add azuread groupfilter

ansibleguy76 · Nov 22, 2023 · 212dc40 · 212dc40
1 parent 4b4273e
commit 212dc40
Show file tree

Hide file tree

Showing 8 changed files with 41 additions and 5 deletions.
diff --git a/client/src/lib/Helpers.js b/client/src/lib/Helpers.js
@@ -28,6 +28,18 @@ var Helpers = {
     var i = size == 0 ? 0 : Math.floor(Math.log(size) / Math.log(1024));
     return (size / Math.pow(1024, i)).toFixed(2) * 1 + ' ' + ['B', 'kB', 'MB', 'GB', 'TB'][i];
   },
+  deepClone(o){
+    if(o===undefined){
+      return o
+    }
+    try{
+      return (JSON.parse(JSON.stringify(o)))
+    }catch(e){
+      console.error("Failed deepcloning - ",e)
+      return undefined
+    }
+
+  },
   evalSandbox(expression){
     // local autonumbering
     function fnGetNumberedName(names,pattern,value,fillgap=false){
@@ -177,7 +189,8 @@ var Helpers = {
             return o
           })
         }
-    }    
+    }   
+    if(expression) 
     return eval(expression)          
   }
 

diff --git a/client/src/views/AzureAd.vue b/client/src/views/AzureAd.vue
@@ -19,6 +19,7 @@
               <div class="mt-2">
                 <BulmaInput :disabled="!azuread.enable" icon="user-tag" v-model="azuread.client_id" label="Client Id" placeholder="" :required="true" :hasError="$v.azuread.client_id.$invalid" :errors="[]" />
                 <BulmaInput :disabled="!azuread.enable" icon="user-secret" v-model="azuread.secret_id" type="password" label="Secret Id" placeholder="" :required="true" :hasError="$v.azuread.secret_id.$invalid" :errors="[]" />
+                <BulmaInput :disabled="!azuread.enable" icon="filter" v-model="azuread.groupfilter" label="Groupname Regex" placeholder="A regular expression to match groups" :required="false" :errors="[]" />
                 <div class="notification is-info-light content">
                   <strong>Required API Permissions</strong><br>
                   <ul>
@@ -67,7 +68,8 @@
           azuread:{
             client_id:"",
             secret_id:"",
-            enable:true
+            enable:true,
+            groupfilter:""
           },
           settings:{
             url:""

diff --git a/client/src/views/Login.vue b/client/src/views/Login.vue
@@ -46,6 +46,7 @@
                   password: ""
               },
               azureAdEnabled:false,
+              azureGroupfilter:"",
               azureGraphUrl:"https://graph.microsoft.com"
           }
       },
@@ -56,6 +57,7 @@
           .then((result)=>{
             if(result.data?.status=='success'){
               this.azureAdEnabled=!!result.data.data.output.azureAdEnabled
+              this.azureGroupfilter=result.data.data.output.azureGroupfilter
               this.azureGraphUrl=result.data.data.output.azureGraphUrl
               if(azuretoken){
                 this.getGroupsAndLogin(azuretoken)
@@ -69,6 +71,7 @@
           })
         },
         getGroupsAndLogin(azuretoken, url = `${this.azureGraphUrl}/v1.0/me/transitiveMemberOf`, allGroups = []) {
+          var ref=this
           const config = {
             headers: {
               Authorization: `Bearer ${azuretoken}`
@@ -84,6 +87,18 @@
                 // If there's a nextLink, make a recursive call to get the next page of data
                 this.getGroupsAndLogin(azuretoken, res.data['@odata.nextLink'], allGroups);
               } else {
+                var validRegex=true
+                var regex
+                try{
+                  regex = new RegExp(ref.azureGroupfilter, 'g');
+                }catch(e){
+                  console.error("MS Entra ID Group filter is not a valid regular expression")
+                  validRegex=false
+                }
+                if(validRegex && ref.azureGroupfilter){
+                  allGroups = allGroups.filter(x => x.match(regex))
+                  console.log("Groups have been filtered")
+                }
                 // No more nextLink, you have all the groups
                 axios.post('/api/v1/auth/azureadoauth2/login', { azuretoken, groups:allGroups })
                   .then((result) => {

diff --git a/server/schema/forms_schema.json b/server/schema/forms_schema.json
@@ -452,6 +452,7 @@
                     "recipients"
                   ]
                 },
+                "hasApproval":{ "type": "boolean"},
                 "approval": {
                   "$id": "/approval",
                   "type": "object",
@@ -487,6 +488,7 @@
             "type": "string",
             "enum": ["ansible", "awx", "git","multistep"]
           },
+          "hasApproval":{ "type": "boolean"},
           "approval":{
             "$ref": "/approval"
           },

diff --git a/server/src/controllers/login.controller.js b/server/src/controllers/login.controller.js
@@ -39,6 +39,7 @@ exports.settings = async function(req,res){
     var settings={}
     // console.log(inspect(azure))
     settings.azureAdEnabled=azure.enable
+    settings.azureGroupfilter=azure.groupfilter
     settings.azureGraphUrl=authConfig.azureGraphUrl
     res.json(new RestResult("success","",settings,""))
   })

diff --git a/server/src/db/create_azuread_table.sql b/server/src/db/create_azuread_table.sql
@@ -3,6 +3,7 @@ DROP TABLE IF EXISTS `azuread`;
 CREATE TABLE `azuread` (
   `client_id` text DEFAULT NULL,
   `secret_id` text DEFAULT NULL,
-  `enable` tinyint(4) DEFAULT NULL
+  `enable` tinyint(4) DEFAULT NULL,
+  `groupfilter` varchar(250) DEFAULT NULL
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
-INSERT INTO AnsibleForms.azuread(client_id,secret_id,enable) VALUES('','',0);
+INSERT INTO AnsibleForms.azuread(client_id,secret_id,enable,groupfilter) VALUES('','',0,'');
diff --git a/server/src/models/azureAd.model.js b/server/src/models/azureAd.model.js
@@ -10,13 +10,14 @@ var AzureAd=function(azuread){
     this.client_id = azuread.client_id;
     this.secret_id = encrypt(azuread.secret_id);
     this.enable = (azuread.enable)?1:0;
+    this.groupfilter = azuread.groupfilter;
 };
 AzureAd.update = function (record) {
   logger.info(`Updating azuread`)
   return mysql.do("UPDATE AnsibleForms.`azuread` set ?", record)
 };
 AzureAd.isEnabled = function(){
-  return mysql.do("SELECT enable FROM AnsibleForms.`azuread` limit 1;")
+  return mysql.do("SELECT enable,groupfilter FROM AnsibleForms.`azuread` limit 1;")
     .then((res)=>{
       if(res.length>0){
         return res[0]

diff --git a/server/src/models/schema.model.js b/server/src/models/schema.model.js
@@ -273,6 +273,7 @@ function patchAll(){
   buffer = fs.readFileSync(`${__dirname}/../db/create_azuread_table.sql`)
   sql = buffer.toString()
   tablePromises.push(addTable("azuread",sql)) // add azuread table
+  tablePromises.push(addColumn("azuread","groupfilter","varchar(250)",true,"NULL"))  // add column to limit azuread groups
   //tablePromises.push(addRecord("settings",["mail_server","mail_port","mail_secure","mail_username","mail_password","mail_from","url"],["''",25,0,"''","''","''","''"]))
   // buffer=fs.readFileSync(`${__dirname}/../db/create_settings_table.sql`)
   // sql=buffer.toString();