private/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

update
All checks were successful
Deploy / deploy-staging (push) Successful in 5s
Details
Deploy / deploy-production (push) Has been skipped
Details

Browse Source
This commit is contained in:
Lars Gebhardt-Kusche
2026-04-14 22:48:35 +02:00
parent 3e9fa3d4a1
commit 93c867040e
4 changed files with 281 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

34
src/App/AuthService.php
View File

@@ -77,6 +77,8 @@ final class AuthService
];
$_SESSION['auth_id_token'] = $idToken;
$_SESSION['auth_expires_at'] = time() + self::SESSION_TTL;
$this->rememberKeycloakUser($claims, $groups);
}
public function canAccessModule(array $module): bool
@@ -111,6 +113,38 @@ final class AuthService
return array_intersect($allowedGroups, $userGroups) !== [];
}
private function rememberKeycloakUser(array $claims, array $groups): void
{
$pdo = $this->app->basePdo();
$sub = trim((string)($claims['sub'] ?? ''));
if (!$pdo || $sub === '') {
return;
}
$groupsJson = json_encode(array_values(array_unique(array_map('strval', $groups))), JSON_UNESCAPED_UNICODE);
if (!is_string($groupsJson)) {
$groupsJson = '[]';
}
$stmt = $pdo->prepare(
"INSERT INTO nexus_auth_users (sub, username, email, name, groups, last_login_at)
VALUES (:sub, :username, :email, :name, :groups, CURRENT_TIMESTAMP)
ON CONFLICT(sub) DO UPDATE SET
username = excluded.username,
email = excluded.email,
name = excluded.name,
groups = excluded.groups,
last_login_at = CURRENT_TIMESTAMP"
);
$stmt->execute([
'sub' => $sub,
'username' => (string)($claims['preferred_username'] ?? ''),
'email' => (string)($claims['email'] ?? ''),
'name' => (string)($claims['name'] ?? ''),
'groups' => $groupsJson,
]);
}
public function requireModuleAccess(array $module): void
{
if ($this->canAccessModule($module)) {

63
src/App/BaseSchema.php
View File

@@ -40,6 +40,27 @@ final class BaseSchema
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_module_auth (
name TEXT PRIMARY KEY,
required BOOLEAN NOT NULL DEFAULT false,
users TEXT NOT NULL DEFAULT '[]',
groups TEXT NOT NULL DEFAULT '[]',
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_auth_users (
sub TEXT PRIMARY KEY,
username TEXT,
email TEXT,
name TEXT,
groups TEXT NOT NULL DEFAULT '[]',
last_login_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_settings (
key TEXT PRIMARY KEY,
@@ -96,6 +117,27 @@ final class BaseSchema
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_module_auth (
name TEXT PRIMARY KEY,
required INTEGER NOT NULL DEFAULT 0,
users TEXT NOT NULL DEFAULT '[]',
groups TEXT NOT NULL DEFAULT '[]',
updated_at TEXT NOT NULL DEFAULT (datetime('now'))
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_auth_users (
sub TEXT PRIMARY KEY,
username TEXT,
email TEXT,
name TEXT,
groups TEXT NOT NULL DEFAULT '[]',
last_login_at TEXT NOT NULL DEFAULT (datetime('now'))
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_settings (
key TEXT PRIMARY KEY,
@@ -152,6 +194,27 @@ final class BaseSchema
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_module_auth (
name VARCHAR(190) PRIMARY KEY,
required TINYINT NOT NULL DEFAULT 0,
users TEXT NOT NULL,
groups TEXT NOT NULL,
updated_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_auth_users (
sub VARCHAR(190) PRIMARY KEY,
username VARCHAR(190),
email VARCHAR(190),
name VARCHAR(190),
groups TEXT NOT NULL,
last_login_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
)"
);
$pdo->exec(
"CREATE TABLE IF NOT EXISTS nexus_settings (
`key` VARCHAR(190) PRIMARY KEY,

