Added SAML Autoprovisioning

This commit is contained in:
vmarkop 2021-12-08 13:37:17 +02:00
parent d2f35a4059
commit 0f8b8984a2
3 changed files with 81 additions and 47 deletions


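--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -110,6 +110,10 @@ class Setting(db.Model):
 'oidc_oauth_email': 'email',
 'oidc_oauth_account_name_property': '',
 'oidc_oauth_account_description_property': '',
+'saml_autoprovisioning': False,
+'saml_urn_value': '',
+'saml_autoprovisioning_attribute': '',
+'saml_purge': False,
 'forward_records_allow_edit': {
 'A': True,
 'AAAA': True,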


@ -659,11 +659,11 @@ class User(db.Model):
current_app.logger.warning("Cannot apply autoprovisioning on user: {}".format(e)) current_app.logger.warning("Cannot apply autoprovisioning on user: {}".format(e))
return entitlements return entitlements
def updateUser(self, Entitlements): def updateUser(self, Entitlements, urn_value):
""" """
Update user associations based on ldap attribute Update user associations based on ldap attribute
""" """
entitlements= getCorrectEntitlements(Entitlements) entitlements= getCorrectEntitlements(Entitlements, urn_value)
if len(entitlements)!=0: if len(entitlements)!=0:
self.revoke_privilege(True) self.revoke_privilege(True)
for entitlement in entitlements: for entitlement in entitlements:
@ -702,12 +702,11 @@ class User(db.Model):
if account!=None: if account!=None:
account.add_user(user) account.add_user(user)
def getCorrectEntitlements(Entitlements): def getCorrectEntitlements(Entitlements, urn_value):
""" """
Gather a list of valid records from the ldap attribute given Gather a list of valid records from the ldap attribute given
""" """
from ..models.role import Role from ..models.role import Role
urn_value=Setting().get('urn_value')
urnArgs=[x.lower() for x in urn_value.split(':')] urnArgs=[x.lower() for x in urn_value.split(':')]
entitlements=[] entitlements=[]
for Entitlement in Entitlements: for Entitlement in Entitlements:
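Review bot: `getCorrectEntitlements` (L39-L47) now receives `urn_value` from its caller but still calls `urn_value.split(':')` unconditionally; a `None` prefix raises `AttributeError`, and an empty one (the new `'saml_urn_value'` default is `''`) yields `urnArgs == ['']`, which the matching loop further down — outside this hunk — may then accept for every entitlement. A guard at the top of the body, `if not urn_value: return []`, makes a misconfigured prefix a no-op instead of letting `updateUser` revoke and re-grant privileges on it, unless the later matching is meant to handle an empty prefix. Both docstrings (L30 and L41) still say "ldap attribute" although the SAML login path now calls `updateUser` as well; suggest `"""Update user associations from an entitlement attribute (LDAP or SAML), using urn_value as the record prefix."""` and matching wording for `getCorrectEntitlements`. The loop body of `getCorrectEntitlements` continues past the end of the hunk.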


@ -504,7 +504,7 @@ def login():
elif len(Entitlements)!=0: elif len(Entitlements)!=0:
if checkForPDAEntries(Entitlements, urn_value): if checkForPDAEntries(Entitlements, urn_value):
user.updateUser(Entitlements) user.updateUser(Entitlements, urn_value)
else: else:
current_app.logger.warning('Not a single powerdns-admin record was found, possibly a typo in the prefix') current_app.logger.warning('Not a single powerdns-admin record was found, possibly a typo in the prefix')
if Setting().get('purge'): if Setting().get('purge'):
@ -924,7 +924,6 @@ def saml_metadata():
resp = make_response(errors.join(', '), 500) resp = make_response(errors.join(', '), 500)
return resp return resp
@index_bp.route('/saml/authorized', methods=['GET', 'POST']) @index_bp.route('/saml/authorized', methods=['GET', 'POST'])
def saml_authorized(): def saml_authorized():
errors = [] errors = []
@ -989,6 +988,7 @@ def saml_authorized():
user.firstname = name[0] user.firstname = name[0]
user.lastname = ' '.join(name[1:]) user.lastname = ' '.join(name[1:])
if not Setting().get('saml_autoprovisioning'):
if group_attribute_name: if group_attribute_name:
user_groups = session['samlUserdata'].get(group_attribute_name, []) user_groups = session['samlUserdata'].get(group_attribute_name, [])
else: else:
@ -1034,6 +1034,31 @@ def saml_authorized():
user.username), user.username),
created_by='SAML Assertion') created_by='SAML Assertion')
history.add() history.add()
elif Setting().get('saml_autoprovisioning'):
urn_value = Setting().get('saml_urn_value') # urn_value for
key = Setting().get('saml_autoprovisioning_attribute')
Entitlements = read_saml_entitlements(urn_value, session['samlUserdata'])
if len(Entitlements)==0 and Setting().get('saml_purge'):
if user.role.name != 'User':
user.role_id = Role.query.filter_by(name='User').first().id
history = History(msg='Demoting {0} to user'.format(
user.username),
created_by='SAML Autoprovision')
history.add()
elif len(Entitlements)!=0:
if checkForPDAEntries(Entitlements, urn_value):
user.updateUser(Entitlements, urn_value)
else:
current_app.logger.warning('Not a single powerdns-admin record was found, possibly a typo in the prefix')
if Setting().get('saml_purge'):
current_app.logger.warning('Procceding to revoke every privilige from ' + user.username + '.' )
if user.role.name != 'User':
user.role_id = Role.query.filter_by(name='User').first().id
history = History(msg='Demoting {0} to user'.format(
user.username),
created_by='SAML Autoprovision')
history.add()
user.plain_text_password = None user.plain_text_password = None
user.update_profile() user.update_profile()
session['authentication_type'] = 'SAML' session['authentication_type'] = 'SAML'
@ -1043,6 +1068,12 @@ def saml_authorized():
else: else:
return render_template('errors/SAML.html', errors=errors) return render_template('errors/SAML.html', errors=errors)
def read_saml_entitlements(urn_value, saml_userdata):
Entitlements = []
if urn_value in saml_userdata:
for k in saml_userdata[urn_value]:
Entitlements.append(k)
return Entitlements
def create_group_to_account_mapping(): def create_group_to_account_mapping():
group_to_account_mapping_string = current_app.config.get( group_to_account_mapping_string = current_app.config.get(
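Review bot: In the autoprovisioning branch (L75-L98) `key = Setting().get('saml_autoprovisioning_attribute')` is assigned but never used, and `read_saml_entitlements` is called with `urn_value` as the attribute name instead, so the configured attribute setting has no effect and the lookup only works when the SAML attribute happens to be named like the URN prefix; if `key` is meant to select the attribute, the call should read `Entitlements = read_saml_entitlements(key, session['samlUserdata'])`. The two demotion blocks at L80-L85 and L93-L98 are identical and only change `role_id`, while `updateUser` (second file) calls `revoke_privilege(True)` before granting, so a purge here presumably should also drop existing account associations; a shared helper keeps the two copies from drifting, as sketched below. Since L67 already tests `if not Setting().get('saml_autoprovisioning'):`, the `elif Setting().get('saml_autoprovisioning'):` at L75 can be a plain `else:`; the trailing comment on L76 (`# urn_value for`) is truncated, and the warning on L92 misspells "Proceeding" and "privilege". `read_saml_entitlements` (L105-L110) reduces to `return list(saml_userdata.get(urn_value, []))`.
```python
    else:
        urn_value = Setting().get('saml_urn_value')
        key = Setting().get('saml_autoprovisioning_attribute')
        Entitlements = read_saml_entitlements(key, session['samlUserdata'])
        purge = Setting().get('saml_purge')
        if len(Entitlements) == 0 and purge:
            demote_saml_user(user)
        elif len(Entitlements) != 0:
            if checkForPDAEntries(Entitlements, urn_value):
                user.updateUser(Entitlements, urn_value)
            else:
                current_app.logger.warning('Not a single powerdns-admin record was found, possibly a typo in the prefix')
                if purge:
                    current_app.logger.warning('Proceeding to revoke every privilege from ' + user.username + '.')
                    demote_saml_user(user)
    # … unchanged: plain_text_password reset, update_profile(), session setup …


def demote_saml_user(user):
    """Drop *user* to the 'User' role when SAML purge applies; records the change in History."""
    # NOTE(review): if revoke_privilege(True) also clears account associations,
    # call it here so purge matches what updateUser does — confirm.
    if user.role.name != 'User':
        user.role_id = Role.query.filter_by(name='User').first().id
        History(msg='Demoting {0} to user'.format(user.username),
                created_by='SAML Autoprovision').add()
```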