api: properly compute authorization based on ccchh role

2026-05-14 16:41:16 +02:00 · 2026-05-14 16:41:16 +02:00 · bf0c085739
commit bf0c085739
parent 188002b3f3
3 changed files with 10 additions and 8 deletions
--- a/api/src/dooris_api/init.py
+++ b/api/src/dooris_api/init.py
@ -19,7 +19,7 @@ def main():
    )
    argp.add_argument(
        "--openid-scope",
-        default=os.environ.get("DOORIS_OPENID_SCOPE", "openid profile"),
+        default=os.environ.get("DOORIS_OPENID_SCOPE", "openid profile ccchh-roles"),
        help="The Keycloak OpenID isser to use for authentication",
    )
    argp.add_argument(
--- a/api/src/dooris_api/app.py
+++ b/api/src/dooris_api/app.py
@ -71,6 +71,7 @@ async def get_user_info(
            current_user.id_token.exp, UTC
        ),
        username=current_user.id_token.preferred_username,
+        ccchh_roles=current_user.ccchh_roles,
    )


@ -117,7 +118,7 @@ async def login_init(
    response_class=RedirectResponse,
    status_code=302,
 )
-async def login_callback(req: Request, resp: Response, oidc_client: deps.OpenidClient):
+async def login_callback(req: Request, resp: Response, oidc_client: deps.OpenidClient) -> str:
    # check that the user is currently in an authenticating state
    # these cookies are set by the login_init() view
    if (
@ -167,7 +168,7 @@ async def login_callback(req: Request, resp: Response, oidc_client: deps.OpenidC
 )
 async def logout(
    resp: Response, oidc_client: deps.OpenidClient, current_user: deps.CurrentUser
-):
+) -> str:
    deps.clear_auth_state(resp)
    return oidc_client.initiate_logout(
        RpInitiatedLogoutRequest(
@ -253,7 +254,7 @@ async def operate_lock(
 ) -> None:
    if not current_user.may_operate_locks:
        raise exceptions.HttpProblemException.forbidden_to_operate(req.url)
-    # TODO: Validate that the user is authorized
+
    # find appropriate lock from ccujack
    for i_lock, lock_channels in ccujack.locks:
        if i_lock.identifier == lock_id:
--- a/api/src/dooris_api/models.py
+++ b/api/src/dooris_api/models.py
@ -33,17 +33,18 @@ class CurrentUser(BaseModel):

    @property
    def ccchh_roles(self) -> List[str]:
-        return []
+        return getattr(self.id_token, "ccchh-roles", [])

    @property
    def may_operate_locks(self) -> bool:
-        return True
+        return "intern@" in self.ccchh_roles


 class UserStatus(BaseModel):
    is_authorized: bool
-    guaranteed_session_until: Optional[datetime]
-    username: Optional[str]
+    guaranteed_session_until: datetime
+    username: str
+    ccchh_roles: List[str]


 class LockStatus(BaseModel):