providers/scim: fix missing user/group filtering on SCIM direct save signals (#5473)

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Jens L 2023-05-04 02:28:58 +03:00 committed by GitHub
parent 5509bce3d7
commit b99ce890ef
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -1,9 +1,9 @@
"""SCIM Provider tasks""" """SCIM Provider tasks"""
from typing import Any from typing import Any, Optional
from celery.result import allow_join_result from celery.result import allow_join_result
from django.core.paginator import Paginator from django.core.paginator import Paginator
from django.db.models import Model from django.db.models import Model, QuerySet
from django.utils.text import slugify from django.utils.text import slugify
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from pydanticscim.responses import PatchOp from pydanticscim.responses import PatchOp
@ -143,6 +143,20 @@ def scim_signal_direct(model: str, pk: Any, raw_op: str):
operation = PatchOp(raw_op) operation = PatchOp(raw_op)
for provider in SCIMProvider.objects.all(): for provider in SCIMProvider.objects.all():
client = client_for_model(provider, instance) client = client_for_model(provider, instance)
# Check if the object is allowed within the provider's restrictions
queryset: Optional[QuerySet] = None
if isinstance(instance, User):
queryset = provider.get_user_qs()
if isinstance(instance, Group):
queryset = provider.get_group_qs()
if not queryset:
continue
# The queryset we get from the provider must include the instance we've got given
# otherwise ignore this provider
if not queryset.filter(pk=instance.pk).exists():
continue
try: try:
if operation == PatchOp.add: if operation == PatchOp.add:
client.write(instance) client.write(instance)
@ -159,6 +173,13 @@ def scim_signal_m2m(group_pk: str, action: str, pk_set: list[int]):
if not group: if not group:
return return
for provider in SCIMProvider.objects.all(): for provider in SCIMProvider.objects.all():
# Check if the object is allowed within the provider's restrictions
queryset: QuerySet = provider.get_group_qs()
# The queryset we get from the provider must include the instance we've got given
# otherwise ignore this provider
if not queryset.filter(pk=group_pk).exists():
continue
client = SCIMGroupClient(provider) client = SCIMGroupClient(provider)
try: try:
operation = None operation = None
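Review bot: The new `if not queryset:` guard in scim_signal_direct evaluates the whole provider queryset (QuerySet truthiness fetches every row) only to detect the unset case, so every direct save signal now loads the provider's full user or group set per provider before the cheap `.exists()` check a few lines below; it should read `if queryset is None:`. That is also what the `queryset: Optional[QuerySet] = None` initialisation suggests, and the empty-queryset case is already handled by the `.filter(pk=instance.pk).exists()` check. The `client = client_for_model(provider, instance)` call above the guard could move below it, since the client is unused when the provider is skipped. One point to confirm with a test: the scoping check presumably runs for the remove operation too, so if the direct signal can fire after the row is gone, or after the object stopped matching the provider's restrictions, the deprovision is skipped and the remote SCIM account lingers. scim_signal_direct begins before the hunk and its operation handling continues past it.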