[ROCK-8674] Sync correctly admin status (#304)

* Add metabase admin group to group sync list * Update changelog
Stratio · Oct 24, 2022 · 36e060f · 36e060f
1 parent c4f1a2f
commit 36e060f
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## 0.43.4-0.1.1 (upcoming)
+
+* [ROCK-8674] Sync correctly Administrators group
+
 ## 0.43.4-0.1.0 (2022-10-07)
 
 * [ROCK-7390] Update metabase to 0.43

diff --git a/src/metabase/stratio/auth.clj b/src/metabase/stratio/auth.clj
@@ -39,10 +39,11 @@
   (contains? (set groups) admin-group))
 
 (defn- effective-groups
-  [groups]
-  (if whitelist-disabled?
-    (set groups)
-    (set/intersection (set groups) whitelist)))
+  [groups superuser?]
+  (cond-> (set groups)
+    whitelist-enabled? (set/intersection whitelist)
+    true               (disj group/admin-group-name)  ;; prevent a SSO "Administrators" group to trigger admin status
+    superuser?         (conj group/admin-group-name)))
 
 (defn- allowed-user
   [{:keys [user groups error]}]
@@ -83,21 +84,21 @@
       (log/error "Could not create and sync groups. Error:" (st.util/stack-trace e)))))
 
 (defn- fetch-or-create-user!
-  [{first_name :first_name {groups :groups} :login_attributes, :as allowed-user}]
+  [{first_name :first_name {groups :groups} :login_attributes superuser? :is_superuser, :as allowed-user}]
   (or (if-let [user-in-db (db/select-one [User :id :last_login :is_superuser] :first_name first_name)]
         (do
           ;; Check if superuser status has changed and update if necessary
           (if (or (apply not= (map :is_superuser     [user-in-db allowed-user]))
                   (apply not= (map :login_attributes [user-in-db allowed-user])))
             (db/update! User (:id user-in-db)
-                        :is_superuser     (:is_superuser allowed-user)
+                        :is_superuser     superuser?
                         :login_attributes (:login_attributes allowed-user)))
           (if create-and-sync-groups?
-            (create-and-sync-groups! (:id user-in-db) (effective-groups groups)))
+            (create-and-sync-groups! (:id user-in-db) (effective-groups groups superuser?)))
           user-in-db))
       (let [user-inserted (insert-new-user! allowed-user)]
         (if create-and-sync-groups?
-          (create-and-sync-groups! (:id user-inserted) (effective-groups groups)))
+          (create-and-sync-groups! (:id user-inserted) (effective-groups groups superuser?)))
         user-inserted)))
 
 (defn create-session-from-headers!