openid: Check for role when authenticating

hosts/architect/openid.nix

@@ -1,16 +1,19 @@
+{ lib }:
+
 {
-  openresty_oidc_block = { realm, client_id, client_secret, redirect_uri }: ''
+  openresty_oidc_block =
-    access_by_lua_block {
+    { realm, client_id, client_secret, redirect_uri, access_role ? "" }: ''
-      local opts = {
+      access_by_lua_block {
-        redirect_uri_path = "/redirect_uri",
+        local opts = {
-        accept_none_alg = true,
+          discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
-        discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
+          client_id = "${client_id}",
-        client_id = "${client_id}",
+          client_secret = "${client_secret}",
-        client_secret = "${client_secret}",
+          logout_path = "/logout",
-        logout_path = "/logout",
+          redirect_after_logout_uri = "/",
-        redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}",
+          redirect_uri = "/redirect_uri",
-        redirect_after_logout_with_id_token_hint = false,
+          keepalive = "yes",
-    }
+          accept_none_alg = true
+      }
 
       -- call introspect for OAuth 2.0 Bearer Access Token validation
       local res, err = require("resty.openidc").authenticate(opts)
@@ -20,6 +23,15 @@
         ngx.say(err)
         ngx.exit(ngx.HTTP_FORBIDDEN)
       end
-    }
+
-  '';
+      ${lib.optionalString (access_role != "") ''
+        if not check_role(res, "${access_role}") then
+          ngx.status = 401
+          ngx.header.content_type = 'text/html';
+          ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
+          ngx.exit(ngx.HTTP_UNAUTHORIZED)
+        end
+      ''}
+      }
+    '';
 }