From 9316c6629149441fdf2c24418586d78f67d72978 Mon Sep 17 00:00:00 2001
From: vmarkop
Date: Wed, 15 Dec 2021 17:30:57 +0200
Subject: [PATCH] Added SAML Autoprovisioning settings in config

---
 configs/development.py | 31 +++++++++++++++++++++++++++++++
 powerdnsadmin/routes/index.py | 4 +++-
 2 files changed, 34 insertions(+), 1 deletion(-)

diff --git a/configs/development.py b/configs/development.py
index 2c2e63d..40fcc62 100644
--- a/configs/development.py
+++ b/configs/development.py
@@ -147,6 +147,37 @@ SAML_ENABLED = False
 # #SAML_LOGOUT_URL = 'https://google.com'
 # #SAML_ASSERTION_ENCRYPTED = True
+# SAML_WANT_MESSAGE_SIGNED
+
+# SAML Autoprovisioning
+# If toggled on, the PDA Role and the associations of users found in the local db
+# will be directly updated from the SAML IDP every time they log in.
+# NOTE: This feature and the assertion of "Admin / Account" attributes are mutually exclusive.
+# If used, the values for Admin/Account given above will be ignored.
+SAML_AUTOPROVISIONING = True
+# The urn value of the attribute in the SAML Authn Response where PDA will look
+# for a new Role and/or new associations to domains/accounts.
+# Example: urn:oid:1.3.6.1.4.1.5923.1.1.1.7
+# The record syntax for this attribute inside the SAML Response must look like:
+# prefix:powerdns-admin:PDA-Role, to provision an Administrator or Operator, or
+# prefix:powerdns-admin:User::, provision a User
+# who has access to one or more Domains and belongs to one or more Accounts.
+# the "prefix" is given in the next attribute
+SAML_AUTOPROVISIONING_ATTRIBUTE = 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7'
+# The prefix used before the static keyword "powerdns-admin" for your entitlements
+# in the SAML Response. Must be a valid URN.
+# Example: urn:mace:example.com
+SAML_URN_PREFIX = 'urn:mace:example.com'
+# If toggled on, SAML logins that have no valid "powerdns-admin" records
+# to their autoprovisioning field, will lose all their associations
+# with any domain or account, also reverting to a User in the process,
+# despite their current role in the local db.
+# If toggled off, in the same scenario they get to keep
+# their existing associations and their current Role.
+### CAUTION: Enabling this feature will revoke existing users' access to their
+# associated domains unless they have their autoprovisioning field prepopulated.
+SAML_PURGE = False
+
 # Remote authentication settings
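Review bot: `SAML_AUTOPROVISIONING = True` ships the sample config with a privilege-changing feature switched on, and the NOTE just above it says that once it is on the Admin/Account attribute settings earlier in the file are ignored; a sample config normally defaults such a feature off, `SAML_AUTOPROVISIONING = False`, so an operator who copies this file and only fills in the IdP settings keeps the documented Admin/Account behaviour until they opt in. `SAML_ENABLED = False` in the hunk context presumably gates the whole block, which limits the blast radius, but if the `True` default is deliberate a one-line comment saying so would stop reviewers re-raising it. `SAML_URN_PREFIX = 'urn:mace:example.com'` is a placeholder, and the `SAML_PURGE` comment could spell out what happens when the prefix is left unchanged: presumably no entitlement ever matches, which is harmless while `SAML_PURGE = False` but strips every SAML user's role and associations at their next login once purge is enabled.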
diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py
index 78e065d..205e319 100644
--- a/powerdnsadmin/routes/index.py
+++ b/powerdnsadmin/routes/index.py
@@ -1049,19 +1049,21 @@ def saml_authorized():
 user.username), created_by='SAML Autoprovision')
 history.add()
+ user.revoke_privilege(True)
 elif len(Entitlements)!=0:
 if checkForPDAEntries(Entitlements, urn_prefix):
 user.updateUser(Entitlements, urn_prefix)
 else:
 current_app.logger.warning('Not a single powerdns-admin record was found, possibly a typo in the prefix')
 if Setting().get('saml_purge'):
- current_app.logger.warning('Procceding to revoke every privilige from ' + user.username + '.' )
+ current_app.logger.warning('Procceding to revoke every privilege from ' + user.username + '.' )
 if user.role.name != 'User':
 user.role_id = Role.query.filter_by(name='User').first().id
 history = History(msg='Demoting {0} to user'.format(
 user.username), created_by='SAML Autoprovision')
 history.add()
+ user.revoke_privilege(True)
 user.plain_text_password = None
 user.update_profile()
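Review bot: The second added `user.revoke_privilege(True)` lives in the `else:` branch whose own warning says the missing powerdns-admin records are "possibly a typo in the prefix", so with `saml_purge` enabled a mis-set `SAML_URN_PREFIX` or an IdP that stops emitting the attribute demotes and strips every SAML user at their next login instead of failing safe; consider treating "entitlements present but none match the prefix" as a configuration error (log at error level, skip the demotion and revoke) and reserving the purge for the no-entitlements case handled by the first added line. The indentation is not recoverable on this page, so it is worth confirming that this call sits inside `if Setting().get('saml_purge'):` and not at the `else:` level, where it would revoke even with purge disabled. The bare positional `True` tells a reader nothing; if `revoke_privilege` takes a named flag, pass it by keyword. The retained message still reads `'Procceding to revoke every privilege from '`; `'Proceeding to revoke every privilege from '` fixes the remaining typo, and the `if` that guards the first `user.revoke_privilege(True)` as well as the rest of `saml_authorized` lie outside the hunk.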