use command separated list for envs (#2157)

* use command separated list for envs w/ burnettk * mention new variable is comman separated w/ burnettk * fixes for scopes w/ burnettk --------- Co-authored-by: jasquat <jasquat@users.noreply.github.com>
2025-01-27 01:40:48 +00:00 · 2024-11-25 16:57:58 -05:00 · 2024-11-25 16:57:58 -05:00 · 4c01492bc4
commit 4c01492bc4
parent 4cbe586b58
3 changed files with 22 additions and 1 deletions
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/init.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/init.py
@ -109,6 +109,25 @@ def _check_extension_api_configs(app: Flask) -> None:
        )


+def _set_up_open_id_scopes(app: Flask) -> None:
+    scopes = app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES"].split(",")
+    if os.environ.get("SPIFFWORKFLOW_BACKEND_OPENID_SCOPE") is not None:
+        app.logger.warning(
+            "SPIFFWORKFLOW_BACKEND_OPENID_SCOPE is deprecated. "
+            "Please use SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES instead which expects a comma separated list like: profile,email"
+        )
+        if os.environ.get("SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES") is None:
+            scopes = app.config["SPIFFWORKFLOW_BACKEND_OPENID_SCOPE"].split(" ")
+    if (
+        os.environ.get("SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES") is None
+        and app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_IS_AUTHORITY_FOR_USER_GROUPS"]
+        and "groups" not in scopes
+    ):
+        scopes.append("groups")
+
+    app.config["SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES"] = scopes
+
+
 # see the message in the ConfigurationError below for why we are checking this.
 # we really do not want this to raise when there is not a problem, so there are lots of return statements littered throughout.
 def _check_for_incompatible_frontend_and_backend_urls(app: Flask) -> None:
@ -271,3 +290,4 @@ def setup_config(app: Flask) -> None:
    _check_for_incompatible_frontend_and_backend_urls(app)
    _check_extension_api_configs(app)
    _setup_cipher(app)
+    _set_up_open_id_scopes(app)
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/default.py
@ -123,6 +123,7 @@ config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_NBF", default=True)
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_VERIFY_AZP", default=True)
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_LEEWAY", default=5)
 config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_INTERNAL_URL_IS_VALID_ISSUER", default=False)
+config_from_env("SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES", default="openid,profile,email")

 # Open ID server
 # use "http://localhost:7000/openid" for running with simple openid
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authentication_service.py
@ -300,7 +300,7 @@ class AuthenticationService:
            + f"?state={state}&"
            + "response_type=code&"
            + f"client_id={self.client_id(authentication_identifier)}&"
-            + f"scope={current_app.config['SPIFFWORKFLOW_BACKEND_OPENID_SCOPE']}&"
+            + f"scope={' '.join(current_app.config['SPIFFWORKFLOW_BACKEND_OPEN_ID_SCOPES'])}&"
            + f"redirect_uri={redirect_url_to_use}"
        )
        return login_redirect_url