From 21ab12deada1db26d9496d4599371337539babd7 Mon Sep 17 00:00:00 2001
From: Ricardo Melo
Date: Fri, 1 Oct 2021 17:48:42 -0400
Subject: [PATCH] Fixing AD login if there is a infinity loop in memberOf groups.

---
 powerdnsadmin/models/user.py | 38 ++++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 15 deletions(-)

diff --git a/powerdnsadmin/models/user.py b/powerdnsadmin/models/user.py
index 72491a3..11b6291 100644
--- a/powerdnsadmin/models/user.py
+++ b/powerdnsadmin/models/user.py
@@ -304,36 +304,46 @@ class User(db.Model): LDAP_USER_GROUP)) return False elif LDAP_TYPE == 'ad': - user_ldap_groups = [] + if LDAP_ADMIN_GROUP: + ldap_admin_group_filter = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_ADMIN_GROUP) + else: + ldap_admin_group_filter = "" + if LDAP_OPERATOR_GROUP: + ldap_operator_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_OPERATOR_GROUP) + else: + ldap_operator_group = "" + if LDAP_USER_GROUP: + ldap_user_group = "(memberOf:1.2.840.113556.1.4.1941:={0})".format(LDAP_USER_GROUP) + else: + ldap_user_group = "" + searchFilter = "(&({0}={1})(|{2}{3}{4}))".format(LDAP_FILTER_USERNAME, self.username, LDAP_FILTER_GROUP, ldap_admin_group_filter, ldap_operator_group, ldap_user_group) + ldap_result = self.ldap_search(searchFilter, LDAP_BASE_DN) + + user_ad_member_of = ldap_result[0][0][1].get( 'memberOf') - if not user_ad_member_of: current_app.logger.error( 'User {0} does not belong to any group while LDAP_GROUP_SECURITY_ENABLED is ON' .format(self.username)) return False - for group in [ - g.decode("utf-8") - for g in user_ad_member_of - ]: - user_ldap_groups += self.ad_recursive_groups( - group) + for i in range(len(user_ad_member_of)): + user_ad_member_of[i] = user_ad_member_of[i].decode("utf-8") - if (LDAP_ADMIN_GROUP in user_ldap_groups): + if (LDAP_ADMIN_GROUP in user_ad_member_of): role_name = 'Administrator' current_app.logger.info( 'User {0} is part of the "{1}" group that allows admin access to PowerDNS-Admin' .format(self.username, LDAP_ADMIN_GROUP)) - elif (LDAP_OPERATOR_GROUP in user_ldap_groups): + elif (LDAP_OPERATOR_GROUP in user_ad_member_of): role_name = 'Operator' current_app.logger.info( 'User {0} is part of the "{1}" group that allows operator access to PowerDNS-Admin' .format(self.username, LDAP_OPERATOR_GROUP)) - elif (LDAP_USER_GROUP in user_ldap_groups): + elif (LDAP_USER_GROUP in user_ad_member_of): current_app.logger.info( 'User {0} is part of the "{1}" group that allows user access to 
PowerDNS-Admin' .format(self.username, @@ -786,14 +796,12 @@ def get_role_names(roles): """ roles_list=[] for role in roles: - roles_list.append(role.name) + roles_list.append(role.name) return roles_list - + def getUserInfo(DomainsOrAccounts): current=[] for DomainOrAccount in DomainsOrAccounts: current.append(DomainOrAccount.name) return current - -
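Review bot: The new `searchFilter =` line has five placeholders but is passed six arguments, so `str.format` silently discards the last one and `ldap_user_group` never reaches the filter — a user who is only in LDAP_USER_GROUP is not returned by the search — while the `(|{2}{3}{4})` alternation instead starts with LDAP_FILTER_GROUP, which by its name is a group-object filter and cannot match a user entry; the argument list should be `LDAP_FILTER_USERNAME, self.username, ldap_admin_group_filter, ldap_operator_group, ldap_user_group` (or a sixth placeholder added if LDAP_FILTER_GROUP really belongs there). Because membership is now enforced by the search itself, an empty result is the normal outcome for a non-member, yet `ldap_result[0][0][1]` is indexed unguarded and will raise IndexError instead of logging and returning False. Note also that the 1.2.840.113556.1.4.1941 matching rule resolves nested membership server-side while the three `in user_ad_member_of` checks still compare against the direct memberOf values, so a user who reaches a configured group only through a nested group passes the filter but matches none of the role branches, which is the recursion the removed ad_recursive_groups call used to provide. `self.username` is still interpolated into the filter unescaped; if python-ldap is in scope here, `ldap.filter.escape_filter_chars(self.username)` should be used at that point. The enclosing method starts before and continues past this hunk, and the second hunk is whitespace-only.
```python
# … unchanged: the three memberOf:1.2.840.113556.1.4.1941 filter fragments …
searchFilter = "(&({0}={1})(|{2}{3}{4}))".format(
    LDAP_FILTER_USERNAME, self.username,
    ldap_admin_group_filter, ldap_operator_group, ldap_user_group)
ldap_result = self.ldap_search(searchFilter, LDAP_BASE_DN)
if not ldap_result:
    # Membership is enforced by the filter, so "no entry" means "not a member".
    current_app.logger.error(
        'User {0} does not belong to any group while LDAP_GROUP_SECURITY_ENABLED is ON'
        .format(self.username))
    return False

user_ad_member_of = ldap_result[0][0][1].get(
    'memberOf')
# … unchanged: memberOf decode loop and role assignment …
```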