[mokey_oidc plugin] Handle groups claim as list

The groups claim can be sent over as a list. The mokey_oidc plugin is unable to deal with that, as it assumes the input for groups is always a string. Only call split if the claim is a string.
ubccr · Nov 3, 2021 · 06ad22a · 06ad22a
1 parent 580a7df
commit 06ad22a
Showing 1 changed file with 14 additions and 8 deletions.
diff --git a/coldfront/plugins/mokey_oidc/auth.py b/coldfront/plugins/mokey_oidc/auth.py
@@ -24,6 +24,13 @@ def _sync_groups(self, user, groups):
 
         user.userprofile.is_pi = is_pi
 
+    def _parse_groups_from_claims(self, claims):
+        groups = claims.get('groups', []) or []
+        if isinstance(groups, str):
+            groups = groups.split(';')
+
+        return groups
+
     def create_user(self, claims):
         email = claims.get('email')
         username = claims.get('uid')
@@ -39,8 +46,8 @@ def create_user(self, claims):
         user.first_name = claims.get('first', '')
         user.last_name = claims.get('last', '')
 
-        groups = claims.get('groups', '')
-        self._sync_groups(user, groups.split(';'))
+        groups = self._parse_groups_from_claims(claims)
+        self._sync_groups(user, groups)
 
         user.save()
 
@@ -55,8 +62,8 @@ def update_user(self, user, claims):
         else:
             logger.warn("Failed to update email. Could not find email for user %s in mokey oidc id_token claims: %s", username, claims)
 
-        groups = claims.get('groups', '')
-        self._sync_groups(user, groups.split(';'))
+        groups = self._parse_groups_from_claims(claims)
+        self._sync_groups(user, groups)
 
         user.save()
 
@@ -78,17 +85,16 @@ def verify_claims(self, claims):
         if len(ALLOWED_GROUPS) == 0 and len(DENY_GROUPS) == 0:
             return verified and True
 
-        groups = claims.get('groups', '')
-        group_list = groups.split(';')
+        groups = self._parse_groups_from_claims(claims)
 
         if len(ALLOWED_GROUPS) > 0:
             for g in ALLOWED_GROUPS:
-                if g not in group_list:
+                if g not in groups:
                     return False
 
         if len(DENY_GROUPS) > 0:
             for g in DENY_GROUPS:
-                if g in group_list:
+                if g in groups:
                     return False
 
         return verified and True