Add config option to check if roles are present (#11414)

2025-12-26 05:48:36 +08:00 · 2025-11-21 16:56:19 -05:00 · 2025-11-21 16:56:19 -05:00 · b9b8d27135
commit b9b8d27135
parent da8a4b1179
2 changed files with 15 additions and 0 deletions
--- a/enterprise/server/auth/constants.py
+++ b/enterprise/server/auth/constants.py
@ -30,3 +30,11 @@ JIRA_DC_CLIENT_SECRET = os.getenv('JIRA_DC_CLIENT_SECRET', '').strip()
 JIRA_DC_BASE_URL = os.getenv('JIRA_DC_BASE_URL', '').strip()
 JIRA_DC_ENABLE_OAUTH = os.getenv('JIRA_DC_ENABLE_OAUTH', '1') in ('1', 'true')
 AUTH_URL = os.getenv('AUTH_URL', '').rstrip('/')
+ROLE_CHECK_ENABLED = os.getenv('ROLE_CHECK_ENABLED', 'false').lower() in (
+    '1',
+    'true',
+    't',
+    'yes',
+    'y',
+    'on',
+)
--- a/enterprise/server/routes/auth.py
+++ b/enterprise/server/routes/auth.py
@ -12,6 +12,7 @@ from server.auth.constants import (
    KEYCLOAK_CLIENT_ID,
    KEYCLOAK_REALM_NAME,
    KEYCLOAK_SERVER_URL_EXT,
+    ROLE_CHECK_ENABLED,
 )
 from server.auth.gitlab_sync import schedule_gitlab_repo_sync
 from server.auth.saas_user_auth import SaasUserAuth
@ -133,6 +134,12 @@ async def keycloak_callback(

    user_info = await token_manager.get_user_info(keycloak_access_token)
    logger.debug(f'user_info: {user_info}')
+    if ROLE_CHECK_ENABLED and 'roles' not in user_info:
+        return JSONResponse(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            content={'error': 'Missing required role'},
+        )
+
    if 'sub' not in user_info or 'preferred_username' not in user_info:
        return JSONResponse(
            status_code=status.HTTP_400_BAD_REQUEST,