[pull] main from keephq:main

docs/deployment/authentication/oauth2-proxy-gitlab.mdx

@@ -149,9 +149,9 @@ backend:
       value: x-auth-request-groups
     - name: KEEP_OAUTH2_PROXY_AUTO_CREATE_USER
       value: true
-    - name: KEEP_OAUTH2_PROXY_ADMIN_ROLE
-      vakue: <your gitlab group that will have admin role in your keep ui>
-    - name: KEEP_OAUTH2_PROXY_NOC_ROLE
+    - name: KEEP_OAUTH2_PROXY_ADMIN_ROLES
+      value: <your gitlab group that will have admin role in your keep ui>
+    - name: KEEP_OAUTH2_PROXY_NOC_ROLES
       value: <your gitlab group that wont have access to your keep ui>
 
 frontend:

docs/deployment/authentication/oauth2proxy-auth.mdx

@@ -34,6 +34,6 @@ To start Keep with Oauth2Proxy authentication, set the following environment var
 | KEEP_OAUTH2_PROXY_USER_HEADER | Header for the authenticated user's email | Yes | x-forwarded-email |
 | KEEP_OAUTH2_PROXY_ROLE_HEADER | Header for the authenticated user's role | Yes | x-forwarded-groups |
 | KEEP_OAUTH2_PROXY_AUTO_CREATE_USER | Automatically create user if not exists | No | true |
-| KEEP_OAUTH2_PROXY_ADMIN_ROLE | Role name for admin users | No | admin |
-| KEEP_OAUTH2_PROXY_NOC_ROLE | Role name for NOC (Network Operations Center) users | No | noc |
-| KEEP_OAUTH2_PROXY_WEBHOOK_ROLE | Role name for webhook users | No | webhook |
+| KEEP_OAUTH2_PROXY_ADMIN_ROLES | Role names for admin users | No | admin |
+| KEEP_OAUTH2_PROXY_NOC_ROLES | Role names for NOC (Network Operations Center) users | No | noc |
+| KEEP_OAUTH2_PROXY_WEBHOOK_ROLES | Role names for webhook users | No | webhook |

keep/identitymanager/identity_managers/oauth2proxy/oauth2proxy_authverifier.py

@@ -30,11 +30,16 @@ def __init__(self, *args, **kwargs):
         self.auto_create_user = config(
             "KEEP_OAUTH2_PROXY_AUTO_CREATE_USER", default=True
         )
-        self.role_mappings = {
-            config("KEEP_OAUTH2_PROXY_ADMIN_ROLE", default=""): "admin",
-            config("KEEP_OAUTH2_PROXY_NOC_ROLE", default=""): "noc",
-            config("KEEP_OAUTH2_PROXY_WEBHOOK_ROLE", default=""): "webhook",
-        }
+        self.role_mappings = {}
+        for env_var, target_role in [
+            ("KEEP_OAUTH2_PROXY_ADMIN_ROLES", "admin"),
+            ("KEEP_OAUTH2_PROXY_NOC_ROLES", "noc"),
+            ("KEEP_OAUTH2_PROXY_WEBHOOK_ROLES", "webhook"),
+        ]:
+            roles_str = config(env_var, default="")
+            roles = [role.strip() for role in roles_str.split(",") if role.strip()]
+            for role in roles:
+                self.role_mappings[role] = target_role
         self.logger.info("Oauth2proxy Auth Verifier initialized")
 
     def authenticate(

tests/test_auth.py

@@ -348,9 +348,9 @@ def test_oauth_proxy(db_session, client, test_app):
             "AUTH_TYPE": "OAUTH2PROXY",
             "KEEP_OAUTH2_PROXY_USER_HEADER": "x-forwarded-email",
             "KEEP_OAUTH2_PROXY_USER_ROLE": "X-Forwarded-Groups",
-            "KEEP_OAUTH2_PROXY_ADMIN_ROLE": "team-platform@example.com",
-            "KEEP_OAUTH2_PROXY_NOC_ROLE": "dept-engineering-product@example.com",
-            "KEEP_OAUTH2_PROXY_WEBHOOK_ROLE": "foo@example.com",
+            "KEEP_OAUTH2_PROXY_ADMIN_ROLES": "team-platform@example.com, another-team@example.com",
+            "KEEP_OAUTH2_PROXY_NOC_ROLES": "dept-engineering-product@example.com",
+            "KEEP_OAUTH2_PROXY_WEBHOOK_ROLES": "foo@example.com",
             "KEEP_OAUTH2_PROXY_AUTO_CREATE_USER": "true",
         },
     ],
@@ -362,7 +362,7 @@ def test_oauth_proxy2(db_session, client, test_app):
         "/auth/users",
         headers={
             "x-forwarded-email": "shahar",
-            "x-forwarded-groups": "all@example.com,aws@example.com,dept-engineering-product@example.com,team-platform@example.com",
+            "x-forwarded-groups": "all@example.com,aws@example.com,dept-engineering-product@example.com,team-platform@example.com,another-team@example.com",
         },
         json={"email": "shahar", "role": "admin"},
     )