Add support for synchronizing groups

README.rdoc

@@ -87,6 +87,17 @@ admin_role::
     +realm_access.roles+.
 
     Example: ROLES/REDMINE/ADMIN
+groups_claim::
+    The claim which provides the set of groups (optional).
+
+    Example: +groups+
+group_names_pattern::
+    A regex pattern to filter names of user groups that should be synchronized.
+    Default is +^$+ - match nothing. Note that if you're using local groups (not
+    synchronised with OIDC), they should not match this pattern, otherwise users
+    will be removed from these groups when they log in.
+
+    Example: +^(Red|Blue)$+
 
 
 == Mapping users

app/controllers/oidc_controller.rb

@@ -86,16 +86,42 @@ def create_user
     user.activate
     user.random_password
     user.last_login_on = Time.now
+    update_groups(user)
     user.save ? successful_login(user) : unsuccessful_login(user)
   end
 
   def update_user(user)
     user.update(@oidc_session.user_attributes)
     user.activate
     user.update_last_login_on!
+    update_groups(user)
     user.save ? successful_login(user) : unsuccessful_login(user)
   end
 
+  def update_groups(user)
+    return unless settings.update_groups?
+
+    current = user.groups.select { |group| settings.group_names_regexp.match?(group.name) }
+
+    target = @oidc_session.groups.map do |name|
+      begin
+        Group.named(name).first_or_create!(name: name)
+      rescue ActiveRecord::RecordInvalid => e
+        logger.error "Failed to create group #{name}: #{e}"
+      end
+    end
+
+    unless (added = target - current).empty?
+      logger.info "Adding user #{user.login} to groups: #{added.map(&:name).join(', ')}"
+      user.groups += added
+    end
+
+    unless (removed = current - target).empty?
+      logger.info "Removing user #{user.login} from groups: #{removed.map(&:name).join(', ')}"
+      user.groups -= removed
+    end
+  end
+
   def successful_login(user)
     logger.info "Successful authentication for '#{user.login}' from #{request.remote_ip} at #{Time.now.utc}"
     oidc_session = OidcSession.spawn(session)
@@ -110,4 +136,7 @@ def unsuccessful_login(user)
     end
   end
 
+  def settings
+    @settings ||= RedmineOidc.settings
+  end
 end

app/models/oidc_session.rb

@@ -103,6 +103,16 @@ def user_attributes
     }
   end
 
+  def groups
+    @groups ||= if settings.update_groups?
+      (decoded_id_token.raw_attributes[settings.groups_claim] || [])
+        .select { |name| settings.group_names_regexp.match?(name) }
+        .to_set
+    else
+      Set.new
+    end
+  end
+
   def refresh_token_expiration_timestamp
     decoded_refresh_token['exp']
   end

app/views/settings/_redmine_oidc.html.erb

@@ -38,6 +38,14 @@
   <%= label_tag 'settings[admin_role]', l('oidc.settings.admin_role') %>
   <%= text_field_tag 'settings[admin_role]', oidc_settings.admin_role, size: 60 %>
 </p>
+<p>
+  <%= label_tag 'settings[groups_claim]', l('oidc.settings.groups_claim') %>
+  <%= text_field_tag 'settings[groups_claim]', oidc_settings.groups_claim, size: 60 %>
+</p>
+<p>
+  <%= label_tag 'settings[group_names_pattern]', l('oidc.settings.group_names_pattern') %>
+  <%= text_field_tag 'settings[group_names_pattern]', oidc_settings.group_names_pattern, size: 60, placeholder: l('oidc.settings.group_names_pattern_placeholder') %>
+</p>
 <p>
   <%= label_tag 'settings[session_check_enabled]', l('oidc.settings.session_check_enabled') %>
   <%= check_box_tag 'settings[session_check_enabled]', 1, oidc_settings.session_check_enabled %>

config/locales/de.yml

@@ -34,6 +34,9 @@ de:
       roles_claim_placeholder: roles
       access_roles: Leerzeichen-separierte Liste der autorisierten Rollen
       admin_role: Administrationsrolle
+      groups_claim: Gruppe-Claim (optional)
+      group_names_pattern: Regex zum Filtern der Namen von Gruppen, die synchronisiert werden sollen
+      group_names_pattern_placeholder: ^$
       session_check_enabled: Session Check aktivieren
       session_check_users_csv: Komma-separierte Liste der Logins mit Session Check (* = alle)
     error:

config/locales/en.yml

@@ -34,6 +34,9 @@ en:
       roles_claim_placeholder: roles
       access_roles: Space-separated list of authorized roles
       admin_role: Administration role
+      groups_claim: Groups claim (optional)
+      group_names_pattern: Regex to filter names of groups that should be synchronized
+      group_names_pattern_placeholder: ^$
       session_check_enabled: Enable session check
       session_check_users_csv: Comma-separated list of logins with session check (* = all)
     error:

lib/redmine_oidc/settings.rb

@@ -31,6 +31,8 @@ class Settings
       roles_claim
       access_roles
       admin_role
+      groups_claim
+      group_names_pattern
       session_check_enabled
       session_check_users_csv
     )
@@ -70,6 +72,14 @@ def to_h
       serializable_hash
     end
 
+    def group_names_regexp
+      @group_names_regexp ||= Regexp.new(@group_names_pattern || '^$', Regexp::IGNORECASE)
+    end
+
+    def update_groups?
+      !!@groups_claim
+    end
+
     def session_check_users
       @session_check_users ||= @session_check_users_csv.split(',').map(&:strip)
     end