[AIRFLOW-500] Use id for github allowed teams

The team string is not unique across an organization and therefore we should use the long id instead. Closes apache#1788 from mylons/master
jbhsieh · Oct 8, 2016 · a66cf75 · a66cf75
1 parent bae8bc7
commit a66cf75
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 8 deletions.
diff --git a/airflow/contrib/auth/backends/github_enterprise_auth.py b/airflow/contrib/auth/backends/github_enterprise_auth.py
@@ -138,13 +138,21 @@ def get_ghe_user_profile_info(self, ghe_token):
 
     def ghe_team_check(self, username, ghe_token):
         try:
-            teams = [team.strip()
-                     for team in
-                     get_config_param('allowed_teams').split(',')]
+            # the response from ghe returns the id of the team as an integer
+            try:
+                allowed_teams = [int(team.strip())
+                                 for team in
+                                 get_config_param('allowed_teams').split(',')]
+            except ValueError:
+                # this is to deprecate using the string name for a team
+                raise ValueError('it appears that you are using the string name for a team, '
+                                 'please use the id number instead')
+
         except AirflowConfigException:
             # No allowed teams defined, let anyone in GHE in.
             return True
 
+        # https://developer.github.com/v3/orgs/teams/#list-user-teams
         resp = self.ghe_oauth.get(self.ghe_api_route('/user/teams'),
                                   token=(ghe_token, ''))
 
@@ -154,14 +162,16 @@ def ghe_team_check(self, username, ghe_token):
                     resp.status if resp else 'None'))
 
         for team in resp.data:
-            # team json object has a slug cased team name field aptly named
-            # 'slug'
-            if team['slug'] in teams:
+            # mylons: previously this line used to be if team['slug'] in teams
+            # however, teams are part of organizations. organizations are unique,
+            # but teams are not therefore 'slug' for a team is not necessarily unique.
+            # use id instead
+            if team['id'] in allowed_teams:
                 return True
 
         _log.debug('Denying access for user "%s", not a member of "%s"',
                    username,
-                   str(teams))
+                   str(allowed_teams))
 
         return False
 

diff --git a/docs/security.rst b/docs/security.rst
@@ -240,7 +240,7 @@ your GHE installation will be able to login to Airflow.
     client_id = oauth_key_from_github_enterprise
     client_secret = oauth_secret_from_github_enterprise
     oauth_callback_route = /example/ghe_oauth/callback
-    allowed_teams = example_team_1, example_team_2
+    allowed_teams = 1, 345, 23
 
 Setting up GHE Authentication
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^