Merge #338 Add and handle OIDC scope for MBS permissions.

2026-02-12 17:44:59 +08:00 · 2017-02-20 13:42:18 +00:00
parent 52ace7f671 ef14008927
commit ffd3fe460d
2 changed files with 12 additions and 2 deletions
--- a/contrib/submit_build.py
+++ b/contrib/submit_build.py
@@ -78,9 +78,8 @@ if not token:
        'nonce': random.randint(100, 10000),
        'scope': ' '.join([
            'openid',
-            'profile',
-            'email',
            'https://id.fedoraproject.org/scope/groups',
+            'https://mbs.fedoraproject.org/oidc/submit-build',
        ]),
        'client_id': 'mbs-authorizer',
    }) + "&redirect_uri=http://localhost:13747/"
--- a/module_build_service/auth.py
+++ b/module_build_service/auth.py
@@ -102,6 +102,17 @@ def get_user(request):
    if not "active" in data or not data["active"]:
        raise Unauthorized("OIDC token invalid or expired.")

+    presented_scopes = data['scope'].split(' ')
+    required_scopes = [
+        'openid',
+        'https://id.fedoraproject.org/scope/groups',
+        'https://mbs.fedoraproject.org/oidc/submit-build',
+    ]
+    for scope in required_scopes:
+        if scope not in presented_scopes:
+            raise Unauthorized("Required OIDC scope %r not present: %r" % (
+                scope, presented_scopes))
+
    try:
        extended_data = _get_user_info(token)
    except Exception as e: