import { ActivatedRouteSnapshot, Router, RouterStateSnapshot, UrlTree } from "@angular/router";
import { Inject, Injectable } from "@angular/core";
import { Location } from "@angular/common";
import { Observable, of } from "rxjs";
import { concatMap } from "rxjs/operators";
import { MsalBroadcastService, MsalGuardConfiguration, MsalService, MSAL_GUARD_CONFIG } from "@azure/msal-angular";
import { AccountInfo } from "@azure/msal-browser";
import { BaseGuard } from "./base.guard";
import { checkGroupsInStorage, getGroupsFromStorage } from "./utils/storage-utils";
/**
 * `AccountInfo` augmented with the optional ID-token claims this guard inspects.
 *
 * - `groups`: group object ids the signed-in account belongs to, when the issuer embedded them.
 * - `_claim_names.groups`: treated by `GroupGuard` as the indicator that the group list was
 *   left out of the token ("too many group memberships") and must be fetched separately.
 * - `_claim_sources`: declared for completeness; it is not read anywhere in this file.
 */
type AccountWithGroupClaims = AccountInfo & {
  idTokenClaims?: {
    groups?: string[],
    _claim_names?: {
      groups?: string | string[]
    },
    _claim_sources?: {
      src1?: {
        // Location the full group list can be retrieved from — presumably a Graph URL; not used here
        endpoint: string | string[]
      }
    }
  }
}
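@Injectable()
export class GroupGuard extends BaseGuard {
  constructor(
    @Inject(MSAL_GUARD_CONFIG) protected override msalGuardConfig: MsalGuardConfiguration,
    protected override msalBroadcastService: MsalBroadcastService,
    protected override authService: MsalService,
    protected override location: Location,
    protected override router: Router,
  ) {
    super(msalGuardConfig, msalBroadcastService, authService, location, router);
  }

  /**
   * Extends the base (sign-in) guard with a group-membership check.
   *
   * The route's `data['requiredGroups']` lists group object ids; the route activates when
   * the signed-in account is a member of at least one of them, as evidenced either by the
   * `groups` claim of its ID token or by a non-expired cached entry
   * (`checkGroupsInStorage` / `getGroupsFromStorage`).
   *
   * Route guards run in the browser and only shape navigation; any API the guarded route
   * calls must verify group membership on the access token it receives.
   *
   * @param state  Router state for the attempted navigation (forwarded to the base guard).
   * @param route  Route being activated; its `data['requiredGroups']` is read here.
   * @returns `true` to activate, `false` to block, or a `UrlTree` to redirect (for example
   *          to `/overage` when the issuer omitted the groups claim because of its size).
   */
  override activateHelper(state?: RouterStateSnapshot, route?: ActivatedRouteSnapshot): Observable<boolean | UrlTree> {
    const signInResult = super.activateHelper(state, route);
    // A route that declares no `requiredGroups` yields an empty list, which denies access below.
    const requiredGroups: string[] = route?.data['requiredGroups'] ?? [];

    return signInResult.pipe(
      concatMap((signedIn) => {
        // Honor the base guard's verdict: a `false` (sign-in pending or failed) or a redirect
        // `UrlTree` must not be overridden by the group check that follows.
        if (signedIn !== true) {
          return of(signedIn);
        }

        const activeAccount = this.resolveAccount();
        // Without any account the membership check cannot be satisfied; fail closed instead of
        // dereferencing `null` on the `_claim_names` lookup below.
        if (!activeAccount) {
          return of(false);
        }

        const tokenGroups = activeAccount.idTokenClaims?.groups;
        // The claim may be absent because the account has no groups, or because the list was
        // too large to embed and the token carries `_claim_names` instead (the overage case).
        // A non-expired storage entry also satisfies the lookup.
        if (!tokenGroups && !checkGroupsInStorage(activeAccount)) {
          if (activeAccount.idTokenClaims?._claim_names?.groups) {
            window.alert('You have too many group memberships. The application will now query Microsoft Graph to check if you are a member of any of the groups required.');
            return this.router.navigate(['/overage']);
          }
          window.alert('Token does not have groups claim. Please ensure that your account is assigned to a security group and then sign-out and sign-in again.');
          return of(false);
        }

        const hasRequiredGroup = requiredGroups.some(
          (group: string) => tokenGroups?.includes(group) || getGroupsFromStorage(activeAccount)?.includes(group),
        );
        if (!hasRequiredGroup) {
          window.alert('You do not have access. Please ensure that your account is assigned to the required security group and then sign-out and sign-in again.');
        }
        return of(hasRequiredGroup);
      }),
    );
  }

  /** Active account, falling back to the first cached account; `null` when none is signed in. */
  private resolveAccount(): AccountWithGroupClaims | null {
    const active = this.authService.instance.getActiveAccount() as AccountWithGroupClaims | null;
    if (active) {
      return active;
    }
    const [first] = this.authService.instance.getAllAccounts();
    return (first as AccountWithGroupClaims | undefined) ?? null;
  }
}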