Using Roles instead of Keycloak Groups (#548)

* IR Board API

* using roles instead of groups

* roles to groups change

Author: dinesh-aot

compliance-api/src/compliance_api/__init__.py

@@ -130,7 +130,7 @@ def setup_jwt_manager(app_context, jwt_manager):
     def custom_role_callback(claims):
         """Return the roles from claims."""
         # Extract roles from the realm_access claim in the JWT token
-        return claims.get("groups", [])
+        return claims.get("resource_access").get("epic-compliance", {}).get("roles", [])
 
     app_context.config["JWT_ROLE_CALLBACK"] = custom_role_callback
     # if os.getenv("FLASK_ENV") == "development":

compliance-api/src/compliance_api/auth.py

@@ -19,7 +19,6 @@
 from flask_jwt_oidc import JwtManager
 
 from compliance_api.exceptions import PermissionDeniedError
-from compliance_api.utils.constant import GROUP_MAP
 
 
 jwt = (
@@ -56,8 +55,8 @@ def decorated(f):
             @Auth.require
             @wraps(f)
             def wrapper(*args, **kwargs):
-                mapped_groups = _map_permission_to_groups(permissions)
-                if jwt.contains_role(roles=mapped_groups):
+                mapped_permissions = Auth.map_permission_to_groups(permissions)
+                if jwt.contains_role(roles=mapped_permissions):
                     return f(*args, **kwargs)
 
                 raise PermissionDeniedError(
@@ -77,13 +76,13 @@ def has_role(cls, role):
     @classmethod
     def has_permission(cls, permissions):
         """Check to see if the user has right permissions."""
-        mapped_groups = _map_permission_to_groups(permissions)
-        return jwt.contains_role(roles=mapped_groups)
+        mapped_permissions = Auth.map_permission_to_groups(permissions)
+        return jwt.contains_role(roles=mapped_permissions)
 
-
-def _map_permission_to_groups(permissions):
-    """Map the permissions to user groups in keycloak."""
-    return [GROUP_MAP[role] for role in permissions]
+    @staticmethod
+    def map_permission_to_groups(permissions):
+        """Map the permissions to user groups in keycloak."""
+        return [role.value for role in permissions]
 
 
 auth = Auth()

compliance-api/src/compliance_api/utils/constant.py

@@ -1,18 +1,9 @@
 """Constants."""
 
-from .enum import PermissionEnum
-
-
 AUTH_APP = "COMPLIANCE"
 INPUT_DATE_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
 UNAPPROVED_PROJECT_NAME = "Unapproved Project"
 UNAPPROVED_PROJECT_CODE = "UNPRVD"
-GROUP_MAP = {
-    PermissionEnum.SUPERUSER: "/COMPLIANCE/SUPERUSER",
-    PermissionEnum.VIEWER: "/COMPLIANCE/VIEWER",
-    PermissionEnum.USER: "/COMPLIANCE/USER",
-    PermissionEnum.ADMIN: "/COMPLIANCE/ADMIN",
-}
 DELETE_DIC_PARAMS = {"is_active": False, "is_deleted": True}
 OFFICE_NAME = "Environmental Assessment Office"
 OFFICE_BRANCH = "Compliance and Enforcement Branch"

compliance-api/src/compliance_api/utils/enum.py

@@ -37,7 +37,7 @@ class ContextEnum(Enum):
 class PermissionEnum(Enum):
     """Enum for Staff User Permissions."""
 
-    VIEWER = "Viewer"
-    USER = "User"
-    SUPERUSER = "Superuser"
-    ADMIN = "Admin"
+    VIEWER = "viewer"
+    USER = "user"
+    SUPERUSER = "super_user"
+    ADMIN = "admin"

compliance-api/tests/utilities/factory_scenario/token_claim.py

@@ -22,6 +22,7 @@ class TokenJWTClaims(dict, Enum):
         "preferred_username": fake.user_name(),
         "groups": ["/COMPLIANCE/VIEWER"],
         "realm_access": {"roles": []},
+        "resource_access": {"epic-compliance": {"roles": ["viewer"]}},
     }
     super_user = {
         "iss": CONFIG.JWT_OIDC_TEST_ISSUER,
@@ -31,4 +32,5 @@ class TokenJWTClaims(dict, Enum):
         "preferred_username": fake.user_name(),
         "groups": ["/COMPLIANCE/SUPERUSER"],
         "realm_access": {"roles": []},
+        "resource_access": {"epic-compliance": {"roles": ["super_user"]}},
     }

compliance-web/src/hooks/useAuthorization.tsx

@@ -1,16 +1,21 @@
 import { StaffUser } from "@/models/Staff";
 import { jwtDecode, JwtPayload } from "jwt-decode";
 import { useAuth } from "react-oidc-context";
+import { OidcConfig } from "@/utils/config";
 
 interface CustomJwtPayload extends JwtPayload {
-  groups?: string[];
+  resource_access?: {
+    [key: string]: {
+      roles: string[];
+    };
+  };
 }
 
 export const KC_USER_GROUPS = {
-  SUPERUSER: "/COMPLIANCE/SUPERUSER",
-  USER: "/COMPLIANCE/USER",
-  ADMIN: "/COMPLIANCE/ADMIN",
-  VIEWER: "/COMPLIANCE/VIEWER",
+  SUPERUSER: "super_user",
+  USER: "user",
+  ADMIN: "admin",
+  VIEWER: "viewer",
 };
 
 export const useIsRolesAllowed = (
@@ -23,10 +28,15 @@ export const useIsRolesAllowed = (
     return false;
   }
 
-  const { groups = [] } = jwtDecode<CustomJwtPayload>(authUser.access_token);
-
-  // Check if the user has any of the required roles
-  const isRoleAllowed = roles.some((role) => groups.includes(role));
+  const payload = jwtDecode<CustomJwtPayload>(authUser.access_token);
+  
+  // Get roles from resource_access if available
+  const resourceRoles = payload.resource_access?.[OidcConfig.client_id]?.roles || [];
+  
+  // Check if the user has any of the required roles (from groups or resource_access)
+  const isRoleAllowed = roles.some((role) => 
+    resourceRoles.includes(role)
+  );
 
   // Check if the logged-in user is part of the provided users list
   const isUserAllowed =