From 730fcc16808487dd36427384167dcd6b88e46cfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Oliver=20G=C3=BCnther?=
Date: Tue, 10 Dec 2024 08:34:48 +0100
Subject: [PATCH] Lax parsing of claims through ENVs
---
 .../openid_connect/configuration_mapper.rb | 11 +++++-
 .../configuration_mapper_spec.rb | 39 +++++++++++++++++++
 2 files changed, 49 insertions(+), 1 deletion(-)
diff --git a/modules/openid_connect/app/services/openid_connect/configuration_mapper.rb b/modules/openid_connect/app/services/openid_connect/configuration_mapper.rb
index bd9f5247febe..d2d16bc0af1a 100644
--- a/modules/openid_connect/app/services/openid_connect/configuration_mapper.rb
+++ b/modules/openid_connect/app/services/openid_connect/configuration_mapper.rb
@@ -47,7 +47,7 @@ def call! # rubocop:disable Metrics/AbcSize
 "host" => options["host"],
 "port" => options["port"],
 "scheme" => options["scheme"],
- "claims" => options["claims"],
+ "claims" => extract_claims(options["claims"]),
 "tenant" => options["tenant"],
 "post_logout_redirect_uri" => options["post_logout_redirect_uri"],
 "limit_self_registration" => options["limit_self_registration"],
@@ -69,6 +69,15 @@ def call! # rubocop:disable Metrics/AbcSize
 private
+ def extract_claims(claims_value)
+ case claims_value
+ when Hash
+ claims_value.to_json
+ else
+ claims_value.to_s
+ end
+ end
+
 def extract_scope(value)
 return if value.blank?
diff --git a/modules/openid_connect/spec/services/openid_connect/configuration_mapper_spec.rb b/modules/openid_connect/spec/services/openid_connect/configuration_mapper_spec.rb
index e8daef6db17e..c308beceff40 100644
--- a/modules/openid_connect/spec/services/openid_connect/configuration_mapper_spec.rb
+++ b/modules/openid_connect/spec/services/openid_connect/configuration_mapper_spec.rb
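Review bot: The `else` branch of `extract_claims` (second hunk) stringifies whatever it receives, so a missing value becomes `""` rather than `nil`, while the neighbouring `extract_scope` starts with `return if value.blank?`. An Array, boolean or other non-Hash value is stored in Ruby's `to_s` form instead of as JSON. A String is also passed through without checking that it parses as a JSON object, so a malformed claims request would be accepted silently; the accompanying spec shows such a request carrying `essential` role values, and how consumers treat a bad value is outside this hunk. I would add `return if claims_value.blank?` as the first line and replace the catch-all with `when String then claims_value` followed by `else raise ArgumentError, "claims must be a Hash or a JSON string"`. Running the String through `JSON.parse` as well would make a bad environment value fail at configuration time rather than at login.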
@@ -136,6 +136,45 @@
 end
 end
+ describe "claims" do
+ subject { result["claims"] }
+
+ let(:parsed_hash) do
+ {
+ "id_token" => {
+ "roles" => {
+ "essential" => true,
+ "values" => ["openproject.login"]
+ }
+ }
+ }
+ end
+
+ context "when provided as string" do
+ let(:configuration) { { claims: parsed_hash.to_json } }
+
+ it "outputs as a string", :aggregate_failures do
+ expect(subject).to be_a String
+ expect(JSON.parse(subject)).to eq(parsed_hash)
+ end
+ end
+
+ context "when provided as Hash" do
+ let(:configuration) { { claims: parsed_hash } }
+
+ it "converts to string", :aggregate_failures do
+ expect(subject).to be_a String
+ expect(JSON.parse(subject)).to eq(parsed_hash)
+ end
+ end
+
+ context "when not provided" do
+ let(:configuration) { {} }
+
+ it { is_expected.to be_blank }
+ end
+ end
+
 %w[authorization_endpoint token_endpoint userinfo_endpoint end_session_endpoint jwks_uri].each do |key|
 describe "setting #{key}" do
 subject { result }
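Review bot: The `when not provided` example asserts only `be_blank`, which passes for both `nil` and `""`, so it does not pin which of the two the mapper returns for a missing claims value. Since `extract_claims` turns `nil` into `""`, an exact expectation such as `it { is_expected.to be_nil }` (or `eq("")`, whichever is intended) would make that contract explicit. The examples also cover only well-formed input; a context with a String that is not valid JSON, and one with a non-Hash, non-String value, would document what happens when the environment variable is mistyped. The trailing `describe "setting #{key}"` context continues outside the hunk.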