agent: consider allowed technical roles when provisionning roles (#36937)

2019-10-15 13:46:27 +02:00 · 2019-10-15 13:46:27 +02:00 · 4ed5d38e4c
parent 7e8d61f077
commit 4ed5d38e4c
1 changed files with 6 additions and 1 deletions
--- a/hobo/agent/authentic2/provisionning.py
+++ b/hobo/agent/authentic2/provisionning.py
@ -213,7 +213,12 @@ class Provisionning(threading.local):
            })

    def notify_roles(self, ous, roles, mode='provision', full=False):
-        roles = set([role for role in roles if not role.slug.startswith('_')])
+        allowed_technical_roles_prefixes = getattr(settings, 'HOBO_PROVISION_ROLE_PREFIXES', []) or []
+
+        def is_forbidden_technical_role(role):
+            return role.slug.startswith('_') and not role.slug.startswith(tuple(allowed_technical_roles_prefixes))
+
+        roles = set([role for role in roles if not is_forbidden_technical_role(role)])
        if mode == 'provision':
            self.complete_roles(roles)