0001-authentic2-support-direct-role-attribute-access-7067.patch
hobo/agent/authentic2/management/commands/hobo_deploy.py | ||
---|---|---|
21 | 21 |
from hobo.agent.authentic2.provisionning import Provisionning |
22 | 22 |
from hobo.agent.common.management.commands import hobo_deploy |
23 | 23 | |
24 |
try: |
|
25 |
from authentic2.a2_rbac.models import RoleAttribute |
|
26 | ||
27 |
has_role_attributes = True |
|
28 |
except ImportError: |
|
29 |
has_role_attributes = False |
|
30 | ||
31 | ||
24 | 32 |
User = get_user_model() |
25 | 33 | |
26 | 34 | |
... | ... | |
226 | 234 |
if su_role.name != name: |
227 | 235 |
su_role.name = name |
228 | 236 |
su_role.save() |
229 |
su_role.attributes.get_or_create(name='is_superuser', kind='string', value='true') |
|
237 |
if has_role_attributes: |
|
238 |
su_role.attributes.get_or_create(name='is_superuser', kind='string', value='true') |
|
239 |
else: |
|
240 |
su_role.is_superuser = True |
|
241 |
su_role.save() |
|
230 | 242 |
# pass the new attribute to the service |
231 | 243 |
SAMLAttribute.objects.get_or_create( |
232 | 244 |
name='is_superuser', |
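Review bot: In the fallback branch of the second hunk (new lines 240–241) `su_role.is_superuser = True` followed by `su_role.save()` issues a write on every deploy, whereas the attribute branch is idempotent through `get_or_create`; guard it with `if not su_role.is_superuser:` around the assignment and save. The probe in the first hunk imports `RoleAttribute` only to test for its presence, so the name is unused and a linter will flag it — mark it `from authentic2.a2_rbac.models import RoleAttribute  # noqa: F401`, and note that the identical probe is duplicated in hobo_provision.py in this patch while provisionning.py appears to carry a third variant keyed on a `dummy` attribute, so one `has_role_attributes` defined in provisionning.py (already imported by both commands) would keep them from drifting. Because this flag decides how the superuser grant is persisted, the broad `except ImportError` also routes any transient import failure inside a2_rbac to the fallback, where assigning `is_superuser` on a Role model that has no such field would presumably be ignored by `save()` and silently drop the grant; checking for the field itself (for example through `get_role_model()._meta.get_fields()`) would fail loudly instead. The enclosing function of the second hunk starts and ends outside the hunk.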
hobo/agent/authentic2/management/commands/hobo_provision.py | ||
---|---|---|
6 | 6 | |
7 | 7 |
from hobo.agent.authentic2.provisionning import Provisionning |
8 | 8 | |
9 |
try: |
|
10 |
from authentic2.a2_rbac.models import RoleAttribute |
|
11 | ||
12 |
has_role_attributes = True |
|
13 |
except ImportError: |
|
14 |
has_role_attributes = False |
|
15 | ||
9 | 16 | |
10 | 17 |
class Command(BaseCommand): |
11 | 18 |
help = 'Provision all roles or users' |
... | ... | |
61 | 68 |
if users: |
62 | 69 |
time.sleep(batch_sleep) |
63 | 70 | |
64 |
roles_with_attributes = get_role_model().objects.filter(attributes__name='is_superuser').children() |
|
71 |
if has_role_attributes: |
|
72 |
roles_with_attributes = ( |
|
73 |
get_role_model().objects.filter(attributes__name='is_superuser').children() |
|
74 |
) |
|
75 |
else: |
|
76 |
roles_with_attributes = get_role_model().objects.filter(is_superuser=True).children() |
|
65 | 77 |
# first those without and admin attribute |
66 | 78 |
normal_users = qs.exclude(roles__in=roles_with_attributes) |
67 | 79 |
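Review bot: The two branches in the second hunk (new lines 71–76) repeat `get_role_model().objects.filter(...).children()` and differ only in the filter argument, so the condition is better expressed once: `role_filter = {'attributes__name': 'is_superuser'} if has_role_attributes else {'is_superuser': True}` followed by `roles_with_attributes = get_role_model().objects.filter(**role_filter).children()`. The two filters are also not equivalent: the attribute lookup matches any role carrying an `is_superuser` attribute whatever its value, while the fallback matches only roles whose flag is set, so a role with the attribute present but not 'true' is batched differently between the two backends — worth a one-line comment if that is intended. The name `roles_with_attributes` no longer describes the fallback branch; `superuser_roles` reads correctly for both. The enclosing method starts and ends outside the hunk.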
hobo/agent/authentic2/provisionning.py | ||
---|---|---|
7 | 7 |
from itertools import chain, islice |
8 | 8 | |
9 | 9 |
import requests |
10 |
from authentic2.a2_rbac.models import RoleAttribute |
|
11 | 10 |
from authentic2.models import AttributeValue |
12 | 11 |
from authentic2.saml.models import LibertyProvider |
13 | 12 |
from django.conf import settings |
... | ... | |
20 | 19 |
from hobo.agent.common import notify_agents |
21 | 20 |
from hobo.signature import sign_url |
22 | 21 | |
22 |
try: |
|
23 |
from authentic2.a2_rbac.models import RoleAttribute |
|
24 |
except ImportError: |
|
25 | ||
26 |
class RoleAttribute: |
|
27 |
dummy = True |
|
28 | ||
29 | ||
23 | 30 |
User = get_user_model() |
24 | 31 |
Role = get_role_model() |
25 | 32 |
OU = get_ou_model() |
... | ... | |
185 | 192 |
for role in user_roles.get(user.id, []): |
186 | 193 |
if role.service_id != service.pk: |
187 | 194 |
continue |
188 |
for attribute in role.attributes.all(): |
|
189 |
if attribute.name == 'is_superuser' and attribute.value == 'true': |
|
190 |
role_is_superuser = True |
|
195 |
if hasattr(RoleAttribute, 'dummy'): |
|
196 |
role_is_superuser = role.is_superuser |
|
197 |
else: |
|
198 |
for attribute in role.attributes.all(): |
|
199 |
if attribute.name == 'is_superuser' and attribute.value == 'true': |
|
200 |
role_is_superuser = True |
|
191 | 201 |
data['is_superuser'] = user.is_superuser or role_is_superuser |
192 | 202 |
return data |
193 | 203 | |
194 | 204 |
# Find roles giving a superuser attribute |
195 | 205 |
# If there is any role of this kind, we do one provisionning message for each user and |
196 | 206 |
# each service. |
197 |
roles_with_attributes = ( |
|
198 |
Role.objects.filter(members__in=users) |
|
199 |
.parents(include_self=True) |
|
200 |
.filter(attributes__name='is_superuser') |
|
201 |
.exists() |
|
202 |
) |
|
207 |
if hasattr(RoleAttribute, 'dummy'): |
|
208 |
roles_with_attributes = ( |
|
209 |
Role.objects.filter(members__in=users) |
|
210 |
.parents(include_self=True) |
|
211 |
.filter(is_superuser=True) |
|
212 |
.exists() |
|
213 |
) |
|
214 |
else: |
|
215 |
roles_with_attributes = ( |
|
216 |
Role.objects.filter(members__in=users) |
|
217 |
.parents(include_self=True) |
|
218 |
.filter(attributes__name='is_superuser') |
|
219 |
.exists() |
|
220 |
) |
|
203 | 221 | |
204 |
all_roles = Role.objects.all().prefetch_related('attributes') |
|
222 |
all_roles = Role.objects.all() |
|
223 |
if not hasattr(RoleAttribute, 'dummy'): |
|
224 |
all_roles = all_roles.prefetch_related('attributes') |
|
205 | 225 |
roles = {r.id: r for r in all_roles} |
206 | 226 |
user_roles = {} |
207 | 227 |
parents = {} |
208 |
- |