mirror of
https://github.com/cwinfo/powerdns-admin.git
synced 2025-01-07 10:55:40 +00:00
Improve account creation/permission handling based on Azure oAuth group membership (#877)
This commit is contained in:
parent
3a4efebf95
commit
4c19f95928
@ -282,46 +282,52 @@ def login():
|
||||
# Handle account/group creation, if enabled
|
||||
if Setting().get('azure_group_accounts_enabled') and mygroups:
|
||||
current_app.logger.info('Azure group account sync enabled')
|
||||
name_value = Setting().get('azure_group_accounts_name')
|
||||
description_value = Setting().get('azure_group_accounts_description')
|
||||
select_values = name_value
|
||||
if description_value != '':
|
||||
select_values += ',' + description_value
|
||||
|
||||
mygroups = get_azure_groups(
|
||||
'me/memberOf/microsoft.graph.group?$count=false&$securityEnabled=true&$select={}'.format(select_values))
|
||||
|
||||
description_pattern = Setting().get('azure_group_accounts_description_re')
|
||||
pattern = Setting().get('azure_group_accounts_name_re')
|
||||
|
||||
# Loop through users security groups
|
||||
for azure_group in mygroups:
|
||||
|
||||
name_value = Setting().get('azure_group_accounts_name')
|
||||
description_value = Setting().get('azure_group_accounts_description')
|
||||
|
||||
select_values = name_value
|
||||
if description_value != '':
|
||||
select_values += ',' + description_value
|
||||
azure_group_info = azure.get('groups/{}?$select={}'.format(azure_group, select_values)).text
|
||||
current_app.logger.info('Group name for {}: {}'.format(azure_group, azure_group_info))
|
||||
group_info = json.loads(azure_group_info)
|
||||
if name_value in group_info:
|
||||
group_name = group_info[name_value]
|
||||
if name_value in azure_group:
|
||||
group_name = azure_group[name_value]
|
||||
group_description = ''
|
||||
if description_value in group_info:
|
||||
group_description = group_info[description_value]
|
||||
if description_value in azure_group:
|
||||
group_description = azure_group[description_value]
|
||||
|
||||
# Do regex search if enabled for group description
|
||||
description_pattern = Setting().get('azure_group_accounts_description_re')
|
||||
if description_pattern != '':
|
||||
current_app.logger.info('Matching group description {} against regex {}'.format(group_description, description_pattern))
|
||||
matches = re.match(description_pattern,group_description)
|
||||
current_app.logger.info('Matching group description {} against regex {}'.format(
|
||||
group_description, description_pattern))
|
||||
matches = re.match(
|
||||
description_pattern, group_description)
|
||||
if matches:
|
||||
current_app.logger.info('Group {} matched regexp'.format(group_description))
|
||||
current_app.logger.info(
|
||||
'Group {} matched regexp'.format(group_description))
|
||||
group_description = matches.group(1)
|
||||
else:
|
||||
# Regexp didn't match, continue to next iteration
|
||||
next
|
||||
continue
|
||||
|
||||
# Do regex search if enabled for group name
|
||||
pattern = Setting().get('azure_group_accounts_name_re')
|
||||
if pattern != '':
|
||||
current_app.logger.info('Matching group name {} against regex {}'.format(group_name, pattern))
|
||||
matches = re.match(pattern,group_name)
|
||||
current_app.logger.info(
|
||||
'Matching group name {} against regex {}'.format(group_name, pattern))
|
||||
matches = re.match(pattern, group_name)
|
||||
if matches:
|
||||
current_app.logger.info('Group {} matched regexp'.format(group_name))
|
||||
current_app.logger.info(
|
||||
'Group {} matched regexp'.format(group_name))
|
||||
group_name = matches.group(1)
|
||||
else:
|
||||
# Regexp didn't match, continue to next iteration
|
||||
next
|
||||
continue
|
||||
|
||||
account = Account()
|
||||
account_id = account.get_id_by_name(account_name=group_name)
|
||||
@ -512,6 +518,21 @@ def signin_history(username, authenticator, success):
|
||||
}),
|
||||
created_by='System').add()
|
||||
|
||||
# Get a list of Azure security groups the user is a member of
|
||||
def get_azure_groups(uri):
|
||||
azure_info = azure.get(uri).text
|
||||
current_app.logger.info('Azure groups returned: ' + azure_info)
|
||||
grouplookup = json.loads(azure_info)
|
||||
if "value" in grouplookup:
|
||||
mygroups = grouplookup["value"]
|
||||
# If "@odata.nextLink" exists in the results, we need to get more groups
|
||||
if "@odata.nextLink" in grouplookup:
|
||||
# The additional groups are added to the existing array
|
||||
mygroups.extend(get_azure_groups(grouplookup["@odata.nextLink"]))
|
||||
else:
|
||||
mygroups = []
|
||||
return mygroups
|
||||
|
||||
|
||||
@index_bp.route('/logout')
|
||||
def logout():
|
||||
|
Loading…
Reference in New Issue
Block a user