Improve account creation/permission handling based on Azure oAuth group membership (#877)
This commit is contained in:
parent
3a4efebf95
commit
4c19f95928
@ -282,46 +282,52 @@ def login():
|
|||||||
# Handle account/group creation, if enabled
|
# Handle account/group creation, if enabled
|
||||||
if Setting().get('azure_group_accounts_enabled') and mygroups:
|
if Setting().get('azure_group_accounts_enabled') and mygroups:
|
||||||
current_app.logger.info('Azure group account sync enabled')
|
current_app.logger.info('Azure group account sync enabled')
|
||||||
|
name_value = Setting().get('azure_group_accounts_name')
|
||||||
|
description_value = Setting().get('azure_group_accounts_description')
|
||||||
|
select_values = name_value
|
||||||
|
if description_value != '':
|
||||||
|
select_values += ',' + description_value
|
||||||
|
|
||||||
|
mygroups = get_azure_groups(
|
||||||
|
'me/memberOf/microsoft.graph.group?$count=false&$securityEnabled=true&$select={}'.format(select_values))
|
||||||
|
|
||||||
|
description_pattern = Setting().get('azure_group_accounts_description_re')
|
||||||
|
pattern = Setting().get('azure_group_accounts_name_re')
|
||||||
|
|
||||||
|
# Loop through users security groups
|
||||||
for azure_group in mygroups:
|
for azure_group in mygroups:
|
||||||
|
if name_value in azure_group:
|
||||||
name_value = Setting().get('azure_group_accounts_name')
|
group_name = azure_group[name_value]
|
||||||
description_value = Setting().get('azure_group_accounts_description')
|
|
||||||
|
|
||||||
select_values = name_value
|
|
||||||
if description_value != '':
|
|
||||||
select_values += ',' + description_value
|
|
||||||
azure_group_info = azure.get('groups/{}?$select={}'.format(azure_group, select_values)).text
|
|
||||||
current_app.logger.info('Group name for {}: {}'.format(azure_group, azure_group_info))
|
|
||||||
group_info = json.loads(azure_group_info)
|
|
||||||
if name_value in group_info:
|
|
||||||
group_name = group_info[name_value]
|
|
||||||
group_description = ''
|
group_description = ''
|
||||||
if description_value in group_info:
|
if description_value in azure_group:
|
||||||
group_description = group_info[description_value]
|
group_description = azure_group[description_value]
|
||||||
|
|
||||||
# Do regex search if enabled for group description
|
# Do regex search if enabled for group description
|
||||||
description_pattern = Setting().get('azure_group_accounts_description_re')
|
|
||||||
if description_pattern != '':
|
if description_pattern != '':
|
||||||
current_app.logger.info('Matching group description {} against regex {}'.format(group_description, description_pattern))
|
current_app.logger.info('Matching group description {} against regex {}'.format(
|
||||||
matches = re.match(description_pattern,group_description)
|
group_description, description_pattern))
|
||||||
|
matches = re.match(
|
||||||
|
description_pattern, group_description)
|
||||||
if matches:
|
if matches:
|
||||||
current_app.logger.info('Group {} matched regexp'.format(group_description))
|
current_app.logger.info(
|
||||||
|
'Group {} matched regexp'.format(group_description))
|
||||||
group_description = matches.group(1)
|
group_description = matches.group(1)
|
||||||
else:
|
else:
|
||||||
# Regexp didn't match, continue to next iteration
|
# Regexp didn't match, continue to next iteration
|
||||||
next
|
continue
|
||||||
|
|
||||||
# Do regex search if enabled for group name
|
# Do regex search if enabled for group name
|
||||||
pattern = Setting().get('azure_group_accounts_name_re')
|
|
||||||
if pattern != '':
|
if pattern != '':
|
||||||
current_app.logger.info('Matching group name {} against regex {}'.format(group_name, pattern))
|
current_app.logger.info(
|
||||||
matches = re.match(pattern,group_name)
|
'Matching group name {} against regex {}'.format(group_name, pattern))
|
||||||
|
matches = re.match(pattern, group_name)
|
||||||
if matches:
|
if matches:
|
||||||
current_app.logger.info('Group {} matched regexp'.format(group_name))
|
current_app.logger.info(
|
||||||
|
'Group {} matched regexp'.format(group_name))
|
||||||
group_name = matches.group(1)
|
group_name = matches.group(1)
|
||||||
else:
|
else:
|
||||||
# Regexp didn't match, continue to next iteration
|
# Regexp didn't match, continue to next iteration
|
||||||
next
|
continue
|
||||||
|
|
||||||
account = Account()
|
account = Account()
|
||||||
account_id = account.get_id_by_name(account_name=group_name)
|
account_id = account.get_id_by_name(account_name=group_name)
|
||||||
@ -512,6 +518,21 @@ def signin_history(username, authenticator, success):
|
|||||||
}),
|
}),
|
||||||
created_by='System').add()
|
created_by='System').add()
|
||||||
|
|
||||||
|
# Get a list of Azure security groups the user is a member of
|
||||||
|
def get_azure_groups(uri):
|
||||||
|
azure_info = azure.get(uri).text
|
||||||
|
current_app.logger.info('Azure groups returned: ' + azure_info)
|
||||||
|
grouplookup = json.loads(azure_info)
|
||||||
|
if "value" in grouplookup:
|
||||||
|
mygroups = grouplookup["value"]
|
||||||
|
# If "@odata.nextLink" exists in the results, we need to get more groups
|
||||||
|
if "@odata.nextLink" in grouplookup:
|
||||||
|
# The additional groups are added to the existing array
|
||||||
|
mygroups.extend(get_azure_groups(grouplookup["@odata.nextLink"]))
|
||||||
|
else:
|
||||||
|
mygroups = []
|
||||||
|
return mygroups
|
||||||
|
|
||||||
|
|
||||||
@index_bp.route('/logout')
|
@index_bp.route('/logout')
|
||||||
def logout():
|
def logout():
|
||||||
|
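Review bot: In the second hunk, `get_azure_groups` treats any response without a `"value"` key as an empty membership and returns `[]` without recording why, so a Graph error body (which carries `"error"` instead of `"value"`, e.g. for an expired or under-scoped token) is indistinguishable in `login()` from a user who is in no groups, and a non-JSON body makes `json.loads` raise unhandled; a warning-level log of the failure is the minimum. The recursion on `@odata.nextLink` has no bound and hands a server-supplied absolute URL to `azure.get`, which presumably attaches the bearer token to whatever host the link names — I would cap the number of pages followed and confirm the link resolves to the configured Graph host before following it (how the `azure` client treats absolute URLs is not visible here, so that part is hedged). `current_app.logger.info('Azure groups returned: ' + azure_info)` writes the user's complete directory membership into the application log at INFO on every login; the page index and byte count are enough for troubleshooting. A sketch of the function with those three changes follows; the `login()` hunk is unchanged by it.
```python
MAX_AZURE_GROUP_PAGES = 50  # constructed bound: large enough for big tenants, stops a nextLink loop

# Get a list of Azure security groups the user is a member of
def get_azure_groups(uri, _page=0):
    azure_info = azure.get(uri).text
    # Log volume only; the payload is the user's directory membership
    current_app.logger.debug('Azure groups page %d: %d bytes', _page, len(azure_info))
    try:
        grouplookup = json.loads(azure_info)
    except ValueError:
        current_app.logger.warning('Azure groups response is not JSON')
        return []
    if not isinstance(grouplookup, dict) or "value" not in grouplookup:
        # A Graph error body carries "error" instead of "value"
        current_app.logger.warning('Azure groups lookup failed: %s', azure_info[:200])
        return []
    mygroups = grouplookup["value"]
    nextlink = grouplookup.get("@odata.nextLink")
    if nextlink and _page + 1 < MAX_AZURE_GROUP_PAGES:
        # NOTE(review): nextLink is server-supplied; confirm it resolves to the configured
        # Graph host before azure.get() sends the bearer token to it
        mygroups.extend(get_azure_groups(nextlink, _page + 1))
    return mygroups
```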