authorLibravatar Daenney <daenney@users.noreply.github.com>2023-02-25 17:37:39 +0100
committerLibravatar GitHub <noreply@github.com>2023-02-25 16:37:39 +0000
commit9cfb69f75d3eb422e61de14d5090ea96d541bae9 (patch)
tree7ad1093ddee3d336f6b87ba1f408fdbf3d49d8a6 /internal
parent[feature] Client API endpoints + v. basic web view for pinned posts (#1547) (diff)
downloadgotosocial-9cfb69f75d3eb422e61de14d5090ea96d541bae9.tar.xz
[feature] Make OIDC admin groups configurable (#1555)
This removes the current default of checking for membership of the admin or admins group and makes it required to explicitly configure which groups should grant admin access, if any. Relying on the implicit default of admin or admins is potentially dangerous, as that group may contain a different subset of people than those we wish to grant admin access to GtS. This is probably not an issue for a single-person instance, but for a community instance different admin groups may exist in an OIDC provider for different applications. I'm explicitly opting not to default the value of oidc-admin-groups to admin,admins because I think it's better for those things to be explicitly configured.
Diffstat (limited to 'internal')
-rw-r--r--internal/api/auth/callback.go9
-rw-r--r--internal/config/config.go1
-rw-r--r--internal/config/helpers.gen.go25
3 files changed, 33 insertions, 2 deletions
diff --git a/internal/api/auth/callback.go b/internal/api/auth/callback.go
index bef7b013f..5f0425dea 100644
--- a/internal/api/auth/callback.go
+++ b/internal/api/auth/callback.go
@@ -284,10 +284,15 @@ func (m *Module) createUserFromOIDC(ctx context.Context, claims *oidc.Claims, ex
}
// check if the user is in any recognised admin groups
+ adminGroups := config.GetOIDCAdminGroups()
var admin bool
+LOOP:
for _, g := range claims.Groups {
- if strings.EqualFold(g, "admin") || strings.EqualFold(g, "admins") {
- admin = true
+ for _, ag := range adminGroups {
+ if strings.EqualFold(g, ag) {
+ admin = true
+ break LOOP
+ }
}
}
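Review bot: The inner loop still compares with `strings.EqualFold`, so a configured group `admins` also matches a claim group `Admins` or `ADMINS`; if the OIDC provider treats group names as case-sensitive, that widens the set of groups granting admin beyond what the operator explicitly listed. Now that operators name the groups themselves, an exact comparison, `if g == ag {`, is the safer default; if the fold is intentional, it should at least be stated in the `oidc-admin-groups` usage string in config.go so operators know a differently-cased group also qualifies. An empty or unset list leaves `admin` false, which is consistent with the commit description. createUserFromOIDC begins before this hunk and continues after it.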
diff --git a/internal/config/config.go b/internal/config/config.go
index 1dea90788..5673b76dd 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -122,6 +122,7 @@ type Configuration struct {
OIDCClientSecret string `name:"oidc-client-secret" usage:"ClientSecret of GoToSocial, as registered with the OIDC provider."`
OIDCScopes []string `name:"oidc-scopes" usage:"OIDC scopes."`
OIDCLinkExisting bool `name:"oidc-link-existing" usage:"link existing user accounts to OIDC logins based on the stored email value"`
+ OIDCAdminGroups []string `name:"oidc-admin-groups" usage:"Membership of one of the listed groups makes someone a GtS admin"`
SMTPHost string `name:"smtp-host" usage:"Host of the smtp server. Eg., 'smtp.eu.mailgun.org'"`
SMTPPort int `name:"smtp-port" usage:"Port of the smtp server. Eg., 587"`
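Review bot: The usage string on the new `OIDCAdminGroups` field does not say what an empty list means, even though the commit description presents "no default" as the deliberate choice and the callback change in this commit then grants admin to nobody via OIDC. Suggest `usage:"Membership of one of the listed groups makes someone a GtS admin; leave empty to never grant admin via OIDC"` so the behaviour is visible from the generated help and example config. The Configuration struct begins and ends outside this hunk.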
diff --git a/internal/config/helpers.gen.go b/internal/config/helpers.gen.go
index 1a4c14a82..41c56a571 100644
--- a/internal/config/helpers.gen.go
+++ b/internal/config/helpers.gen.go
@@ -1724,6 +1724,31 @@ func GetOIDCLinkExisting() bool { return global.GetOIDCLinkExisting() }
// SetOIDCLinkExisting safely sets the value for global configuration 'OIDCLinkExisting' field
func SetOIDCLinkExisting(v bool) { global.SetOIDCLinkExisting(v) }
+// GetOIDCAdminGroups safely fetches the Configuration value for state's 'OIDCAdminGroups' field
+func (st *ConfigState) GetOIDCAdminGroups() (v []string) {
+ st.mutex.Lock()
+ v = st.config.OIDCAdminGroups
+ st.mutex.Unlock()
+ return
+}
+
+// SetOIDCAdminGroups safely sets the Configuration value for state's 'OIDCAdminGroups' field
+func (st *ConfigState) SetOIDCAdminGroups(v []string) {
+ st.mutex.Lock()
+ defer st.mutex.Unlock()
+ st.config.OIDCAdminGroups = v
+ st.reloadToViper()
+}
+
+// OIDCAdminGroupsFlag returns the flag name for the 'OIDCAdminGroups' field
+func OIDCAdminGroupsFlag() string { return "oidc-admin-groups" }
+
+// GetOIDCAdminGroups safely fetches the value for global configuration 'OIDCAdminGroups' field
+func GetOIDCAdminGroups() []string { return global.GetOIDCAdminGroups() }
+
+// SetOIDCAdminGroups safely sets the value for global configuration 'OIDCAdminGroups' field
+func SetOIDCAdminGroups(v []string) { global.SetOIDCAdminGroups(v) }
+
// GetSMTPHost safely fetches the Configuration value for state's 'SMTPHost' field
func (st *ConfigState) GetSMTPHost() (v string) {
st.mutex.Lock()