IMIO · bsuttor · Nov 25, 2025 · Nov 25, 2025 · Nov 25, 2025 · bsuttor
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,7 +1,8 @@
 ## 1.4.1 (unreleased)
 
 
-- Nothing changed yet.
+- WEB-4331 : Set Allowed Groups with environment variable
+  [remdub]
 
 
 ## 1.4.0 (2025-11-04)

diff --git a/src/pas/plugins/kimug/utils.py b/src/pas/plugins/kimug/utils.py
@@ -6,8 +6,10 @@
 from zope.annotation.interfaces import IAnnotations
 from zope.component.hooks import setSite
 
+import ast
 import logging
 import os
+import re
 import requests
 import time
 import transaction
@@ -72,6 +74,8 @@ def set_oidc_settings(context):
             "plone.external_logout_url", "acl_users/oidc/logout"
         )
 
+        _set_allowed_groups(oidc)
+
         transaction.commit()
         logger.info("OIDC settings set with set_oidc_settings()")
     else:
@@ -802,3 +806,23 @@ def remove_authentic_users(context=None) -> None:
     )
     portal_membership.deleteMembers(users_to_delete, delete_localroles=0)
     transaction.commit()
+
+
+def _set_allowed_groups(oidc) -> None:
+    """Set allowed groups from environment variable."""
+    varenv_allowed_groups = os.environ.get("keycloak_allowed_groups", None)
+
+    # varenv set by puppet is an unquoted string representation of a list, e.g. "[group1, group2]"
+    # we need to convert it to a tuple
+
+    if varenv_allowed_groups is not None:
+        # add quotes around each group name
+        varenv_allowed_groups = re.sub(
+            r"\b([A-Za-z_][A-Za-z0-9_]*)\b", r'"\1"', varenv_allowed_groups
+        )
+        # convert string representation of list to tuple
+        oidc.allowed_groups = ast.literal_eval(varenv_allowed_groups)
+        oidc.allowed_groups = tuple(oidc.allowed_groups)
+        logger.info(f"Set allowed groups to: {varenv_allowed_groups}")
+    else:
+        logger.info("No environment variable for allowed groups set. Not changing.")
diff --git a/tests/utils/test_utils.py b/tests/utils/test_utils.py
@@ -2,6 +2,8 @@
 from plone import api
 from zope.annotation.interfaces import IAnnotations
 
+import os
+
 
 class TestUtils:
     def test_toggle_authentication_plugins(self, portal):
@@ -66,3 +68,33 @@ def test_toggle_authentication_plugins(self, portal):
         )
         # 3.1 All authentication plugins should still be enabled.
         assert all_plugins.get("active") == initially_enabled_plugins
+
+    def test_set_allowed_groups(self, portal):
+        """Test set_allowed_groups method."""
+
+        oidc = utils.get_plugin()
+
+        # 1. No environment variable set: allowed groups should not change
+        current_allowed_groups = oidc.allowed_groups
+
+        os.environ.pop("keycloak_allowed_groups", None)
+
+        utils._set_allowed_groups(oidc)
+
+        assert oidc.allowed_groups == current_allowed_groups
+
+        # 2. Typical scenario: set allowed groups from environment variable
+
+        os.environ["keycloak_allowed_groups"] = "[group1, group2, group3]"
+
+        utils._set_allowed_groups(oidc)
+
+        assert oidc.allowed_groups == ("group1", "group2", "group3")
+
+        # 3. Empty allowed groups from environment variable
+
+        os.environ["keycloak_allowed_groups"] = "[]"
+
+        utils._set_allowed_groups(oidc)
+
+        assert oidc.allowed_groups == ()