Merge #402 Add OIDC_REQUIRED_SCOPE and fix the test_auth.py to use Authorization header.

2026-05-03 19:23:58 +08:00 · 2017-03-07 09:31:05 +00:00
parent 1104a3ae10 b11ea14358
commit ab59a1eac6
4 changed files with 141 additions and 26 deletions
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
@@ -108,11 +108,14 @@ def get_user(request):
    if not data or not "active" in data or not data["active"]:
        raise Unauthorized("OIDC token invalid or expired.")

+    if not "OIDC_REQUIRED_SCOPE" in app.config:
+        raise Unauthorized("OIDC_REQUIRED_SCOPE must be set in server config.")
+
    presented_scopes = data['scope'].split(' ')
    required_scopes = [
        'openid',
        'https://id.fedoraproject.org/scope/groups',
-        'https://mbs.fedoraproject.org/oidc/submit-build',
+        app.config["OIDC_REQUIRED_SCOPE"],
    ]
    for scope in required_scopes:
        if scope not in presented_scopes: