feat: admins only feature flag

2023-04-17 18:27:23 +02:00
parent 2835682455
commit bae57efaa6
4 changed files with 61 additions and 2 deletions
--- a/keycloak_collective_portal/config.py
+++ b/keycloak_collective_portal/config.py
@ -12,7 +12,9 @@ KEYCLOAK_CLIENT_ID = environ.get("KEYCLOAK_CLIENT_ID")
 KEYCLOAK_CLIENT_SECRET = environ.get("KEYCLOAK_CLIENT_SECRET")
 KEYCLOAK_DOMAIN = environ.get("KEYCLOAK_DOMAIN")
 KEYCLOAK_REALM = environ.get("KEYCLOAK_REALM")
-KEYCLOAK_SCOPES = environ.get("KEYCLOAK_SCOPES", "openid profile email")
+KEYCLOAK_SCOPES = environ.get("KEYCLOAK_SCOPES", "openid profile email groups")
+KEYCLOAK_GROUPS_KEY = environ.get("KEYCLOAK_GROUPS_KEY", "groups")
+KEYCLOAK_ADMINS_GROUP = environ.get("KEYCLOAK_ADMINS_GROUP", "Administrators")
 KEYCLOAK_BASE_URL = f"https://{KEYCLOAK_DOMAIN}/realms/{KEYCLOAK_REALM}/protocol/openid-connect"  # noqa

 # Redis connection details, our main storage
@ -39,5 +41,15 @@ elif LOG_LEVEL == "debug":
 else:
    APP_LOG_LEVEL = logging.INFO

+
+def to_bool(env_var):
+    """Parse a bool from the environment."""
+    return environ.get(env_var, "False").lower() in ("true", "1", "t")
+
+
 # Automatically log folks in or show the default log in page?
-AUTOMATICALLY_LOG_IN = environ.get("AUTOMATICALLY_LOG_IN", False)
+AUTOMATICALLY_LOG_IN = to_bool("AUTOMATICALLY_LOG_IN")
+
+# Feature flags
+# Only admins can log in to the interface
+FEATURE_FLAG_ADMINS_ONLY = to_bool("FEATURE_FLAG_ADMINS_ONLY")
--- a/keycloak_collective_portal/routes/root.py
+++ b/keycloak_collective_portal/routes/root.py
@ -15,7 +15,26 @@ router = APIRouter()
 async def home(
    request: Request, user=Depends(get_user), invites=Depends(get_invites)
 ):
+    from keycloak_collective_portal.config import (
+        FEATURE_FLAG_ADMINS_ONLY,
+        KEYCLOAK_ADMINS_GROUP,
+        KEYCLOAK_GROUPS_KEY,
+    )
+
    context = {"request": request, "user": user, "invites": invites}
+
+    if FEATURE_FLAG_ADMINS_ONLY:
+        context["message"] = "only admins can access this service"
+        if KEYCLOAK_GROUPS_KEY not in user:
+            return request.app.state.templates.TemplateResponse(
+                "invalid.html", context=context
+            )
+
+        if KEYCLOAK_ADMINS_GROUP not in user[KEYCLOAK_GROUPS_KEY]:
+            return request.app.state.templates.TemplateResponse(
+                "invalid.html", context=context
+            )
+
    return request.app.state.templates.TemplateResponse(
        "admin.html", context=context
    )