consistent docstrings, config for services/spawner oauth_roles

2025-10-12 12:33:02 +00:00 · 2021-04-29 12:58:16 +02:00
parent 7022a4c558
commit 1337a53a9f
4 changed files with 30 additions and 10 deletions
--- a/jupyterhub/services/service.py
+++ b/jupyterhub/services/service.py
@@ -192,9 +192,15 @@ class Service(LoggingConfigurable):

    oauth_roles = List(
        help="""OAuth allowed roles.
-    
-    List of roles that are passed to generated tokens if the service act as an OAuth client
-    on behalf of users"""
+
+        This sets the maximum and default roles
+        assigned to oauth tokens issued for this service
+        (i.e. tokens stored in browsers after authenticating with the server),
+        defining what actions the service can take on behalf of logged-in users.
+
+        Default is an empty list, meaning minimal permissions to identify users,
+        no actions can be taken on their behalf.
+      """
    ).tag(input=True)

    api_token = Unicode(
--- a/jupyterhub/spawner.py
+++ b/jupyterhub/spawner.py
@@ -219,10 +219,19 @@ class Spawner(LoggingConfigurable):
    oauth_client_id = Unicode()
    handler = Any()

-    allowed_roles = List(
-        help="""OAuth allowed roles for single-user servers
-    """
-    ).tag(input=True)
+    oauth_roles = Union(
+        [Callable(), List()],
+        help="""Allowed roles for oauth tokens.
+
+        This sets the maximum and default roles
+        assigned to oauth tokens issued by a single-user server's
+        oauth client (i.e. tokens stored in browsers after authenticating with the server),
+        defining what actions the server can take on behalf of logged-in users.
+
+        Default is an empty list, meaning minimal permissions to identify users,
+        no actions can be taken on their behalf.
+    """,
+    ).tag(config=True)

    will_resume = Bool(
        False,
--- a/jupyterhub/tests/test_spawner.py
+++ b/jupyterhub/tests/test_spawner.py
@@ -430,5 +430,5 @@ async def test_hub_connect_url(db):

 async def test_spawner_oauth_roles(app):
    allowed_roles = ['lotsa', 'roles']
-    spawner = new_spawner(app.db, allowed_roles=allowed_roles)
-    assert spawner.allowed_roles == allowed_roles
+    spawner = new_spawner(app.db, oauth_roles=allowed_roles)
+    assert spawner.oauth_roles == allowed_roles
--- a/jupyterhub/user.py
+++ b/jupyterhub/user.py
@@ -564,11 +564,16 @@ class User:
            oauth_client = oauth_provider.fetch_by_client_id(client_id)
            # create a new OAuth client + secret on every launch
            # containers that resume will be updated below
+
+            allowed_roles = spawner.oauth_roles
+            if callable(allowed_roles):
+                allowed_roles = allowed_roles(spawner)
+
            oauth_provider.add_client(
                client_id,
                api_token,
                url_path_join(self.url, server_name, 'oauth_callback'),
-                allowed_roles=spawner.allowed_roles,
+                allowed_roles=allowed_roles,
                description="Server at %s"
                % (url_path_join(self.base_url, server_name) + '/'),
            )