From 06ad22a6590975d3da1f1e1756a07873fe0d6d50 Mon Sep 17 00:00:00 2001
From: Kristi Nikolla
Date: Wed, 3 Nov 2021 12:02:06 -0400
Subject: [PATCH] [mokey_oidc plugin] Handle groups claim as list

The groups claim can be sent over as a list. The mokey_oidc plugin is unable to deal with that, as it assumes the input for groups is always a string. Only call split if the claim is a string.

---
 coldfront/plugins/mokey_oidc/auth.py | 22 ++++++++++++++--------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/coldfront/plugins/mokey_oidc/auth.py b/coldfront/plugins/mokey_oidc/auth.py
index 716297c56..354e6e817 100644
--- a/coldfront/plugins/mokey_oidc/auth.py
+++ b/coldfront/plugins/mokey_oidc/auth.py
@@ -24,6 +24,13 @@ def _sync_groups(self, user, groups):
 user.userprofile.is_pi = is_pi
+ def _parse_groups_from_claims(self, claims):
+ groups = claims.get('groups', []) or []
+ if isinstance(groups, str):
+ groups = groups.split(';')
+
+ return groups
+
 def create_user(self, claims):
 email = claims.get('email')
 username = claims.get('uid')
@@ -39,8 +46,8 @@ def create_user(self, claims):
 user.first_name = claims.get('first', '')
 user.last_name = claims.get('last', '')
- groups = claims.get('groups', '')
- self._sync_groups(user, groups.split(';'))
+ groups = self._parse_groups_from_claims(claims)
+ self._sync_groups(user, groups)
 user.save()
@@ -55,8 +62,8 @@ def update_user(self, user, claims):
 else:
 logger.warn("Failed to update email. Could not find email for user %s in mokey oidc id_token claims: %s", username, claims)
- groups = claims.get('groups', '')
- self._sync_groups(user, groups.split(';'))
+ groups = self._parse_groups_from_claims(claims)
+ self._sync_groups(user, groups)
 user.save()
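Review bot: `_parse_groups_from_claims` passes through any `groups` value that is neither a string nor falsy, so a claim of an unexpected JSON type (a number, an object) reaches the `g in groups` membership tests in `verify_claims` and either raises `TypeError` or tests object keys rather than group names; the helper should normalise to a list and treat anything else as "no groups", which is the fail-closed outcome once `ALLOWED_GROUPS` is configured. The method also has no docstring and does not use `self`, so it could be a `@staticmethod`. Hunks 2 and 3 and the `verify_claims` hunk all route through this helper, so one fix here covers every call site; the enclosing class starts outside the hunk, and `logger` is the module-level logger already used in `update_user`.

```python
    def _parse_groups_from_claims(self, claims):
        """Return the ``groups`` claim as a list of group names.

        The claim arrives either as a ';'-separated string or as a JSON
        list; any other type is logged and treated as "no groups".
        """
        groups = claims.get('groups', []) or []
        if isinstance(groups, str):
            return groups.split(';')
        if not isinstance(groups, (list, tuple)):
            logger.warning("Ignoring groups claim of unexpected type %s", type(groups).__name__)
            return []
        return list(groups)
```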
@@ -78,17 +85,16 @@ def verify_claims(self, claims):
 if len(ALLOWED_GROUPS) == 0 and len(DENY_GROUPS) == 0:
 return verified and True
- groups = claims.get('groups', '')
- group_list = groups.split(';')
+ groups = self._parse_groups_from_claims(claims)
 if len(ALLOWED_GROUPS) > 0:
 for g in ALLOWED_GROUPS:
- if g not in group_list:
+ if g not in groups:
 return False
 if len(DENY_GROUPS) > 0:
 for g in DENY_GROUPS:
- if g in group_list:
+ if g in groups:
 return False
 return verified and True
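Review bot: The `ALLOWED_GROUPS` loop denies unless the user belongs to every allowed group, not to any of them, and now that `groups` may be either a split string or a raw list from the token that intent deserves a comment right after the new assignment, e.g. `# A user must be in all of ALLOWED_GROUPS and in none of DENY_GROUPS.`. Since `groups` is only used for membership tests, `groups = set(self._parse_groups_from_claims(claims))` makes that explicit and the `len(...) > 0` guards become redundant, as an empty collection already makes each `for` a no-op. `verified` is computed before the hunk begins, so the start of `verify_claims` is outside this view.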