
django: Add keycloak realm roles in user permissions set
Closed, Public

Authored by anlambert on Apr 22 2021, 6:20 PM.

Details

Summary

Keycloak also allows defining user roles at realm level to define
permissions at a global level not tied to a client.

Include these extra roles in the user permissions set from the
decoded token content.

As a consequence, some parameters of the keycloak_oidc_factory
function got renamed; this will break swh-deposit and swh-web tests, but
I will push diffs to fix that (D5579, D5580).

Related to T3213
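
The mapping the summary describes, as an added example that is not code from this revision or from swh-auth: it builds a permission set from an already verified and decoded Keycloak access token, taking realm roles from the `realm_access` claim and client roles from the `resource_access` claim. The helper names, the client ids and the role names are hypothetical, and the sample token is constructed.

```python
from typing import Any, Dict, Set

# Constructed sample of a decoded Keycloak access token (signature already verified).
SAMPLE_DECODED_TOKEN: Dict[str, Any] = {
    "preferred_username": "johndoe",
    "realm_access": {"roles": ["example.realm.role"]},
    "resource_access": {
        "example-client": {"roles": ["example.client.role"]},
        "other-client": {"roles": ["other.client.role"]},
    },
}


def _as_dict(value: Any) -> Dict[str, Any]:
    # A missing or malformed claim is treated as empty rather than raising mid-login.
    return value if isinstance(value, dict) else {}


def _string_roles(roles: Any) -> Set[str]:
    # Keep only non-empty string role names; anything else grants nothing.
    if not isinstance(roles, list):
        return set()
    return {role for role in roles if isinstance(role, str) and role}


def permissions_from_token(decoded_token: Dict[str, Any], client_id: str) -> Set[str]:
    """Return the permission set one client should derive from a decoded token."""
    permissions: Set[str] = set()

    # Realm roles are global: they apply whichever client the token is used with.
    realm_access = _as_dict(decoded_token.get("realm_access"))
    permissions |= _string_roles(realm_access.get("roles"))

    # Client roles: read only the entry for our own client id, so roles granted
    # for other clients in the same token never widen this permission set.
    resource_access = _as_dict(decoded_token.get("resource_access"))
    client_access = _as_dict(resource_access.get(client_id))
    permissions |= _string_roles(client_access.get("roles"))

    return permissions


if __name__ == "__main__":
    print(sorted(permissions_from_token(SAMPLE_DECODED_TOKEN, "example-client")))
```

Because realm roles reach every client in the realm, a role granted at that level should be reviewed as a global permission rather than as an application-local one.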

Diff Detail

Repository
rDAUTH Common authentication libraries
Branch
realm-roles-support
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 20939
Build 32496: Phabricator diff pipeline on jenkins
Build 32495: arc lint + arc unit

Event Timeline

Build is green

Patch application report for D5578 (id=19934)

Rebasing onto 6266fa2c15...

Current branch diff-target is up to date.
Changes applied before test
commit bb90bd23c924deb9e87b354a22982f050edfd09d
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Thu Apr 22 18:15:29 2021 +0200

    django: Add keycloak realm roles in user permissions set
    
    Keycloak also allows defining user roles at realm level to define
    permissions at a global level not tied to a client.
    
    Include these extra roles in the user permissions set from the
    decoded token content.
    
    Related to T3213

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/78/ for more details.

This revision is now accepted and ready to land. Apr 22 2021, 6:37 PM