
0001-DRAFT-A2-roles-mapped-to-LDAP-groups-16523.patch

Paul Marillonnet, 31 mai 2017 16:56


Subject: [PATCH] DRAFT A2 roles mapped to LDAP groups (#16523)

 src/authentic2/backends/ldap_backend.py | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
src/authentic2/backends/ldap_backend.py
216 216
        'groupstaff': None,
217 217
        'groupactive': None,
218 218
        'group_mapping': (),
219
        'role_mapping': (),
219 220
        'replicas': True,
220 221
        'email_field': 'mail',
221 222
        'fname_field': 'givenName',
......
514 515
                elif dn not in group_dns and group in groups:
515 516
                    user.groups.remove(group)
516 517

  
518
    def populate_roles_by_mapping(self, user, dn, conn, block, group_dns):
519
        '''Assign role to user based on a mapping from group (sic) DNs'''
520
        role_mapping = block.get('role_mapping')
521
        if not role_mapping:
522
            return
523
        if not user.pk:
524
            user.save()
525
            user._changed = False
526
        roles = user.roles.all()
527
        for dn, role_names in role_mapping:
528
            for role_name in role_names:
529
                role = self.get_role_by_name(block, role_name)
530
                if role is None:
531
                    continue
532
                # Add missing roles
533
                if dn in group_dns and role not in roles:
534
                    user.roles.add(role)
535
                # Remove extra roles
536
                elif dn not in groups_dns and role in roles:
537
                    user.roles.remove(role)
538

  
517 539
    def get_ldap_group_dns(self, user, dn, conn, block, attributes):
518 540
        '''Retrieve group DNs from the LDAP by attributes (memberOf) or by
519 541
           filter.
......
546 568
        self.populate_admin_flags_by_group(user, block, group_dns)
547 569
        self.populate_groups_by_mapping(user, dn, conn, block, group_dns)
548 570

  
571
    def populate_user_roles(self, user, dn, conn, block, attributes):
572
        group_dns = self.get_ldap_group_dns(user, dn, conn, block, attributes)
573
        log.debug('groups for dn %r: %r', dn, group_dns)
574
        # Admin flags by roles ?
575
        self.populate_roles_by_mapping(user, dn, conn, block, group_dns)
576

  
549 577
    def get_group_by_name(self, block, group_name, create=None):
550 578
        '''Obtain a Django group'''
551 579
        if create is None:
......
621 649
        self.populate_mandatory_groups(user, block)
622 650
        self.populate_mandatory_roles(user, block)
623 651
        self.populate_user_groups(user, dn, conn, block, attributes)
652
        self.populate_user_roles(user, dn, conn, block, attributes)
624 653

  
625 654
    def populate_user_ou(self, user, dn, conn, block, attributes):
626 655
        '''Assign LDAP user to an ou, the default one if ou_slug setting is
627
-