From 62a5bdd9929dc7f4a374d23a8692245880b3ce22 Mon Sep 17 00:00:00 2001
From: Didier 'OdyX' Raboud
Date: Wed, 28 Aug 2024 16:05:19 +0200
Subject: [PATCH] [IMP] auth_oidc: Add AuthOauthProviderGroupLine
Thanks to https://github.com/OCA/server-auth/pull/372/commits/4204bd8df1d8a13f996d3c735c072d4da84450b5 @hbrunn & @26hpredraglazarevic
---
 auth_oidc/__manifest__.py | 6 +++++-
 auth_oidc/models/auth_oauth_provider.py | 17 +++++++++++++++++
 auth_oidc/security/ir.model.access.csv | 2 ++
 auth_oidc/views/auth_oauth_provider.xml | 6 ++++++
 4 files changed, 30 insertions(+), 1 deletion(-)
 create mode 100644 auth_oidc/security/ir.model.access.csv
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index 5e046a73f3..eca3f9b238 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -16,6 +16,10 @@
 "summary": "Allow users to login through OpenID Connect Provider",
 "external_dependencies": {"python": ["python-jose"]},
 "depends": ["auth_oauth"],
- "data": ["views/auth_oauth_provider.xml", "data/auth_oauth_data.xml"],
+ "data": [
+ "views/auth_oauth_provider.xml",
+ "data/auth_oauth_data.xml",
+ "security/ir.model.access.csv",
+ ],
 "demo": ["demo/local_keycloak.xml"],
 }
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index 2e2275e320..00c5cb0104 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -47,6 +47,11 @@ class AuthOauthProvider(models.Model):
 )
 jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
 groups_field = fields.Char(help="Token field that stores the groups' mapping")
+ group_line_ids = fields.One2many(
+ "auth.oauth.provider.group_line",
+ "provider_id",
+ string="Group maps",
+ )
 @tools.ormcache("self.jwks_uri", "kid")
 def _get_keys(self, kid):
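Review bot: `group_line_ids` is added to `AuthOauthProvider` without a `help` text, and nothing in this patch reads it: the diffstat gives 17 added lines for this file, and the two hunks account for all of them with field and model declarations only. Until the login path applies the mapping, an administrator can enter group maps that have no effect on what a user is granted, so the field should either land together with its consumer or say so. A help string such as `help="Maps group names found in the token's groups_field to Odoo groups"` would tie it to `groups_field` on the line above. The class body starts before and continues after the hunk.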
@@ -105,3 +110,15 @@ def _decode_id_token(self, access_token, id_token, kid):
 if error:
 raise error
 return {}
+
+
+class AuthOauthProviderGroupLine(models.Model):
+ _name = "auth.oauth.provider.group_line"
+ _description = "Mapping OAuth-provided groups with Odoo groups"
+
+ provider_id = fields.Many2one("auth.oauth.provider", required=True)
+ oauth_group_name = fields.Char(
+ required=True,
+ help="Group name as passed in the Access Token from the IdP",
+ )
+ group_id = fields.Many2one("res.groups", required=True)
diff --git a/auth_oidc/security/ir.model.access.csv b/auth_oidc/security/ir.model.access.csv
new file mode 100644
index 0000000000..503e4c7529
--- /dev/null
+++ b/auth_oidc/security/ir.model.access.csv
@@ -0,0 +1,2 @@
+id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
+access_auth_oauth_provider_group_line,auth_oauth_provider,model_auth_oauth_provider_group_line,base.group_system,1,1,1,1
diff --git a/auth_oidc/views/auth_oauth_provider.xml b/auth_oidc/views/auth_oauth_provider.xml
index 31a5c12051..41fb0b2d28 100644
--- a/auth_oidc/views/auth_oauth_provider.xml
+++ b/auth_oidc/views/auth_oauth_provider.xml
@@ -18,6 +18,12 @@ + + + + + +
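Review bot: The help on `oauth_group_name` says the name is taken from the access token, while the only token validation visible around this hunk is `_decode_id_token`; because each line decides which `res.groups` a login receives, the code that applies these lines should read group names only from a token whose signature has been verified, and the help text should name that token. `provider_id` and `group_id` are required many2one fields with no `ondelete`, which in Odoo should default to restricting deletion, so a provider with mapping lines could not be removed; `provider_id = fields.Many2one("auth.oauth.provider", required=True, ondelete="cascade")` lets the lines go with their provider. Nothing stops the same `oauth_group_name` and `group_id` pair being entered twice for one provider, so a uniqueness constraint over (`provider_id`, `oauth_group_name`, `group_id`) would keep the table unambiguous.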
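Review bot: The `name` column of the new row is `auth_oauth_provider`, which labels the provider model rather than the group-line model this rule covers; `access_auth_oauth_provider_group_line,auth_oauth_provider_group_line,model_auth_oauth_provider_group_line,base.group_system,1,1,1,1` keeps access-rule listings unambiguous. Granting the row only to `base.group_system` fits the data, since every line decides which Odoo group an IdP group name maps to, and a comment in the module's documentation that no broader group should receive write access here would help later maintainers keep it that way.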