124
src/App/ModuleManager.php
View File

@@ -248,6 +248,7 @@ final class ModuleManager
continue;
}
$manifestAuth = is_array($data['auth'] ?? null) ? $data['auth'] : ['required' => false, 'users' => [], 'groups' => []];
$module = [
'name' => $name,
'slug' => $name,
@@ -261,7 +262,7 @@ final class ModuleManager
'metadata_db_defaults' => $data['metadata_db_defaults'] ?? [],
'path' => $dir,
'entry' => '/module/' . rawurlencode($name),
'auth' => is_array($data['auth'] ?? null) ? $data['auth'] : ['required' => false, 'users' => [], 'groups' => []],
'auth' => $this->loadAuth($name, $manifestAuth),
'enabled_by_default' => (bool)($data['enabled_by_default'] ?? false),
'enabled' => false,
];
@@ -314,28 +315,121 @@ final class ModuleManager
throw new \RuntimeException('Module not found.');
}
$manifest = $module['path'] . '/module.json';
$raw = is_file($manifest) ? file_get_contents($manifest) : '';
$data = $raw ? json_decode($raw, true) : [];
if (!is_array($data)) {
$data = [];
}
$data['auth'] = [
$authConfig = [
'required' => (bool) ($auth['required'] ?? false),
'users' => $this->normalizeList($auth['users'] ?? []),
'groups' => $this->normalizeList($auth['groups'] ?? []),
];
$json = json_encode($data, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
if (!is_string($json)) {
throw new \RuntimeException('Could not encode module metadata.');
if ($this->basePdo) {
$usersJson = json_encode($authConfig['users'], JSON_UNESCAPED_UNICODE);
$groupsJson = json_encode($authConfig['groups'], JSON_UNESCAPED_UNICODE);
if (!is_string($usersJson) || !is_string($groupsJson)) {
throw new \RuntimeException('Could not encode module auth.');
}
$stmt = $this->basePdo->prepare(
"INSERT INTO nexus_module_auth (name, required, users, groups, updated_at)
VALUES (:name, :required, :users, :groups, CURRENT_TIMESTAMP)
ON CONFLICT(name) DO UPDATE SET
required = excluded.required,
users = excluded.users,
groups = excluded.groups,
updated_at = CURRENT_TIMESTAMP"
);
$stmt->execute([
'name' => $name,
'required' => $authConfig['required'] ? 1 : 0,
'users' => $usersJson,
'groups' => $groupsJson,
]);
$this->modules[$name]['auth'] = $authConfig;
return $authConfig;
}
file_put_contents($manifest, $json . PHP_EOL, LOCK_EX);
$this->scanModules();
$this->modules[$name]['auth'] = $authConfig;
return $authConfig;
}
return $data['auth'];
public function knownAuthUsers(): array
{
if (!$this->basePdo) {
return [];
}
$stmt = $this->basePdo->query(
"SELECT sub, username, email, name, groups, last_login_at
FROM nexus_auth_users
ORDER BY COALESCE(NULLIF(name, ''), NULLIF(username, ''), email, sub)"
);
$users = [];
foreach ($stmt->fetchAll(\PDO::FETCH_ASSOC) as $row) {
$groups = json_decode((string)($row['groups'] ?? '[]'), true);
$row['groups'] = is_array($groups) ? array_values(array_filter(array_map('strval', $groups))) : [];
$users[] = $row;
}
return $users;
}
public function knownAuthGroups(): array
{
$groups = [];
foreach ($this->knownAuthUsers() as $user) {
foreach (($user['groups'] ?? []) as $group) {
$group = trim((string)$group);
if ($group !== '') {
$groups[] = $group;
}
}
}
foreach ($this->modules as $module) {
$auth = is_array($module['auth'] ?? null) ? $module['auth'] : [];
foreach (($auth['groups'] ?? []) as $group) {
$group = trim((string)$group);
if ($group !== '') {
$groups[] = $group;
}
}
}
sort($groups, SORT_NATURAL | SORT_FLAG_CASE);
return array_values(array_unique($groups));
}
private function loadAuth(string $name, array $fallback): array
{
$auth = [
'required' => (bool)($fallback['required'] ?? false),
'users' => $this->normalizeList($fallback['users'] ?? []),
'groups' => $this->normalizeList($fallback['groups'] ?? []),
];
if (!$this->basePdo) {
return $auth;
}
$stmt = $this->basePdo->prepare(
"SELECT required, users, groups
FROM nexus_module_auth
WHERE name = :name
LIMIT 1"
);
$stmt->execute(['name' => $name]);
$row = $stmt->fetch(\PDO::FETCH_ASSOC);
if ($row === false) {
return $auth;
}
$users = json_decode((string)($row['users'] ?? '[]'), true);
$groups = json_decode((string)($row['groups'] ?? '[]'), true);
return [
'required' => (bool)($row['required'] ?? false),
'users' => $this->normalizeList(is_array($users) ? $users : []),
'groups' => $this->normalizeList(is_array($groups) ? $groups : []),
];
}
private function normalizeList(mixed $values): array