use command separated list for envs (#2157)

* use command separated list for envs w/ burnettk * mention new variable is comman separated w/ burnettk * fixes for scopes w/ burnettk --------- Co-authored-by: jasquat <[email protected]>
sartography · Nov 25, 2024 · 4c01492 · 4c01492
1 parent 4cbe586
commit 4c01492
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 1 deletion.
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/__init__.py
@@ -109,6 +109,25 @@ def _check_extension_api_configs(app: Flask) -> None:
         )
 
 
+def _set_up_open_id_scopes(app: Flask) -> None:
+    scopes = app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES"].split(",")
+    if os.environ.get("SPIFFWORKFLOW_BACKEND_OPENID_SCOPE") is not None:
+        app.logger.warning(
+            "SPIFFWORKFLOW_BACKEND_OPENID_SCOPE is deprecated. "
+            "Please use SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES instead which expects a comma separated list like: profile,email"
+        )
+        if os.environ.get("SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES") is None:
+            scopes = app.config["SPIFFWORKFLOW_BACKEND_OPENID_SCOPE"].split(" ")
+    if (
+        os.environ.get("SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES") is None
+        and app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS"]
+        and "groups" not in scopes
+    ):
+        scopes.append("groups")
+
+    app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES"] = scopes
+
+
 # see the message in the ConfigurationError below for why we are checking this.
 # we really do not want this to raise when there is not a problem, so there are lots of return statements littered throughout.
 def _check_for_incompatible_frontend_and_backend_urls(app: Flask) -> None:
@@ -271,3 +290,4 @@ def setup_config(app: Flask) -> None:
     _check_for_incompatible_frontend_and_backend_urls(app)
     _check_extension_api_configs(app)
     _setup_cipher(app)
+    _set_up_open_id_scopes(app)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@@ -123,6 +123,7 @@ def config_from_env(variable_name: str, *, default: str | bool | int | None = No
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_AZP", default=True)
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_LEEWAY", default=5)
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_INTERNAL_URL_IS_VALID_ISSUER", default=False)
+config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES", default="openid,profile,email")
 
 # Open ID server
 # use "http://localhost:7000/openid" for running with simple openid

diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@@ -300,7 +300,7 @@ def get_login_redirect_url(self, state: str, authentication_identifier: str, red
             + f"?state={state}&"
             + "response_type=code&"
             + f"client_id={self.client_id(authentication_identifier)}&"
-            + f"scope={current_app.config['SPIFFWORKFLOW_BACKEND_OPENID_SCOPE']}&"
+            + f"scope={' '.join(current_app.config['SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES'])}&"
             + f"redirect_uri={redirect_url_to_use}"
         )
         return login_redirect_url