "Allowed clock drift from Identity Provider",
"SAML_Allowed_Clock_Drift_Description": "The clock of the Identity Provider may drift slightly ahead of your system clocks. You can allow for a small amount of clock drift. Its value must be given in a number of milliseconds (ms). The value given is added to the current time at which the response is validated.",
"Saturday": "Saturday",