Hi I have written a patch for feature #6640
From fd3978884501845099ca6547cd342ead0f833b14 Mon Sep 17 00:00:00 2001 From: Florian Sabonchi <sabon...@posteo.de> Date: Sun, 10 Oct 2021 12:38:50 +0200 Subject: [PATCH] first draft for feature #6640
---
docs/en_US/oauth2.rst | 1 +
web/config.py | 2 ++
web/pgadmin/authenticate/oauth2.py | 19 +++++++++++++++++--
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/docs/en_US/oauth2.rst b/docs/en_US/oauth2.rst
index 4cc2628f5..6cf2f5aba 100644
--- a/docs/en_US/oauth2.rst
+++ b/docs/en_US/oauth2.rst
@@ -36,6 +36,7 @@ and modify the values for the following parameters:
"OAUTH2_AUTO_CREATE_USER", "Set the value to *True* if you want to automatically
create a pgAdmin user corresponding to a successfully authenticated Oauth2 user.
Please note that password is not stored in the pgAdmin database."
+ "ALLOWED_ORGANIZATIONS", "Github organizations which are allowed. If the user is in an organization that is not in the list, logging in is not possible."
Redirect URL
============
diff --git a/web/config.py b/web/config.py
index 7a1f4ab1f..ec8ec0959 100644
--- a/web/config.py
+++ b/web/config.py
@@ -719,6 +719,8 @@ OAUTH2_CONFIG = [
'OAUTH2_ICON': None,
# UI button colour, ex: #0000ff
'OAUTH2_BUTTON_COLOR': None,
+ # Allowed github organizations
+ 'ALLOWED_ORGANIZATIONS': [''],
}
]
diff --git a/web/pgadmin/authenticate/oauth2.py b/web/pgadmin/authenticate/oauth2.py
index cc1143e06..866e12680 100644
--- a/web/pgadmin/authenticate/oauth2.py
+++ b/web/pgadmin/authenticate/oauth2.py
@@ -8,11 +8,12 @@
##########################################################################
"""A blueprint module implementing the Oauth2 authentication."""
+import requests as requests
import config
from authlib.integrations.flask_client import OAuth
-from flask import current_app, url_for, session, request,\
+from flask import current_app, url_for, session, request, \
redirect, Flask, flash
from flask_babelex import gettext
from flask_security import login_user, current_user
@@ -91,7 +92,6 @@ class OAuth2Authentication(BaseAuthentication):
def __init__(self):
for oauth2_config in config.OAUTH2_CONFIG:
-
OAuth2Authentication.oauth2_config[
oauth2_config['OAUTH2_NAME']] = oauth2_config
@@ -130,6 +130,17 @@ class OAuth2Authentication(BaseAuthentication):
user, msg = self.__auto_create_user(profile)
if user:
+ organizations = self.get_organizations(profile['organizations_url'])
+
+ for oauth2_config in config.OAUTH2_CONFIG:
+ allowed_organizations = oauth2_config['ALLOWED_ORGANIZATIONS']
+ if allowed_organizations:
+ for organization in organizations:
+ if organization['login'] not in allowed_organizations:
+ return False, gettext("You are in an organization "
+ "that is not on the "
+ "whitelist")
+
user = db.session.query(User).filter_by(
username=profile['email'], auth_source=OAUTH2).first()
current_app.login_manager.logout_view = \
@@ -137,6 +148,10 @@ class OAuth2Authentication(BaseAuthentication):
return login_user(user), None
return False, msg
+ def get_organizations(self, organizations_url: str):
+ organizations = requests.get(organizations_url)
+ return organizations.json()
+
def get_user_profile(self):
session['oauth2_token'] = self.oauth2_clients[
self.oauth2_current_client].authorize_access_token()
--
2.25.1
OpenPGP_0x9B79A5A968AF5F8F.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
