From aeded938bd0ed913310212a6c591cc1567504072 Mon Sep 17 00:00:00 2001
From: Peter Bastiani
Date: Fri, 10 Feb 2023 15:30:35 +0100
Subject: [PATCH] AW-4628 Add role-based security to authguard
---
.../src/fm/services/auth-guard.service.ts | 17 +++++++++----
src/app/admin/admin-router.module.ts | 25 +++++++++++++++++++
src/app/admin/admin.component.ts | 8 ++++++
src/app/admin/admin.module.ts | 14 +++++++++++
src/app/app-routing.module.ts | 1 +
5 files changed, 60 insertions(+), 5 deletions(-)
create mode 100644 src/app/admin/admin-router.module.ts
create mode 100644 src/app/admin/admin.component.ts
create mode 100644 src/app/admin/admin.module.ts
diff --git a/projects/common/src/fm/services/auth-guard.service.ts b/projects/common/src/fm/services/auth-guard.service.ts
index a8ed09b..2e37948 100644
--- a/projects/common/src/fm/services/auth-guard.service.ts
+++ b/projects/common/src/fm/services/auth-guard.service.ts
@@ -24,26 +24,33 @@ export class AuthGuard implements CanActivate, CanLoad, CanActivateChild { canActivate(route: ActivatedRouteSnapshot, state: RouterStateSnapshot): Promise { let url: string = state.url; - return this.checkLogin(url); + return this.checkLogin(url, route); } canActivateChild(childRoute: ActivatedRouteSnapshot, state: RouterStateSnapshot): Promise { let url: string = state.url; - return this.checkLogin(url); + return this.checkLogin(url, childRoute); } canLoad(route: Route): Promise { - return this.checkLogin(route.path); + return this.checkLogin(route.path, null); } - checkLogin(url: string): Promise { + checkLogin(url: string, route: ActivatedRouteSnapshot): Promise { return new Promise((resolve) => { if (!this.oauthService.hasValidAccessToken()) { console.debug("No valid token"); this.oauthService.initCodeFlow(url); resolve(false); - } else { + } else { + const requiredRoleClaim = route.data.role; + if (!requiredRoleClaim) { resolve(true); } + const ownedClaims = this.oauthService.getIdentityClaims(); + if (!ownedClaims) { resolve(false); } + const ownedRoleClaims: string[] = ownedClaims['role']; + if (!ownedRoleClaims) { resolve(false); } + if (ownedRoleClaims.findIndex(r => r === requiredRoleClaim) <= -1) { resolve(false); } resolve(true); } }); diff --git a/src/app/admin/admin-router.module.ts b/src/app/admin/admin-router.module.ts new file mode 100644 index 0000000..b6486fe --- /dev/null +++ b/src/app/admin/admin-router.module.ts @@ -0,0 +1,25 @@ +import { NgModule } from '@angular/core'; +import { RouterModule } from '@angular/router'; +import { AuthGuard } from 'dist/common'; +import { AdminComponent } from './admin.component'; + +const routes = [ + { + path: '', + component: AdminComponent, + canActivate: [AuthGuard], + data: { + role: 'admin' + } + } +]; + +@NgModule({ + imports: [ + RouterModule.forChild(routes), + ], + exports: [ + RouterModule + ] +}) +export class AdminRouterModule { } \ No newline at end of file 
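Review bot: `canLoad` now calls `this.checkLogin(route.path, null)`, and with a valid token the new else branch evaluates `route.data.role` on that null, so the executor throws and the promise rejects instead of resolving to a boolean. The role checks that follow also call `resolve(...)` without returning, so execution falls through to `ownedClaims['role']` and `ownedRoleClaims.findIndex(...)` even after a negative result, and the outcome relies on the first `resolve` winning. Passing the required role instead of the snapshot (`route.data?.role` in `canLoad`, `canActivate` and `canActivateChild`) and resolving once with a single boolean removes both problems. The sketch below also accepts a `role` claim that arrives as a single string rather than an array, which I am assuming can happen with your identity provider; confirm before relying on it. `checkLogin` closes outside the hunk.

```typescript
canLoad(route: Route): Promise<boolean> {
  return this.checkLogin(route.path, route.data?.role);
}

checkLogin(url: string, requiredRoleClaim?: string): Promise<boolean> {
  // … unchanged: new Promise wrapper and the branch for a missing access token …
  // else branch:
  if (!requiredRoleClaim) {
    resolve(true);
    return;
  }
  const ownedClaims = this.oauthService.getIdentityClaims();
  const rawRoles: unknown = ownedClaims ? ownedClaims['role'] : undefined;
  // A single role may be delivered as a string; anything else counts as no roles.
  const ownedRoleClaims: unknown[] = Array.isArray(rawRoles) ? rawRoles : [rawRoles];
  resolve(ownedRoleClaims.includes(requiredRoleClaim));
```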
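Review bot: `import { AuthGuard } from 'dist/common';` takes the guard from a build output directory, while the role check this commit adds lives in `projects/common/src/fm/services/auth-guard.service.ts`. Unless `dist/common` is rebuilt before the app is compiled (or a tsconfig path maps that specifier to the source, which is not visible here), this route could be guarded by an older `AuthGuard` that ignores `data.role`. It can also yield a different class identity from the `AuthGuard` used in `app-routing.module.ts`, if that file imports it from another path. Importing the guard from the same entry point the rest of the app uses would avoid both.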
diff --git a/src/app/admin/admin.component.ts b/src/app/admin/admin.component.ts new file mode 100644 index 0000000..a71f765 --- /dev/null +++ b/src/app/admin/admin.component.ts @@ -0,0 +1,8 @@ +import { Component } from '@angular/core'; + +@Component({ + selector: 'app-test', + template: `

Yes! You have access to the admin component.

` +}) +export class AdminComponent { +} diff --git a/src/app/admin/admin.module.ts b/src/app/admin/admin.module.ts new file mode 100644 index 0000000..ed3f2bc --- /dev/null +++ b/src/app/admin/admin.module.ts @@ -0,0 +1,14 @@ +import { NgModule } from '@angular/core'; +import { AdminRouterModule} from './admin-router.module'; +import { AdminComponent } from './admin.component'; + +@NgModule({ + imports: [ + AdminRouterModule + ], + declarations: [ + AdminComponent + ] +}) + +export class AdminModule { } \ No newline at end of file diff --git a/src/app/app-routing.module.ts b/src/app/app-routing.module.ts index e061dc9..4f708af 100644 --- a/src/app/app-routing.module.ts +++ b/src/app/app-routing.module.ts @@ -65,6 +65,7 @@ const routes = [ }, { path: 'map', loadChildren: () => import('../../projects/common-map/src/public-api').then(m => m.AppCommonMapModule), canActivateChild: [AuthGuard],canActivate: [FullScreenGuard], }, { path: 'map3d', loadChildren: () => import('./map3d/map3d.module').then(m => m.Map3DModule), canActivateChild: [AuthGuard], canActivate: [FullScreenGuard] }, + { path: 'admin', loadChildren: () => import('./admin/admin.module').then(m => m.AdminModule), canActivateChild: [AuthGuard], canActivate: [FullScreenGuard], data: { role: 'admin' } }, { path: 'registerdevice/:deviceToken', canActivate: [FullScreenGuard],
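Review bot: Nothing in `admin.component.ts` or its module records that the `admin` role is only checked in the browser: the guard in this patch reads roles from `getIdentityClaims()`, so it decides what the UI shows, not what the backend will serve. A comment on the class such as `// Reached only via AuthGuard with data.role === 'admin'; this is a client-side check, so every admin API call must be authorized server-side from the access token.` would keep later additions from treating the route guard as the authorization boundary. The selector `'app-test'` also looks left over from a template; `'app-admin'` would match the class name.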