From 2a52d8a481862d255bb55579940381e2ddee4b3d Mon Sep 17 00:00:00 2001
From: Helmut Merz
Date: Sun, 6 Apr 2025 22:39:10 +0200
Subject: [PATCH] auth: user info -> principal

---
 scopes/server/auth.py  | 17 +++++++++++++++--
 scopes/tests/config.py | 19 +++++++++++++++++++
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/scopes/server/auth.py b/scopes/server/auth.py
index 6c58d1a..038485e 100644
--- a/scopes/server/auth.py
+++ b/scopes/server/auth.py
@@ -9,6 +9,7 @@ from urllib.parse import urlencode
 from zope.authentication.interfaces import IAuthentication, IPrincipal
 from zope.interface import implementer
 from zope.publisher.interfaces import Unauthorized
+from zope.security.interfaces import IGroupAwarePrincipal
 
 from scopes.server.browser import DefaultView, register
 from scopes.storage.folder import DummyFolder, Root
@@ -51,13 +52,21 @@ JwtAuthentication = OidcAuthentication  # old name - still used?
 authentication = OidcAuthentication(None)
 
 
-@implementer(IPrincipal)
+@implementer(IGroupAwarePrincipal)
 class Principal:
 
     def __init__(self, id, data):
         self.id = id
         self.data = data
 
+    @property
+    def title(self):
+        return self.data['name']
+
+    @property
+    def groups(self):
+        return self.data.get('groups', [])
+
     def asDict(self):
         data = self.data.copy()
         data['id'] = self.id
@@ -85,7 +94,7 @@ class Authenticator(DummyFolder):
         data = self.loadSession()
         print('*** authenticate', data)
         if data and 'userid' in data:
-            id = data.pop('userid')
+            id = self.params['principal_prefix'] + data.pop('userid')
             return Principal(id, data)
         return None
 
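Review bot: `title` indexes `self.data['name']` directly, so a Principal rebuilt from a stored session that has no `name` key fails with KeyError at attribute access rather than at login time; `return self.data.get('name', self.id)` would degrade to the id instead. `groups` returns whatever was stored under `groups` unchanged, which only works if the login path stores a plain list there (see the userinfo hunk, where a `dict_keys` view is stored). A one-line class docstring stating that the id is prefixed with `principal_prefix` at authenticate time and that `groups` are the role names taken from the provider's role claim would make the contract visible to callers of `IGroupAwarePrincipal`.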
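Review bot: The prefixed principal id is built from the session's `userid`, which the userinfo code (next hunk) fills from `preferred_username`; OIDC Core states that relying parties must not treat `preferred_username` as unique or stable, so if the provider lets usernames change or be reused, one principal id can end up mapping to different accounts over time. Keying the principal on the `sub` claim (stored into the session at login) and keeping the username for display is the safer choice, e.g. `id = self.params['principal_prefix'] + data.pop('sub')`. `self.params['principal_prefix']` also raises KeyError for any existing config that predates this key; `self.params.get('principal_prefix', '')` keeps those configs working. authenticate's body starts outside the hunk.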
@@ -133,10 +142,14 @@ class Authenticator(DummyFolder):
         userInfo = requests.get(self.params['userinfo_url'], headers=headers)
         userData = userInfo.json()
         print('*** user data', userData)
+        groupInfo = userData.get('urn:zitadel:iam:org:project:roles', {})
+        print('*** group info', groupInfo)
+        groupInfo = userData.get('urn:zitadel:iam:org:project:roles')
         ndata = dict(
             userid=userData['preferred_username'],
             name=userData['name'],
             email=userData['email'],
+            groups=groupInfo.keys(),
             access_token=tdata['access_token'],
         )
         self.storeSession(ndata)
diff --git a/scopes/tests/config.py b/scopes/tests/config.py
index 4a19f36..f992b58 100644
--- a/scopes/tests/config.py
+++ b/scopes/tests/config.py
@@ -1,9 +1,12 @@
 # py-scopes/tests/config.py
 
+from os import getenv
+
 #from scopes.server.app import demo_app, zope_app
 
 # server / app settings
 server_port = '8999'
+base_url = 'testing:'
 #app = zope_app
 
 # storage settings
@@ -15,3 +18,19 @@ dbuser = None
 dbpassword = None
 dbschema = None
 
+# authentication settings
+oidc_provider = 'testing:'
+oidc_client_id = getenv('OIDC_CLIENT_ID', '12345')
+oidc_params = dict(
+    auth_url=getenv('OIDC_PROVIDER_URL', oidc_provider + '/oauth/v2/authorize'),
+    token_url=getenv('OIDC_TOKEN_URL', oidc_provider + '/oauth/v2/token'),
+    userinfo_url=getenv('OIDC_USERINFO_URL', oidc_provider + '/oidc/v1/userinfo'),
+    callback_url=getenv('OIDC_CALLBACK_URL', base_url + '/auth_callback'),
+    client_id=oidc_client_id,
+    principal_prefix=getenv('OIDC_PRINCIPAL_PREFIX', 'loops.'),
+    cookie_name=getenv('OIDC_COOKIE_NAME', 'oidc_' + oidc_client_id),
+    cookie_domain=getenv('OIDC_COOKIE_DOMAIN', None),
+    cookie_lifetime=getenv('OIDC_COOKIE_LIFETIME', '86400'),
+    cookie_crypt=getenv('OIDC_COOKIE_CRYPT', None)
+)
+
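Review bot: The second `groupInfo = userData.get('urn:zitadel:iam:org:project:roles')` line overrides the first assignment's `{}` default, so whenever the roles claim is absent from the userinfo response `groupInfo` is `None` and `groups=groupInfo.keys()` raises AttributeError for that login; delete the second assignment. `groupInfo.keys()` is also a `dict_keys` view rather than a list, which a JSON-based `storeSession` (defined outside the hunk) would not be able to serialise — `groups=list(groupInfo)` stores a plain list and matches what `Principal.groups` hands out. The new `print('*** group info', groupInfo)` joins the existing `print('*** user data', userData)` in writing identity claims to stdout on every login; both belong on a module logger at debug level so they can be turned off in deployments. The enclosing method starts and ends outside the hunk.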
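Review bot: `cookie_crypt` and `cookie_domain` in `oidc_params` are given an explicit `None` default that `getenv` already supplies, and nothing in the file says what a `None` `cookie_crypt` means for the session cookie, which per auth.py carries `access_token`; if, as the name suggests, it disables cookie encryption, a comment such as `# cookie_crypt: None only suits local tests - set OIDC_COOKIE_CRYPT elsewhere` stops these test defaults being copied into a real config. `cookie_lifetime` is a string both from the environment and by default (`'86400'`); if the consumer treats it as seconds, converting once here with `int(getenv('OIDC_COOKIE_LIFETIME', '86400'))` keeps the type uniform for both sources.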