member/member-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): accept keycloak group path variants for admin guard

Browse Source
This commit is contained in:
Chris
2026-04-03 00:24:32 +08:00
parent 0db04f9afc
commit fd55d90a44
1 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
app/security/admin_guard.py
View File

@@ -5,16 +5,31 @@ from app.schemas.auth import KeycloakPrincipal
from app.security.idp_jwt import require_authenticated_principal from app.security.idp_jwt import require_authenticated_principal
def _expand_group_aliases(groups: set[str]) -> set[str]:
expanded: set[str] = set()
for group in groups:
value = group.strip().lower()
if not value:
continue
expanded.add(value)
stripped = value.lstrip("/")
if stripped:
expanded.add(stripped)
if "/" in stripped:
expanded.add(stripped.rsplit("/", 1)[-1])
return expanded
def require_admin_principal( def require_admin_principal(
principal: KeycloakPrincipal = Depends(require_authenticated_principal), principal: KeycloakPrincipal = Depends(require_authenticated_principal),
) -> KeycloakPrincipal: ) -> KeycloakPrincipal:
settings = get_settings() settings = get_settings()
required_groups = {group.lower() for group in settings.admin_required_groups} required_groups = _expand_group_aliases(set(settings.admin_required_groups))
if not required_groups: if not required_groups:
raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="admin_policy_not_configured") raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="admin_policy_not_configured")
principal_groups = {group.lower() for group in principal.groups} principal_groups = _expand_group_aliases(set(principal.groups))
group_ok = bool(required_groups.intersection(principal_groups)) group_ok = bool(required_groups.intersection(principal_groups))
if not group_ok: if not group_ok: