From 715c6b76cda3abba9e311049f0b925a17286c5b3 Mon Sep 17 00:00:00 2001 From: Josh Matthews Date: Mon, 23 May 2022 14:38:16 +1000 Subject: [PATCH 1/2] added code to raise user to operator on SAML auth if in the right group --- powerdnsadmin/routes/index.py | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py index f9a5649..a18cc20 100644 --- a/powerdnsadmin/routes/index.py +++ b/powerdnsadmin/routes/index.py @@ -1008,6 +1008,8 @@ def saml_authorized(): None) admin_group_name = current_app.config.get('SAML_GROUP_ADMIN_NAME', None) + operator_group_name = current_app.config.get('SAML_GROUP_OPERATOR_NAME', + None) group_to_account_mapping = create_group_to_account_mapping() if email_attribute_name in session['samlUserdata']: @@ -1061,6 +1063,8 @@ def saml_authorized(): uplift_to_admin(user) elif admin_group_name in user_groups: uplift_to_admin(user) + elif operator_group_name in user_groups: + uplift_to_operator(user) elif admin_attribute_name or group_attribute_name: if user.role.name != 'User': user.role_id = Role.query.filter_by(name='User').first().id @@ -1117,6 +1121,14 @@ def uplift_to_admin(user): created_by='SAML Assertion') history.add() +def uplift_to_operator(user): + if user.role.name != 'Operator': + user.role_id = Role.query.filter_by(name='Operator').first().id + history = History(msg='Promoting {0} to operator'.format( + user.username), + created_by='SAML Assertion') + history.add() + @index_bp.route('/saml/sls') def saml_logout(): From 2020055ab2c0ef4647e354c6025c7dcd2b735f0c Mon Sep 17 00:00:00 2001 From: Josh Matthews Date: Mon, 23 May 2022 14:39:29 +1000 Subject: [PATCH 2/2] added code to pull the operator and admin groups from SAML auth requests --- configs/development.py | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/configs/development.py b/configs/development.py index 2c2e63d..401c121 100644 --- a/configs/development.py +++ b/configs/development.py 
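Review bot: The new `elif operator_group_name in user_groups:` branch inherits the `None` default from the config read in the first hunk, so with SAML_GROUP_OPERATOR_NAME unset it relies on `None` never being an element of `user_groups`, and an empty-string setting would also match if `user_groups` is ever a plain string rather than a list (its construction is outside the hunk). An explicit guard removes both cases: `elif operator_group_name and operator_group_name in user_groups:`. Because this branch runs for anyone not matched by the admin checks above it, an Administrator who is only in the operator group is moved to Operator here — presumably the intended group-sync behaviour, but the history entry written by uplift_to_operator in the third hunk describes it as a promotion. saml_authorized starts and ends outside the hunk.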
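Review bot: uplift_to_operator logs 'Promoting {0} to operator' although its `!= 'Operator'` test also fires for a user whose current role is Administrator, where the change is a demotion; capture the old role before reassigning and record it: `previous_role = user.role.name` ahead of the `user.role_id = ...` line, and `msg='Changing role of {0} from {1} to operator'.format(user.username, previous_role)`. `Role.query.filter_by(name='Operator').first()` returns None when the role row is missing, which would surface here as an AttributeError; that mirrors uplift_to_admin in the context above, so a shared role-lookup helper with a clear error would serve both. The function also has no docstring — a one-liner saying it sets the SAML user's role to Operator when it is not already and writes a History entry would do — and needs two blank lines before `def` to match PEP 8.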
@@ -113,6 +113,14 @@ SAML_ENABLED = False # ### the user is set as a non-administrator user. # #SAML_ATTRIBUTE_ADMIN = 'https://example.edu/pdns-admin' +## Attribute to get admin status for groups with the IdP +# ### Default: Don't set administrator group with SAML attributes +#SAML_GROUP_ADMIN_NAME = 'GroupName' + +## Attribute to get operator status for groups with the IdP +# ### Default: Don't set operator group with SAML attributes +#SAML_GROUP_OPERATOR_NAME = 'GroupName' + # ## Attribute to get account names from # ### Default: Don't control accounts with SAML attribute # ### If set, the user will be added and removed from accounts to match
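Review bot: The two new comment headers describe SAML_GROUP_ADMIN_NAME and SAML_GROUP_OPERATOR_NAME as an "Attribute", but the value is a group name that saml_authorized compares against the user's group list (`admin_group_name in user_groups` in the index.py hunks), so the wording points whoever configures this privilege grant at the wrong thing. Suggest `## Name of the IdP group whose members are given the Administrator role` and `## Name of the IdP group whose members are given the Operator role`, and a line in each noting that the admin group is checked first when a user is in both.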