From 683100a9fbcf105440376c0742f3eca725816e14 Mon Sep 17 00:00:00 2001
From: Marco Descher
Date: Sat, 21 Mar 2020 02:02:06 +0100
Subject: [PATCH] Synchronize saml roles to local user (#16158)
---
 app/meteor-accounts-saml/server/saml_rocketchat.js | 12 ++++++++++++
 app/meteor-accounts-saml/server/saml_server.js | 12 ++++++++----
 packages/rocketchat-i18n/i18n/de.i18n.json | 2 ++
 packages/rocketchat-i18n/i18n/en.i18n.json | 2 ++
 4 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/app/meteor-accounts-saml/server/saml_rocketchat.js b/app/meteor-accounts-saml/server/saml_rocketchat.js
index 83cc7baa8e9f..c64e00ef5919 100644
--- a/app/meteor-accounts-saml/server/saml_rocketchat.js
+++ b/app/meteor-accounts-saml/server/saml_rocketchat.js
@@ -182,6 +182,15 @@ Meteor.methods({
 i18nLabel: 'SAML_Role_Attribute_Name',
 i18nDescription: 'SAML_Role_Attribute_Name_Description',
 });
+
+ settings.add(`SAML_Custom_${ name }_role_attribute_sync`, false, {
+ type: 'boolean',
+ group: 'SAML',
+ section: name,
+ i18nLabel: 'SAML_Role_Attribute_Sync',
+ i18nDescription: 'SAML_Role_Attribute_Sync_Description',
+ });
+
 settings.add(`SAML_Custom_${ name }_allowed_clock_drift`, 0, {
 type: 'int',
 group: 'SAML',
@@ -222,6 +231,7 @@ const getSamlConfigs = function(service) {
 authnContextComparison: settings.get(`${ service.key }_authn_context_comparison`),
 defaultUserRole: settings.get(`${ service.key }_default_user_role`),
 roleAttributeName: settings.get(`${ service.key }_role_attribute_name`),
+ roleAttributeSync: settings.get(`${ service.key }_role_attribute_sync`),
 secret: {
 privateKey: settings.get(`${ service.key }_private_key`),
 publicCert: settings.get(`${ service.key }_public_cert`),
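Review bot: The new `SAML_Custom_${ name }_role_attribute_sync` setting carries no comment in the code about what enabling it does; the only explanation lives in the i18n description strings. A short comment above the `settings.add` call would help the next maintainer: `// When enabled, the roles carried in the SAML role attribute replace the user's local roles at every login.` It presumably only has an effect when `SAML_Custom_${ name }_role_attribute_name` is also configured, which this hunk cannot confirm; if so, that dependency belongs in the same comment. The enclosing `Meteor.methods` block starts and ends outside the hunk.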
@@ -264,6 +274,7 @@ const configureSamlService = function(samlConfigs) {
 Accounts.saml.settings.debug = samlConfigs.debug;
 Accounts.saml.settings.defaultUserRole = samlConfigs.defaultUserRole;
 Accounts.saml.settings.roleAttributeName = samlConfigs.roleAttributeName;
+ Accounts.saml.settings.roleAttributeSync = samlConfigs.roleAttributeSync;
 return {
 provider: samlConfigs.clientConfig.provider,
@@ -277,6 +288,7 @@ const configureSamlService = function(samlConfigs) {
 authnContextComparison: samlConfigs.authnContextComparison,
 defaultUserRole: samlConfigs.defaultUserRole,
 roleAttributeName: samlConfigs.roleAttributeName,
+ roleAttributeSync: samlConfigs.roleAttributeSync,
 allowedClockDrift: samlConfigs.allowedClockDrift,
 };
 };
diff --git a/app/meteor-accounts-saml/server/saml_server.js b/app/meteor-accounts-saml/server/saml_server.js
index ca1e6544713a..b2767fc8e70b 100644
--- a/app/meteor-accounts-saml/server/saml_server.js
+++ b/app/meteor-accounts-saml/server/saml_server.js
@@ -33,7 +33,7 @@ RoutePolicy.declare('/_saml/', 'network');
 * Fetch SAML provider configs for given 'provider'.
 */
 function getSamlProviderConfig(provider) {
- if (! provider) {
+ if (!provider) {
 throw new Meteor.Error('no-saml-provider', 'SAML internal error', { method: 'getSamlProviderConfig' });
@@ -57,7 +57,7 @@ Meteor.methods({
 }
 // This query should respect upcoming array of SAML logins
 const user = Users.getSAMLByIdAndSAMLProvider(Meteor.userId(), provider);
- if (!user || !user.services || ! user.services.saml) {
+ if (!user || !user.services || !user.services.saml) {
 return;
 }
@@ -245,7 +245,7 @@ Accounts.registerLoginHandler(function(loginRequest) {
 }
 const { emailField, usernameField, nameField, userDataFieldMap, regexes } = getUserDataMapping();
- const { defaultUserRole = 'user', roleAttributeName } = Accounts.saml.settings;
+ const { defaultUserRole = 'user', roleAttributeName, roleAttributeSync } = Accounts.saml.settings;
 if (loginResult && loginResult.profile && loginResult.profile[emailField]) {
 const emailList = Array.isArray(loginResult.profile[emailField]) ? loginResult.profile[emailField] : [loginResult.profile[emailField]];
@@ -384,6 +384,10 @@ Accounts.registerLoginHandler(function(loginRequest) {
 updateData.emails = emails;
 }
+ if (roleAttributeSync) {
+ updateData.roles = globalRoles;
+ }
+
 Meteor.users.update({
 _id: user._id,
 }, {
@@ -421,7 +425,7 @@ Accounts.saml.subscribeToSAMLChannels = function(channels, user) {
 room = createRoom('c', roomName, user.username);
 }
 }
- } catch (err) {
+ } catch (err) {
 console.error(err);
 }
 };
diff --git a/packages/rocketchat-i18n/i18n/de.i18n.json b/packages/rocketchat-i18n/i18n/de.i18n.json
index 91aa9aa8929f..df895432c5e4 100644
--- a/packages/rocketchat-i18n/i18n/de.i18n.json
+++ b/packages/rocketchat-i18n/i18n/de.i18n.json
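Review bot: In the `@@ -384` hunk, `updateData.roles = globalRoles;` replaces the stored roles of an existing user on every login with whatever `globalRoles` holds, but nothing guards against `globalRoles` being empty or undefined (for example when the assertion omits the role attribute), which would strip every role from the account, including a local `admin` role, and effectively lock it out. If that is not the intended behaviour, guard the assignment: `if (roleAttributeSync && Array.isArray(globalRoles) && globalRoles.length > 0) { updateData.roles = globalRoles; }`. Because the IdP-supplied values are written verbatim, any role name the IdP asserts is granted on login; that is the documented intent ("overwrites local user roles"), but a comment at the guard would make it explicit: `// IdP is authoritative for roles when sync is enabled; local role changes are overwritten at each login.` `globalRoles` is computed outside the hunk and the enclosing login handler starts and ends outside it, so whether it already falls back to `defaultUserRole` cannot be confirmed here.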
@@ -2813,6 +2813,8 @@
 "SAML_Default_User_Role_Description": "Sie können mehrere Rollen angeben, indem Sie sie durch Kommas trennen.",
 "SAML_Role_Attribute_Name": "Rollenattributname",
 "SAML_Role_Attribute_Name_Description": "Wenn dieses Attribut in der SAML-Antwort gefunden wird, werden seine Werte als Rollennamen für neue Benutzer verwendet.",
+ "SAML_Role_Attribute_Sync": "Benutzerrollen synchronisieren",
+ "SAML_Role_Attribute_Sync_Description": "Synchronisiere Benutzerrollen beim Login (Überschreibt lokale Benutzerrollen).",
 "SAML_Allowed_Clock_Drift": "Erlaubte Zeitabweichung zum Identity Provider",
 "SAML_Allowed_Clock_Drift_Description": "Die Uhrzeit des Identitätsproviders kann minimal vor der eigenen Systemzeit liegen. Um eine geringe Abweichung der Zeiten zu berücksichtigen, kann eine Zeitabweichung definiert werden. Der Wert muss in einer Anzahl von Millisekunden (ms) angegeben werden. Der angegebene Wert wird zur aktuellen Zeit, zu der die Antwort validiert wird, addiert.",
 "Saturday": "Samstag",
diff --git a/packages/rocketchat-i18n/i18n/en.i18n.json b/packages/rocketchat-i18n/i18n/en.i18n.json
index 8759d94d6399..66386a3217aa 100644
--- a/packages/rocketchat-i18n/i18n/en.i18n.json
+++ b/packages/rocketchat-i18n/i18n/en.i18n.json
@@ -2895,6 +2895,8 @@
 "SAML_Default_User_Role_Description": "You can specify multiple roles, separating them with commas.",
 "SAML_Role_Attribute_Name": "Role Attribute Name",
 "SAML_Role_Attribute_Name_Description": "If this attribute is found on the SAML response, it's values will be used as role names for new users.",
+ "SAML_Role_Attribute_Sync": "Sync User Roles",
+ "SAML_Role_Attribute_Sync_Description": "Sync SAML user roles on login (overwrites local user roles).",
 "SAML_Allowed_Clock_Drift": "Allowed clock drift from Identity Provider",
 "SAML_Allowed_Clock_Drift_Description": "The clock of the Identity Provider may drift slightly ahead of your system clocks. You can allow for a small amount of clock drift. Its value must be given in a number of milliseconds (ms). The value given is added to the current time at which the response is validated.",
 "Saturday": "Saturday",