refactor(oidc): drop OidcRoleSyncConfig passthrough and use Mv.Config directly
This commit is contained in:
parent
c4a695329c
commit
924dbd3bb8
4 changed files with 5 additions and 84 deletions
@ -34,7 +34,7 @@
|
|||
|
||||
- `OIDC_ADMIN_GROUP_NAME` – OIDC group name that maps to the Admin role. If unset, no role sync.
|
||||
- `OIDC_GROUPS_CLAIM` – JWT claim name for group list (default "groups").
|
||||
- Module: Mv.OidcRoleSyncConfig (oidc_admin_group_name/0, oidc_groups_claim/0).
|
||||
- Module: Mv.Config (oidc_admin_group_name/0, oidc_groups_claim/0).
|
||||
|
||||
### Sign-in page (OIDC-only mode)
@ -4,7 +4,7 @@ defmodule Mv.OidcRoleSync do
|
|||
|
||||
Used after OIDC registration (register_with_oidc) and on sign-in so that
|
||||
users in the configured admin group get the Admin role; others get Mitglied.
|
||||
Configure via OIDC_ADMIN_GROUP_NAME and OIDC_GROUPS_CLAIM (see OidcRoleSyncConfig).
|
||||
Configure via OIDC_ADMIN_GROUP_NAME and OIDC_GROUPS_CLAIM (see Mv.Config).
|
||||
|
||||
Groups are read from user_info (ID token claims) first; if missing or empty,
|
||||
the access_token from oauth_tokens is decoded as JWT and the groups claim is
|
||||
|
|
@ -23,7 +23,7 @@ defmodule Mv.OidcRoleSync do
|
|||
"""
|
||||
alias Mv.Accounts.User
|
||||
alias Mv.Authorization.Role
|
||||
alias Mv.OidcRoleSyncConfig
|
||||
alias Mv.Config
|
||||
|
||||
@doc """
|
||||
Applies Admin or Mitglied role to the user based on OIDC groups claim.
|
||||
|
|
@ -38,12 +38,12 @@ defmodule Mv.OidcRoleSync do
|
|||
@spec apply_admin_role_from_user_info(User.t(), map(), map() | nil) :: :ok
|
||||
def apply_admin_role_from_user_info(user, user_info, oauth_tokens \\ nil)
|
||||
when is_map(user_info) do
|
||||
admin_group = OidcRoleSyncConfig.oidc_admin_group_name()
|
||||
admin_group = Config.oidc_admin_group_name()
|
||||
|
||||
if is_nil(admin_group) or admin_group == "" do
|
||||
:ok
|
||||
else
|
||||
claim = OidcRoleSyncConfig.oidc_groups_claim()
|
||||
claim = Config.oidc_groups_claim()
|
||||
groups = groups_from_user_info(user_info, claim)
|
||||
|
||||
groups =
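Review bot: `admin_group = Config.oidc_admin_group_name()` and `claim = Config.oidc_groups_claim()` now rely directly on Mv.Config's nil-when-unset and default-"groups" behaviour, and the only tests in this commit that pinned those values (OidcRoleSyncConfigTest) are deleted with no replacement visible in the diff. Both defaults are security-sensitive: a nil or empty admin group silently disables role sync through the `:ok` branch, and the claim name alone decides which users are granted the Admin role, so a regression in either would go unnoticed. I would keep equivalent assertions against `Mv.Config.oidc_admin_group_name/0` (nil when OIDC_ADMIN_GROUP_NAME is unset, the configured value when set) and `Mv.Config.oidc_groups_claim/0` (default `"groups"`) unless Mv.Config already has them, which is not visible here. The body of apply_admin_role_from_user_info continues past the end of this hunk.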
@ -1,20 +0,0 @@
|
|||
defmodule Mv.OidcRoleSyncConfig do
|
||||
@moduledoc """
|
||||
Runtime configuration for OIDC group → role sync (e.g. admin group → Admin role).
|
||||
|
||||
Reads from Mv.Config (ENV first, then Settings):
|
||||
- `oidc_admin_group_name/0` – OIDC group name that maps to Admin role (optional; when nil, no sync).
|
||||
- `oidc_groups_claim/0` – JWT/user_info claim name for groups (default: `"groups"`).
|
||||
|
||||
Set via ENV: OIDC_ADMIN_GROUP_NAME, OIDC_GROUPS_CLAIM; or via Settings (Basic settings → OIDC).
|
||||
"""
|
||||
@doc "Returns the OIDC group name that maps to Admin role, or nil if not configured."
|
||||
def oidc_admin_group_name do
|
||||
Mv.Config.oidc_admin_group_name()
|
||||
end
|
||||
|
||||
@doc "Returns the JWT/user_info claim name for groups; defaults to \"groups\"."
|
||||
def oidc_groups_claim do
|
||||
Mv.Config.oidc_groups_claim()
|
||||
end
|
||||
end
@ -1,59 +0,0 @@
|
|||
defmodule Mv.OidcRoleSyncConfigTest do
|
||||
@moduledoc """
|
||||
Tests for OIDC role sync configuration (OIDC_ADMIN_GROUP_NAME, OIDC_GROUPS_CLAIM).
|
||||
Reads via Mv.Config (ENV first, then Settings).
|
||||
"""
|
||||
use Mv.DataCase, async: false
|
||||
|
||||
alias Mv.OidcRoleSyncConfig
|
||||
|
||||
describe "oidc_admin_group_name/0" do
|
||||
test "returns nil when OIDC_ADMIN_GROUP_NAME is not configured" do
|
||||
restore = clear_env("OIDC_ADMIN_GROUP_NAME")
|
||||
on_exit(restore)
|
||||
|
||||
assert OidcRoleSyncConfig.oidc_admin_group_name() == nil
|
||||
end
|
||||
|
||||
test "returns configured admin group name when set via ENV" do
|
||||
restore = set_env("OIDC_ADMIN_GROUP_NAME", "mila-admin")
|
||||
on_exit(restore)
|
||||
|
||||
assert OidcRoleSyncConfig.oidc_admin_group_name() == "mila-admin"
|
||||
end
|
||||
end
|
||||
|
||||
describe "oidc_groups_claim/0" do
|
||||
test "returns default \"groups\" when OIDC_GROUPS_CLAIM is not configured" do
|
||||
restore = clear_env("OIDC_GROUPS_CLAIM")
|
||||
on_exit(restore)
|
||||
|
||||
assert OidcRoleSyncConfig.oidc_groups_claim() == "groups"
|
||||
end
|
||||
|
||||
test "returns configured claim name when OIDC_GROUPS_CLAIM is set via ENV" do
|
||||
restore = set_env("OIDC_GROUPS_CLAIM", "ak_groups")
|
||||
on_exit(restore)
|
||||
|
||||
assert OidcRoleSyncConfig.oidc_groups_claim() == "ak_groups"
|
||||
end
|
||||
end
|
||||
|
||||
defp set_env(key, value) do
|
||||
previous = System.get_env(key)
|
||||
System.put_env(key, value)
|
||||
|
||||
fn ->
|
||||
if previous, do: System.put_env(key, previous), else: System.delete_env(key)
|
||||
end
|
||||
end
|
||||
|
||||
defp clear_env(key) do
|
||||
previous = System.get_env(key)
|
||||
System.delete_env(key)
|
||||
|
||||
fn ->
|
||||
if previous, do: System.put_env(key, previous)
|
||||
end
|
||||
end
|
||||
end