Merge remote-tracking branch 'origin/dev' into dev

This commit is contained in:
Matt Scott 2023-03-18 19:20:47 -04:00
commit 1918f713e1
3 changed files with 61 additions and 67 deletions

View File

@ -5,6 +5,7 @@ import bcrypt
import pyotp import pyotp
import ldap import ldap
import ldap.filter import ldap.filter
from collections import OrderedDict
from flask import current_app from flask import current_app
from flask_login import AnonymousUserMixin from flask_login import AnonymousUserMixin
from sqlalchemy import orm from sqlalchemy import orm
@ -254,82 +255,82 @@ class User(db.Model):
if LDAP_TYPE == 'ldap': if LDAP_TYPE == 'ldap':
groupSearchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_GROUPNAME, ldap_username, LDAP_FILTER_GROUP) groupSearchFilter = "(&({0}={1}){2})".format(LDAP_FILTER_GROUPNAME, ldap_username, LDAP_FILTER_GROUP)
current_app.logger.debug('Ldap groupSearchFilter {0}'.format(groupSearchFilter)) current_app.logger.debug('Ldap groupSearchFilter {0}'.format(groupSearchFilter))
if (self.ldap_search(groupSearchFilter, if (LDAP_ADMIN_GROUP and self.ldap_search(groupSearchFilter, LDAP_ADMIN_GROUP)):
LDAP_ADMIN_GROUP)):
role_name = 'Administrator' role_name = 'Administrator'
current_app.logger.info( current_app.logger.info(
'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin' 'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'
.format(self.username, .format(self.username, LDAP_ADMIN_GROUP))
LDAP_ADMIN_GROUP)) elif (LDAP_OPERATOR_GROUP and self.ldap_search(groupSearchFilter, LDAP_OPERATOR_GROUP)):
elif (self.ldap_search(groupSearchFilter,
LDAP_OPERATOR_GROUP)):
role_name = 'Operator' role_name = 'Operator'
current_app.logger.info( current_app.logger.info(
'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin' 'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin'
.format(self.username, .format(self.username, LDAP_OPERATOR_GROUP))
LDAP_OPERATOR_GROUP)) elif (LDAP_USER_GROUP and self.ldap_search(groupSearchFilter, LDAP_USER_GROUP)):
elif (self.ldap_search(groupSearchFilter,
LDAP_USER_GROUP)):
current_app.logger.info( current_app.logger.info(
'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin' 'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'
.format(self.username, .format(self.username, LDAP_USER_GROUP))
LDAP_USER_GROUP))
else: else:
current_app.logger.error( current_app.logger.error(
'User {0} is not part of the "{1}", "{2}" or "{3}" groups that allow access to PowerDNS-Admin' 'User {0} is not part of any security groups that allow access to PowerDNS-Admin'
.format(self.username,
LDAP_ADMIN_GROUP,
LDAP_OPERATOR_GROUP,
LDAP_USER_GROUP))
return False
elif LDAP_TYPE == 'ad':
ldap_admin_group_filter, ldap_operator_group, ldap_user_group = "", "", ""
if LDAP_ADMIN_GROUP:
ldap_admin_group_filter = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_ADMIN_GROUP)
if LDAP_OPERATOR_GROUP:
ldap_operator_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_OPERATOR_GROUP)
if LDAP_USER_GROUP:
ldap_user_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_USER_GROUP)
searchFilter = "(&({0}={1})(|{2}{3}{4}))".format(LDAP_FILTER_USERNAME, self.username,
ldap_admin_group_filter,
ldap_operator_group, ldap_user_group)
ldap_result = self.ldap_search(searchFilter, LDAP_BASE_DN)
user_ad_member_of = ldap_result[0][0][1].get(
'memberOf')
if not user_ad_member_of:
current_app.logger.error(
'User {0} does not belong to any group while LDAP_GROUP_SECURITY_ENABLED is ON'
.format(self.username)) .format(self.username))
return False return False
elif LDAP_TYPE == 'ad':
ldap_group_security_roles = OrderedDict(
Administrator=LDAP_ADMIN_GROUP,
Operator=LDAP_OPERATOR_GROUP,
User=LDAP_USER_GROUP,
)
user_dn = ldap_result[0][0][0]
sf_groups = ""
user_ad_member_of = [g.decode("utf-8") for g in user_ad_member_of] for group in ldap_group_security_roles.values():
if not group:
continue
if (LDAP_ADMIN_GROUP in user_ad_member_of): sf_groups += f"(distinguishedName={group})"
role_name = 'Administrator'
current_app.logger.info( sf_member_user = f"(member:1.2.840.113556.1.4.1941:={user_dn})"
'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin' search_filter = f"(&(|{sf_groups}){sf_member_user})"
.format(self.username, current_app.logger.debug(f"LDAP groupSearchFilter '{search_filter}'")
LDAP_ADMIN_GROUP))
elif (LDAP_OPERATOR_GROUP in user_ad_member_of): ldap_user_groups = [
role_name = 'Operator' group[0][0]
current_app.logger.info( for group in self.ldap_search(
'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin' search_filter,
.format(self.username, LDAP_BASE_DN
LDAP_OPERATOR_GROUP)) )
elif (LDAP_USER_GROUP in user_ad_member_of): ]
current_app.logger.info(
'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin' if not ldap_user_groups:
.format(self.username,
LDAP_USER_GROUP))
else:
current_app.logger.error( current_app.logger.error(
'User {0} is not part of the "{1}", "{2}" or "{3}" groups that allow access to PowerDNS-Admin' f"User '{self.username}' "
.format(self.username, "does not belong to any group "
LDAP_ADMIN_GROUP, "while LDAP_GROUP_SECURITY_ENABLED is ON"
LDAP_OPERATOR_GROUP, )
LDAP_USER_GROUP))
return False return False
current_app.logger.debug(
"LDAP User security groups "
f"for user '{self.username}': "
" ".join(ldap_user_groups)
)
for role, ldap_group in ldap_group_security_roles.items():
# Continue when groups is not defined or
# user is'nt member of LDAP group
if not ldap_group or not ldap_group in ldap_user_groups:
continue
role_name = role
current_app.logger.info(
f"User '{self.username}' member of "
f"the '{ldap_group}' group that allows "
f"'{role}' access to to PowerDNS-Admin"
)
# Stop loop on first found
break
else: else:
current_app.logger.error('Invalid LDAP type') current_app.logger.error('Invalid LDAP type')
return False return False

View File

@ -528,7 +528,6 @@ def clear_session():
session.pop('google_token', None) session.pop('google_token', None)
session.pop('authentication_type', None) session.pop('authentication_type', None)
session.pop('remote_user', None) session.pop('remote_user', None)
session.clear()
logout_user() logout_user()

View File

@ -1772,12 +1772,6 @@
$('#ldap_filter_username').prop('required', true); $('#ldap_filter_username').prop('required', true);
$('#ldap_filter_groupname').prop('required', true); $('#ldap_filter_groupname').prop('required', true);
if ($('#ldap_sg_on').is(":checked")) {
$('#ldap_admin_group').prop('required', true);
$('#ldap_operator_group').prop('required', true);
$('#ldap_user_group').prop('required', true);
}
if ($('#autoprovisioning_on').is(":checked")) { if ($('#autoprovisioning_on').is(":checked")) {
$('#autoprovisioning_attribute').prop('required', true); $('#autoprovisioning_attribute').prop('required', true);
$('#urn_value').prop('required', true); $('#urn_value').prop('required', true);