Switch access control from groups to realm roles

2026-04-03 03:03:43 +08:00
parent daa21e81a9
commit fc81696abf
10 changed files with 60 additions and 24 deletions
--- a/backend/app/security/admin_guard.py
+++ b/backend/app/security/admin_guard.py
@@ -5,33 +5,27 @@ from app.schemas.auth import ProviderPrincipal
 from app.security.idp_jwt import require_authenticated_principal


-def _expand_group_aliases(groups: set[str]) -> set[str]:
-    expanded: set[str] = set()
-    for group in groups:
-        value = group.strip().lower()
-        if not value:
-            continue
-        expanded.add(value)
-        stripped = value.lstrip("/")
-        if stripped:
-            expanded.add(stripped)
-            if "/" in stripped:
-                expanded.add(stripped.rsplit("/", 1)[-1])
-    return expanded
+def _normalize_roles(values: set[str]) -> set[str]:
+    normalized: set[str] = set()
+    for value in values:
+        role = value.strip().lower()
+        if role:
+            normalized.add(role)
+    return normalized


 def require_admin_principal(
    principal: ProviderPrincipal = Depends(require_authenticated_principal),
 ) -> ProviderPrincipal:
    settings = get_settings()
-    required_groups = _expand_group_aliases(set(settings.admin_required_groups))
+    required_roles = _normalize_roles(set(settings.admin_required_realm_roles))

-    if not required_groups:
+    if not required_roles:
        raise HTTPException(status_code=status.HTTP_503_SERVICE_UNAVAILABLE, detail="admin_policy_not_configured")

-    principal_groups = _expand_group_aliases(set(principal.groups))
-    group_ok = bool(required_groups.intersection(principal_groups))
+    principal_roles = _normalize_roles(set(principal.realm_roles))
+    role_ok = bool(required_roles.intersection(principal_roles))

-    if not group_ok:
+    if not role_ok:
        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="admin_forbidden")
    return principal