Update authorization funcs
GeorgianaElena committed Apr 12, 2023
1 parent 4d1d970 commit 3484ede
Showing 3 changed files with 14 additions and 6 deletions.
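--- a/oauthenticator/generic.py
+++ b/oauthenticator/generic.py
@@ -116,7 +116,7 @@ def get_user_groups(self, user_info):
 
 async def user_is_authorized(self, auth_model):
 user_info = auth_model["auth_state"][self.user_auth_state_key]
-if not self.allowed_users and (self.allowed_groups or self.admin_groups):
+if self.allowed_groups:
 self.log.info(
 f"Validating if user claim groups match any of {self.allowed_groups}"
 )
@@ -125,8 +125,11 @@ async def user_is_authorized(self, auth_model):
 if not groups:
 return False
 
+all_allowed_groups = self.allowed_groups
+if self.admin_groups:
+all_allowed_groups += self.admin_groups
 if not self.user_groups_in_allowed_groups(
-groups, self.allowed_groups + self.admin_groups
+groups, all_allowed_groups
 ):
 return False
 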
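Review bot: `all_allowed_groups += self.admin_groups` on the new side is applied to the very object bound to `self.allowed_groups`, and since the removed line concatenated the two with `+` they look like lists, so the `+=` extends the configured `allowed_groups` trait in place and appends the admin groups to it again on every authorization call. Rebind instead of mutating: `all_allowed_groups = all_allowed_groups + self.admin_groups`, or simply `all_allowed_groups = list(self.allowed_groups) + list(self.admin_groups)` if `admin_groups` defaults to an empty list, which also drops the need for the `if self.admin_groups` guard. Separately, the new guard `if self.allowed_groups:` no longer covers the admin-groups-only configuration the removed `or self.admin_groups` handled, so a deployment that sets only `admin_groups` skips this membership check entirely; if admin groups are still meant to gate sign-in, the condition should be `if self.allowed_groups or self.admin_groups:`. The body of user_is_authorized continues past the hunk, so whether such users are denied later is not visible here.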
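--- a/oauthenticator/google.py
+++ b/oauthenticator/google.py
@@ -124,7 +124,7 @@ async def user_is_authorized(self, auth_model):
 403, f"Google account domain @{user_email_domain} not authorized."
 )
 
-if not self.allowed_users and (self.allowed_google_groups or self.admin_google_groups):
+if self.allowed_google_groups:
 google_groups = self._google_groups_for_user(user_email, user_email_domain)
 if not google_groups:
 return False
@@ -134,7 +134,9 @@ async def user_is_authorized(self, auth_model):
 # Check if user is a member of any allowed or admin groups.
 allowed_groups_per_domain = self.allowed_google_groups.get(
 user_email_domain, []
-) + self.admin_google_groups.get(user_email_domain, [])
+)
+if self.admin_google_groups:
+allowed_groups_per_domain += self.admin_google_groups.get(user_email_domain, [])
 if not allowed_groups_per_domain:
 return False
 else: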
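Review bot: `allowed_groups_per_domain += self.admin_google_groups.get(user_email_domain, [])` on the new side mutates the list obtained from `self.allowed_google_groups.get(user_email_domain, [])`, and when that domain is present in the config dict `.get` hands back the stored list itself rather than a copy, so the configured `allowed_google_groups[domain]` entry grows by the admin groups on every login from that domain (the `[]` default only protects domains that are absent). Rebind instead of extending in place: `allowed_groups_per_domain = allowed_groups_per_domain + self.admin_google_groups.get(user_email_domain, [])`. The new guard `if self.allowed_google_groups:` also drops the `or self.admin_google_groups` alternative from the removed condition, so a configuration with only admin groups never reaches this membership check; the remainder of user_is_authorized lies outside the hunk, so what happens to those users afterwards is not visible here.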
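--- a/oauthenticator/openshift.py
+++ b/oauthenticator/openshift.py
@@ -110,11 +110,14 @@ async def user_is_authorized(self, auth_model):
 user_groups = set(auth_model['auth_state']['openshift_user']['groups'])
 username = auth_model['name']
 
-if not self.allowed_users and (self.allowed_groups or self.admin_groups):
+if self.allowed_groups:
 msg = f"username:{username} User not in any of the allowed/admin groups"
 # User is authorized if either in allowed_groups or in admin_groups
+all_allowed_groups = self.allowed_groups
+if self.admin_groups:
+all_allowed_groups = all_allowed_groups.unions(self.admin_groups)
 if not self.user_groups_in_allowed_groups(
-user_groups, self.allowed_groups.union(self.admin_groups)
+user_groups, all_allowed_groups
 ):
 self.log.warning(msg)
 return False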
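Review bot: `all_allowed_groups.unions(self.admin_groups)` on the new side calls a method that `set` does not have — the removed line used the real name, `union` — so whenever `admin_groups` is configured together with `allowed_groups` this raises AttributeError on every login instead of evaluating membership; that fails closed, but it breaks the feature rather than enforcing it. The line should read `all_allowed_groups = all_allowed_groups.union(self.admin_groups)`, which presumes `allowed_groups` is a set as the removed `.union` call suggests. The new guard `if self.allowed_groups:` also drops the `or self.admin_groups` alternative from the removed condition, so an admin-groups-only configuration skips this check entirely; whether those users are denied later is outside the hunk, as is the rest of user_is_authorized.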
