Added SAML Autoprovisioning settings in config

configs/development.py

@@ -147,6 +147,37 @@ SAML_ENABLED = False
 # #SAML_LOGOUT_URL = 'https://google.com'
 
 # #SAML_ASSERTION_ENCRYPTED = True
+# SAML_WANT_MESSAGE_SIGNED
+
+# SAML Autoprovisioning
+# If toggled on, the PDA Role and the associations of users found in the local db
+# will be directly updated from the SAML IDP every time they log in.
+# NOTE: This feature and the assertion of "Admin / Account" attributes are mutually exclusive.
+# If used, the values for Admin/Account given above will be ignored.
+SAML_AUTOPROVISIONING = True
+# The urn value of the attribute in the SAML Authn Response where PDA will look
+# for a new Role and/or new associations to domains/accounts.
+# Example: urn:oid:1.3.6.1.4.1.5923.1.1.1.7
+# The record syntax for this attribute inside the SAML Response must look like:
+# prefix:powerdns-admin:PDA-Role, to provision an Administrator or Operator, or
+# prefix:powerdns-admin:User:<domain>:<account>, provision a User
+# who has access to one or more Domains and belongs to one or more Accounts.
+# the "prefix" is given in the next attribute
+SAML_AUTOPROVISIONING_ATTRIBUTE = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7'
+# The prefix used before the static keyword "powerdns-admin" for your entitlements
+# in the SAML Response. Must be a valid URN.
+# Example: urn:mace:example.com
+SAML_URN_PREFIX = 'urn:mace:example.com'
+# If toggled on, SAML logins that have no valid "powerdns-admin" records
+# to their autoprovisioning field, will lose all their associations
+# with any domain or account, also reverting to a User in the process,
+# despite their current role in the local db.
+# If toggled off, in the same scenario they get to keep
+# their existing associations and their current Role.
+### CAUTION: Enabling this feature will revoke existing users' access to their
+# associated domains unless they have their autoprovisioning field prepopulated.
+SAML_PURGE = False
+
 
 # Remote authentication settings
 

powerdnsadmin/routes/index.py

@@ -1049,19 +1049,21 @@ def saml_authorized():
                         user.username),
                                     created_by='SAML Autoprovision')
                     history.add()
+                user.revoke_privilege(True)
             elif len(Entitlements)!=0:
                 if checkForPDAEntries(Entitlements, urn_prefix):
                     user.updateUser(Entitlements, urn_prefix)
                 else:
                     current_app.logger.warning('Not a single powerdns-admin record was found, possibly a typo in the prefix')
                     if Setting().get('saml_purge'):
-                        current_app.logger.warning('Procceding to revoke every privilige from ' +  user.username + '.' )
+                        current_app.logger.warning('Procceding to revoke every privilege from ' +  user.username + '.' )
                         if user.role.name != 'User':
                             user.role_id = Role.query.filter_by(name='User').first().id
                             history = History(msg='Demoting {0} to user'.format(
                                 user.username),
                                             created_by='SAML Autoprovision')
                             history.add()
+                        user.revoke_privilege(True)
 
         user.plain_text_password = None
         user.update_profile()