Extend the Remote User Auth backend with REMOTE_GROUPS ability (#311)

Extend the Remote User Auth backend with the ability to pass remote user groups via a configurable request header similar to the REMOTE_USER header. Refs #37. If enabled the feature allows checks the header value against a configured list of group names, including the ability to use UNIX shell-style wildcards.
mozilla · Dec 17, 2018 · c266c95 · c266c95
1 parent 84e6973
commit c266c95
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/redash/authentication/remote_user_auth.py b/redash/authentication/remote_user_auth.py
@@ -31,6 +31,21 @@ def login(org_slug=None):
         logger.error("Cannot use remote user for login when it's not provided in the request (looked in headers['" + settings.REMOTE_USER_HEADER + "'])")
         return redirect(url_for('redash.index', next=next_path, org_slug=org_slug))
 
+    # Check if there is a header of user groups and if yes
+    # check it against a list of allowed user groups from the settings
+    if settings.REMOTE_GROUPS_ENABLED:
+        remote_groups = settings.set_from_string(
+            request.headers.get(settings.REMOTE_GROUPS_HEADER) or ''
+        )
+        allowed_groups = settings.REMOTE_GROUPS_ALLOWED
+        if not allowed_groups.intersection(remote_groups):
+            logger.error(
+                "User groups provided in the %s header are not "
+                "matching the allowed groups.",
+                settings.REMOTE_GROUPS_HEADER
+            )
+            return redirect(url_for('redash.index', next=next_path))
+
     logger.info("Logging in " + email + " via remote user")
 
     user = create_and_login_user(current_org, email, email)

diff --git a/redash/settings/__init__.py b/redash/settings/__init__.py
@@ -84,6 +84,13 @@ def all_settings():
 REMOTE_USER_LOGIN_ENABLED = parse_boolean(os.environ.get("REDASH_REMOTE_USER_LOGIN_ENABLED", "false"))
 REMOTE_USER_HEADER = os.environ.get("REDASH_REMOTE_USER_HEADER", "X-Forwarded-Remote-User")
 
+# When enabled this will match the given remote groups request header with a
+# configured list of allowed user groups using UNIX shell-style wildcards such
+# as * and ?.
+REMOTE_GROUPS_ENABLED = parse_boolean(os.environ.get("REDASH_REMOTE_GROUPS_ENABLED", "false"))
+REMOTE_GROUPS_HEADER = os.environ.get("REDASH_REMOTE_GROUPS_HEADER", "X-Forwarded-Remote-Groups")
+REMOTE_GROUPS_ALLOWED = set_from_string(os.environ.get("REDASH_REMOTE_GROUPS_ALLOWED", ""))
+
 # If the organization setting auth_password_login_enabled is not false, then users will still be
 # able to login through Redash instead of the LDAP server
 LDAP_LOGIN_ENABLED = parse_boolean(os.environ.get('REDASH_LDAP_LOGIN_ENABLED', 'false'))

diff --git a/redash/settings/helpers.py b/redash/settings/helpers.py
@@ -11,7 +11,7 @@ def array_from_string(s):
     if "" in array:
         array.remove("")
 
-    return array
+    return [item.strip() for item in array]
 
 
 def set_from_string(s):