#47: Assign user roles via SAML claims.
In the old version of the catalog we had a list of administrator ids in a
configuration file to provide access to management features. Instead,
shift that assignment off to Azure AD to make it easier to review and
modify via the AzureAD admin tools.
adamfranco committed Dec 2, 2024
1 parent 1293fb6 commit 550ad5e
Showing 1 changed file with 14 additions and 2 deletions.
16 changes: 14 additions & 2 deletions src/Security/SamlUser.php
Expand Up @@ -9,6 +9,7 @@ class SamlUser implements SamlUserInterface
private $email;
private $givenName;
private $surname;
private $assignedRoles = [];

public function __construct(
private string $id,
Expand All @@ -26,6 +27,15 @@ public function setSamlAttributes(array $attributes): void
if (!empty($attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'][0])) {
$this->surname = $attributes['http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname'][0];
}
// Add a custom attribute called 'AssignedRoles' and supply zero or more
// of the following values in the SAML response:
// "App.EmailSendAllowed" -- If included, the user will be able to send
// their schedule as an email.
// "App.Manager" -- If included, the user will be able to manage term
// visibility and export configurations.
if (!empty($attributes['AssignedRoles'])) {
$this->assignedRoles = $attributes['AssignedRoles'];
}
}

/**
Expand All @@ -46,10 +56,12 @@ public function getRoles(): array
{
$roles = ['ROLE_USER'];

// This is just a placeholder implementation. It should be configurable.
if ($this->email && preg_match('/@middlebury\.edu$/', $this->email)) {
if (!empty($this->assignedRoles) && in_array('App.EmailSendAllowed', $this->assignedRoles)) {
$roles[] = 'ROLE_CAN_SEND_EMAIL';
}
if (!empty($this->assignedRoles) && in_array('App.Manager', $this->assignedRoles)) {
$roles[] = 'ROLE_ADMIN';
}

return $roles;
}
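Review bot: The two `in_array` checks that grant ROLE_CAN_SEND_EMAIL and ROLE_ADMIN in getRoles use loose comparison, and the `!empty($this->assignedRoles) &&` guards in front of them are redundant because `in_array` on an empty array is already false; write them as `if (in_array('App.EmailSendAllowed', $this->assignedRoles, true)) {` and `if (in_array('App.Manager', $this->assignedRoles, true)) {` so a role is granted only on an exact string match. The values are copied wholesale from `$attributes['AssignedRoles']` in setSamlAttributes without checking that the claim is an array, so if the SAML library ever hands back a non-array value the failure would surface as a TypeError inside `in_array` at role resolution rather than as a closed default; guarding the assignment with `is_array($attributes['AssignedRoles'])` keeps the property at its declared `[]` shape. Since ROLE_ADMIN now keys entirely off that claim, the new property is also worth declaring as `private array $assignedRoles = [];`, consistent with the typed constructor parameters immediately below it.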

0 comments on commit 550ad5e
