Merge pull request #11798 from john-westcott-iv/saml_attr_lists

SAML superuse/auditor working with lists
2026-01-11 10:00:01 -03:30 · 2022-03-01 07:42:35 -05:00 · 2022-03-01 07:42:35 -05:00 · 80c188586c
commit 80c188586c
parent b5cf8f9326 c7a1fb67d0
2 changed files with 19 additions and 4 deletions
--- a/awx/sso/pipeline.py
+++ b/awx/sso/pipeline.py
@ -263,9 +263,14 @@ def _check_flag(user, flag, attributes, user_flags_settings):
        if user_flags_settings.get(is_value_key, None):
            # If so, check and see if the value of the attr matches the required value
            attribute_value = attributes.get(attr_setting, None)
+            attribute_matches = False
            if isinstance(attribute_value, (list, tuple)):
-                attribute_value = attribute_value[0]
-            if attribute_value == user_flags_settings.get(is_value_key):
+                if user_flags_settings.get(is_value_key) in attribute_value:
+                    attribute_matches = True
+            elif attribute_value == user_flags_settings.get(is_value_key):
+                attribute_matches = True
+
+            if attribute_matches:
                logger.debug("Giving %s %s from attribute %s with matching value" % (user.username, flag, attr_setting))
                new_flag = True
            # if they don't match make sure that new_flag is false
--- a/awx/sso/tests/functional/test_pipeline.py
+++ b/awx/sso/tests/functional/test_pipeline.py
@ -447,6 +447,16 @@ class TestSAMLUserFlags:
                {'is_superuser_role': 'test-role-1', 'is_superuser_attr': 'is_superuser', 'is_superuser_value': 'true'},
                (True, True),
            ),
+            # In this test case we will validate that a single attribute (instead of a list) still works
+            (
+                {'is_superuser_attr': 'name_id', 'is_superuser_value': 'test_id'},
+                (True, True),
+            ),
+            # This will be a negative test for a single atrribute
+            (
+                {'is_superuser_attr': 'name_id', 'is_superuser_value': 'junk'},
+                (False, False),
+            ),
        ],
    )
    def test__check_flag(self, user_flags_settings, expected):
@ -457,10 +467,10 @@ class TestSAMLUserFlags:
        attributes = {
            'email': ['noone@nowhere.com'],
            'last_name': ['Westcott'],
-            'is_superuser': ['true'],
+            'is_superuser': ['something', 'else', 'true'],
            'username': ['test_id'],
            'first_name': ['John'],
-            'Role': ['test-role-1'],
+            'Role': ['test-role-1', 'something', 'different'],
            'name_id': 'test_id',
        }