Lax parsing of claims through ENVs

opf · Dec 10, 2024 · 730fcc1 · 730fcc1
1 parent 88f9fe5
commit 730fcc1
Show file tree

Hide file tree

Showing 2 changed files with 49 additions and 1 deletion.
diff --git a/modules/openid_connect/app/services/openid_connect/configuration_mapper.rb b/modules/openid_connect/app/services/openid_connect/configuration_mapper.rb
@@ -47,7 +47,7 @@ def call! # rubocop:disable Metrics/AbcSize
         "host" => options["host"],
         "port" => options["port"],
         "scheme" => options["scheme"],
-        "claims" => options["claims"],
+        "claims" => extract_claims(options["claims"]),
         "tenant" => options["tenant"],
         "post_logout_redirect_uri" => options["post_logout_redirect_uri"],
         "limit_self_registration" => options["limit_self_registration"],
@@ -69,6 +69,15 @@ def call! # rubocop:disable Metrics/AbcSize
 
     private
 
+    def extract_claims(claims_value)
+      case claims_value
+      when Hash
+        claims_value.to_json
+      else
+        claims_value.to_s
+      end
+    end
+
     def extract_scope(value)
       return if value.blank?
 

diff --git a/modules/openid_connect/spec/services/openid_connect/configuration_mapper_spec.rb b/modules/openid_connect/spec/services/openid_connect/configuration_mapper_spec.rb
@@ -136,6 +136,45 @@
     end
   end
 
+  describe "claims" do
+    subject { result["claims"] }
+
+    let(:parsed_hash) do
+      {
+        "id_token" => {
+          "roles" => {
+            "essential" => true,
+            "values" => ["openproject.login"]
+          }
+        }
+      }
+    end
+
+    context "when provided as string" do
+      let(:configuration) { { claims: parsed_hash.to_json } }
+
+      it "outputs as a string", :aggregate_failures do
+        expect(subject).to be_a String
+        expect(JSON.parse(subject)).to eq(parsed_hash)
+      end
+    end
+
+    context "when provided as Hash" do
+      let(:configuration) { { claims: parsed_hash } }
+
+      it "converts to string", :aggregate_failures do
+        expect(subject).to be_a String
+        expect(JSON.parse(subject)).to eq(parsed_hash)
+      end
+    end
+
+    context "when not provided" do
+      let(:configuration) { {} }
+
+      it { is_expected.to be_blank }
+    end
+  end
+
   %w[authorization_endpoint token_endpoint userinfo_endpoint end_session_endpoint jwks_uri].each do |key|
     describe "setting #{key}" do
       subject { result }