Added logging to diagnose group matches (#30)

* Added logging for failures on entra id mapping * Fix for compilation issue Never rename properties on a Saturday morning! :-) * Update README.md --------- Co-authored-by: Steve Temple <[email protected]>
Gibe · Oct 24, 2024 · 3019bf5 · 3019bf5
1 parent c7b1f77
commit 3019bf5
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -35,6 +35,7 @@ You'll need to configure the package by adding the following section to the root
 	  ],
     "Icon": "fa fa-lock",
     "ButtonStyle": "btn-microsoft",
+    "LogUnmappedRolesAsWarning": false
 },
 ```
 On Umbraco v13+ change the `Icon` to `"icon-microsoft-fill"`, i.e. `"Icon": "icon-microsoft-fill",`
@@ -166,5 +167,10 @@ i.e.
 }
 ```
 
+## LogUnmappedRolesAsWarning
+
+When `SetGroupsOnLogin` is set to true, if `LogUnmappedRolesAsWarning` is also set to true this will log as warning for unmapped Entra ID groups, where the Entra ID name has a slash `\` in it. Be design it does not log everything to prevent logging of email addresses and so on.
+
+
 
 
diff --git a/src/Umbraco.Community.AzureSSO/AzureSSOConfiguration.cs b/src/Umbraco.Community.AzureSSO/AzureSSOConfiguration.cs
@@ -18,6 +18,8 @@ public class AzureSSOConfiguration
 		public Dictionary<string, string> GroupBindings { get; set; } = new();
 
 		public bool? SetGroupsOnLogin { get; set; }
+
+		public bool? LogUnmappedRolesAsWarning { get; set; }
 
 		public string[]? DefaultGroups { get; set; }
 

diff --git a/src/Umbraco.Community.AzureSSO/MicrosoftAccountBackOfficeExternalLoginProviderOptions.cs b/src/Umbraco.Community.AzureSSO/MicrosoftAccountBackOfficeExternalLoginProviderOptions.cs
@@ -2,6 +2,7 @@
 using System.Linq;
 using System.Security.Claims;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Umbraco.Cms.Core.Security;
 using Umbraco.Cms.Web.BackOffice.Security;
@@ -14,6 +15,16 @@ public class MicrosoftAccountBackOfficeExternalLoginProviderOptions(AzureSsoSett
 	{
 		public const string SchemeName = "MicrosoftAccount";
 
+		private readonly AzureSsoSettings _settings;
+		private readonly ILogger<MicrosoftAccountBackOfficeExternalLoginProviderOptions> _logger;
+
+		public MicrosoftAccountBackOfficeExternalLoginProviderOptions(AzureSsoSettings settings,
+																																	ILogger<MicrosoftAccountBackOfficeExternalLoginProviderOptions> logger)
+		{
+			_settings = settings;
+			_logger = logger;
+		}
+
 		public void Configure(string? name, BackOfficeExternalLoginProviderOptions options)
 		{
 			var profile = settings.Profiles
@@ -90,7 +101,8 @@ private void SetGroups(BackOfficeIdentityUser user, ExternalLoginInfo loginInfo,
 		{
 			user.Roles.Clear();
 
-			var groups = loginInfo.Principal.Claims.Where(c => settings.GroupLookup.ContainsKey(c.Value));
+			var groups = loginInfo.Principal.Claims.Where(c => _settings.GroupLookup.ContainsKey(c.Value)).ToList();
+
 			foreach (var group in groups)
 			{
 				var umbracoGroups = settings.GroupLookup[group.Value].Split(',');
@@ -104,6 +116,16 @@ private void SetGroups(BackOfficeIdentityUser user, ExternalLoginInfo loginInfo,
 			{
 				user.AddRole(group);
 			}
+
+			if (_settings.LogUnmappedRolesAsWarning)
+			{
+				var unmappedGroups = loginInfo.Principal.Claims.Where(c => !_settings.GroupLookup.ContainsKey(c.Value) && c.Value.Contains("\\")).Select(c => c.Value).ToList();
+				if (unmappedGroups.Any())
+				{
+					_logger.LogWarning("The following groups were not mapped to Umbraco roles: {Groups}", string.Join(", ", unmappedGroups));
+				}
+			}
+
 		}
 
 		private void SetName(BackOfficeIdentityUser user, ExternalLoginInfo loginInfo)

diff --git a/src/Umbraco.Community.AzureSSO/Settings/AzureSSOSettings.cs b/src/Umbraco.Community.AzureSSO/Settings/AzureSSOSettings.cs
@@ -16,7 +16,6 @@ public AzureSsoSettings(AzureSSOConfiguration configuration)
 
 			Profiles = configuration.Profiles.Select(x => new AzureSsoProfileSettings(x)).ToArray();
 		}
-
 		public AzureSsoProfileSettings[] Profiles { get; }
 	}
 
@@ -28,6 +27,7 @@ public class AzureSsoProfileSettings(AzureSSOConfiguration configuration)
 		public string Icon => configuration.Icon ?? "fa fa-lock";
 		public Dictionary<string, string> GroupLookup => configuration.GroupBindings;
 		public bool SetGroupsOnLogin => configuration.SetGroupsOnLogin ?? true;
+    public bool LogUnmappedRolesAsWarning => _configuration.LogUnmappedRolesAsWarning ?? false;
 		public string[] DefaultGroups => configuration.DefaultGroups ?? System.Array.Empty<string>();
 		public bool DenyLocalLogin => configuration.DenyLocalLogin ?? false;
 		public TokenCacheType TokenCacheType => configuration.TokenCacheType;