Merge pull request #1118 from cropalato/master
Fixing AD login when there is an infinite loop in memberOf groups.
This commit is contained in:
commit
c9c82d4244
@ -174,28 +174,6 @@ class User(db.Model):
|
|||||||
current_app.logger.error(e)
|
current_app.logger.error(e)
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def ad_recursive_groups(self, groupDN):
|
|
||||||
"""
|
|
||||||
Recursively list groups belonging to a group. It will allow checking deep in the Active Directory
|
|
||||||
whether a user is allowed to enter or not
|
|
||||||
"""
|
|
||||||
LDAP_BASE_DN = Setting().get('ldap_base_dn')
|
|
||||||
groupSearchFilter = "(&(objectcategory=group)(member=%s))" % ldap.filter.escape_filter_chars(
|
|
||||||
groupDN)
|
|
||||||
result = [groupDN]
|
|
||||||
try:
|
|
||||||
groups = self.ldap_search(groupSearchFilter, LDAP_BASE_DN)
|
|
||||||
for group in groups:
|
|
||||||
result += [group[0][0]]
|
|
||||||
if 'memberOf' in group[0][1]:
|
|
||||||
for member in group[0][1]['memberOf']:
|
|
||||||
result += self.ad_recursive_groups(
|
|
||||||
member.decode("utf-8"))
|
|
||||||
return result
|
|
||||||
except ldap.LDAPError as e:
|
|
||||||
current_app.logger.exception("Recursive AD Group search error")
|
|
||||||
return result
|
|
||||||
|
|
||||||
def is_validate(self, method, src_ip='', trust_user=False):
|
def is_validate(self, method, src_ip='', trust_user=False):
|
||||||
"""
|
"""
|
||||||
Validate user credential
|
Validate user credential
|
||||||
@ -307,7 +285,17 @@ class User(db.Model):
|
|||||||
LDAP_USER_GROUP))
|
LDAP_USER_GROUP))
|
||||||
return False
|
return False
|
||||||
elif LDAP_TYPE == 'ad':
|
elif LDAP_TYPE == 'ad':
|
||||||
user_ldap_groups = []
|
ldap_admin_group_filter, ldap_operator_group, ldap_user_group = "", "", ""
|
||||||
|
if LDAP_ADMIN_GROUP:
|
||||||
|
ldap_admin_group_filter = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_ADMIN_GROUP)
|
||||||
|
if LDAP_OPERATOR_GROUP:
|
||||||
|
ldap_operator_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_OPERATOR_GROUP)
|
||||||
|
if LDAP_USER_GROUP:
|
||||||
|
ldap_user_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_USER_GROUP)
|
||||||
|
searchFilter = "(&({0}={1})(|{2}{3}{4}))".format(LDAP_FILTER_USERNAME, self.username,
|
||||||
|
LDAP_FILTER_GROUP, ldap_admin_group_filter,
|
||||||
|
ldap_operator_group, ldap_user_group)
|
||||||
|
ldap_result = self.ldap_search(searchFilter, LDAP_BASE_DN)
|
||||||
user_ad_member_of = ldap_result[0][0][1].get(
|
user_ad_member_of = ldap_result[0][0][1].get(
|
||||||
'memberOf')
|
'memberOf')
|
||||||
|
|
||||||
@ -317,26 +305,21 @@ class User(db.Model):
|
|||||||
.format(self.username))
|
.format(self.username))
|
||||||
return False
|
return False
|
||||||
|
|
||||||
for group in [
|
user_ad_member_of = [g.decode("utf-8") for g in user_ad_member_of]
|
||||||
g.decode("utf-8")
|
|
||||||
for g in user_ad_member_of
|
|
||||||
]:
|
|
||||||
user_ldap_groups += self.ad_recursive_groups(
|
|
||||||
group)
|
|
||||||
|
|
||||||
if (LDAP_ADMIN_GROUP in user_ldap_groups):
|
if (LDAP_ADMIN_GROUP in user_ad_member_of):
|
||||||
role_name = 'Administrator'
|
role_name = 'Administrator'
|
||||||
current_app.logger.info(
|
current_app.logger.info(
|
||||||
'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'
|
'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin'
|
||||||
.format(self.username,
|
.format(self.username,
|
||||||
LDAP_ADMIN_GROUP))
|
LDAP_ADMIN_GROUP))
|
||||||
elif (LDAP_OPERATOR_GROUP in user_ldap_groups):
|
elif (LDAP_OPERATOR_GROUP in user_ad_member_of):
|
||||||
role_name = 'Operator'
|
role_name = 'Operator'
|
||||||
current_app.logger.info(
|
current_app.logger.info(
|
||||||
'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin'
|
'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin'
|
||||||
.format(self.username,
|
.format(self.username,
|
||||||
LDAP_OPERATOR_GROUP))
|
LDAP_OPERATOR_GROUP))
|
||||||
elif (LDAP_USER_GROUP in user_ldap_groups):
|
elif (LDAP_USER_GROUP in user_ad_member_of):
|
||||||
current_app.logger.info(
|
current_app.logger.info(
|
||||||
'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'
|
'User {0} is part of the "{1}" group that allows user access to PowerDNS-Admin'
|
||||||
.format(self.username,
|
.format(self.username,
|
||||||
@ -636,7 +619,7 @@ class User(db.Model):
|
|||||||
for q in query:
|
for q in query:
|
||||||
accounts.append(q[1])
|
accounts.append(q[1])
|
||||||
return accounts
|
return accounts
|
||||||
|
|
||||||
def get_qrcode_value(self):
|
def get_qrcode_value(self):
|
||||||
img = qrc.make(self.get_totp_uri(),
|
img = qrc.make(self.get_totp_uri(),
|
||||||
image_factory=qrc_svg.SvgPathImage)
|
image_factory=qrc_svg.SvgPathImage)
|
||||||
@ -797,11 +780,11 @@ def get_role_names(roles):
|
|||||||
"""
|
"""
|
||||||
roles_list=[]
|
roles_list=[]
|
||||||
for role in roles:
|
for role in roles:
|
||||||
roles_list.append(role.name)
|
roles_list.append(role.name)
|
||||||
return roles_list
|
return roles_list
|
||||||
|
|
||||||
def getUserInfo(DomainsOrAccounts):
|
def getUserInfo(DomainsOrAccounts):
|
||||||
current=[]
|
current=[]
|
||||||
for DomainOrAccount in DomainsOrAccounts:
|
for DomainOrAccount in DomainsOrAccounts:
|
||||||
current.append(DomainOrAccount.name)
|
current.append(DomainOrAccount.name)
|
||||||
return current
|
return current
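Review bot: The three matching-rule filters built at `ldap_admin_group_filter = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_ADMIN_GROUP)` (and the operator/user equivalents in the same hunk) interpolate the configured group DN into the search filter unescaped, whereas the removed ad_recursive_groups ran its DN through `ldap.filter.escape_filter_chars`; a DN containing `(`, `)`, `*` or `\` produces a malformed or differently-matching filter, so wrap each value as `.format(ldap.filter.escape_filter_chars(LDAP_ADMIN_GROUP))`. The new searchFilter line also interpolates `self.username` directly — unless it is escaped earlier in is_validate (the start of that method lies outside the hunk), that is an LDAP filter injection point and deserves the same escaping. Separately, the filter matches membership transitively, but the role checks `if (LDAP_ADMIN_GROUP in user_ad_member_of):` compare against the user's direct memberOf values only, so a user who is only a nested member of the admin group passes the search yet fails every role test; what happens to them after the elif chain is outside this view. If nested members are meant to receive the role, derive it from a per-group search using the 1.2.840.113556.1.4.1941 filter rather than from the memberOf attribute.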