From 11bc33477b84c71fb6ea85e32543eed5b79a304f Mon Sep 17 00:00:00 2001 From: Pinmarva Date: Tue, 21 Nov 2023 16:37:10 +0100 Subject: [PATCH 1/2] Fix role mapping in oauth2 authentication --- lemur/auth/views.py | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/lemur/auth/views.py b/lemur/auth/views.py index 27c9ca6a9b..7d3d5c8890 100644 --- a/lemur/auth/views.py +++ b/lemur/auth/views.py @@ -129,15 +129,16 @@ def validate_id_token(id_token, client_id, jwks_url): # validate your token based on the key it was signed with try: - jwt.decode( + id_token_decoded = jwt.decode( id_token, secret.decode("utf-8"), algorithms=[algo], audience=client_id ) + return id_token_decoded, None except jwt.DecodeError: - return dict(message="Token is invalid"), 401 + return None, dict(message="Token is invalid"), 401 except jwt.ExpiredSignatureError: - return dict(message="Token has expired"), 401 + return None, dict(message="Token has expired"), 401 except jwt.InvalidTokenError: - return dict(message="Token is invalid"), 401 + return None, dict(message="Token is invalid"), 401 def retrieve_user(user_api_url, access_token): @@ -152,7 +153,9 @@ def retrieve_user(user_api_url, access_token): headers = {} - if current_app.config.get("PING_INCLUDE_BEARER_TOKEN"): + if current_app.config.get("PING_INCLUDE_BEARER_TOKEN") and "ping" in current_app.config.get("PING_INCLUDE_BEARER_TOKEN"): + headers = {"Authorization": f"Bearer {access_token}"} + else: headers = {"Authorization": f"Bearer {access_token}"} # retrieve information about the current user. @@ -221,7 +224,7 @@ def create_user_roles(profile: dict) -> list[str]: # If the IDP_GROUPS_TO_ROLES is empty or not set, nothing happens. idp_group_to_role_map = current_app.config.get("IDP_ROLES_MAPPING", {}) matched_roles = [ - idp_group_to_role_map[role] for role in profile.get(idp_groups_key, []) if role in idp_group_to_role_map + role_service.get_by_name(idp_group_to_role_map[role]) for role in profile.get(idp_groups_key, []) if role in idp_group_to_role_map ] roles.extend(matched_roles) @@ -536,7 +539,7 @@ def post(self): ) jwks_url = current_app.config.get("PING_JWKS_URL") - error_code = validate_id_token(id_token, args["clientId"], jwks_url) + id_token_decoded, error_code = validate_id_token(id_token, args["clientId"], jwks_url) if error_code: return error_code @@ -602,12 +605,12 @@ def post(self): ) jwks_url = current_app.config.get("OAUTH2_JWKS_URL") - error_code = validate_id_token(id_token, args["clientId"], jwks_url) + id_token_decoded, error_code = validate_id_token(id_token, args["clientId"], jwks_url) if error_code: return error_code user, profile = retrieve_user(user_api_url, access_token) - roles = create_user_roles(profile) + roles = create_user_roles(id_token_decoded) user = update_user(user, profile, roles) if not user.active: From 99b183d6ccb58fff709148721585269b221f1a4a Mon Sep 17 00:00:00 2001 From: Pinmarva Date: Wed, 22 Nov 2023 09:29:29 +0100 Subject: [PATCH 2/2] Fix variable --- lemur/auth/views.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lemur/auth/views.py b/lemur/auth/views.py index 7d3d5c8890..64c4266cbd 100644 --- a/lemur/auth/views.py +++ b/lemur/auth/views.py @@ -153,7 +153,7 @@ def retrieve_user(user_api_url, access_token): headers = {} - if current_app.config.get("PING_INCLUDE_BEARER_TOKEN") and "ping" in current_app.config.get("PING_INCLUDE_BEARER_TOKEN"): + if current_app.config.get("PING_INCLUDE_BEARER_TOKEN") and "ping" in current_app.config.get("ACTIVE_PROVIDERS"): headers = {"Authorization": f"Bearer {access_token}"} else: headers = {"Authorization": f"Bearer {access_token}"}