Update where admin status is set and considered

oauthenticator/bitbucket.py

@@ -49,17 +49,12 @@ async def _fetch_user_teams(self, access_token, token_type):
 
     async def update_auth_model(self, auth_model):
         """
-        Set the admin status based on finding the username in `admin_users` and
-        fetch user teams if `allowed_teams` is configured.
+        Fetch and store `user_teams` in auth state if `allowed_teams` is
+        configured.
         """
-        access_token = auth_model["auth_state"]["token_response"]["access_token"]
-        token_type = auth_model["auth_state"]["token_response"]["token_type"]
-
-        username = auth_model["name"]
-        if username in self.admin_users:
-            auth_model["admin"] = True
-
         if self.allowed_teams:
+            access_token = auth_model["auth_state"]["token_response"]["access_token"]
+            token_type = auth_model["auth_state"]["token_response"]["token_type"]
             user_teams = await self._fetch_user_teams(access_token, token_type)
             auth_model["auth_state"]["user_teams"] = user_teams
 

oauthenticator/generic.py

@@ -118,18 +118,17 @@ def get_user_groups(self, user_info):
 
     async def update_auth_model(self, auth_model):
         """
-        Set the admin status based on finding the username in `admin_users` or
-        finding a user group part of `admin_groups`.
+        Update admin status based on `admin_groups` if its configured.
         """
-        user_info = auth_model["auth_state"][self.user_auth_state_key]
-
-        username = auth_model["name"]
-        if username in self.admin_users:
-            auth_model["admin"] = True
-        elif self.admin_groups:
-            # if admin_groups is configured, we must either set or unset admin
-            # status and never leave it at None, otherwise removing a user from
-            # the admin_groups won't have an effect
+        if auth_model["admin"]:
+            return auth_model
+
+        if self.admin_groups:
+            # if admin_groups is configured and the user wasn't part of
+            # admin_users, we must set the admin status to True or False,
+            # otherwise removing a user from the admin_groups won't have an
+            # effect
+            user_info = auth_model["auth_state"][self.user_auth_state_key]
             user_groups = self.get_user_groups(user_info)
             auth_model["admin"] = any(user_groups & self.admin_groups)
 

oauthenticator/openshift.py

@@ -88,18 +88,14 @@ def user_info_to_username(self, user_info):
 
     async def update_auth_model(self, auth_model):
         """
-        Set the admin status based on finding the username in `admin_users` or
-        finding a user group part of `admin_groups`.
+        Update admin status based on `admin_groups` if its configured.
         """
-        user_info = auth_model["auth_state"][self.user_auth_state_key]
-
-        username = auth_model["name"]
-        if username in self.admin_users:
-            auth_model["admin"] = True
-        elif self.admin_groups:
-            # if admin_groups is configured, we must either set or unset admin
-            # status and never leave it at None, otherwise removing a user from
-            # the admin_groups won't have an effect
+        if self.admin_groups:
+            # if admin_groups is configured and the user wasn't part of
+            # admin_users, we must set the admin status to True or False,
+            # otherwise removing a user from the admin_groups won't have an
+            # effect
+            user_info = auth_model["auth_state"][self.user_auth_state_key]
             user_groups = set(user_info["groups"])
             auth_model["admin"] = any(user_groups & self.admin_groups)