diff --git a/docs/deployment/authentication/oauth2-proxy-gitlab.mdx b/docs/deployment/authentication/oauth2-proxy-gitlab.mdx
index 76966fce7b..fd35f2f573 100644
--- a/docs/deployment/authentication/oauth2-proxy-gitlab.mdx
+++ b/docs/deployment/authentication/oauth2-proxy-gitlab.mdx
@@ -149,9 +149,9 @@ backend:
 value: x-auth-request-groups
 - name: KEEP_OAUTH2_PROXY_AUTO_CREATE_USER
 value: true
- - name: KEEP_OAUTH2_PROXY_ADMIN_ROLE
- vakue:
- - name: KEEP_OAUTH2_PROXY_NOC_ROLE
+ - name: KEEP_OAUTH2_PROXY_ADMIN_ROLES
+ value:
+ - name: KEEP_OAUTH2_PROXY_NOC_ROLES
 value:
 frontend:
diff --git a/docs/deployment/authentication/oauth2proxy-auth.mdx b/docs/deployment/authentication/oauth2proxy-auth.mdx
index 1099db5e2d..5969988c66 100644
--- a/docs/deployment/authentication/oauth2proxy-auth.mdx
+++ b/docs/deployment/authentication/oauth2proxy-auth.mdx
@@ -34,6 +34,6 @@ To start Keep with Oauth2Proxy authentication, set the following environment var
 | KEEP_OAUTH2_PROXY_USER_HEADER | Header for the authenticated user's email | Yes | x-forwarded-email |
 | KEEP_OAUTH2_PROXY_ROLE_HEADER | Header for the authenticated user's role | Yes | x-forwarded-groups |
 | KEEP_OAUTH2_PROXY_AUTO_CREATE_USER | Automatically create user if not exists | No | true |
-| KEEP_OAUTH2_PROXY_ADMIN_ROLE | Role name for admin users | No | admin |
-| KEEP_OAUTH2_PROXY_NOC_ROLE | Role name for NOC (Network Operations Center) users | No | noc |
-| KEEP_OAUTH2_PROXY_WEBHOOK_ROLE | Role name for webhook users | No | webhook |
+| KEEP_OAUTH2_PROXY_ADMIN_ROLES | Role names for admin users | No | admin |
+| KEEP_OAUTH2_PROXY_NOC_ROLES | Role names for NOC (Network Operations Center) users | No | noc |
+| KEEP_OAUTH2_PROXY_WEBHOOK_ROLES | Role names for webhook users | No | webhook |
diff --git a/keep/identitymanager/identity_managers/oauth2proxy/oauth2proxy_authverifier.py b/keep/identitymanager/identity_managers/oauth2proxy/oauth2proxy_authverifier.py
index 0b328e2348..b454579f0f
--- a/keep/identitymanager/identity_managers/oauth2proxy/oauth2proxy_authverifier.py
+++ b/keep/identitymanager/identity_managers/oauth2proxy/oauth2proxy_authverifier.py
@@ -30,11 +30,16 @@ def __init__(self, *args, **kwargs):
         self.auto_create_user = config(
             "KEEP_OAUTH2_PROXY_AUTO_CREATE_USER", default=True
         )
-        self.role_mappings = {
-            config("KEEP_OAUTH2_PROXY_ADMIN_ROLE", default=""): "admin",
-            config("KEEP_OAUTH2_PROXY_NOC_ROLE", default=""): "noc",
-            config("KEEP_OAUTH2_PROXY_WEBHOOK_ROLE", default=""): "webhook",
-        }
+        self.role_mappings = {}
+        for env_var, target_role in [
+            ("KEEP_OAUTH2_PROXY_ADMIN_ROLES", "admin"),
+            ("KEEP_OAUTH2_PROXY_NOC_ROLES", "noc"),
+            ("KEEP_OAUTH2_PROXY_WEBHOOK_ROLES", "webhook"),
+        ]:
+            roles_str = config(env_var, default="")
+            roles = [role.strip() for role in roles_str.split(",") if role.strip()]
+            for role in roles:
+                self.role_mappings[role] = target_role
         self.logger.info("Oauth2proxy Auth Verifier initialized")
 
     def authenticate(
diff --git a/tests/test_auth.py b/tests/test_auth.py
index 020ceb3c2d..fe8dce9546 100644
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -348,9 +348,9 @@ def test_oauth_proxy(db_session, client, test_app):
             "AUTH_TYPE": "OAUTH2PROXY",
             "KEEP_OAUTH2_PROXY_USER_HEADER": "x-forwarded-email",
             "KEEP_OAUTH2_PROXY_USER_ROLE": "X-Forwarded-Groups",
-            "KEEP_OAUTH2_PROXY_ADMIN_ROLE": "team-platform@example.com",
-            "KEEP_OAUTH2_PROXY_NOC_ROLE": "dept-engineering-product@example.com",
-            "KEEP_OAUTH2_PROXY_WEBHOOK_ROLE": "foo@example.com",
+            "KEEP_OAUTH2_PROXY_ADMIN_ROLES": "team-platform@example.com, another-team@example.com",
+            "KEEP_OAUTH2_PROXY_NOC_ROLES": "dept-engineering-product@example.com",
+            "KEEP_OAUTH2_PROXY_WEBHOOK_ROLES": "foo@example.com",
             "KEEP_OAUTH2_PROXY_AUTO_CREATE_USER": "true",
         },
     ],
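Review bot: A group name listed under two of the `*_ROLES` variables is silently resolved to whichever variable the outer loop processes last, because `self.role_mappings[role] = target_role` overwrites an earlier entry with no check; for the code that decides who becomes `admin`, an ambiguous mapping should fail at startup (or at minimum be logged at error level) rather than be settled by list order. The new loop also no longer reads the pre-rename singular names (`KEEP_OAUTH2_PROXY_ADMIN_ROLE` and friends), so a deployment that upgrades without editing its environment starts with an empty `role_mappings` and no warning; reading the old name as a deprecated fallback when the new one is unset keeps that upgrade from silently changing which groups map to which role. What an empty mapping means for an incoming request depends on `authenticate`, which is outside this hunk, as is the start of `__init__`. A shape that does both follows; each addition is only a few lines.
```python
        self.role_mappings = {}
        for env_var, legacy_var, target_role in [
            ("KEEP_OAUTH2_PROXY_ADMIN_ROLES", "KEEP_OAUTH2_PROXY_ADMIN_ROLE", "admin"),
            ("KEEP_OAUTH2_PROXY_NOC_ROLES", "KEEP_OAUTH2_PROXY_NOC_ROLE", "noc"),
            ("KEEP_OAUTH2_PROXY_WEBHOOK_ROLES", "KEEP_OAUTH2_PROXY_WEBHOOK_ROLE", "webhook"),
        ]:
            roles_str = config(env_var, default="")
            if not roles_str:
                # deprecated singular name: keep existing deployments mapped after the rename
                roles_str = config(legacy_var, default="")
                if roles_str:
                    self.logger.warning("%s is deprecated, use %s instead", legacy_var, env_var)
            for role in roles_str.split(","):
                role = role.strip()
                if not role:
                    continue
                existing = self.role_mappings.get(role)
                if existing is not None and existing != target_role:
                    # an ambiguous group-to-role mapping must not be resolved by list order
                    raise ValueError(
                        f"group {role!r} is mapped to both {existing!r} and {target_role!r}"
                    )
                self.role_mappings[role] = target_role
        # … unchanged: self.logger.info("Oauth2proxy Auth Verifier initialized") …
```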
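Review bot: The fixture keeps passing the groups header name as `KEEP_OAUTH2_PROXY_USER_ROLE`, which is not a variable the documentation table in this same commit lists (it names `KEEP_OAUTH2_PROXY_ROLE_HEADER`), so the updated settings appear to exercise only the default `x-forwarded-groups` header rather than a configured one. If the verifier does read `KEEP_OAUTH2_PROXY_ROLE_HEADER`, renaming the key here to `"KEEP_OAUTH2_PROXY_ROLE_HEADER": "X-Forwarded-Groups"` (or dropping the line) would make the fixture reflect what is actually configurable; the header-reading code is outside this hunk, so this is inferred from the docs hunk. The parametrize block this dict belongs to starts before the hunk.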
@@ -362,7 +362,7 @@ def test_oauth_proxy2(db_session, client, test_app):
         "/auth/users",
         headers={
             "x-forwarded-email": "shahar",
-            "x-forwarded-groups": "all@example.com,aws@example.com,dept-engineering-product@example.com,team-platform@example.com",
+            "x-forwarded-groups": "all@example.com,aws@example.com,dept-engineering-product@example.com,team-platform@example.com,another-team@example.com",
         },
         json={"email": "shahar", "role": "admin"},
     )
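Review bot: Appending `another-team@example.com` to a groups header that already carries `team-platform@example.com` does not prove the new comma-separated parsing works, because the first admin entry alone would yield `admin` and the assertion would pass even if every entry after the first were ignored. A second request whose `x-forwarded-groups` is only `another-team@example.com`, expected to produce `admin`, would pin the multi-value behaviour, and one whose groups match none of the configured lists would pin what an unmapped user receives. The `client.post(...)` call this hunk belongs to starts before the hunk.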