From 715c6b76cda3abba9e311049f0b925a17286c5b3 Mon Sep 17 00:00:00 2001
From: Josh Matthews <josh@sol1.com.au>
Date: Mon, 23 May 2022 14:38:16 +1000
Subject: [PATCH 1/2] added code to raise user to operator on SAML auth if in
 the right group

---
 powerdnsadmin/routes/index.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py
index f9a5649..a18cc20 100644
--- a/powerdnsadmin/routes/index.py
+++ b/powerdnsadmin/routes/index.py
@@ -1008,6 +1008,8 @@ def saml_authorized():
                                                       None)
         admin_group_name = current_app.config.get('SAML_GROUP_ADMIN_NAME',
                                                   None)
+        operator_group_name = current_app.config.get('SAML_GROUP_OPERATOR_NAME',
+                                                  None)
         group_to_account_mapping = create_group_to_account_mapping()
 
         if email_attribute_name in session['samlUserdata']:
@@ -1061,6 +1063,8 @@ def saml_authorized():
             uplift_to_admin(user)
         elif admin_group_name in user_groups:
             uplift_to_admin(user)
+        elif operator_group_name in user_groups:
+            uplift_to_operator(user)
         elif admin_attribute_name or group_attribute_name:
             if user.role.name != 'User':
                 user.role_id = Role.query.filter_by(name='User').first().id
@@ -1117,6 +1121,14 @@ def uplift_to_admin(user):
                           created_by='SAML Assertion')
         history.add()
 
+def uplift_to_operator(user):
+    if user.role.name != 'Operator':
+        user.role_id = Role.query.filter_by(name='Operator').first().id
+        history = History(msg='Promoting {0} to operator'.format(
+            user.username),
+                          created_by='SAML Assertion')
+        history.add()
+
 
 @index_bp.route('/saml/sls')
 def saml_logout():

From 2020055ab2c0ef4647e354c6025c7dcd2b735f0c Mon Sep 17 00:00:00 2001
From: Josh Matthews <josh@sol1.com.au>
Date: Mon, 23 May 2022 14:39:29 +1000
Subject: [PATCH 2/2] added code to pull the operator and admin groups from
 SAML auth requests

---
 configs/development.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/configs/development.py b/configs/development.py
index 2c2e63d..401c121 100644
--- a/configs/development.py
+++ b/configs/development.py
@@ -113,6 +113,14 @@ SAML_ENABLED = False
 # ###  the user is set as a non-administrator user.
 # #SAML_ATTRIBUTE_ADMIN = 'https://example.edu/pdns-admin'
 
+## Attribute to get admin status for groups with the IdP
+# ### Default: Don't set administrator group with SAML attributes
+#SAML_GROUP_ADMIN_NAME = 'GroupName'
+
+## Attribute to get operator status for groups with the IdP
+# ### Default: Don't set operator group with SAML attributes
+#SAML_GROUP_OPERATOR_NAME = 'GroupName'
+
 # ## Attribute to get account names from
 # ### Default: Don't control accounts with SAML attribute
 # ### If set, the user will be added and removed from accounts to match