Merge pull request #200 from quantopian/group_auth

DEV: Allow setting a whitelist_group on LocalAuthenticator.
2025-10-17 15:03:02 +00:00 · 2015-03-22 21:22:49 -07:00
parent 8787335b01 ed94c2d774
commit fad5f5a61d
1 changed files with 42 additions and 5 deletions
--- a/jupyterhub/auth.py
+++ b/jupyterhub/auth.py
@@ -3,6 +3,7 @@
 # Copyright (c) IPython Development Team.
 # Distributed under the terms of the Modified BSD License.

+from grp import getgrnam
 import pwd
 from subprocess import check_call, check_output, CalledProcessError

@@ -39,7 +40,14 @@ class Authenticator(LoggingConfigurable):
        It must return the username on successful authentication,
        and return None on failed authentication.
        """
-    
+
+    def check_whitelist(self, user):
+        """
+        Return True if the whitelist is empty or user is in the whitelist.
+        """
+        # Parens aren't necessary here, but they make this easier to parse.
+        return (not self.whitelist) or (user in self.whitelist)
+
    def add_user(self, user):
        """Add a new user
        
@@ -56,8 +64,7 @@ class Authenticator(LoggingConfigurable):
        
        Removes the user from the whitelist.
        """
-        if user.name in self.whitelist:
-            self.whitelist.remove(user.name)
+        self.whitelist.discard(user.name)
    
    def login_url(self, base_url):
        """Override to register a custom login handler"""
@@ -87,7 +94,37 @@ class LocalAuthenticator(Authenticator):
        should I try to create the system user?
        """
    )
-    
+
+    group_whitelist = Set(
+        config=True,
+        help="Automatically whitelist anyone in this group.",
+    )
+
+    def _group_whitelist_changed(self, name, old, new):
+        if self.whitelist:
+            self.log.warn(
+                "Ignoring username whitelist because group whitelist supplied!"
+            )
+
+    def check_whitelist(self, username):
+        if self.group_whitelist:
+            return self.check_group_whitelist(username)
+        else:
+            return super().check_whitelist(username)
+
+    def check_group_whitelist(self, username):
+        if not self.group_whitelist:
+            return False
+        for group in self.group_whitelist:
+            try:
+                group = getgrnam(self.group_whitelist)
+            except KeyError:
+                self.log.error('No such group: [%s]' % self.group_whitelist)
+                continue
+            if username in group.gr_mem:
+                return True
+        return False
+
    @gen.coroutine
    def add_user(self, user):
        """Add a new user
@@ -152,7 +189,7 @@ class PAMAuthenticator(LocalAuthenticator):
        Return None otherwise.
        """
        username = data['username']
-        if self.whitelist and username not in self.whitelist:
+        if not self.check_whitelist(username):
            return
        # simplepam wants bytes, not unicode
        # see simplepam#3