Merge branch 'devel' into boto3

grycap · Nov 8, 2024 · 299db4b · 299db4b
2 parents b0d2c68 + c0a914c
commit 299db4b
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 7 deletions.
diff --git a/IM/InfrastructureManager.py b/IM/InfrastructureManager.py
@@ -1434,10 +1434,7 @@ def check_oidc_token(im_auth):
 
                 if Config.OIDC_GROUPS:
                     # Get user groups from any of the possible fields
-                    user_groups = userinfo.get('groups',  # Generic
-                                               userinfo.get('entitlements',  # GEANT
-                                                            userinfo.get('eduperson_entitlement',  # EGI Check-in
-                                                                         [])))
+                    user_groups = userinfo.get(Config.OIDC_GROUPS_CLAIM, [])
 
                     if not set(Config.OIDC_GROUPS).issubset(user_groups):
                         raise InvaliddUserException("Invalid InfrastructureManager credentials. " +

diff --git a/IM/config.py b/IM/config.py
@@ -107,6 +107,7 @@ class Config:
     OIDC_USER_INFO_PATH = "/userinfo"
     OIDC_INSTROSPECT_PATH = "/introspect"
     OIDC_GROUPS = []
+    OIDC_GROUPS_CLAIM = "groups"
     VM_NUM_USE_CTXT_DIST = 30
     DELAY_BETWEEN_VM_RETRIES = 5
     VERIFI_SSL = False

diff --git a/IM/connectors/Kubernetes.py b/IM/connectors/Kubernetes.py
@@ -21,6 +21,8 @@
 import os
 import re
 import socket
+from random import choice
+from string import ascii_lowercase, digits
 from netaddr import IPNetwork, IPAddress
 try:
     from urlparse import urlparse
@@ -370,9 +372,12 @@ def _generate_ingress_data(self, namespace, name, dns, port, apps_dns, vm):
             if dns_url[1]:
                 host = dns_url[1]
                 if apps_dns and not host.endswith(apps_dns):
-                    if not host.endswith(".") and not apps_dns.startswith("."):
-                        host += "."
-                    host += apps_dns
+                    if host.endswith("."):
+                        host = host[:-1]
+                    host += "-" + ''.join(choice(ascii_lowercase + digits) for _ in range(4))
+                    if apps_dns.startswith("."):
+                        apps_dns = apps_dns[1:]
+                    host += "." + apps_dns
             if dns_url[2]:
                 path = dns_url[2]
 

diff --git a/etc/im.cfg b/etc/im.cfg
@@ -145,6 +145,8 @@ OIDC_ISSUERS = https://aai.egi.eu/auth/realms/egi
 #OIDC_INSTROSPECT_PATH = "/introspect"
 # List of OIDC groups that will be allowed to access the IM service
 #OIDC_GROUPS =
+# Claim where the groups are stored in the OIDC token
+# OIDC_GROUPS_CLAIM = groups
 # Force the users to pass a valid OIDC token
 #FORCE_OIDC_AUTH = False