Ensure group claim uses the configured separator character

This commit is contained in:
Josh Hawkins 2025-09-01 14:38:36 -05:00
parent 55160f9235
commit 61416f5fdb


@ -282,28 +282,45 @@ def auth(request: Request):
if role_header: if role_header:
raw_value = request.headers.get(role_header, "") raw_value = request.headers.get(role_header, "")
if proxy_config.header_map.role_map and raw_value: if proxy_config.header_map.role_map and raw_value:
# treat as group claim # treat as group claim split by the configured separator
groups = [ groups = [
g.strip() g.strip()
for g in raw_value.replace(" ", ",").split(",") for g in raw_value.split(proxy_config.separator)
if g.strip() if g.strip()
] ]
for (
candidate_role, # collect all roles whose mapped groups intersect the provided groups
required_groups, matched_roles = {
) in proxy_config.header_map.role_map.items(): role_name
if any(group in groups for group in required_groups): for role_name, required_groups in proxy_config.header_map.role_map.items()
role = candidate_role if any(group in groups for group in required_groups)
break }
elif raw_value:
normalized_role = raw_value.strip().lower() if matched_roles:
if normalized_role in VALID_ROLES: # choose by VALID_ROLES priority (eg, 'admin' before 'viewer')
role = normalized_role role = next(
else: (r for r in VALID_ROLES if r in matched_roles),
logger.warning( proxy_config.default_role,
f"Provided proxy role header contains invalid value '{raw_value}'. Using default role '{proxy_config.default_role}'." )
else:
logger.info(
f"No role_map match for groups '{raw_value}'. Using default role '{proxy_config.default_role}'."
)
elif raw_value:
# no role map specified, so header may contain role name(s) directly
roles_from_header = [
r.strip().lower()
for r in raw_value.split(proxy_config.separator)
if r.strip()
]
role = next(
(r for r in VALID_ROLES if r in roles_from_header),
proxy_config.default_role,
)
if role == proxy_config.default_role and roles_from_header:
logger.warning(
f"Provided proxy role header values '{raw_value}' did not contain a valid role. Using default role '{proxy_config.default_role}'."
) )
role = proxy_config.default_role
success_response.headers["remote-role"] = role success_response.headers["remote-role"] = role
return success_response return success_response
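Review bot: In the `elif raw_value:` branch the misconfiguration warning fires for a legitimate header, because `role == proxy_config.default_role` is also true when the header explicitly names the default role (e.g. a header of `viewer` when `default_role` is `viewer`), so the log claims the header "did not contain a valid role" even though it did. Using a sentinel instead of the default as the `next()` fallback keeps the warning accurate: `role = next((r for r in VALID_ROLES if r in roles_from_header), None)`, then `if role is None:` emit the warning and assign `role = proxy_config.default_role` inside that branch. The role_map branch has the mirror-image gap: when `matched_roles` is non-empty but none of its names is in `VALID_ROLES` (a role_map keyed on a misspelled role), `next()` silently falls back to the default with no log at all, so the same sentinel-and-warn pattern would make the misconfiguration visible to operators. The `else` branch of the role_map path logs but never assigns `role`, which is fine only if `role` is initialised to the default before this hunk; the body of `auth` starts outside the hunk, so I could not confirm that.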