17 |
17 |
import hashlib
|
18 |
18 |
import logging
|
19 |
19 |
|
|
20 |
from django.contrib.auth import get_user_model
|
20 |
21 |
from django.contrib.auth.models import Group
|
21 |
22 |
from django.db import IntegrityError
|
22 |
|
from django.db.models.query import Q
|
23 |
23 |
from django.db.transaction import atomic
|
|
24 |
from mellon.models import Issuer
|
24 |
25 |
|
25 |
26 |
from hobo.agent.common.models import Role
|
26 |
27 |
from hobo.multitenant.utils import provision_user_groups
|
... | ... | |
50 |
51 |
return s
|
51 |
52 |
|
52 |
53 |
|
|
54 |
def get_issuer(entity_id):
|
|
55 |
issuer, created = Issuer.objects.get_or_create(entity_id=entity_id)
|
|
56 |
return issuer
|
|
57 |
|
|
58 |
|
|
59 |
def provision_user(entity_id, o, tries=0):
|
|
60 |
updated = set()
|
|
61 |
attributes = {
|
|
62 |
'first_name': o['first_name'][:30],
|
|
63 |
'last_name': o['last_name'][:150],
|
|
64 |
'email': o['email'][:254],
|
|
65 |
'username': o['uuid'][:150],
|
|
66 |
'is_superuser': o['is_superuser'],
|
|
67 |
'is_staff': o['is_superuser'],
|
|
68 |
'is_active': o.get('is_active', True),
|
|
69 |
}
|
|
70 |
|
|
71 |
User = get_user_model()
|
|
72 |
try:
|
|
73 |
user = User.objects.get(
|
|
74 |
saml_identifiers__name_id=o['uuid'], saml_identifiers__issuer__entity_id=entity_id
|
|
75 |
)
|
|
76 |
except User.DoesNotExist:
|
|
77 |
user = User()
|
|
78 |
|
|
79 |
for key in attributes:
|
|
80 |
if getattr(user, key) != attributes[key]:
|
|
81 |
setattr(user, key, attributes[key])
|
|
82 |
updated.add(key)
|
|
83 |
|
|
84 |
if not user.id: # user is new
|
|
85 |
issuer = get_issuer(entity_id)
|
|
86 |
try:
|
|
87 |
with atomic(savepoint=False):
|
|
88 |
user.save()
|
|
89 |
user.saml_identifiers.create(issuer=issuer, name_id=o['uuid'])
|
|
90 |
logger.info('provisionned new user %s', user_str(user))
|
|
91 |
except IntegrityError:
|
|
92 |
if tries > 0:
|
|
93 |
raise
|
|
94 |
return provision_user(user, o, tries=tries + 1)
|
|
95 |
elif updated:
|
|
96 |
user.save()
|
|
97 |
logger.info('updated user %s(%s)', user_str(user), updated)
|
|
98 |
return user
|
|
99 |
|
|
100 |
|
53 |
101 |
class NotificationProcessing:
|
54 |
102 |
@classmethod
|
55 |
103 |
def check_valid_notification(cls, notification):
|
... | ... | |
80 |
128 |
|
81 |
129 |
@classmethod
|
82 |
130 |
def provision_user(cls, issuer, action, data, full=False):
|
83 |
|
from django.contrib.auth import get_user_model
|
84 |
|
from mellon.models import UserSAMLIdentifier
|
85 |
|
from mellon.models_utils import get_issuer
|
|
131 |
assert not full # provisionning all users is dangerous, we prefer deprovision
|
86 |
132 |
|
87 |
133 |
User = get_user_model()
|
88 |
|
|
89 |
|
assert not full # provisionning all users is dangerous, we prefer deprovision
|
90 |
134 |
uuids = set()
|
|
135 |
|
91 |
136 |
for o in data:
|
92 |
|
try:
|
93 |
|
with atomic():
|
94 |
|
if action == 'provision':
|
95 |
|
new = False
|
96 |
|
updated = set()
|
97 |
|
attributes = {
|
98 |
|
'first_name': o['first_name'][:30],
|
99 |
|
'last_name': o['last_name'][:150],
|
100 |
|
'email': o['email'][:254],
|
101 |
|
'username': o['uuid'][:150],
|
102 |
|
'is_superuser': o['is_superuser'],
|
103 |
|
'is_staff': o['is_superuser'],
|
104 |
|
'is_active': o.get('is_active', True),
|
105 |
|
}
|
106 |
|
assert cls.check_valid_user(o)
|
107 |
|
try:
|
108 |
|
mellon_user = UserSAMLIdentifier.objects.get(
|
109 |
|
issuer__entity_id=issuer, name_id=o['uuid']
|
110 |
|
)
|
111 |
|
user = mellon_user.user
|
112 |
|
except UserSAMLIdentifier.DoesNotExist:
|
113 |
|
try:
|
114 |
|
user = User.objects.get(
|
115 |
|
Q(username=o['uuid'][:30]) | Q(username=o['uuid'][:150])
|
116 |
|
)
|
117 |
|
except User.DoesNotExist:
|
118 |
|
# temp user object
|
119 |
|
user = User.objects.create(**attributes)
|
120 |
|
new = True
|
121 |
|
saml_issuer = get_issuer(issuer)
|
122 |
|
mellon_user = UserSAMLIdentifier.objects.create(
|
123 |
|
user=user, issuer=saml_issuer, name_id=o['uuid']
|
124 |
|
)
|
125 |
|
if new:
|
126 |
|
logger.info('provisionned new user %s', user_str(user))
|
127 |
|
else:
|
128 |
|
for key in attributes:
|
129 |
|
if getattr(user, key) != attributes[key]:
|
130 |
|
setattr(user, key, attributes[key])
|
131 |
|
updated.add(key)
|
132 |
|
if updated:
|
133 |
|
user.save()
|
134 |
|
logger.info('updated user %s(%s)', user_str(user), updated)
|
135 |
|
role_uuids = [role['uuid'] for role in o.get('roles', [])]
|
136 |
|
provision_user_groups(user, role_uuids)
|
137 |
|
elif action == 'deprovision':
|
138 |
|
assert 'uuid' in o
|
139 |
|
uuids.add(o['uuid'])
|
140 |
|
except IntegrityError:
|
141 |
|
raise TryAgain
|
|
137 |
if action == 'provision':
|
|
138 |
assert cls.check_valid_user(o)
|
|
139 |
user = provision_user(issuer, o)
|
|
140 |
role_uuids = [role['uuid'] for role in o.get('roles', [])]
|
|
141 |
provision_user_groups(user, role_uuids)
|
|
142 |
elif action == 'deprovision':
|
|
143 |
assert 'uuid' in o
|
|
144 |
uuids.add(o['uuid'])
|
|
145 |
|
142 |
146 |
if (full and action == 'provision') or (action == 'deprovision'):
|
143 |
147 |
if action == 'deprovision':
|
144 |
148 |
qs = User.objects.filter(saml_identifiers__name_id__in=uuids)
|
145 |
|
-
|