NeoAnd/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2025-08-25 00:36:11 -06:00
Code Issues Actions 4 Packages Projects Releases Wiki Activity

11508 review changes, add additional logging and error checking

Browse Source
This commit is contained in:
Arthur 2023-08-08 16:36:40 +07:00
parent 1d02196e0a
commit 7a63c7c89d
1 changed files with 32 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
netbox/netbox/authentication.py
View File

@ -48,6 +48,8 @@ AUTH_BACKEND_ATTRS = {
'salesforce-oauth2': ('Salesforce', 'salesforce'), 'salesforce-oauth2': ('Salesforce', 'salesforce'),
} }
BASE_MICROSOFT_GRAPH_URL = 'https://graph.microsoft.com/v1.0/'
def get_auth_backend_display(name): def get_auth_backend_display(name):
""" """
@ -389,31 +391,27 @@ def user_default_groups_handler(backend, user, response, *args, **kwargs):
logger.info(f"No valid group assignments for {user} - REMOTE_AUTH_DEFAULT_GROUPS may be incorrectly set?") logger.info(f"No valid group assignments for {user} - REMOTE_AUTH_DEFAULT_GROUPS may be incorrectly set?")
class AuthFailed(Exception):
pass
def azuread_map_groups(response, user, backend, *args, **kwargs): def azuread_map_groups(response, user, backend, *args, **kwargs):
''' '''
Map Azure AD group ID to Netbox group Map Azure AD group ID to Netbox group
Also set is_superuser or is_staff based on config map Also set is_superuser or is_staff based on config map
''' '''
logger = logging.getLogger('netbox.auth.azuread_map_groups')
if not getattr(settings, "SOCIAL_AUTH_AZUREAD_MAP_GROUP_PERMS", False): if not getattr(settings, "SOCIAL_AUTH_AZUREAD_MAP_GROUP_PERMS", False):
return return
flags_by_group = getattr(settings, "SOCIAL_AUTH_AZUREAD_USER_FLAGS_BY_GROUP", False) if not hasattr(settings, "SOCIAL_AUTH_AZUREAD_USER_FLAGS_BY_GROUP"):
if not flags_by_group:
raise ImproperlyConfigured( raise ImproperlyConfigured(
"Azure group mapping has been configured, but SOCIAL_AUTH_AZUREAD_USER_FLAGS_BY_GROUP is not defined." "Azure group mapping has been configured, but SOCIAL_AUTH_AZUREAD_USER_FLAGS_BY_GROUP is not defined."
) )
group_mapping = getattr(settings, "SOCIAL_AUTH_AZUREAD_GROUP_MAP", False) if not hasattr(settings, "SOCIAL_AUTH_AZUREAD_GROUP_MAP"):
if not group_mapping:
raise ImproperlyConfigured( raise ImproperlyConfigured(
"Azure group mapping has been configured, but SOCIAL_AUTH_AZUREAD_GROUP_MAP is not defined." "Azure group mapping has been configured, but SOCIAL_AUTH_AZUREAD_GROUP_MAP is not defined."
) )
url = 'https://graph.microsoft.com/v1.0/me' flags_by_group = getattr(settings, "SOCIAL_AUTH_AZUREAD_USER_FLAGS_BY_GROUP")
group_mapping = getattr(settings, "SOCIAL_AUTH_AZUREAD_GROUP_MAP")
access_token = response.get('access_token') access_token = response.get('access_token')
headers = { headers = {
@ -422,17 +420,24 @@ def azuread_map_groups(response, user, backend, *args, **kwargs):
'Authorization': f'Bearer {access_token}', 'Authorization': f'Bearer {access_token}',
} }
try:
# Query Microsoft Graph API to get user-id for following API
response = requests.get( response = requests.get(
url, f'{BASE_MICROSOFT_GRAPH_URL}me',
headers=headers, headers=headers,
) )
uid = response.json().get('id') uid = response.json().get('id')
url = f"https://graph.microsoft.com/v1.0/users/{uid}/memberOf"
# Call Graph API to get groups for current user
response = requests.get( response = requests.get(
url, f"{BASE_MICROSOFT_GRAPH_URL}users/{uid}/memberOf",
headers=headers, headers=headers,
) )
except Exception as e:
logger.error(f"Azure group mapping error getting groups for user {user} from Microsoft Graph API: {e}")
raise e
# Set groups and permissions based on returned group list
is_superuser = False is_superuser = False
is_staff = False is_staff = False
values = response.json().get('value', []) values = response.json().get('value', [])
@ -443,17 +448,23 @@ def azuread_map_groups(response, user, backend, *args, **kwargs):
group_id = value.get('id', None) group_id = value.get('id', None)
if group_id in flags_by_group['is_superuser']: if group_id in flags_by_group['is_superuser']:
logger.info(f"Azure group mapping - setting superuser status for: {user}.")
is_superuser = True is_superuser = True
if group_id in flags_by_group['is_staff']: if group_id in flags_by_group['is_staff']:
logger.info(f"Azure group mapping - setting staff status for: {user}.")
is_staff = True is_staff = True
if group_id in group_mapping: if group_id in group_mapping:
group = Group.objects.get(name=group_mapping[group_id]) group_name = group_mapping[group_id]
group = Group.objects.get(name=group_name)
if group: if group:
group.user_set.add(user) group.user_set.add(user)
logger.info(f"Azure group mapping - adding group {group_name} to user: {user}.")
else: else:
logger.info(f"Azure group mapping - group: {group_mapping[group_id]} not found.") logger.info(f"Azure group mapping - group: {group_name} not found.")
else:
logger.info(f"Azure group mapping - no Microsoft graph groups returned for user {user}.")
user.is_superuser = is_superuser user.is_superuser = is_superuser
user.is_staff = is_staff user.is_staff = is_staff