mod_http_oauth2: Refactor scope handling into smaller functions
Goal is to put a dropdown on the consent page with your allowed roles.
Smaller functions make it easier to reuse. Readability may be improved
slightly as well.
--- a/mod_http_oauth2/mod_http_oauth2.lua Thu May 04 18:41:33 2023 +0200
+++ b/mod_http_oauth2/mod_http_oauth2.lua Fri May 05 00:57:20 2023 +0200
@@ -97,25 +97,45 @@
local openid_claims = set.new({ "openid", "profile"; "email"; "address"; "phone" });
-local function filter_scopes(username, requested_scope_string)
- local selected_role, granted_scopes = nil, array();
+local function split_scopes(scope_list)
+ local claims, roles, unknown = array(), array(), array();
+ local all_roles = usermanager.get_all_roles(module.host);
+ for _, scope in ipairs(scope_list) do
+ if openid_claims:contains(scope) then
+ claims:push(scope);
+ elseif all_roles[scope] then
+ roles:push(scope);
+ else
+ unknown:push(scope);
+ end
+ end
+ return claims, roles, unknown;
+end
- if requested_scope_string then -- Specific role(s) requested
- local requested_scopes = parse_scopes(requested_scope_string);
- for _, scope in ipairs(requested_scopes) do
- if openid_claims:contains(scope) then
- granted_scopes:push(scope);
- end
- if selected_role == nil and usermanager.user_can_assume_role(username, module.host, scope) then
- selected_role = scope;
+local function can_assume_role(username, requested_role)
+ return usermanager.user_can_assume_role(username, module.host, requested_role);
+end
+
+local function select_role(username, requested_roles)
+ if requested_roles then
+ for _, requested_role in ipairs(requested_roles) do
+ if can_assume_role(username, requested_role) then
+ return requested_role;
end
end
end
+ -- otherwise the default role
+ return usermanager.get_user_role(username, module.host).name;
+end
- if not selected_role then
- -- By default use the users' default role
- selected_role = usermanager.get_user_role(username, module.host).name;
+local function filter_scopes(username, requested_scope_string)
+ local granted_scopes, requested_roles;
+
+ if requested_scope_string then -- Specific role(s) requested
+ granted_scopes, requested_roles = split_scopes(parse_scopes(requested_scope_string));
end
+
+ local selected_role = select_role(username, requested_roles);
granted_scopes:push(selected_role);
return granted_scopes:concat(" "), selected_role;