diff --git a/jupyterhub/tests/test_spawner.py b/jupyterhub/tests/test_spawner.py
index daed0e58..2081abc0 100644
--- a/jupyterhub/tests/test_spawner.py
+++ b/jupyterhub/tests/test_spawner.py
@@ -428,7 +428,22 @@ async def test_hub_connect_url(db):
 )
-async def test_spawner_oauth_roles(app):
- allowed_roles = ['lotsa', 'roles']
- spawner = new_spawner(app.db, oauth_roles=allowed_roles)
- assert spawner.oauth_roles == allowed_roles
+async def test_spawner_oauth_roles(app, user):
+ allowed_roles = ["admin", "user"]
+ spawner = user.spawners['']
+ spawner.oauth_roles = allowed_roles
+ # exercise start/stop which assign roles to oauth client
+ await spawner.user.spawn()
+ oauth_client = spawner.orm_spawner.oauth_client
+ assert sorted(role.name for role in oauth_client.allowed_roles) == allowed_roles
+ await spawner.user.stop()
+
+
+async def test_spawner_oauth_roles_bad(app, user):
+ allowed_roles = ["user", "nosuchrole"]
+ spawner = user.spawners['']
+ spawner.oauth_roles = allowed_roles
+ # exercise start/stop which assign roles
+ # raises ValueError if we try to assign a role that doesn't exist
+ with pytest.raises(ValueError):
+ await spawner.user.spawn()
diff --git a/jupyterhub/user.py b/jupyterhub/user.py
index e9b933a5..039f4d11 100644
--- a/jupyterhub/user.py
+++ b/jupyterhub/user.py
@@ -622,6 +622,19 @@ class User:
 if callable(allowed_roles):
 allowed_roles = allowed_roles(spawner)
+ # allowed_roles config is a list of strings
+ # oauth provider.allowed_roles is a list of orm.Roles
+ if allowed_roles:
+ allowed_role_names = allowed_roles
+ allowed_roles = list(
+ self.db.query(orm.Role).filter(orm.Role.name.in_(allowed_roles))
+ )
+ if len(allowed_roles) != len(allowed_role_names):
+ missing_roles = set(allowed_role_names).difference(
+ {role.name for role in allowed_roles}
+ )
+ raise ValueError(f"No such role(s): {', '.join(missing_roles)}")
+
 oauth_client = oauth_provider.add_client(
 client_id,
 api_token,
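Review bot: In `test_spawner_oauth_roles_bad`, `pytest.raises(ValueError)` accepts a ValueError raised from anywhere inside `spawn()`, so the test would keep passing if the role lookup stopped rejecting unknown names and some other step raised instead. Pinning the message ties the test to the validation this commit adds: `with pytest.raises(ValueError, match="nosuchrole"):`. Separately, in `test_spawner_oauth_roles` the `await spawner.user.stop()` call is reached only when the assertion passes. Wrapping the assertion in `try`/`finally` would keep a failing run from leaving a server running, which matters if the `app` fixture is shared across tests (not visible here).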
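Review bot: The guard `len(allowed_roles) != len(allowed_role_names)` misfires when the configured list repeats a name. `["user", "user"]` returns one ORM row for two names (assuming role names are unique), so the branch raises `ValueError("No such role(s): ")` with nothing listed, even though every requested role exists. Testing the set difference directly keeps the fail-closed behaviour for unknown roles without the false positive: `missing_roles = set(allowed_role_names) - {role.name for role in allowed_roles}` followed by `if missing_roles: raise ValueError(f"No such role(s): {', '.join(sorted(missing_roles))}")`. The `sorted` call also makes the message deterministic. The enclosing `User` method starts and ends outside the hunk, so what `add_client` does with an empty or `None` `allowed_roles` cannot be checked from here.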