Add support for additional ID token claim checks for OAuth 2 authentication. #6736

2025-02-25 18:55:31 -06:00 · 2023-09-05 07:58:18 +02:00
parent e5c249e81c
commit 02eaf787e9
4 changed files with 136 additions and 0 deletions
--- a/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
+++ b/web/pgadmin/browser/tests/test_oauth2_with_mocking.py
@@ -33,6 +33,11 @@ class Oauth2LoginMockTestCase(BaseTestGenerator):
            oauth2_provider='github',
            flag=2
        )),
+        ('Oauth2 Authentication', dict(
+            auth_source=['oauth2'],
+            oauth2_provider='auth-with-additional-claim-check',
+            flag=3
+        )),
    ]

    @classmethod
@@ -61,6 +66,25 @@ class Oauth2LoginMockTestCase(BaseTestGenerator):
                'OAUTH2_SCOPE': 'email profile',
                'OAUTH2_ICON': 'fa-github',
                'OAUTH2_BUTTON_COLOR': '#3253a8',
+            },
+            {
+                'OAUTH2_NAME': 'auth-with-additional-claim-check',
+                'OAUTH2_DISPLAY_NAME': 'Additional Authorization',
+                'OAUTH2_CLIENT_ID': 'testclientid',
+                'OAUTH2_CLIENT_SECRET': 'testclientsec',
+                'OAUTH2_TOKEN_URL':
+                    'https://dummy.com/123/oauth2/v2.0/token',
+                'OAUTH2_AUTHORIZATION_URL':
+                    'https://dummy.com/123/oauth2/v2.0/authorize',
+                'OAUTH2_API_BASE_URL': 'https://graph.dummy.com/v1.0/',
+                'OAUTH2_USERINFO_ENDPOINT': 'me',
+                'OAUTH2_SCOPE': 'openid email profile',
+                'OAUTH2_ICON': 'briefcase',
+                'OAUTH2_BUTTON_COLOR': '#0000ff',
+                'OAUTH2_ADDITIONAL_CLAIMS': {
+                    'groups': ['123','456'],
+                    'wids': ['789']
+                }
            }
        ]

@@ -75,6 +99,8 @@ class Oauth2LoginMockTestCase(BaseTestGenerator):
            self.test_external_authentication()
        elif self.flag == 2:
            self.test_oauth2_authentication()
+        elif self.flag == 3:
+            self.test_oauth2_authentication_with_additional_claims_success()

    def test_external_authentication(self):
        """
@@ -127,6 +153,44 @@ class Oauth2LoginMockTestCase(BaseTestGenerator):
        respdata = 'Gravatar image for %s' % profile['email']
        self.assertTrue(respdata in res.data.decode('utf8'))

+    def test_oauth2_authentication_with_additional_claims_success(self):
+        """
+        Ensure that when an oauth2 config has a dict OAUTH2_ADDITIONAL_CLAIMS,
+        any match of the OAUTH2_ADDITIONAL_CLAIMS dict will allow user login.
+        """
+
+        profile = self.mock_user_profile_with_additional_claims()
+
+        # Mock Oauth2 Authenticate
+        AuthSourceRegistry._registry[OAUTH2].authenticate = MagicMock(
+            return_value=[True, ''])
+
+        AuthSourceManager.update_auth_sources = MagicMock()
+
+        # Create AuthSourceManager object
+        auth_obj = AuthSourceManager({}, [OAUTH2])
+        auth_source = AuthSourceRegistry.get(OAUTH2)
+        auth_obj.set_source(auth_source)
+        auth_obj.set_current_source(auth_source.get_source_name())
+
+        # Check the login with Oauth2
+        res = self.tester.login(email=None, password=None,
+                                _follow_redirects=True,
+                                headers=None,
+                                extra_form_data=dict(
+                                    oauth2_button=self.oauth2_provider)
+                                )
+
+        respdata = 'Gravatar image for %s' % profile['email']
+        self.assertTrue(respdata in res.data.decode('utf8'))
+
+    def mock_user_profile_with_additional_claims(self):
+        profile = {'email': 'oauth2@gmail.com', 'wids': ['789']}
+
+        AuthSourceRegistry._registry[OAUTH2].get_user_profile = MagicMock(
+            return_value=profile)
+        return profile
+
    def mock_user_profile(self):
        profile = {'email': 'oauth2@gmail.com'}