oidc: Add support for requiring groups

2024-12-04 02:26:26 +00:00 · 2023-07-02 07:54:37 +02:00 · 2023-07-02 07:54:37 +02:00 · a880481cc7
commit a880481cc7
parent 9b8cf8f34a
2 changed files with 18 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,4 @@
+.idea
 __pycache__
 .venv
 *.egg-info
--- a/pdot_common/oidc/init.py
+++ b/pdot_common/oidc/init.py
@ -1,4 +1,4 @@
-from dataclasses import dataclass
+from dataclasses import dataclass, field

 import httpx

@ -9,6 +9,7 @@ from fastapi.responses import JSONResponse
@dataclass
 class OIDCConfig:
    userinfo_endpoint: str
+    required_groups: list[str] = field(default_factory=list)


 def add_oidc_middleware(app: FastAPI, config: OIDCConfig):
@ -65,6 +66,21 @@ def add_oidc_middleware(app: FastAPI, config: OIDCConfig):
                    content={"detail": "Invalid token"},
                )

+            if config.required_groups:
+                if not userinfo.get("groups"):
+                    return JSONResponse(
+                        status_code=401,
+                        content={"detail": "User does not have any groups"},
+                    )
+
+                if not any(
+                    group in userinfo["groups"] for group in config.required_groups
+                ):
+                    return JSONResponse(
+                        status_code=401,
+                        content={"detail": "User does not have required groups"},
+                    )
+
            request.state.userinfo = userinfo

        return await call_next(request)