From 4ed5d38e4cb196d38941de14482611cca30f8b2f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20P=C3=A9ters?=
Date: Tue, 15 Oct 2019 13:46:27 +0200
Subject: [PATCH] agent: consider allowed technical roles when provisionning roles (#36937)
---
 hobo/agent/authentic2/provisionning.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/hobo/agent/authentic2/provisionning.py b/hobo/agent/authentic2/provisionning.py
index 502d284..16b2421 100644
--- a/hobo/agent/authentic2/provisionning.py
+++ b/hobo/agent/authentic2/provisionning.py
@@ -213,7 +213,12 @@ class Provisionning(threading.local):
 })
 def notify_roles(self, ous, roles, mode='provision', full=False):
- roles = set([role for role in roles if not role.slug.startswith('_')])
+ allowed_technical_roles_prefixes = getattr(settings, 'HOBO_PROVISION_ROLE_PREFIXES', []) or []
+
+ def is_forbidden_technical_role(role):
+ return role.slug.startswith('_') and not role.slug.startswith(tuple(allowed_technical_roles_prefixes))
+
+ roles = set([role for role in roles if not is_forbidden_technical_role(role)])
 if mode == 'provision':
 self.complete_roles(roles)
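Review bot: `tuple(allowed_technical_roles_prefixes)` in `is_forbidden_technical_role` trusts the shape of `HOBO_PROVISION_ROLE_PREFIXES`: if the setting is a single string instead of a list, `tuple()` splits it into characters, and because an allowed prefix would normally begin with `_`, every underscore-prefixed slug then matches; an empty-string entry in the list has the same effect. The filter then fails open, and all technical roles would presumably be sent to the provisioned services without any error. Normalise the value once before the helper, e.g. `if isinstance(prefixes, str): prefixes = [prefixes]` followed by `prefixes = tuple(p for p in prefixes if p)` (with the string type appropriate to the Python version the agent runs on), and pass that tuple to `startswith`. A short comment stating that only slugs starting with a listed prefix are exempt from the `_` exclusion would also help whoever edits the setting. `notify_roles` continues past the end of the hunk, so how `roles` is used afterwards is not visible here.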