From e310478e6dd532d2d729629dadb80a08f14b9094 Mon Sep 17 00:00:00 2001
From: Clement Michaud
Date: Sat, 25 Mar 2017 15:28:57 +0100
Subject: [PATCH] Allow per user access control rules
---
config.template.yml | 3 ++
src/lib/routes/first_factor.js | 13 ++++--
test/unitary/routes/test_first_factor.js | 54 +++++++++++++++++-------
3 files changed, 50 insertions(+), 20 deletions(-)
diff --git a/config.template.yml b/config.template.yml
index b84fb053e..d05e0de6e 100644
--- a/config.template.yml
+++ b/config.template.yml
@@ -50,6 +50,9 @@ access_control:
- group: dev
allowed_domains:
- secret2.test.local
+ - user: harry
+ allowed_domains:
+ - secret1.test.local
# Configuration of session cookies
diff --git a/src/lib/routes/first_factor.js b/src/lib/routes/first_factor.js
index 4ba9a97c1..59464e6ed 100644
--- a/src/lib/routes/first_factor.js
+++ b/src/lib/routes/first_factor.js
@@ -5,13 +5,17 @@ var exceptions = require('../exceptions');
var objectPath = require('object-path');
var Promise = require('bluebird');
-function get_allowed_domains(access_control, groups) {
+function get_allowed_domains(access_control, username, groups) {
var allowed_domains = [];
for(var i = 0; i= 0) {
+ if('allowed_domains' in rule) {
+ if('group' in rule && groups.indexOf(rule['group']) >= 0) {
+ var domains = rule.allowed_domains;
+ allowed_domains = allowed_domains.concat(domains);
+ }
+ else if('user' in rule && username == rule['user']) {
var domains = rule.allowed_domains;
allowed_domains = allowed_domains.concat(domains);
}
@@ -58,7 +62,8 @@ function first_factor(req, res) {
objectPath.set(req, 'session.auth_session.email', emails[0]);
if(config.access_control) {
- var allowed_domains = get_allowed_domains(config.access_control, groups);
+ var allowed_domains = get_allowed_domains(config.access_control,
+ username, groups);
logger.debug('1st factor: allowed domains are %s', allowed_domains);
objectPath.set(req, 'session.auth_session.allowed_domains', allowed_domains);
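Review bot: The new `else if` branch matches the rule with loose equality, `username == rule['user']`, so a YAML value that is not a string (a numeric user name, for instance) is accepted after type coercion if `username` is the string taken from the request; use `username === rule['user']` so a per-user rule applies only on an exact string match. The two branches also repeat the same two lines; a single condition built from `var group_match = 'group' in rule && groups.indexOf(rule['group']) >= 0;`, `var user_match = 'user' in rule && username === rule['user'];` and `if('allowed_domains' in rule && (group_match || user_match)) {` keeps one copy of the concat and makes the intent visible. A rule carrying both a `user` and a `group` key is accepted when either matches, which is reasonable but deserves a comment above the loop, e.g. `// A rule applies when its group is one of the user's groups or its user is the authenticated username.` The function's closing brace and return statement lie outside the hunk, and the line holding the for-loop header and the removed condition appears garbled in this rendering.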
diff --git a/test/unitary/routes/test_first_factor.js b/test/unitary/routes/test_first_factor.js
index 4798f9820..9f52bc92c 100644
--- a/test/unitary/routes/test_first_factor.js
+++ b/test/unitary/routes/test_first_factor.js
@@ -74,23 +74,45 @@ describe('test the first factor validation route', function() {
});
});
- it('should store the allowed domains in the auth session', function() {
- config.access_control = [];
- config.access_control.push({
- group: 'group1',
- allowed_domains: ['domain1.example.com', 'domain2.example.com']
- });
- return new Promise(function(resolve, reject) {
- res.send = sinon.spy(function(data) {
- assert.deepEqual(['domain1.example.com', 'domain2.example.com'],
- req.session.auth_session.allowed_domains);
- assert.equal(204, res.status.getCall(0).args[0]);
- resolve();
+ describe('store the allowed domains in the auth session', function() {
+ it('should store the per group allowed domains', function() {
+ config.access_control = [];
+ config.access_control.push({
+ group: 'group1',
+ allowed_domains: ['domain1.example.com', 'domain2.example.com']
+ });
+ return new Promise(function(resolve, reject) {
+ res.send = sinon.spy(function(data) {
+ assert.deepEqual(['domain1.example.com', 'domain2.example.com'],
+ req.session.auth_session.allowed_domains);
+ assert.equal(204, res.status.getCall(0).args[0]);
+ resolve();
+ });
+ ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
+ ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
+ ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
+ first_factor(req, res);
+ });
+ });
+
+ it('should store the per group allowed domains', function() {
+ config.access_control = [];
+ config.access_control.push({
+ user: 'username',
+ allowed_domains: ['domain1.example.com', 'domain2.example.com']
+ });
+ return new Promise(function(resolve, reject) {
+ res.send = sinon.spy(function(data) {
+ assert.deepEqual(['domain1.example.com', 'domain2.example.com'],
+ req.session.auth_session.allowed_domains);
+ assert.equal(204, res.status.getCall(0).args[0]);
+ resolve();
+ });
+ ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
+
ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
+ ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
+ first_factor(req, res);
});
- ldap_interface_mock.bind.withArgs('username').returns(Promise.resolve());
- ldap_interface_mock.get_emails.returns(Promise.resolve(emails));
- ldap_interface_mock.get_groups.returns(Promise.resolve(groups));
- first_factor(req, res);
});
});
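Review bot: Both new `it` blocks carry the same title, `'should store the per group allowed domains'`, although the second one configures a `user: 'username'` rule; rename it `it('should store the per user allowed domains', function() {` so a failure report says which rule type broke. Neither case covers a rule whose `user` does not match the bound username, so an implementation that ignored the `user` key and concatenated every rule's domains would still pass both; a third case with `user: 'someone_else'` asserting that `req.session.auth_session.allowed_domains` is empty would pin the negative path. The enclosing `describe` opens before this hunk.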