diff --git a/oauthenticator/generic.py b/oauthenticator/generic.py
index 31eb0d9e..b3166a90 100644
--- a/oauthenticator/generic.py
+++ b/oauthenticator/generic.py
@@ -100,9 +100,7 @@ def get_user_groups(self, user_info):
 groups = self.claim_groups_key(user_info)
 else:
 try:
- groups = reduce(
- dict.get, self.claim_groups_key.split("."), user_info
- )
+ groups = reduce(dict.get, self.claim_groups_key.split("."), user_info)
 except TypeError:
 # This happens if a nested key does not exist (reduce trying to call None.get)
 self.log.error(
@@ -127,7 +125,9 @@ async def user_is_authorized(self, auth_model):
 if not groups:
 return False
- if not self.user_groups_in_allowed_groups(groups, self.allowed_groups + self.admin_groups):
+ if not self.user_groups_in_allowed_groups(
+ groups, self.allowed_groups + self.admin_groups
+ ):
 return False
 return True
diff --git a/oauthenticator/google.py b/oauthenticator/google.py
index 2a30a50f..00b2dd9c 100644
--- a/oauthenticator/google.py
+++ b/oauthenticator/google.py
@@ -143,7 +143,9 @@ async def user_is_authorized(self, auth_model):
 auth_model['auth_state']['google_user']['google_groups'] = google_groups
 # Check if user is a member of any allowed or admin groups.
- allowed_groups_per_domain = self.allowed_google_groups.get(user_email_domain, []) + self.admin_google_groups.get(user_email_domain, [])
+ allowed_groups_per_domain = self.allowed_google_groups.get(
+ user_email_domain, []
+ ) + self.admin_google_groups.get(user_email_domain, [])
 if not allowed_groups_per_domain:
 return False
 else:
@@ -153,7 +155,6 @@ async def user_is_authorized(self, auth_model):
 return True
-
 async def update_auth_model(self, auth_model):
 username = auth_model["name"]
 admin_status = True if username in self.admin_users else None
@@ -163,7 +164,9 @@ async def update_auth_model(self, auth_model):
 if user_email_domain in self.admin_google_groups.keys():
 # Check if user is a member of any admin groups.
- google_groups = self._google_groups_for_user(user_email, user_email_domain)
+ google_groups = self._google_groups_for_user(
+ user_email, user_email_domain
+ )
 if google_groups:
 auth_model['admin'] = self.user_groups_in_allowed_groups(
 google_groups, self.admin_google_groups[user_email_domain]
diff --git a/oauthenticator/openshift.py b/oauthenticator/openshift.py
index c2ee6fd3..d0812271 100644
--- a/oauthenticator/openshift.py
+++ b/oauthenticator/openshift.py
@@ -101,7 +101,9 @@ async def update_auth_model(self, auth_model):
 # Check if user has been marked as admin by membership in self.admin_groups
 if not admin_status and self.admin_groups:
- auth_model['admin'] = self.user_groups_in_allowed_groups(user_groups, self.admin_groups)
+ auth_model['admin'] = self.user_groups_in_allowed_groups(
+ user_groups, self.admin_groups
+ )
 return auth_model
@@ -116,7 +118,9 @@ async def user_is_authorized(self, auth_model):
 if self.allowed_groups or self.admin_groups:
 msg = f"username:{username} User not in any of the allowed/admin groups"
 # User is authorized if either in allowed_groups or in admin_groups
- if not self.user_groups_in_allowed_groups(user_groups, self.allowed_groups.union(self.admin_groups)):
+ if not self.user_groups_in_allowed_groups(
+ user_groups, self.allowed_groups.union(self.admin_groups)
+ ):
 self.log.warning(msg)
 return False
diff --git a/oauthenticator/tests/test_openshift.py b/oauthenticator/tests/test_openshift.py
index 60658b42..c1951bc1 100644
--- a/oauthenticator/tests/test_openshift.py
+++ b/oauthenticator/tests/test_openshift.py
@@ -93,6 +93,7 @@ async def test_openshift_in_allowed_groups_and_is_not_admin(openshift_client):
 assert sorted(user_info) == ['admin', 'auth_state', 'name']
 assert user_info['admin'] == False
+
 async def test_openshift_not_in_admin_users_but_not_in_admin_groups(openshift_client):
 authenticator = OpenShiftOAuthenticator()
 authenticator.allowed_groups = {'group1'}