refactor(oidc): drop OidcRoleSyncConfig passthrough and use Mv.Config directly
This commit is contained in:
parent
418c07efc8
commit
7d712f6ce2
4 changed files with 5 additions and 84 deletions
|
|
@ -34,7 +34,7 @@
|
||||||
|
|
||||||
- `OIDC_ADMIN_GROUP_NAME` – OIDC group name that maps to the Admin role. If unset, no role sync.
|
- `OIDC_ADMIN_GROUP_NAME` – OIDC group name that maps to the Admin role. If unset, no role sync.
|
||||||
- `OIDC_GROUPS_CLAIM` – JWT claim name for group list (default "groups").
|
- `OIDC_GROUPS_CLAIM` – JWT claim name for group list (default "groups").
|
||||||
- Module: Mv.OidcRoleSyncConfig (oidc_admin_group_name/0, oidc_groups_claim/0).
|
- Module: Mv.Config (oidc_admin_group_name/0, oidc_groups_claim/0).
|
||||||
|
|
||||||
### Sign-in page (OIDC-only mode)
|
### Sign-in page (OIDC-only mode)
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,7 @@ defmodule Mv.OidcRoleSync do
|
||||||
|
|
||||||
Used after OIDC registration (register_with_oidc) and on sign-in so that
|
Used after OIDC registration (register_with_oidc) and on sign-in so that
|
||||||
users in the configured admin group get the Admin role; others get Mitglied.
|
users in the configured admin group get the Admin role; others get Mitglied.
|
||||||
Configure via OIDC_ADMIN_GROUP_NAME and OIDC_GROUPS_CLAIM (see OidcRoleSyncConfig).
|
Configure via OIDC_ADMIN_GROUP_NAME and OIDC_GROUPS_CLAIM (see Mv.Config).
|
||||||
|
|
||||||
Groups are read from user_info (ID token claims) first; if missing or empty,
|
Groups are read from user_info (ID token claims) first; if missing or empty,
|
||||||
the access_token from oauth_tokens is decoded as JWT and the groups claim is
|
the access_token from oauth_tokens is decoded as JWT and the groups claim is
|
||||||
|
|
@ -23,7 +23,7 @@ defmodule Mv.OidcRoleSync do
|
||||||
"""
|
"""
|
||||||
alias Mv.Accounts.User
|
alias Mv.Accounts.User
|
||||||
alias Mv.Authorization.Role
|
alias Mv.Authorization.Role
|
||||||
alias Mv.OidcRoleSyncConfig
|
alias Mv.Config
|
||||||
|
|
||||||
@doc """
|
@doc """
|
||||||
Applies Admin or Mitglied role to the user based on OIDC groups claim.
|
Applies Admin or Mitglied role to the user based on OIDC groups claim.
|
||||||
|
|
@ -38,12 +38,12 @@ defmodule Mv.OidcRoleSync do
|
||||||
@spec apply_admin_role_from_user_info(User.t(), map(), map() | nil) :: :ok
|
@spec apply_admin_role_from_user_info(User.t(), map(), map() | nil) :: :ok
|
||||||
def apply_admin_role_from_user_info(user, user_info, oauth_tokens \\ nil)
|
def apply_admin_role_from_user_info(user, user_info, oauth_tokens \\ nil)
|
||||||
when is_map(user_info) do
|
when is_map(user_info) do
|
||||||
admin_group = OidcRoleSyncConfig.oidc_admin_group_name()
|
admin_group = Config.oidc_admin_group_name()
|
||||||
|
|
||||||
if is_nil(admin_group) or admin_group == "" do
|
if is_nil(admin_group) or admin_group == "" do
|
||||||
:ok
|
:ok
|
||||||
else
|
else
|
||||||
claim = OidcRoleSyncConfig.oidc_groups_claim()
|
claim = Config.oidc_groups_claim()
|
||||||
groups = groups_from_user_info(user_info, claim)
|
groups = groups_from_user_info(user_info, claim)
|
||||||
|
|
||||||
groups =
|
groups =
|
||||||
|
|
|
||||||
|
|
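Review bot: The ENV-first lookup that `admin_group = Config.oidc_admin_group_name()` and `claim = Config.oidc_groups_claim()` now depend on (nil when unset, `"groups"` as the claim default) loses its only visible coverage, because this commit deletes Mv.OidcRoleSyncConfigTest without adding an equivalent test for Mv.Config; unless such tests already exist outside this diff, the two `describe` blocks should be moved over with the alias changed rather than dropped. Since Admin assignment hinges on that value, a regression in the lookup would silently disable role sync, which the `is_nil(admin_group) or admin_group == ""` branch reports as `:ok`. The module doc still states that, when user_info has no groups, the access_token from oauth_tokens is decoded as a JWT to read the groups claim; that code lies past the end of this hunk, so it is worth confirming there that the claim is only trusted from a token whose signature has been verified. `apply_admin_role_from_user_info/3` continues beyond the hunk.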
@ -1,20 +0,0 @@
|
||||||
defmodule Mv.OidcRoleSyncConfig do
|
|
||||||
@moduledoc """
|
|
||||||
Runtime configuration for OIDC group → role sync (e.g. admin group → Admin role).
|
|
||||||
|
|
||||||
Reads from Mv.Config (ENV first, then Settings):
|
|
||||||
- `oidc_admin_group_name/0` – OIDC group name that maps to Admin role (optional; when nil, no sync).
|
|
||||||
- `oidc_groups_claim/0` – JWT/user_info claim name for groups (default: `"groups"`).
|
|
||||||
|
|
||||||
Set via ENV: OIDC_ADMIN_GROUP_NAME, OIDC_GROUPS_CLAIM; or via Settings (Basic settings → OIDC).
|
|
||||||
"""
|
|
||||||
@doc "Returns the OIDC group name that maps to Admin role, or nil if not configured."
|
|
||||||
def oidc_admin_group_name do
|
|
||||||
Mv.Config.oidc_admin_group_name()
|
|
||||||
end
|
|
||||||
|
|
||||||
@doc "Returns the JWT/user_info claim name for groups; defaults to \"groups\"."
|
|
||||||
def oidc_groups_claim do
|
|
||||||
Mv.Config.oidc_groups_claim()
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
@ -1,59 +0,0 @@
|
||||||
defmodule Mv.OidcRoleSyncConfigTest do
|
|
||||||
@moduledoc """
|
|
||||||
Tests for OIDC role sync configuration (OIDC_ADMIN_GROUP_NAME, OIDC_GROUPS_CLAIM).
|
|
||||||
Reads via Mv.Config (ENV first, then Settings).
|
|
||||||
"""
|
|
||||||
use Mv.DataCase, async: false
|
|
||||||
|
|
||||||
alias Mv.OidcRoleSyncConfig
|
|
||||||
|
|
||||||
describe "oidc_admin_group_name/0" do
|
|
||||||
test "returns nil when OIDC_ADMIN_GROUP_NAME is not configured" do
|
|
||||||
restore = clear_env("OIDC_ADMIN_GROUP_NAME")
|
|
||||||
on_exit(restore)
|
|
||||||
|
|
||||||
assert OidcRoleSyncConfig.oidc_admin_group_name() == nil
|
|
||||||
end
|
|
||||||
|
|
||||||
test "returns configured admin group name when set via ENV" do
|
|
||||||
restore = set_env("OIDC_ADMIN_GROUP_NAME", "mila-admin")
|
|
||||||
on_exit(restore)
|
|
||||||
|
|
||||||
assert OidcRoleSyncConfig.oidc_admin_group_name() == "mila-admin"
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
describe "oidc_groups_claim/0" do
|
|
||||||
test "returns default \"groups\" when OIDC_GROUPS_CLAIM is not configured" do
|
|
||||||
restore = clear_env("OIDC_GROUPS_CLAIM")
|
|
||||||
on_exit(restore)
|
|
||||||
|
|
||||||
assert OidcRoleSyncConfig.oidc_groups_claim() == "groups"
|
|
||||||
end
|
|
||||||
|
|
||||||
test "returns configured claim name when OIDC_GROUPS_CLAIM is set via ENV" do
|
|
||||||
restore = set_env("OIDC_GROUPS_CLAIM", "ak_groups")
|
|
||||||
on_exit(restore)
|
|
||||||
|
|
||||||
assert OidcRoleSyncConfig.oidc_groups_claim() == "ak_groups"
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
defp set_env(key, value) do
|
|
||||||
previous = System.get_env(key)
|
|
||||||
System.put_env(key, value)
|
|
||||||
|
|
||||||
fn ->
|
|
||||||
if previous, do: System.put_env(key, previous), else: System.delete_env(key)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
|
|
||||||
defp clear_env(key) do
|
|
||||||
previous = System.get_env(key)
|
|
||||||
System.delete_env(key)
|
|
||||||
|
|
||||||
fn ->
|
|
||||||
if previous, do: System.put_env(key, previous)
|
|
||||||
end
|
|
||||||
end
|
|
||||||
end
|
|
||||||