2 files changed, 86 insertions, 7 deletions
diff --git a/internal/api/auth/callback.go b/internal/api/auth/callback.go
index d0fa78322..37c257229 100644
--- a/internal/api/auth/callback.go
+++ b/internal/api/auth/callback.go
@@ -23,6 +23,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"slices"
 	"strings"
 
 	"github.com/gin-contrib/sessions"
@@ -156,6 +157,14 @@ func (m *Module) CallbackGETHandler(c *gin.Context) {
 		apiutil.TemplateWebPage(c, page)
 		return
 	}
+
+	// Check user permissions on login
+	if !allowedGroup(claims.Groups) {
+		err := fmt.Errorf("User groups %+v do not include an allowed group", claims.Groups)
+		apiutil.ErrorHandler(c, gtserror.NewErrorUnauthorized(err, err.Error()), m.processor.InstanceGetV1)
+		return
+	}
+
 	s.Set(sessionUserID, user.ID)
 	if err := s.Save(); err != nil {
 		m.clearSession(s)
@@ -297,6 +306,11 @@ func (m *Module) createUserFromOIDC(ctx context.Context, claims *oidc.Claims, ex
 		return nil, gtserror.NewErrorConflict(err, help)
 	}
 
+	if !allowedGroup(claims.Groups) {
+		err := fmt.Errorf("User groups %+v do not include an allowed group", claims.Groups)
+		return nil, gtserror.NewErrorUnauthorized(err, err.Error())
+	}
+
 	// We still need to set something as a password, even
 	// if it's not a password the user will end up using.
 	//
@@ -356,13 +370,12 @@ func (m *Module) createUserFromOIDC(ctx context.Context, claims *oidc.Claims, ex
 // adminGroup returns true if one of the given OIDC
 // groups is equal to at least one admin OIDC group.
 func adminGroup(groups []string) bool {
-	for _, ag := range config.GetOIDCAdminGroups() {
-		for _, g := range groups {
-			if strings.EqualFold(ag, g) {
-				// This is an admin group,
-				// ∴ user is an admin.
-				return true
-			}
+	adminGroups := config.GetOIDCAdminGroups()
+	for _, claimedGroup := range groups {
+		if slices.ContainsFunc(adminGroups, func(allowedGroup string) bool {
+			return strings.EqualFold(claimedGroup, allowedGroup)
+		}) {
+			return true
 		}
 	}
 
@@ -370,3 +383,24 @@ func adminGroup(groups []string) bool {
 	// ∴ user is not an admin.
 	return false
 }
+
+// allowedGroup returns true if one of the given OIDC
+// groups is equal to at least one allowed OIDC group.
+func allowedGroup(groups []string) bool {
+	allowedGroups := config.GetOIDCAllowedGroups()
+	if len(allowedGroups) == 0 {
+		// If no groups are configured, allow access (for backwards compatibility)
+		return true
+	}
+	for _, claimedGroup := range groups {
+		if slices.ContainsFunc(allowedGroups, func(allowedGroup string) bool {
+			return strings.EqualFold(claimedGroup, allowedGroup)
+		}) {
+			return true
+		}
+	}
+
+	// User is in no allowed groups,
+	// ∴ user is not allowed to log in
+	return false
+}
diff --git a/internal/api/auth/callback_test.go b/internal/api/auth/callback_test.go
new file mode 100644
index 000000000..2624f3f3f
--- /dev/null
+++ b/internal/api/auth/callback_test.go
@@ -0,0 +1,45 @@
+package auth
+
+import (
+	"testing"
+
+	"github.com/superseriousbusiness/gotosocial/testrig"
+)
+
+func TestAdminGroup(t *testing.T) {
+	testrig.InitTestConfig()
+	for _, test := range []struct {
+		name     string
+		groups   []string
+		expected bool
+	}{
+		{name: "not in admin group", groups: []string{"group1", "group2", "allowedRole"}, expected: false},
+		{name: "in admin group", groups: []string{"group1", "group2", "adminRole"}, expected: true},
+	} {
+		test := test // loopvar capture
+		t.Run(test.name, func(t *testing.T) {
+			if got := adminGroup(test.groups); got != test.expected {
+				t.Fatalf("got: %t, wanted: %t", got, test.expected)
+			}
+		})
+	}
+}
+
+func TestAllowedGroup(t *testing.T) {
+	testrig.InitTestConfig()
+	for _, test := range []struct {
+		name     string
+		groups   []string
+		expected bool
+	}{
+		{name: "not in allowed group", groups: []string{"group1", "group2", "adminRole"}, expected: false},
+		{name: "in allowed group", groups: []string{"group1", "group2", "allowedRole"}, expected: true},
+	} {
+		test := test // loopvar capture
+		t.Run(test.name, func(t *testing.T) {
+			if got := allowedGroup(test.groups); got != test.expected {
+				t.Fatalf("got: %t, wanted: %t", got, test.expected)
+			}
+		})
+	}
+}