From a66568b58d14aae925425b1717216dbcd0f45e5b Mon Sep 17 00:00:00 2001
From: ftsell
Date: Mon, 13 Nov 2023 15:13:27 +0100
Subject: [PATCH] implement synchronization of mafiasi admin status via oidc

---
 src/.env.dev | 1 +
 .../links/user_mapping.py | 20 +++++++++++++++++++
 src/mafiasi_link_shortener/settings.py | 6 ++++--
 3 files changed, 25 insertions(+), 2 deletions(-)
 create mode 100644 src/mafiasi_link_shortener/links/user_mapping.py

diff --git a/src/.env.dev b/src/.env.dev
index 1f95855..6852dc2 100644
--- a/src/.env.dev
+++ b/src/.env.dev
@@ -4,3 +4,4 @@ SHORTLINK_ALLOWED_HOSTS=localhost,127.0.0.1,::1
 SHORTLINK_DB=sqlite://./db.sqlite3
 SHORTLINK_OPENID_CLIENT_ID=dev-client-confidential
 SHORTLINK_OPENID_CLIENT_SECRET=B18WWl7b6c8UJ0LpQGdhd3FwVjeWco84
+SHORTLINK_OPENID_ADMIN_GROUPS=.*
diff --git a/src/mafiasi_link_shortener/links/user_mapping.py b/src/mafiasi_link_shortener/links/user_mapping.py
new file mode 100644
index 0000000..f21ee2c
--- /dev/null
+++ b/src/mafiasi_link_shortener/links/user_mapping.py
@@ -0,0 +1,20 @@
+from django.conf import settings
+from simple_openid_connect.integrations.django.user_mapping import (
+ FederatedUserData,
+ UserMapper,
+)
+
+from mafiasi_link_shortener.links import models
+
+
+class MafiasiUserMapper(UserMapper):
+ def automap_user_attrs(
+ self, user: models.MafiasiUser, user_data: FederatedUserData
+ ) -> None:
+ super().automap_user_attrs(user, user_data)
+
+ if hasattr(user_data, "groups"):
+ for group in user_data.groups:
+ if settings.OPENID_ADMIN_GROUPS.fullmatch(group) is not None:
+ user.is_superuser = True
+ user.is_staff = True
diff --git a/src/mafiasi_link_shortener/settings.py b/src/mafiasi_link_shortener/settings.py
index 77d0417..1aa8a47 100644
--- a/src/mafiasi_link_shortener/settings.py
+++ b/src/mafiasi_link_shortener/settings.py
@@ -9,7 +9,7 @@
 For the full list of settings and their values, see
 https://docs.djangoproject.com/en/3.1/ref/settings/
 """
-
+import re
 from pathlib import Path
 
 import sentry_sdk
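Review bot: `SHORTLINK_OPENID_ADMIN_GROUPS=.*` is a full-match regex that matches every group name, so with this dev configuration any OIDC user carrying at least one group claim is promoted to Django superuser on login. That is presumably intended for local testing, but nothing in the file says so, and `.env.dev` is the obvious template to copy for other environments. I would add `# dev only: every group grants superuser; set a specific group name (full-match regex) anywhere else` above the new line.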
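Review bot: `automap_user_attrs` only ever writes `True` into `is_superuser` and `is_staff`, so a user whose matching group is removed at the identity provider keeps superuser rights on every later login, and the same holds when the `groups` claim is absent because the `hasattr` guard skips the block entirely; for a "synchronization" the flag has to be written in both directions. The rewrite below derives one boolean from the claim and assigns it to both fields, treating a missing or empty claim as "no groups", which demotes rather than keeps — the safe direction, but it matters if the provider omits the claim for users who simply have no groups, so that should be confirmed against the IdP. Whether the base mapper persists `user` after this hook returns is not visible in the hunk and should be checked too. The method also deserves a docstring stating that `OPENID_ADMIN_GROUPS` is applied with `fullmatch` to each raw group name.

```python
        # … unchanged: signature of automap_user_attrs …
        """Copy standard attributes, then derive admin status from the groups claim."""
        super().automap_user_attrs(user, user_data)

        # Write the flag in both directions so removal from the admin group is
        # honoured on the next login; a missing claim counts as "no groups".
        groups = getattr(user_data, "groups", None) or ()
        is_admin = any(
            settings.OPENID_ADMIN_GROUPS.fullmatch(group) is not None
            for group in groups
        )
        user.is_superuser = is_admin
        user.is_staff = is_admin
```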
@@ -138,9 +138,11 @@
 OPENID_ISSUER = env.str(
 "SHORTLINK_OPENID_ISSUER", default="https://identity.mafiasi.de/realms/mafiasi"
 )
-OPENID_SCOPE = "openid shortlinks"
+OPENID_SCOPE = "openid groups shortlinks"
 OPENID_CLIENT_ID = env.str("SHORTLINK_OPENID_CLIENT_ID")
 OPENID_CLIENT_SECRET = env.str("SHORTLINK_OPENID_CLIENT_SECRET")
+OPENID_USER_MAPPER = "mafiasi_link_shortener.links.user_mapping.MafiasiUserMapper"
+OPENID_ADMIN_GROUPS = re.compile(env.str("SHORTLINK_OPENID_ADMIN_GROUPS"))
 
 # rest framework
 REST_FRAMEWORK = {
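Review bot: `OPENID_ADMIN_GROUPS` is an operator-supplied regular expression that decides who becomes superuser, and nothing at this line says how it is applied, so a value like `admin` quietly fails to match a group named `admins` or `/admin` while `.*` (the value shipped in `.env.dev`) matches everything. I would add a comment above the line: `# Full-match regex over raw OIDC group names; any match grants Django superuser + staff. No default on purpose so a deployment without it fails at startup rather than open.` — the fail-at-startup part assumes `env.str` without a default raises, which is consistent with the neighbouring `OPENID_CLIENT_ID` line but not visible here. The added `groups` scope only has an effect if the provider is configured to release that claim to this client; a `re.error` from a malformed pattern will surface at import with no hint which setting caused it, so wrapping it with a message naming `SHORTLINK_OPENID_ADMIN_GROUPS` would help operators.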