Miscellaneous updates #262

Merged
merged 12 commits into from
Dec 13, 2022
Touch up docstrings
kelvinqian00 committed Dec 13, 2022
commit 01a1ef06cfa01fb1897fe0feabadd732d4d58c1b
8 changes: 4 additions & 4 deletions src/main/lrsql/admin/interceptors/oidc.clj
Original file line number Diff line number Diff line change
@@ -7,7 +7,7 @@

(def validate-oidc-identity
"If the context has OIDC token claims, parses out data for OIDC admin identity.
If claims are invalid, return a 401. If no clams are present, a no-op."
If claims are invalid, return a 401. If no clams are present, a no-op."
(interceptor
{:name ::validate-oidc-identity
:enter
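Review bot: the typo "clams" in the validate-oidc-identity docstring survives this change; the new line still reads "If no clams are present, a no-op." Since this commit is touching up docstrings, correct it to "If no claims are present, a no-op." while editing this line.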
@@ -29,7 +29,7 @@
;; Currently only applied when OIDC is used.
(def authorize-oidc-request
"If an admin identity is present, check if it has the proper scope(s) for the
given action. No-op with no identity."
given action. No-op with no identity."
(interceptor
{:name ::authorize-oidc-request
:enter
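Review bot: the authorize-oidc-request docstring says the scope check happens but not what the interceptor does when the identity lacks the required scope(s). The neighbouring validate-oidc-identity docstring names its failure response (a 401); state the failure response here as well, with the status code this interceptor actually returns, so the two admin interceptors are documented the same way.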
@@ -57,8 +57,8 @@

(def ensure-oidc-identity
"If an admin identity is present, create or return the user, validating the
issuer. On success, inject the account ID and disable subsequent JWT
interceptors. No-op with no identity."
issuer. On success, inject the account ID and disable subsequent JWT
interceptors. No-op with no identity."
(interceptor
{:name ::ensure-oidc-identity
:enter
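Review bot: the ensure-oidc-identity docstring describes only the success path ("inject the account ID and disable subsequent JWT interceptors") and says nothing about what happens when issuer validation fails, which is the security-relevant branch. Add a sentence naming the failure outcome (error response and status) so a rejected issuer can be told apart from the no-identity no-op.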
20 changes: 10 additions & 10 deletions src/main/lrsql/init/oidc.clj
@@ -43,7 +43,7 @@

(defn get-configuration
"Given webserver config, return an openid configuration if one is specified
via :oidc-issuer."
via :oidc-issuer."
[{:keys [oidc-issuer
oidc-verify-remote-issuer]
:or {oidc-verify-remote-issuer true}
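Review bot: get-configuration's docstring mentions only :oidc-issuer, but the arglist also destructures oidc-verify-remote-issuer with a default of true, and by its name that flag decides whether the issuer in the fetched remote configuration is verified. Document it in the docstring, including the default and what disabling it means, since turning off issuer verification is a security-relevant choice a deployer should see in the docs.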
@@ -163,8 +163,8 @@

(defn resolve-authority-claims
"Given claims from an Access Token derive and add:
* :lrsql/resolved-client-id - a reliable client id to use in the authority
template."
* :lrsql/resolved-client-id - a reliable client id to use in the authority
template."
[{:keys [aud
azp
client_id]
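Review bot: resolve-authority-claims destructures aud, azp and client_id, but the docstring only promises "a reliable client id". Spell out which of these claims is used and in what order of precedence, as the function actually applies it, so a reader knows which token claim ends up in the authority template.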
@@ -302,8 +302,8 @@

(defn admin-ui-interceptors
"Given webserver and LRS configs, return a vector of interceptors to apply to
Admin UI routes. If webserver oidc-client-id is not specified, returns an
empty vector."
Admin UI routes. If webserver oidc-client-id is not specified, returns an
empty vector."
[{:keys [oidc-issuer
oidc-client-id
oidc-enable-local-admin]
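Review bot: the admin-ui-interceptors docstring only covers the oidc-client-id case, but the arglist also destructures oidc-issuer and oidc-enable-local-admin. Add what each of those contributes to the returned interceptors (or to the empty-vector case) so the docstring matches the function's inputs.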
@@ -341,10 +341,10 @@

(defn interceptors
"Given webserver and LRS configs, return a map with three (possibly empty)
vectors of interceptors:
:resource-interceptors - API-side OIDC token support.
:admin-interceptors - Validation and authn for admin resources.
:admin-ui-interceptors - Inject OIDC client configuration."
vectors of interceptors:
* `:resource-interceptors` - API-side OIDC token support.
* `:admin-interceptors` - Validation and authn for admin resources.
* `:admin-ui-interceptors` - Inject OIDC client configuration."
[webserver-config
lrs-config]
(let [resource (resource-interceptors webserver-config)]
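Review bot: style: this hunk rewrites the list as "* `:resource-interceptors`" with backticks around the keywords, while the resolve-authority-claims docstring changed earlier in this same file keeps "* :lrsql/resolved-client-id" without them. Pick one convention for keyword lists across the file.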
@@ -364,7 +364,7 @@

(defn enable-local-admin?
"Given a webserver configuration, determine if local admin account routes
should be enabled."
should be enabled."
[{:keys [oidc-issuer
oidc-enable-local-admin]}]
(if (not-empty oidc-issuer)
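Review bot: "determine if local admin account routes should be enabled" only restates the function name, while the visible (if (not-empty oidc-issuer) ...) shows the decision hinges on whether an issuer is configured, with oidc-enable-local-admin also destructured. State the rule in the docstring (the outcome when no issuer is set, and what oidc-enable-local-admin does when one is), since this decides whether local admin account routes stay reachable alongside OIDC.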
8 changes: 4 additions & 4 deletions src/main/lrsql/util/oidc.clj
@@ -135,10 +135,10 @@

(defn token-auth-admin-identity
"For the given context, return a valid OIDC admin auth identity from token
claims.
args:
ctx - Pedestal context that may contain claims.
scope-prefix - Prefix to add to expected scopes."
claims.
args:
* `ctx` - Pedestal context that may contain claims.
* `scope-prefix` - Prefix to add to expected scopes."
[ctx
scope-prefix]
(when (:com.yetanalytics.pedestal-oidc/token ctx)
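Review bot: the docstring says the function returns "a valid OIDC admin auth identity" but not what it returns when no token is present; the (when (:com.yetanalytics.pedestal-oidc/token ctx) ...) form visible here yields nil in that case. Document the nil return, and also the outcome when a token is present but its claims are invalid or lack the prefixed scopes, since the admin interceptors treat a missing identity as a no-op.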