diff --git a/dojo/context_processors.py b/dojo/context_processors.py
index c0bbb250469..9da80ff0b8e 100644
--- a/dojo/context_processors.py
+++ b/dojo/context_processors.py
@@ -17,6 +17,9 @@ def globalize_vars(request):
 "AZUREAD_TENANT_OAUTH2_GET_GROUPS": settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS,
 "AZUREAD_TENANT_OAUTH2_GROUPS_FILTER": settings.AZUREAD_TENANT_OAUTH2_GROUPS_FILTER,
 "AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS": settings.AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS,
+ "KEYCLOAK_TENANT_OAUTH2_GET_GROUPS": settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS,
+ "KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER": settings.AZUREAD_TENANT_OAUTH2_GROUPS_FILTER,
+ "KEYCLOAK_TENANT_OAUTH2_CLEANUP_GROUPS": settings.AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS,
 "KEYCLOAK_ENABLED": settings.KEYCLOAK_OAUTH2_ENABLED,
 "SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT": settings.SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT,
 "GITHUB_ENTERPRISE_ENABLED": settings.GITHUB_ENTERPRISE_OAUTH2_ENABLED,
diff --git a/dojo/group/utils.py b/dojo/group/utils.py
index 2ddf5e57a2d..e0167bc0192 100644
--- a/dojo/group/utils.py
+++ b/dojo/group/utils.py
@@ -41,7 +41,7 @@ def group_post_save_handler(sender, **kwargs):
 group.save()
 
 user = get_current_user()
- if user and not settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS:
+ if user and not settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS and not settings.KEYCLOAK_TENANT_OAUTH2_GET_GROUPS:
 # Add the current user as the owner of the group
 member = Dojo_Group_Member()
 member.user = user
diff --git a/dojo/pipeline.py b/dojo/pipeline.py
index 7ad8bf3ca4f..2868e587148 100644
--- a/dojo/pipeline.py
+++ b/dojo/pipeline.py
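Review bot: The three added `KEYCLOAK_TENANT_OAUTH2_*` entries read the Azure settings (`settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS`, `..._GROUPS_FILTER`, `..._CLEANUP_GROUPS`), so templates get Azure's values under the Keycloak names and the Keycloak configuration added in settings.dist.py is never exposed. The right-hand sides should be `settings.KEYCLOAK_TENANT_OAUTH2_GET_GROUPS`, `settings.KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER` and `settings.KEYCLOAK_TENANT_OAUTH2_CLEANUP_GROUPS`, which this same diff defines. This looks like a copy-paste slip; a template that decides whether to show group-management UI based on these keys would otherwise follow the Azure toggle even on a Keycloak-only deployment. The `globalize_vars` dict starts and ends outside the hunk.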
@@ -7,6 +7,7 @@
 from django.conf import settings
 from dojo.models import Product, Product_Member, Product_Type, Role, Dojo_Group, Dojo_Group_Member
 from social_core.backends.azuread_tenant import AzureADTenantOAuth2
+from social_core.backends.open_id_connect import OpenIdConnectAuth
 from social_core.backends.google import GoogleOAuth2
 from dojo.authorization.roles_permissions import Permissions, Roles
 from dojo.product.queries import get_authorized_products
@@ -66,19 +67,26 @@ def modify_permissions(backend, uid, user=None, social=None, *args, **kwargs):
 
 def update_keycloak_groups(backend, uid, user=None, social=None, *args, **kwargs):
- if settings.KEYCLOAK_OAUTH2_ENABLED: #need another setting to enable syncing
+ if settings.KEYCLOAK_OAUTH2_ENABLED and settings.KEYCLOAK_TENANT_OAUTH2_GET_GROUPS and isinstance(backend, OpenIdConnectAuth):
 soc = user.social_auth.order_by("-created").first()
 token = soc.extra_data['access_token']
- print("accesstoken: " + str(token))
- print("response raw: " + str(kwargs['response']))
+ #print("accesstoken: " + str(token))
+ #print("response raw: " + str(kwargs['response']))
+ group_names = []
 if 'groups' not in kwargs['response'] or kwargs['response']['groups'] == "":
 logger.warning("No groups in response. Stopping to update groups of user based on azureAD")
 return
- group_IDs = kwargs['response']['groups'] # probably need another setting with a regex ?
- if len(group_IDs) > 0:
- assign_user_to_groups(user, group_IDs, 'Keycloak')
- if settings.AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS:
- cleanup_old_groups_for_user(user, group_IDs)
+ group_ids = kwargs['response']['groups'] # probably need another setting with a regex ?
+ for group_from_response in group_ids:
+ if settings.KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER == "" or re.search(settings.KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER, group_from_response):
+ group_names.append(group_from_response)
+ else:
+ logger.debug("Skipping group " + group_from_response + " due to KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER " + settings.KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER)
+
+ if len(group_names) > 0:
+ assign_user_to_groups(user, group_names, 'Keycloak')
+ if settings.KEYCLOAK_TENANT_OAUTH2_CLEANUP_GROUPS:
+ cleanup_old_groups_for_user(user, group_names)
 
 
 def update_azure_groups(backend, uid, user=None, social=None, *args, **kwargs):
 if settings.AZUREAD_TENANT_OAUTH2_ENABLED and settings.AZUREAD_TENANT_OAUTH2_GET_GROUPS and isinstance(backend, AzureADTenantOAuth2):
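Review bot: `token = soc.extra_data['access_token']` is now dead code (its only readers are the two commented-out prints), and those prints would write the user's OAuth access token and the raw provider response to stdout if anyone re-enables them, so the `soc`, `token` and both `#print` lines should be deleted rather than commented out; that also removes the AttributeError if `first()` returns None. The warning a few lines below still says `based on azureAD` in the Keycloak path and should read `logger.warning("No groups in response. Stopping to update groups of user based on Keycloak")`, and the `# probably need another setting with a regex ?` comment is stale now that KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER implements exactly that. Note that `re.search` matches a substring anywhere in the group name, so a filter such as `dojo-` also admits `not-dojo-users`; if full-name matching is intended, `re.fullmatch` or an anchored pattern is the safer choice (I cannot see whether the Azure path has the same behaviour). I also cannot see an `import re` in this diff; presumably it is already present for the Azure filter, but worth confirming. `update_azure_groups` continues outside the hunk.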
diff --git a/dojo/settings/settings.dist.py b/dojo/settings/settings.dist.py
index 9574e5a3c6a..81518c60f35 100644
--- a/dojo/settings/settings.dist.py
+++ b/dojo/settings/settings.dist.py
@@ -123,6 +123,9 @@
 DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_GET_GROUPS=(bool, False),
 DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_GROUPS_FILTER=(str, ''),
 DD_SOCIAL_AUTH_AZUREAD_TENANT_OAUTH2_CLEANUP_GROUPS=(bool, True),
+ DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GET_GROUPS=(bool, False),
+ DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_CLEANUP_GROUPS=(bool, True),
+ DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GROUPS_FILTER=(str, ''),
 DD_SOCIAL_AUTH_GITLAB_OAUTH2_ENABLED=(bool, False),
 DD_SOCIAL_AUTH_GITLAB_PROJECT_AUTO_IMPORT=(bool, False),
 DD_SOCIAL_AUTH_GITLAB_PROJECT_IMPORT_TAGS=(bool, False),
@@ -639,6 +642,10 @@ def generate_url(scheme, double_slashes, user, password, host, port, path, param
 SOCIAL_AUTH_OIDC_SECRET = env('DD_SOCIAL_AUTH_KEYCLOAK_SECRET')
 SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT = env('DD_SOCIAL_AUTH_KEYCLOAK_LOGIN_BUTTON_TEXT')
 
+KEYCLOAK_TENANT_OAUTH2_GET_GROUPS = env('DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GET_GROUPS')
+KEYCLOAK_TENANT_OAUTH2_CLEANUP_GROUPS = env('DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_CLEANUP_GROUPS')
+KEYCLOAK_TENANT_OAUTH2_GROUPS_FILTER = env('DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_GROUPS_FILTER')
+
 # SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY = env('DD_SOCIAL_AUTH_KEYCLOAK_PUBLIC_KEY')
 # SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL = env('DD_SOCIAL_AUTH_KEYCLOAK_AUTHORIZATION_URL')
 # SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL = env('DD_SOCIAL_AUTH_KEYCLOAK_ACCESS_TOKEN_URL')
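Review bot: The Python-side names `KEYCLOAK_TENANT_OAUTH2_*` carry Azure's "tenant" term while the env vars they read are `DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_*`, so the two halves of the same setting are spelled differently; naming them `KEYCLOAK_OAUTH2_GET_GROUPS`, `KEYCLOAK_OAUTH2_CLEANUP_GROUPS` and `KEYCLOAK_OAUTH2_GROUPS_FILTER` (with matching updates in pipeline.py, group/utils.py and context_processors.py) would keep them consistent. `DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_CLEANUP_GROUPS` defaults to True, so switching on group sync presumably also starts removing memberships that are absent from the Keycloak response on every login; that deserves a comment beside the assignment, e.g. `# When CLEANUP_GROUPS is True, group memberships not present in the Keycloak response are removed at each login`. I do not see the new DD_SOCIAL_AUTH_KEYCLOAK_OAUTH2_* variables documented anywhere in this diff; if the project's docs list the Azure equivalents, these should be added alongside them.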