Implement OIDC groups mapping

Author: manuel-sommer

dojo/pipeline.py

@@ -7,6 +7,7 @@
 from django.conf import settings
 from social_core.backends.azuread_tenant import AzureADTenantOAuth2
 from social_core.backends.google import GoogleOAuth2
+from social_core.backends.open_id_connect import OpenIdConnectAuth
 
 from dojo.authorization.roles_permissions import Permissions, Roles
 from dojo.models import Dojo_Group, Dojo_Group_Member, Product, Product_Member, Product_Type, Role
@@ -106,6 +107,31 @@ def update_azure_groups(backend, uid, user=None, social=None, *args, **kwargs):
             cleanup_old_groups_for_user(user, group_names)
 
 
+def update_oidc_groups(backend, uid, user=None, social=None, *args, **kwargs):
+    if settings.OIDC_AUTH_ENABLED and settings.DD_SOCIAL_AUTH_OIDC_GET_GROUPS and isinstance(backend, OpenIdConnectAuth):
+        response = kwargs.get("response", {})
+        group_names = response.get("groups", [])
+
+        if not group_names:
+            logger.warning("No 'groups' claim found in Dex OIDC response. Skipping group assignment.")
+            return
+        logger.debug(f"Dex OIDC groups received: {group_names}")
+        filtered_group_names = []
+        group_filter = getattr(settings, "OIDC_GROUPS_FILTER", None)
+        for group_name in group_names:
+            try:
+                if group_filter and not re.search(group_filter, group_name):
+                    logger.debug(f"Skipping group '{group_name}' due to OIDC_GROUPS_FILTER: {group_filter}")
+                    continue
+                filtered_group_names.append(group_name)
+            except Exception as e:
+                logger.error(f"Error processing group '{group_name}': {e}")
+        if filtered_group_names:
+            assign_user_to_groups(user, filtered_group_names, Dojo_Group.OIDC)
+        if getattr(settings, "OIDC_CLEANUP_GROUPS", False):
+            cleanup_old_groups_for_user(user, filtered_group_names)
+
+
 def is_group_id(group):
     return bool(re.search(r"^[a-zA-Z0-9]{8,}-[a-zA-Z0-9]{4,}-[a-zA-Z0-9]{4,}-[a-zA-Z0-9]{4,}-[a-zA-Z0-9]{12,}$", group))
 

dojo/settings/settings.dist.py

@@ -116,6 +116,9 @@
     DD_SOCIAL_LOGIN_AUTO_REDIRECT=(bool, False),  # auto-redirect if there is only one social login method
     DD_SOCIAL_AUTH_TRAILING_SLASH=(bool, True),
     DD_SOCIAL_AUTH_OIDC_AUTH_ENABLED=(bool, False),
+    DD_SOCIAL_AUTH_OIDC_GET_GROUPS=(bool, False),
+    DD_SOCIAL_AUTH_OIDC_GROUPS_FILTER=(str, ""),
+    DD_SOCIAL_AUTH_OIDC_CLEANUP_GROUPS=(bool, True),
     DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT=(str, ""),
     DD_SOCIAL_AUTH_OIDC_ID_KEY=(str, ""),
     DD_SOCIAL_AUTH_OIDC_KEY=(str, ""),
@@ -562,6 +565,7 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
     "social_core.pipeline.social_auth.load_extra_data",
     "social_core.pipeline.user.user_details",
     "dojo.pipeline.update_azure_groups",
+    "dojo.pipeline.update_oidc_groups",
     "dojo.pipeline.update_product_access",
 )
 
@@ -618,6 +622,9 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 
 # Mandatory settings
 OIDC_AUTH_ENABLED = env("DD_SOCIAL_AUTH_OIDC_AUTH_ENABLED")
+OIDC_GET_GROUPS = env("DD_SOCIAL_AUTH_OIDC_GET_GROUPS")
+OIDC_GROUPS_FILTER = env("DD_SOCIAL_AUTH_OIDC_GROUPS_FILTER")
+OIDC_CLEANUP_GROUPS = env("DD_SOCIAL_AUTH_OIDC_CLEANUP_GROUPS")
 SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env("DD_SOCIAL_AUTH_OIDC_OIDC_ENDPOINT")
 SOCIAL_AUTH_OIDC_KEY = env("DD_SOCIAL_AUTH_OIDC_KEY")
 SOCIAL_AUTH_OIDC_SECRET = env("DD_SOCIAL_AUTH_OIDC_SECRET")