Check that a user belongs to the correct SHM domain when registering with an SRE #2292
+52
−8
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Coverage report
Click to see where and how coverage changed
This report was generated by python-coverage-comment-action |
||||||||||||||||||||||||||||||||||||||||||||||||
craddm
changed the title
JimMadge
reviewed
Nov 28, 2024
JimMadge
reviewed
Nov 28, 2024
JimMadge
requested changes
Nov 28, 2024
Comment on lines
+159
to
+163
| logger.error( | ||
| f"User [green]'{username}'[/green]'s principal domain name is [blue]'{user_domain}'[/blue].\n" | ||
| f"SRE [yellow]'{sre}'[/yellow] belongs to SHM domain [blue]'{shm_config.shm.fqdn}'[/blue].\n" | ||
| "The user's principal domain name must match the domain of the SRE to be registered." | ||
| ) |
There was a problem hiding this comment.
I think we've had problems with multi-line log messages before (although we might strip those characters). Could you check the output?
There was a problem hiding this comment.
Looks like this in the log file:
Seems fine to me
There was a problem hiding this comment.
The problem there is we have lines in the log file which are not in the log format which will make it difficult to parse.
We could,
- Join the lines in the log file
- Make each of these a different message
- Put this output to stdout but a shorter summary to the log
Co-authored-by: Jim Madge <[email protected]>
JimMadge
reviewed
Nov 28, 2024
Comment on lines
+167
to
+168
| f"Username '{username}' does not belong to this Data Safe Haven deployment.\n" | ||
| "Please use 'dsh users add' to create this user." |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
…with SRE
✅ Checklist
Enable foobar integrationrather than515 foobar).develop.🚦 Depends on
Adds a check of the user's principal name when registering with an SRE. If the domain in the principal name does not match the FQDN of the SHM that the SRE is linked to, the user will not be added to the SRE's security group and an error will be printed explaining why.
Example output:
🌂 Related issues
Relates to #2275
Does not close #2275, as that also encompasses the
addcommand, whereas this PR only handles registering users🔬 Tests
Tested locally