0001-authentic2-support-direct-role-attribute-access-7067.patch
| hobo/agent/authentic2/management/commands/hobo_deploy.py | ||
|---|---|---|
| 21 | 21 |
from hobo.agent.authentic2.provisionning import Provisionning |
| 22 | 22 |
from hobo.agent.common.management.commands import hobo_deploy |
| 23 | 23 | |
| 24 |
try: |
|
| 25 |
from authentic2.a2_rbac.models import RoleAttribute |
|
| 26 | ||
| 27 |
has_role_attributes = True |
|
| 28 |
except ImportError: |
|
| 29 |
has_role_attributes = False |
|
| 30 | ||
| 31 | ||
| 24 | 32 |
User = get_user_model() |
| 25 | 33 | |
| 26 | 34 | |
| ... | ... | |
| 226 | 234 |
if su_role.name != name: |
| 227 | 235 |
su_role.name = name |
| 228 | 236 |
su_role.save() |
| 229 |
su_role.attributes.get_or_create(name='is_superuser', kind='string', value='true') |
|
| 237 |
if has_role_attributes: |
|
| 238 |
su_role.attributes.get_or_create(name='is_superuser', kind='string', value='true') |
|
| 239 |
else: |
|
| 240 |
su_role.is_superuser = True |
|
| 241 |
su_role.save() |
|
| 230 | 242 |
# pass the new attribute to the service |
| 231 | 243 |
SAMLAttribute.objects.get_or_create( |
| 232 | 244 |
name='is_superuser', |
| hobo/agent/authentic2/management/commands/hobo_provision.py | ||
|---|---|---|
| 6 | 6 | |
| 7 | 7 |
from hobo.agent.authentic2.provisionning import Provisionning |
| 8 | 8 | |
| 9 |
try: |
|
| 10 |
from authentic2.a2_rbac.models import RoleAttribute |
|
| 11 | ||
| 12 |
has_role_attributes = True |
|
| 13 |
except ImportError: |
|
| 14 |
has_role_attributes = False |
|
| 15 | ||
| 9 | 16 | |
| 10 | 17 |
class Command(BaseCommand): |
| 11 | 18 |
help = 'Provision all roles or users' |
| ... | ... | |
| 61 | 68 |
if users: |
| 62 | 69 |
time.sleep(batch_sleep) |
| 63 | 70 | |
| 64 |
roles_with_attributes = get_role_model().objects.filter(attributes__name='is_superuser').children() |
|
| 71 |
if has_role_attributes: |
|
| 72 |
roles_with_attributes = ( |
|
| 73 |
get_role_model().objects.filter(attributes__name='is_superuser').children() |
|
| 74 |
) |
|
| 75 |
else: |
|
| 76 |
roles_with_attributes = get_role_model().objects.filter(is_superuser=True).children() |
|
| 65 | 77 |
# first those without and admin attribute |
| 66 | 78 |
normal_users = qs.exclude(roles__in=roles_with_attributes) |
| 67 | 79 | |
| hobo/agent/authentic2/provisionning.py | ||
|---|---|---|
| 7 | 7 |
from itertools import chain, islice |
| 8 | 8 | |
| 9 | 9 |
import requests |
| 10 |
from authentic2.a2_rbac.models import RoleAttribute |
|
| 11 | 10 |
from authentic2.models import AttributeValue |
| 12 | 11 |
from authentic2.saml.models import LibertyProvider |
| 13 | 12 |
from django.conf import settings |
| ... | ... | |
| 20 | 19 |
from hobo.agent.common import notify_agents |
| 21 | 20 |
from hobo.signature import sign_url |
| 22 | 21 | |
| 22 |
try: |
|
| 23 |
from authentic2.a2_rbac.models import RoleAttribute |
|
| 24 |
except ImportError: |
|
| 25 | ||
| 26 |
class RoleAttribute: |
|
| 27 |
dummy = True |
|
| 28 | ||
| 29 | ||
| 23 | 30 |
User = get_user_model() |
| 24 | 31 |
Role = get_role_model() |
| 25 | 32 |
OU = get_ou_model() |
| ... | ... | |
| 185 | 192 |
for role in user_roles.get(user.id, []): |
| 186 | 193 |
if role.service_id != service.pk: |
| 187 | 194 |
continue |
| 188 |
for attribute in role.attributes.all(): |
|
| 189 |
if attribute.name == 'is_superuser' and attribute.value == 'true': |
|
| 190 |
role_is_superuser = True |
|
| 195 |
if hasattr(RoleAttribute, 'dummy'): |
|
| 196 |
role_is_superuser = role.is_superuser |
|
| 197 |
else: |
|
| 198 |
for attribute in role.attributes.all(): |
|
| 199 |
if attribute.name == 'is_superuser' and attribute.value == 'true': |
|
| 200 |
role_is_superuser = True |
|
| 191 | 201 |
data['is_superuser'] = user.is_superuser or role_is_superuser |
| 192 | 202 |
return data |
| 193 | 203 | |
| 194 | 204 |
# Find roles giving a superuser attribute |
| 195 | 205 |
# If there is any role of this kind, we do one provisionning message for each user and |
| 196 | 206 |
# each service. |
| 197 |
roles_with_attributes = ( |
|
| 198 |
Role.objects.filter(members__in=users) |
|
| 199 |
.parents(include_self=True) |
|
| 200 |
.filter(attributes__name='is_superuser') |
|
| 201 |
.exists() |
|
| 202 |
) |
|
| 207 |
if hasattr(RoleAttribute, 'dummy'): |
|
| 208 |
roles_with_attributes = ( |
|
| 209 |
Role.objects.filter(members__in=users) |
|
| 210 |
.parents(include_self=True) |
|
| 211 |
.filter(is_superuser=True) |
|
| 212 |
.exists() |
|
| 213 |
) |
|
| 214 |
else: |
|
| 215 |
roles_with_attributes = ( |
|
| 216 |
Role.objects.filter(members__in=users) |
|
| 217 |
.parents(include_self=True) |
|
| 218 |
.filter(attributes__name='is_superuser') |
|
| 219 |
.exists() |
|
| 220 |
) |
|
| 203 | 221 | |
| 204 |
all_roles = Role.objects.all().prefetch_related('attributes')
|
|
| 222 |
all_roles = Role.objects.all() |
|
| 223 |
if not hasattr(RoleAttribute, 'dummy'): |
|
| 224 |
all_roles = all_roles.prefetch_related('attributes')
|
|
| 205 | 225 |
roles = {r.id: r for r in all_roles}
|
| 206 | 226 |
user_roles = {}
|
| 207 | 227 |
parents = {}
|
| 208 |
- |
|