diff --git a/powerdnsadmin/models/setting.py b/powerdnsadmin/models/setting.py
index a713d76..d73e34b 100644
--- a/powerdnsadmin/models/setting.py
+++ b/powerdnsadmin/models/setting.py
@@ -111,7 +111,7 @@ class Setting(db.Model):
 'oidc_oauth_account_name_property': '',
 'oidc_oauth_account_description_property': '',
 'saml_autoprovisioning': False,
- 'saml_urn_value': '',
+ 'saml_urn_prefix': '',
 'saml_autoprovisioning_attribute': '',
 'saml_purge': False,
 'forward_records_allow_edit': {
diff --git a/powerdnsadmin/routes/index.py b/powerdnsadmin/routes/index.py
index 2fb3b4b..9586966 100644
--- a/powerdnsadmin/routes/index.py
+++ b/powerdnsadmin/routes/index.py
@@ -1035,9 +1035,9 @@ def saml_authorized():
 created_by='SAML Assertion')
 history.add()
 elif Setting().get('saml_autoprovisioning'):
- urn_value = Setting().get('saml_urn_value') # urn_value for
- key = Setting().get('saml_autoprovisioning_attribute')
- Entitlements = read_saml_entitlements(urn_value, session['samlUserdata'])
+ urn_prefix = Setting().get('saml_urn_prefix')
+ autoprovisioning_attribute = Setting().get('saml_autoprovisioning_attribute')
+ Entitlements = read_saml_entitlements(urn_prefix, autoprovisioning_attribute, session['samlUserdata'])
 if len(Entitlements)==0 and Setting().get('saml_purge'):
 if user.role.name != 'User':
 user.role_id = Role.query.filter_by(name='User').first().id
@@ -1046,8 +1046,8 @@ def saml_authorized():
 created_by='SAML Autoprovision')
 history.add()
 elif len(Entitlements)!=0:
- if checkForPDAEntries(Entitlements, urn_value):
- user.updateUser(Entitlements, urn_value)
+ if checkForPDAEntries(Entitlements, autoprovisioning_attribute):
+ user.updateUser(Entitlements, autoprovisioning_attribute)
 else:
 current_app.logger.warning('Not a single powerdns-admin record was found, possibly a typo in the prefix')
 if Setting().get('saml_purge'):
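Review bot: The `if len(Entitlements)==0 and Setting().get('saml_purge'):` branch now also catches a mistyped `saml_urn_prefix`, because read_saml_entitlements filters on the prefix before returning, so a configuration typo (or an IdP that stops sending the attribute) demotes the user to 'User' with no log line naming the cause; the existing "typo in the prefix" warning in the next hunk is only reached after entries have already matched the prefix. Add a diagnostic at the top of that branch, e.g. `current_app.logger.warning('No SAML entitlement matched saml_urn_prefix %r in attribute %r', urn_prefix, autoprovisioning_attribute)`. Since the setting key changed from `saml_urn_value` to `saml_urn_prefix`, a deployment that persisted the old key will presumably read the default `''` here — worth a release note or a one-off migration. saml_authorized starts and ends outside this hunk, and checkForPDAEntries/updateUser are not visible in the diff.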
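Review bot: The warning text `'Not a single powerdns-admin record was found, possibly a typo in the prefix'` no longer describes how the `else:` branch is reached — every entry in Entitlements already matched `urn_prefix` in read_saml_entitlements, so a prefix typo cannot be the cause here; the remaining explanation is that checkForPDAEntries (outside this hunk) recognised no role/account segment after the delimiter. Reword it and include what an operator needs for triage, e.g. `current_app.logger.warning('No powerdns-admin entry recognised in SAML attribute %r (prefix %r)', autoprovisioning_attribute, urn_prefix)`. The enclosing saml_authorized body continues outside the hunk.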
@@ -1068,11 +1068,13 @@ def saml_authorized():
 else:
 return render_template('errors/SAML.html', errors=errors)
 
-def read_saml_entitlements(urn_value, saml_userdata):
+def read_saml_entitlements(urn_prefix, autoprovisioning_attribute, saml_userdata):
 Entitlements = []
- if urn_value in saml_userdata:
- for k in saml_userdata[urn_value]:
- Entitlements.append(k)
+ if autoprovisioning_attribute in saml_userdata:
+ for k in saml_userdata[autoprovisioning_attribute]:
+ pref = k.split(":powerdns-admin:")[0]
+ if pref == urn_prefix:
+ Entitlements.append(k)
 return Entitlements
 
 def create_group_to_account_mapping():
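Review bot: `pref = k.split(":powerdns-admin:")[0]` accepts an attribute value that contains no `:powerdns-admin:` delimiter at all whenever the whole value equals `urn_prefix`, since `split` then returns the value unchanged; because this list is what later drives role and account assignment, the filter should require the delimiter as well as the exact prefix, e.g. `pref, sep, _ = k.partition(":powerdns-admin:")` followed by `if sep and pref == urn_prefix:`. The exact-equality comparison on the prefix (rather than a startswith check) is the right choice for an authorization filter and should stay. The function also has no docstring; add one along the lines of `"""Return the values of *autoprovisioning_attribute* in *saml_userdata* whose text before ':powerdns-admin:' equals *urn_prefix*; empty when the attribute is absent."""`.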