From a9178a2ac1934f29553da359094f3285c01f2a23 Mon Sep 17 00:00:00 2001 From: spigad Date: Wed, 1 Jun 2022 23:08:18 +0200 Subject: [PATCH] Admins are also users.. always --- .../jupyterhub/jupyterhub_config.py | 31 ++++++++++++------- 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/docker/single-node-jupyterhub/jupyterhub/jupyterhub_config.py b/docker/single-node-jupyterhub/jupyterhub/jupyterhub_config.py index c4e84656..7f580b15 100644 --- a/docker/single-node-jupyterhub/jupyterhub/jupyterhub_config.py +++ b/docker/single-node-jupyterhub/jupyterhub/jupyterhub_config.py @@ -72,7 +72,10 @@ def pre_spawn_start(self, user, spawner): spawner.environment["JUPYTERHUB_ACTIVITY_INTERVAL"] = "15" amIAllowed = False - allowed_groups = "" + allowed_groups_user = "" + allowed_groups_admin = "" + matched_groups_user = False + matched_groups_admin = False self.log.info(auth_state["oauth_user"]) 
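Review bot: Dropping `allowed_groups = ""` in this hunk leaves that name without an assignment, yet the second hunk still reads it in `set(allowed_groups).intersection(...)` and in the unchanged `if allowed_groups:` on the denial path. With `OAUTH_GROUPS` set, the intersection line would presumably raise NameError, so the hook aborts with an exception instead of reaching an allow/deny decision. Use the renamed variable in both places: `matched_groups_user = set(allowed_groups_user).intersection(set(auth_state["oauth_user"]["groups"]))` and `if allowed_groups_user:`. The body of pre_spawn_start starts and ends outside the hunk, so an assignment in the lines not shown cannot be ruled out from here.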
@@ -81,16 +84,23 @@ def pre_spawn_start(self, user, spawner): if os.environ.get("OAUTH_GROUPS"): spawner.environment["GROUPS"] = " ".join(auth_state["oauth_user"]["groups"]) - allowed_groups = os.environ["OAUTH_GROUPS"].split(" ") - #allowed_groups_full = os.environ["OAUTH_GROUPS"].split(" ") - #allowed_groups = [ele for ele in allowed_groups_full if not re.search('catchall', ele)] + allowed_groups_user = os.environ["OAUTH_GROUPS"].split(" ") + self.log.info("Allowed groups user") self.log.info(auth_state["oauth_user"]["groups"]) - self.log.info(allowed_groups) - - matched_groups = set(allowed_groups).intersection(set(auth_state["oauth_user"]["groups"])) - if matched_groups: amIAllowed = True + self.log.info(allowed_groups_user) + matched_groups_user = set(allowed_groups).intersection(set(auth_state["oauth_user"]["groups"])) + + if os.environ["ADMIN_OAUTH_GROUPS"] : + allowed_groups_admin = os.environ["ADMIN_OAUTH_GROUPS"].split(" ") + matched_groups_admin = set(allowed_groups_admin).intersection(set(auth_state["oauth_user"]["groups"])) + + self.log.info("Allowed groups user") + self.log.info(allowed_groups_admin) + + if matched_groups_user or matched_groups_admin : amIAllowed = True + if not amIAllowed: err_msg = "Authorization Failed: User is not the owner of the service" if allowed_groups: @@ -133,10 +143,7 @@ async def authenticate(self, handler, data=None): is_admin = False matched_admin_groups = False if os.environ["ADMIN_OAUTH_GROUPS"] : - # allowed_admin_groups_full = os.environ["ADMIN_OAUTH_GROUPS"].split(" ") - # allowed_admin_groups = [ele for ele in allowed_admin_groups_full if not re.search('catchall', ele)] - allowed_admin_groups = os.environ["ADMIN_OAUTH_GROUPS"].split(" ") - + allowed_admin_groups = os.environ["ADMIN_OAUTH_GROUPS"].split(" ") matched_admin_groups = set(allowed_admin_groups).intersection(set(auth_state["oauth_user"]["groups"])) if os.environ.get("OAUTH_SUB") == auth_state["oauth_user"]["sub"] or matched_admin_groups:
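Review bot: The new admin check in pre_spawn_start indexes `os.environ["ADMIN_OAUTH_GROUPS"]` directly, so a deployment that does not set that variable gets a KeyError instead of an authorization decision, while the user check just above it uses `os.environ.get("OAUTH_GROUPS")`. Prefer `admin_groups_env = os.environ.get("ADMIN_OAUTH_GROUPS", "")` followed by `allowed_groups_admin = admin_groups_env.split()`; calling `split()` without an argument also keeps empty-string entries out of the allow-list when the value has doubled or trailing spaces. The log line before `self.log.info(allowed_groups_admin)` repeats "Allowed groups user" and should read "Allowed groups admin", otherwise the two lists cannot be told apart when auditing the hub log. Indentation is lost in this rendering, so whether the admin block sits inside the `OAUTH_GROUPS` branch cannot be confirmed; if it does, admin-group members are only admitted when `OAUTH_GROUPS` is also set, which would not match the commit title.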