[pull] master from kevoreilly:master#495
Merged
…RF trusted origins to guac_settings
…aring stale sessions
allauth's openid_connect provider stores extra_data as
{"id_token": <jwt>, "userinfo": {...claims...}} — the claims (email,
groups, preferred_username, sub) live under "userinfo", not at the top
level. The adapter read them flat, so with the openid_connect provider
email came back blank (403 "An email address is required to sign in." on
the SSO callback), the groups claim was empty (no role mapping via
admin_groups/superadmin_groups), and the username fell back to sub.
Add a _claims() helper that returns extra["userinfo"] when present and
falls back to the dict itself otherwise (providers that store claims
flat are unaffected), and route _extract_groups, _apply_idp_roles_and_email,
pre_social_login, and save_user through it. pre_social_login also falls
back to sociallogin.user.email so domain validation still works when the
claim only surfaces after the social login is populated.
…back)
- Gate the userinfo unwrap on "id_token" (always top-level for the openid_connect provider) so _claims is idempotent — a second call on already-flattened claims, or a flat provider's data, returns it unchanged.
- Simplify the pre_social_login email fallback from nested getattr to a plain sociallogin.user.email guard.
# Conflicts:
# web/web/guac_settings.py
… DB connections
- Security Hardening (Libvirt Snapshots):
  - Transitioned domainsnapshot XML generation in 'views.py' from raw string formatting to safe programmatic XML construction using 'xml.etree.ElementTree' to prevent XML Injection.
  - Implemented strict alphanumeric/dash/underscore regex validation on snapshot names in both create and delete endpoints.
- ASGI Event Loop Concurrency (Guacamole WebSocket):
  - Wrapped blocking libvirt client calls (lookupByName, state, close) in 'consumers.py' in a synchronous helper function executed on a threadpool via 'sync_to_async' to prevent stalling the main ASGI loop.
- Concurrency & DB Connection Leaks:
  - Added 'db.session.remove()' to the finally block of the 'bg_revert_and_start' background worker thread in 'views.py' to ensure thread-local SQLAlchemy sessions are cleanly returned to the pool.
- Configuration & Lints:
  - Parsed 'vnc_console_new_tab' string config in 'context_processors.py' to a boolean to prevent string values from evaluating as truthy in templates.
  - Resolved PEP-8 lints in 'views.py' (removed logging f-strings, stripped trailing spaces, used '.is_(None)' for DB queries, and fixed undefined 'machine' variable scope).
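The "before" and "after" snapshot XML builders that the Security Hardening item describes, as an added example (not the project's own views.py code): a raw-string builder beside an ElementTree builder with the allow-list name check. The domainsnapshot child element names and the exact regex pattern are assumptions, and the crafted name is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Allow-list for snapshot names (alphanumeric, dash, underscore), as the
# commit describes; the exact pattern is an assumption.
SNAPSHOT_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

# Constructed sample name: a valid-looking prefix followed by stray markup.
CRAFTED_NAME = "snap</name><description>injected</description><name>x"


def validate_snapshot_name(name: str) -> str:
    """Reject any name that is not a plain identifier before it reaches libvirt."""
    if not SNAPSHOT_NAME_RE.fullmatch(name):
        raise ValueError(f"invalid snapshot name: {name!r}")
    return name


def snapshot_xml_unsafe(name: str, description: str) -> str:
    """'Before' form: raw string formatting lets input become markup."""
    return (
        f"<domainsnapshot><name>{name}</name>"
        f"<description>{description}</description></domainsnapshot>"
    )


def snapshot_xml_safe(name: str, description: str) -> str:
    """'After' form: validate the name, then build the tree with ElementTree,
    which escapes <, > and & in text nodes instead of emitting them as markup."""
    root = ET.Element("domainsnapshot")
    ET.SubElement(root, "name").text = validate_snapshot_name(name)
    ET.SubElement(root, "description").text = description
    return ET.tostring(root, encoding="unicode")


def element_count(xml: str, tag: str) -> int:
    """Parse the generated XML and count <tag> elements: more than one
    <name>/<description> means the input was interpreted as structure."""
    return len(ET.fromstring(xml).findall(f".//{tag}"))


def name_rejected(name: str) -> bool:
    """True when the hardened builder refuses the name."""
    try:
        snapshot_xml_safe(name, "")
    except ValueError:
        return True
    return False
```

Running `element_count` over both builders' output for `CRAFTED_NAME` shows the raw-string form emitting two `<name>` and two `<description>` elements, while the hardened form rejects the name outright and escapes any markup in the description text.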
Add Direct VNC Hypervisor Console and VM Lifecycle/Snapshot Management via Guacamole
allauth: read OIDC claims from nested userinfo in extra_data
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.4)
Can you help keep this open source service alive? 💖 Please sponsor : )