diff --git a/docs/admin-bootstrap-and-oidc-role-sync.md b/docs/admin-bootstrap-and-oidc-role-sync.md
index ee78069..de34d47 100644
--- a/docs/admin-bootstrap-and-oidc-role-sync.md
+++ b/docs/admin-bootstrap-and-oidc-role-sync.md
@@ -34,7 +34,7 @@
 
 - `OIDC_ADMIN_GROUP_NAME` – OIDC group name that maps to the Admin role. If unset, no role sync.
 - `OIDC_GROUPS_CLAIM` – JWT claim name for group list (default "groups").
-- Module: Mv.OidcRoleSyncConfig (oidc_admin_group_name/0, oidc_groups_claim/0).
+- Module: Mv.Config (oidc_admin_group_name/0, oidc_groups_claim/0).
 
 ### Sign-in page (OIDC-only mode)
 
diff --git a/lib/mv/oidc_role_sync.ex b/lib/mv/oidc_role_sync.ex
index 0f6467c..7461a32 100644
--- a/lib/mv/oidc_role_sync.ex
+++ b/lib/mv/oidc_role_sync.ex
@@ -4,7 +4,7 @@ defmodule Mv.OidcRoleSync do
   Used after OIDC registration (register_with_oidc) and on sign-in so that
   users in the configured admin group get the Admin role; others get Mitglied.
 
-  Configure via OIDC_ADMIN_GROUP_NAME and OIDC_GROUPS_CLAIM (see OidcRoleSyncConfig).
+  Configure via OIDC_ADMIN_GROUP_NAME and OIDC_GROUPS_CLAIM (see Mv.Config).
 
   Groups are read from user_info (ID token claims) first; if missing or empty, the
   access_token from oauth_tokens is decoded as JWT and the groups claim is
@@ -23,7 +23,7 @@ defmodule Mv.OidcRoleSync do
   """
   alias Mv.Accounts.User
   alias Mv.Authorization.Role
-  alias Mv.OidcRoleSyncConfig
+  alias Mv.Config
 
   @doc """
   Applies Admin or Mitglied role to the user based on OIDC groups claim.
@@ -38,12 +38,12 @@ defmodule Mv.OidcRoleSync do
   @spec apply_admin_role_from_user_info(User.t(), map(), map() | nil) :: :ok
   def apply_admin_role_from_user_info(user, user_info, oauth_tokens \\ nil)
       when is_map(user_info) do
-    admin_group = OidcRoleSyncConfig.oidc_admin_group_name()
+    admin_group = Config.oidc_admin_group_name()
 
     if is_nil(admin_group) or admin_group == "" do
       :ok
     else
-      claim = OidcRoleSyncConfig.oidc_groups_claim()
+      claim = Config.oidc_groups_claim()
       groups = groups_from_user_info(user_info, claim)
 
       groups =
diff --git a/lib/mv/oidc_role_sync_config.ex b/lib/mv/oidc_role_sync_config.ex
deleted file mode 100644
index bbb5770..0000000
--- a/lib/mv/oidc_role_sync_config.ex
+++ /dev/null
@@ -1,20 +0,0 @@
-defmodule Mv.OidcRoleSyncConfig do
-  @moduledoc """
-  Runtime configuration for OIDC group → role sync (e.g. admin group → Admin role).
-
-  Reads from Mv.Config (ENV first, then Settings):
-  - `oidc_admin_group_name/0` – OIDC group name that maps to Admin role (optional; when nil, no sync).
-  - `oidc_groups_claim/0` – JWT/user_info claim name for groups (default: `"groups"`).
-
-  Set via ENV: OIDC_ADMIN_GROUP_NAME, OIDC_GROUPS_CLAIM; or via Settings (Basic settings → OIDC).
-  """
-  @doc "Returns the OIDC group name that maps to Admin role, or nil if not configured."
-  def oidc_admin_group_name do
-    Mv.Config.oidc_admin_group_name()
-  end
-
-  @doc "Returns the JWT/user_info claim name for groups; defaults to \"groups\"."
-  def oidc_groups_claim do
-    Mv.Config.oidc_groups_claim()
-  end
-end
diff --git a/test/mv/oidc_role_sync_config_test.exs b/test/mv/oidc_role_sync_config_test.exs
deleted file mode 100644
index 4b77378..0000000
--- a/test/mv/oidc_role_sync_config_test.exs
+++ /dev/null
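Review bot: Deleting test/mv/oidc_role_sync_config_test.exs removes the only visible tests of the nil default for `oidc_admin_group_name/0` and the `"groups"` default for `oidc_groups_claim/0`, while this hunk still relies on exactly those values to decide whether role sync runs at all (`if is_nil(admin_group) or admin_group == ""`) and which claim is read. Unless Mv.Config already has equivalent coverage, port the four ENV cases (unset → nil / "groups", set → configured value) to a Mv.Config test instead of dropping them, since an unintended default here changes who is granted the Admin role. The deleted accessors were thin delegates to Mv.Config, so the existing assertions can be kept as-is with the alias swapped. apply_admin_role_from_user_info/3 continues past the end of this hunk.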
@@ -1,59 +0,0 @@
-defmodule Mv.OidcRoleSyncConfigTest do
-  @moduledoc """
-  Tests for OIDC role sync configuration (OIDC_ADMIN_GROUP_NAME, OIDC_GROUPS_CLAIM).
-  Reads via Mv.Config (ENV first, then Settings).
-  """
-  use Mv.DataCase, async: false
-
-  alias Mv.OidcRoleSyncConfig
-
-  describe "oidc_admin_group_name/0" do
-    test "returns nil when OIDC_ADMIN_GROUP_NAME is not configured" do
-      restore = clear_env("OIDC_ADMIN_GROUP_NAME")
-      on_exit(restore)
-
-      assert OidcRoleSyncConfig.oidc_admin_group_name() == nil
-    end
-
-    test "returns configured admin group name when set via ENV" do
-      restore = set_env("OIDC_ADMIN_GROUP_NAME", "mila-admin")
-      on_exit(restore)
-
-      assert OidcRoleSyncConfig.oidc_admin_group_name() == "mila-admin"
-    end
-  end
-
-  describe "oidc_groups_claim/0" do
-    test "returns default \"groups\" when OIDC_GROUPS_CLAIM is not configured" do
-      restore = clear_env("OIDC_GROUPS_CLAIM")
-      on_exit(restore)
-
-      assert OidcRoleSyncConfig.oidc_groups_claim() == "groups"
-    end
-
-    test "returns configured claim name when OIDC_GROUPS_CLAIM is set via ENV" do
-      restore = set_env("OIDC_GROUPS_CLAIM", "ak_groups")
-      on_exit(restore)
-
-      assert OidcRoleSyncConfig.oidc_groups_claim() == "ak_groups"
-    end
-  end
-
-  defp set_env(key, value) do
-    previous = System.get_env(key)
-    System.put_env(key, value)
-
-    fn ->
-      if previous, do: System.put_env(key, previous), else: System.delete_env(key)
-    end
-  end
-
-  defp clear_env(key) do
-    previous = System.get_env(key)
-    System.delete_env(key)
-
-    fn ->
-      if previous, do: System.put_env(key, previous)
-    end
-  end
-end