mirror of
https://github.com/cwinfo/powerdns-admin.git
synced 2024-11-08 22:50:26 +00:00
Manage Account memebership for SAML Users
This commit is contained in:
parent
765351c5e9
commit
480989e86a
@ -602,6 +602,32 @@ class Account(db.Model):
|
||||
users.append(User(id=uid).get_user_info_by_id().username)
|
||||
|
||||
self.grant_privileges(users)
|
||||
def add_user(self, user):
|
||||
"""
|
||||
Add a single user to Account by User
|
||||
"""
|
||||
try:
|
||||
au = AccountUser(self.id, user.id)
|
||||
db.session.add(au)
|
||||
db.session.commit()
|
||||
return True
|
||||
except:
|
||||
db.session.rollback()
|
||||
logging.error('Cannot add user privielges on account {0}'.format(self.name))
|
||||
return False
|
||||
|
||||
def remove_user(self, user):
|
||||
"""
|
||||
Remove a single user from Account by User
|
||||
"""
|
||||
try:
|
||||
AccountUser.query.filter(AccountUser.user_id == user.id).filter(AccountUser.account_id == self.id).delete()
|
||||
db.session.commit()
|
||||
return True
|
||||
except:
|
||||
db.session.rollback()
|
||||
logging.error('Cannot revoke user privielges on account {0}'.format(self.name))
|
||||
return False
|
||||
|
||||
|
||||
class Role(db.Model):
|
||||
|
27
app/views.py
27
app/views.py
@ -239,10 +239,10 @@ def saml_authorized():
|
||||
email=session['samlNameId'])
|
||||
user.create_local_user()
|
||||
session['user_id'] = user.id
|
||||
logging.debug("Attributes are: {0}".format(repr(session['samlUserdata'])))
|
||||
email_attribute_name = app.config.get('SAML_ATTRIBUTE_EMAIL', 'email')
|
||||
givenname_attribute_name = app.config.get('SAML_ATTRIBUTE_GIVENNAME', 'givenname')
|
||||
surname_attribute_name = app.config.get('SAML_ATTRIBUTE_SURNAME', 'surname')
|
||||
account_attribute_name = app.config.get('SAML_ATTRIBUTE_ACCOUNT', None)
|
||||
admin_attribute_name = app.config.get('SAML_ATTRIBUTE_ADMIN', None)
|
||||
if email_attribute_name in session['samlUserdata']:
|
||||
user.email = session['samlUserdata'][email_attribute_name][0].lower()
|
||||
@ -250,16 +250,37 @@ def saml_authorized():
|
||||
user.firstname = session['samlUserdata'][givenname_attribute_name][0]
|
||||
if surname_attribute_name in session['samlUserdata']:
|
||||
user.lastname = session['samlUserdata'][surname_attribute_name][0]
|
||||
if admin_attribute_name:
|
||||
user_accounts = set(user.get_account())
|
||||
saml_accounts = []
|
||||
for account_name in session['samlUserdata'].get(account_attribute_name, []):
|
||||
clean_name = ''.join(c for c in account_name.lower() if c in "abcdefghijklmnopqrstuvwxyz0123456789")
|
||||
if len(clean_name) > Account.name.type.length:
|
||||
logging.error("Account name {0} too long. Truncated.".format(clean_name))
|
||||
account = Account.query.filter_by(name=clean_name).first()
|
||||
if not account:
|
||||
account = Account(name=clean_name.lower(), description='', contact='', mail='')
|
||||
account.create_account()
|
||||
history = History(msg='Account {0} created'.format(account.name), created_by='SAML Assertion')
|
||||
history.add()
|
||||
saml_accounts.append(account)
|
||||
saml_accounts = set(saml_accounts)
|
||||
for account in saml_accounts - user_accounts:
|
||||
account.add_user(user)
|
||||
history = History(msg='Adding {0} to account {1}'.format(user.username, account.name), created_by='SAML Assertion')
|
||||
history.add()
|
||||
for account in user_accounts - saml_accounts:
|
||||
account.remove_user(user)
|
||||
history = History(msg='Removing {0} from account {1}'.format(user.username, account.name), created_by='SAML Assertion')
|
||||
history.add()
|
||||
if admin_attribute_name:
|
||||
if 'true' in session['samlUserdata'].get(admin_attribute_name, []):
|
||||
logging.debug("User is an admin")
|
||||
admin_role = Role.query.filter_by(name='Administrator').first().id
|
||||
if user.role_id != admin_role:
|
||||
user.role_id = admin_role
|
||||
history = History(msg='Promoting {0} to administrator'.format(user.username), created_by='SAML Assertion')
|
||||
history.add()
|
||||
else:
|
||||
logging.debug("User is NOT an admin")
|
||||
user_role = Role.query.filter_by(name='User').first().id
|
||||
if user.role_id != user_role:
|
||||
user.role_id = user_role
|
||||
|
@ -137,6 +137,13 @@ SAML_METADATA_CACHE_LIFETIME = 1
|
||||
### the user is set as a non-administrator user.
|
||||
#SAML_ATTRIBUTE_ADMIN = 'https://example.edu/pdns-admin'
|
||||
|
||||
## Attribute to get account names from
|
||||
### Default: Don't control accounts with SAML attribute
|
||||
### If set, the user will be added and removed from accounts to match
|
||||
### what's in the login assertion. Accounts that don't exist will
|
||||
### be created and the user added to them.
|
||||
SAML_ATTRIBUTE_ACCOUNT = 'https://example.edu/pdns-account'
|
||||
|
||||
SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>'
|
||||
SAML_SP_CONTACT_NAME = '<contact name>'
|
||||
SAML_SP_CONTACT_MAIL = '<contact mail>'
|
||||
|
Loading…
Reference in New Issue
Block a user