From 770dc1d3c9e373c05523e754cb09341fa1e8d268 Mon Sep 17 00:00:00 2001
From: Adam Williamson
Date: Dec 25 2023 00:05:15 +0000
Subject: openidcp: allow setting default attribute mapping at install
This was not wired up to the install script, so it could only be set by the IPA helper. In some circumstances it might be nice to set it explicitly on the command line (e.g. when setting up a Bodhi development environment without using IPA).
Signed-off-by: Adam Williamson
---
diff --git a/ipsilon/helpers/ipa.py b/ipsilon/helpers/ipa.py
index 19b2aea..cfa6ad4 100644
--- a/ipsilon/helpers/ipa.py
+++ b/ipsilon/helpers/ipa.py
@@ -154,7 +154,7 @@ class Installer(EnvHelpersInstaller):
 opts['info_sssd'] = 'yes'
 if not any(lm in opts['lm_order'] for lm in ('form', 'pam')):
 opts['lm_order'].append('pam')
- if opts['openidc'] == 'yes':
+ if opts['openidc'] == 'yes' and not opts['openidc_default_attribute_mapping']:
 opts['openidc_default_attribute_mapping'] = [
 ["*", "*"],
 ["_groups", "groups"],
diff --git a/ipsilon/providers/openidcp.py b/ipsilon/providers/openidcp.py
index d4d94c3..3bb3d8f 100644
--- a/ipsilon/providers/openidcp.py
+++ b/ipsilon/providers/openidcp.py
@@ -267,6 +267,8 @@ class Installer(ProviderInstaller):
 help='Salt to use for pairwise subject subjects')
 group.add_argument('--openidc-extensions', default='',
 help='List of OpenID Connect Extensions to enable')
+ group.add_argument('--openidc-default-attribute-mapping', default='',
+ help='OpenID Connect default attribute mapping (JSON list)')
 def configure(self, opts, changes):
 if opts['openidc'] != 'yes':
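Review bot: No comment near the changed `if opts['openidc'] == 'yes' and not ...` line says that an explicitly supplied mapping now replaces the IPA defaults wholesale instead of being merged with them. The mapping presumably governs which user attributes reach OpenID Connect clients, so a custom value that omits an entry such as `["_groups", "groups"]` silently changes what is released. I would add a comment above the condition, e.g. `# An explicit --openidc-default-attribute-mapping fully replaces the IPA defaults below (no merge).` The guard also subscripts `opts[...]` where openidcp.py uses `opts.get(...)`; `not opts.get('openidc_default_attribute_mapping')` would match that and tolerate a missing key. The list literal being assigned continues past the end of the hunk.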
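Review bot: The help text for `--openidc-default-attribute-mapping` says only "JSON list", which leaves the expected shape to guesswork. The IPA helper's default in ipsilon/helpers/ipa.py is a list of two-element lists, so I would spell that out, e.g. `help='OpenID Connect default attribute mapping (JSON list of two-item lists, e.g. [["_groups", "groups"]])')`. The method that registers these arguments starts above the hunk, so whether sibling options document their format this way is not visible here.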
@@ -319,7 +321,11 @@ class Installer(ProviderInstaller):
 'idp subject salt': subject_salt}
 opt_dam = opts.get('openidc_default_attribute_mapping')
 if opt_dam:
- config['default attribute mapping'] = json.dumps(opt_dam)
+ if isinstance(opt_dam, str):
+ config['default attribute mapping'] = opt_dam
+ else:
+ config['default attribute mapping'] = json.dumps(opt_dam)
+
 po.save_plugin_config(config)
 # Update global config to add login plugin
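Review bot: In the `isinstance(opt_dam, str)` branch the command-line value is written to `config['default attribute mapping']` verbatim, so malformed JSON or a value that is not a list gets persisted at install time. It would presumably only fail, or be misread, when the provider later loads its configuration. Parsing the string with `json.loads`, checking that the result is a list, and then storing it through the existing `json.dumps` path would reject a bad value up front and keep one canonical stored form. How the installer prefers to report bad options is not visible here, so the exception type and messages below are placeholders. The enclosing method (presumably `configure`) starts above this hunk and continues after it.

```python
if opt_dam:
    if isinstance(opt_dam, str):
        # Parse the CLI value so malformed JSON fails at install time
        # instead of being persisted verbatim.
        try:
            opt_dam = json.loads(opt_dam)
        except ValueError as e:
            raise ValueError(
                'Invalid --openidc-default-attribute-mapping: %s' % e)
    if not isinstance(opt_dam, list):
        raise ValueError(
            '--openidc-default-attribute-mapping must be a JSON list')
    config['default attribute mapping'] = json.dumps(opt_dam)
# … unchanged: po.save_plugin_config(config) …
```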