SIEM-13800 OIDC iris groups

source/app/blueprints/pages/login/login_routes.py

@@ -346,14 +346,33 @@ def oidc_authorise():
         if usergroup_field is not None and not user_group:
             return response_error("Required user group information missing in OIDC response", 403)
         if user_group:
+            groups_list = get_groups_list()
+            group_name_to_id = {
+                group.group_name: group.group_id for group in groups_list
+            }
+
+            group_id_set = {g.group_id for g in groups_list}
+
             if not userroles_mapping_field:
-                groups_list = get_groups_list()
-                group_name_to_id = {
-                    group.group_name: group.group_id for group in groups_list
-                }
+                new_user_group = [
+                    group_name_to_id[group_name]
+                    for group_name in user_group
+                    if group_name in group_name_to_id
+                ]
             else:
-                group_name_to_id = json.loads(userroles_mapping_field)
-            new_user_group = [group_name_to_id[group_name] for group_name in user_group if group_name in group_name_to_id]
+                roles_to_group = json.loads(userroles_mapping_field)
+                new_user_group = []
+                for role_name in user_group:
+                    if role_name not in roles_to_group:
+                        continue
+                    mapped_group = roles_to_group[role_name]
+                    try:
+                        group_id = int(mapped_group)
+                        if group_id in group_id_set:
+                            new_user_group.append(group_id)
+                    except (ValueError, TypeError):
+                        if mapped_group in group_name_to_id:
+                            new_user_group.append(group_name_to_id[mapped_group])
             if not new_user_group:
                 return response_error("User role not in IRIS", 403)
             update_user_groups(user.id, new_user_group)

source/app/configuration.py

@@ -369,7 +369,7 @@ def _parse_float(value):
 
 class Config:
     # Handled by bumpversion
-    IRIS_VERSION = "v2.5.0-beta.1-dev-pr8" # DO NOT EDIT THIS LINE MANUALLY
+    IRIS_VERSION = "v2.5.0-beta.1-dev-pr9" # DO NOT EDIT THIS LINE MANUALLY
 
     if os.environ.get('IRIS_DEMO_VERSION') is not None and os.environ.get('IRIS_DEMO_VERSION') != 'None':
         IRIS_VERSION = os.environ.get('IRIS_DEMO_VERSION')

source/app/iris_engine/utils/tracker.py

@@ -48,7 +48,7 @@ def track_activity(message, caseid=None, ctx_less=False, user_input=False, displ
     ua.activity_date = datetime.utcnow()
     ua.activity_desc = message.capitalize()
 
-    if iris_current_user.is_authenticated:
+    if iris_current_user and iris_current_user.is_authenticated:
         logger.info(f"{iris_current_user.user} [#{iris_current_user.id}] :: Case {caseid} :: {ua.activity_desc}")
     else:
         logger.info(f"Anonymous :: Case {caseid} :: {ua.activity_desc}")

source/app/post_init.py

@@ -1390,6 +1390,9 @@ def run(self):
 
                 self._logger.info('Running DB migration')
 
+                db.session.close()
+                db.engine.dispose()
+
                 alembic_cfg = Config(file_='app/alembic.ini')
                 alembic_cfg.set_main_option('sqlalchemy.url', self._configuration['SQLALCHEMY_DATABASE_URI'])
                 command.upgrade(alembic_cfg, 'head')