Oauth: Assign role from GF_USERS_AUTO_ASSIGN_ORG_ROLE for Azure AD Oauth (#34838)

* 30555:Assign correct role with environment variable GF_USERS_AUTO_ASSIGN_ORG_ROLE * 30555:Remove unused condition
2024-11-25 18:30:41 -06:00 · 2021-05-28 16:14:30 +02:00 · 2021-05-28 16:14:30 +02:00 · 48f6d6f7e6
commit 48f6d6f7e6
parent ad6648b649
2 changed files with 35 additions and 8 deletions
--- a/pkg/login/social/azuread_oauth.go
+++ b/pkg/login/social/azuread_oauth.go
@ -7,6 +7,7 @@ import (
 	"strings"

 	"github.com/grafana/grafana/pkg/models"
+	"github.com/grafana/grafana/pkg/setting"
 	"github.com/grafana/grafana/pkg/util/errutil"

 	"golang.org/x/oauth2"
@ -97,7 +98,7 @@ func extractEmail(claims azureClaims) string {

 func extractRole(claims azureClaims) models.RoleType {
 	if len(claims.Roles) == 0 {
-		return models.ROLE_VIEWER
+		return models.RoleType(setting.AutoAssignOrgRole)
 	}

 	roleOrder := []models.RoleType{
--- a/pkg/login/social/azuread_oauth_test.go
+++ b/pkg/login/social/azuread_oauth_test.go
@ -6,6 +6,7 @@ import (
 	"testing"
 	"time"

+	"github.com/grafana/grafana/pkg/setting"
 	"golang.org/x/oauth2"
 	"gopkg.in/square/go-jose.v2"
 	"gopkg.in/square/go-jose.v2/jwt"
@ -21,12 +22,13 @@ func TestSocialAzureAD_UserInfo(t *testing.T) {
 	}

 	tests := []struct {
-		name    string
-		fields  fields
-		claims  *azureClaims
-		args    args
-		want    *BasicUserInfo
-		wantErr bool
+		name                     string
+		fields                   fields
+		claims                   *azureClaims
+		args                     args
+		settingAutoAssignOrgRole string
+		want                     *BasicUserInfo
+		wantErr                  bool
 	}{
 		{
 			name: "Email in email claim",
@ -37,6 +39,7 @@ func TestSocialAzureAD_UserInfo(t *testing.T) {
 				Name:              "My Name",
 				ID:                "1234",
 			},
+			settingAutoAssignOrgRole: "Viewer",
 			want: &BasicUserInfo{
 				Id:      "1234",
 				Name:    "My Name",
@ -74,6 +77,7 @@ func TestSocialAzureAD_UserInfo(t *testing.T) {
 				Name:              "My Name",
 				ID:                "1234",
 			},
+			settingAutoAssignOrgRole: "Viewer",
 			want: &BasicUserInfo{
 				Id:      "1234",
 				Name:    "My Name",
@ -141,7 +145,26 @@ func TestSocialAzureAD_UserInfo(t *testing.T) {
 				Groups:  []string{},
 			},
 		},
-
+		{
+			name: "role from env variable",
+			claims: &azureClaims{
+				Email:             "me@example.com",
+				PreferredUsername: "",
+				Roles:             []string{},
+				Name:              "My Name",
+				ID:                "1234",
+			},
+			settingAutoAssignOrgRole: "Editor",
+			want: &BasicUserInfo{
+				Id:      "1234",
+				Name:    "My Name",
+				Email:   "me@example.com",
+				Login:   "me@example.com",
+				Company: "",
+				Role:    "Editor",
+				Groups:  []string{},
+			},
+		},
 		{
 			name: "Editor role",
 			claims: &azureClaims{
@ -209,6 +232,7 @@ func TestSocialAzureAD_UserInfo(t *testing.T) {
 				Name:              "My Name",
 				ID:                "1234",
 			},
+			settingAutoAssignOrgRole: "Viewer",
 			want: &BasicUserInfo{
 				Id:      "1234",
 				Name:    "My Name",
@ -258,6 +282,8 @@ func TestSocialAzureAD_UserInfo(t *testing.T) {
 				token = token.WithExtra(map[string]interface{}{"id_token": raw})
 			}

+			setting.AutoAssignOrgRole = tt.settingAutoAssignOrgRole
+
 			got, err := s.UserInfo(tt.args.client, token)
 			if (err != nil) != tt.wantErr {
 				t.Errorf("UserInfo() error = %v, wantErr %v", err, tt.wantErr)