feat: add DEFAULT_GROUPS ignoring

2025-01-30 20:56:39 +00:00 · 2025-01-18 17:44:31 +04:00 · 2025-01-18 17:44:31 +04:00 · 482d48d923
parent df23a31a01
commit 482d48d923
1 changed files with 18 additions and 14 deletions
--- a/selfprivacy_api/repositories/users/kanidm_user_repository.py
+++ b/selfprivacy_api/repositories/users/kanidm_user_repository.py
@ -28,13 +28,14 @@ from selfprivacy_api.repositories.users.abstract_user_repository import (
    AbstractUserRepository,
 )

+DOMAIN = get_domain()

 REDIS_TOKEN_KEY = "kanidm:token"
+redis = RedisPool().get_connection()

 KANIDM_URL = "https://127.0.0.1:3013"
 ADMIN_GROUPS = ["sp.admins"]
-
-redis = RedisPool().get_connection()
+DEFAULT_GROUPS = [f"idm_all_persons@{DOMAIN}", f"idm_all_accounts@{DOMAIN}"] 

 logger = logging.getLogger(__name__)

@ -62,18 +63,18 @@ class KanidmAdminToken:

    @staticmethod
    def get() -> str:
-        kanidm_admin_token = str(redis.get(REDIS_TOKEN_KEY))
+        kanidm_admin_token = redis.get(REDIS_TOKEN_KEY)

-        if kanidm_admin_token is None or not KanidmAdminToken._is_token_valid(
-            kanidm_admin_token
-        ):
-            kanidm_admin_password = (
-                KanidmAdminToken._reset_and_save_idm_admin_password()
-            )
+        if kanidm_admin_token:
+            if KanidmAdminToken._is_token_valid(kanidm_admin_token):  # type: ignore
+                return kanidm_admin_token  # type: ignore

-            kanidm_admin_token = KanidmAdminToken._create_and_save_token(
-                kanidm_admin_password=kanidm_admin_password
-            )
+        logging.warning("Kanidm admin token is missing or invalid. Regenerating.")
+
+        kanidm_admin_password = KanidmAdminToken._reset_and_save_idm_admin_password()
+        kanidm_admin_token = KanidmAdminToken._create_and_save_token(
+            kanidm_admin_password=kanidm_admin_password
+        )

        return kanidm_admin_token

@ -511,14 +512,17 @@ class KanidmUserRepository(AbstractUserRepository):

        attrs = user_data["attrs"]  # type: ignore

+        directmemberof = [item for item in attrs.get("directmemberof", []) if item not in DEFAULT_GROUPS]
+        memberof = [item for item in attrs.get("memberof", []) if item not in DEFAULT_GROUPS]
+
        return UserDataUser(
            username=attrs["name"][0],
            user_type=KanidmUserRepository._check_user_origin_by_memberof(
                memberof=attrs.get("memberof", [])
            ),
            ssh_keys=[],  # Actions layer will fill this field
-            directmemberof=attrs.get("directmemberof", []),
-            memberof=attrs.get("memberof", []),
+            directmemberof=directmemberof,
+            memberof=memberof,
            displayname=attrs.get("displayname", [None])[0],
            email=attrs.get("mail", [None])[0],
        )