Improve account creation/permission handling based on Azure oAuth group membership (#877)

2021-01-31 10:31:56 +00:00 · 2021-01-31 10:31:56 +00:00 · 4c19f95928
parent 3a4efebf95
commit 4c19f95928
1 changed files with 45 additions and 24 deletions
--- a/powerdnsadmin/routes/index.py
+++ b/powerdnsadmin/routes/index.py
@ -282,46 +282,52 @@ def login():
        # Handle account/group creation, if enabled
        if Setting().get('azure_group_accounts_enabled') and mygroups:
            current_app.logger.info('Azure group account sync enabled')
+            name_value = Setting().get('azure_group_accounts_name')
+            description_value = Setting().get('azure_group_accounts_description')
+            select_values = name_value
+            if description_value != '':
+                select_values += ',' + description_value
+
+            mygroups = get_azure_groups(
+                'me/memberOf/microsoft.graph.group?$count=false&$securityEnabled=true&$select={}'.format(select_values))
+
+            description_pattern = Setting().get('azure_group_accounts_description_re')
+            pattern = Setting().get('azure_group_accounts_name_re')
+
+            # Loop through users security groups
            for azure_group in mygroups:
-
-                name_value = Setting().get('azure_group_accounts_name')
-                description_value = Setting().get('azure_group_accounts_description')
-
-                select_values = name_value
-                if description_value != '':
-                    select_values += ',' + description_value
-                azure_group_info = azure.get('groups/{}?$select={}'.format(azure_group, select_values)).text
-                current_app.logger.info('Group name for {}: {}'.format(azure_group, azure_group_info))
-                group_info = json.loads(azure_group_info)
-                if name_value in group_info:
-                    group_name = group_info[name_value]
+                if name_value in azure_group:
+                    group_name = azure_group[name_value]
                    group_description = ''
-                    if description_value in group_info:
-                        group_description = group_info[description_value]
+                    if description_value in azure_group:
+                        group_description = azure_group[description_value]

                        # Do regex search if enabled for group description
-                        description_pattern = Setting().get('azure_group_accounts_description_re')
                        if description_pattern != '':
-                            current_app.logger.info('Matching group description {} against regex {}'.format(group_description, description_pattern))
-                            matches = re.match(description_pattern,group_description)
+                            current_app.logger.info('Matching group description {} against regex {}'.format(
+                                group_description, description_pattern))
+                            matches = re.match(
+                                description_pattern, group_description)
                            if matches:
-                                current_app.logger.info('Group {} matched regexp'.format(group_description))
+                                current_app.logger.info(
+                                    'Group {} matched regexp'.format(group_description))
                                group_description = matches.group(1)
                            else:
                                # Regexp didn't match, continue to next iteration
-                                next
+                                continue

                    # Do regex search if enabled for group name
-                    pattern = Setting().get('azure_group_accounts_name_re')
                    if pattern != '':
-                        current_app.logger.info('Matching group name {} against regex {}'.format(group_name, pattern))  
-                        matches = re.match(pattern,group_name)
+                        current_app.logger.info(
+                            'Matching group name {} against regex {}'.format(group_name, pattern))
+                        matches = re.match(pattern, group_name)
                        if matches:
-                            current_app.logger.info('Group {} matched regexp'.format(group_name))
+                            current_app.logger.info(
+                                'Group {} matched regexp'.format(group_name))
                            group_name = matches.group(1)
                        else:
                            # Regexp didn't match, continue to next iteration
-                            next
+                            continue

                    account = Account()
                    account_id = account.get_id_by_name(account_name=group_name)
@ -512,6 +518,21 @@ def signin_history(username, authenticator, success):
            }),
            created_by='System').add()

+# Get a list of Azure security groups the user is a member of
+def get_azure_groups(uri):
+    azure_info = azure.get(uri).text
+    current_app.logger.info('Azure groups returned: ' + azure_info)
+    grouplookup = json.loads(azure_info)
+    if "value" in grouplookup:
+        mygroups = grouplookup["value"]
+        # If "@odata.nextLink" exists in the results, we need to get more groups
+        if "@odata.nextLink" in grouplookup:
+            # The additional groups are added to the existing array
+            mygroups.extend(get_azure_groups(grouplookup["@odata.nextLink"]))
+    else:
+        mygroups = []
+    return mygroups
+

@index_bp.route('/logout')
 def logout():