Merge pull request #424 from ImMin5/master

Add user_groups info at token payload
cloudforet-io · Jan 3, 2025 · 9bf3bc3 · 9bf3bc3
2 parents 76a9ece + ca170f7
commit 9bf3bc3
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 1 deletion.
diff --git a/src/spaceone/identity/lib/key_generator.py b/src/spaceone/identity/lib/key_generator.py
@@ -40,6 +40,7 @@ def generate_token(
         role_type: str = None,
         workspace_id: str = None,
         permissions: list = None,
+        users_group: list = None,
         projects: list = None,
         injected_params: dict = None,
         identity_base_url: str = None,
@@ -72,6 +73,9 @@ def generate_token(
         if projects and len(projects) > 0:
             payload["projects"] = projects
 
+        if users_group and len(users_group) > 0:
+            payload["user_groups"] = users_group
+
         if injected_params:
             payload["injected_params"] = injected_params
 
@@ -98,6 +102,7 @@ def _print_key(payload: dict):
             f'iat: {payload.get("iat")}, '
             f'jti: {payload.get("jti")}, '
             f'projects: {payload.get("projects")},'
+            f'user_groups: {payload.get("user_groups")},'
             f'permissions: {payload.get("permissions")},'
             f'injected_params: {payload.get("injected_params")},'
             f'identity_base_url: {payload.get("identity_base_url")},'

diff --git a/src/spaceone/identity/manager/token_manager/base.py b/src/spaceone/identity/manager/token_manager/base.py
@@ -47,6 +47,7 @@ def issue_token(
         timeout=None,
         permissions=None,
         projects=None,
+        user_groups=None,
         app_id=None,
     ):
         if self.is_authenticated is False:
@@ -78,6 +79,7 @@ def issue_token(
             workspace_id=workspace_id,
             permissions=permissions,
             projects=projects,
+            users_group=user_groups,
             identity_base_url=identity_base_url,
         )
 
@@ -156,7 +158,9 @@ def check_verify_code(user_id, domain_id, verify_code):
     @staticmethod
     def _generate_verify_code(length: int = 6) -> str:
         first_digit = str(secrets.randbelow(9) + 1)
-        remaining_digits = ''.join(str(secrets.randbelow(10)) for _ in range(length - 1))
+        remaining_digits = "".join(
+            str(secrets.randbelow(10)) for _ in range(length - 1)
+        )
         verify_code = first_digit + remaining_digits
         return verify_code
 

diff --git a/src/spaceone/identity/service/token_service.py b/src/spaceone/identity/service/token_service.py
@@ -24,6 +24,7 @@
 from spaceone.identity.manager.role_manager import RoleManager
 from spaceone.identity.manager.system_manager import SystemManager
 from spaceone.identity.manager.token_manager.base import TokenManager
+from spaceone.identity.manager.user_group_manager import UserGroupManager
 from spaceone.identity.manager.user_manager import UserManager
 from spaceone.identity.manager.workspace_manager import WorkspaceManager
 from spaceone.identity.model.app.database import App
@@ -44,6 +45,7 @@ def __init__(self, *args, **kwargs):
         self.domain_mgr = DomainManager()
         self.domain_secret_mgr = DomainSecretManager()
         self.user_mgr = UserManager()
+        self.user_group_mgr = UserGroupManager()
         self.app_mgr = AppManager()
         self.rb_mgr = RoleBindingManager()
         self.role_mgr = RoleManager()
@@ -254,6 +256,14 @@ def grant(self, params: TokenGrantRequest) -> Union[GrantTokenResponse, dict]:
         else:
             user_projects = None
 
+        # get user groups in workspace
+        if params.scope == "WORKSPACE":
+            user_groups = self._get_user_groups_in_workspace(
+                domain_id, params.workspace_id, user_vo.user_id
+            )
+        else:
+            user_groups = None
+
         token_info = token_mgr.issue_token(
             private_jwk,
             refresh_private_jwk,
@@ -262,6 +272,7 @@ def grant(self, params: TokenGrantRequest) -> Union[GrantTokenResponse, dict]:
             workspace_id=params.workspace_id,
             permissions=permissions,
             projects=user_projects,
+            user_groups=user_groups,
             app_id=app_id,  # todo : remove
         )
 
@@ -392,6 +403,16 @@ def _get_user_projects_in_project_group(
         user_projects = list(set(user_projects))
         return user_projects
 
+    def _get_user_groups_in_workspace(
+        self, domain_id: str, workspace_id: str, user_id: str
+    ) -> list:
+        user_group_vos = self.user_group_mgr.filter_user_groups(
+            domain_id=domain_id, workspace_id=workspace_id, users=[user_id]
+        )
+        user_groups = [user_group_vo.user_group_id for user_group_vo in user_group_vos]
+
+        return user_groups
+
     def _get_user_projects(
         self, user_id: str, workspace_id: str, domain_id: str
     ) -> List[str]: