0001-misc-remove-compatibility-code-with-old-authentic-ve.patch
hobo/agent/authentic2/apps.py | ||
---|---|---|
14 | 14 |
# You should have received a copy of the GNU Affero General Public License |
15 | 15 |
# along with this program. If not, see <http://www.gnu.org/licenses/>. |
16 | 16 | |
17 |
from authentic2.a2_rbac.signals import post_soft_create, post_soft_delete |
|
17 | 18 |
from django.apps import AppConfig |
18 | 19 |
from django.conf import settings |
19 | 20 |
from django.db.models.signals import m2m_changed, post_save, pre_delete, pre_save |
20 | 21 | |
21 |
try: |
|
22 |
from authentic2.a2_rbac.signals import post_soft_create, post_soft_delete |
|
23 |
except ImportError: |
|
24 |
# legacy |
|
25 |
from django_rbac.signals import post_soft_create, post_soft_delete |
|
26 | ||
27 | 22 | |
28 | 23 |
class Plugin: |
29 | 24 |
def get_before_urls(self): |
hobo/agent/authentic2/management/commands/hobo_deploy.py | ||
---|---|---|
21 | 21 |
from hobo.agent.authentic2.provisionning import Provisionning |
22 | 22 |
from hobo.agent.common.management.commands import hobo_deploy |
23 | 23 | |
24 |
try: |
|
25 |
from authentic2.a2_rbac.models import RoleAttribute |
|
26 | ||
27 |
has_role_attributes = True |
|
28 |
except ImportError: |
|
29 |
has_role_attributes = False |
|
30 | ||
31 | ||
32 | 24 |
User = get_user_model() |
33 | 25 | |
34 | 26 | |
... | ... | |
233 | 225 |
if su_role.name != name: |
234 | 226 |
su_role.name = name |
235 | 227 |
su_role.save() |
236 |
if has_role_attributes: |
|
237 |
su_role.attributes.get_or_create(name='is_superuser', kind='string', value='true') |
|
238 |
else: |
|
239 |
su_role.is_superuser = True |
|
240 |
su_role.save() |
|
228 | ||
229 |
su_role.is_superuser = True |
|
230 |
su_role.save() |
|
231 | ||
241 | 232 |
# pass the new attribute to the service |
242 | 233 |
SAMLAttribute.objects.get_or_create( |
243 | 234 |
name='is_superuser', |
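Review bot: New lines 229–230 save `su_role` unconditionally right after the conditional save on 225–227, so a role whose name changed is written twice in the same call; fold the flag into the single write: `if su_role.name != name:` / `    su_role.name = name` / `su_role.is_superuser = True` / `su_role.save()`. Re-asserting `is_superuser = True` on every deploy rather than only on creation looks deliberate, but it deserves a one-line comment such as `# re-asserted on every deploy, not only when the role is created` so the next reader does not mistake it for a leftover of the removed attribute branch. The enclosing function starts and ends outside the hunk.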
hobo/agent/authentic2/management/commands/hobo_provision.py | ||
---|---|---|
6 | 6 | |
7 | 7 |
from hobo.agent.authentic2.provisionning import Provisionning |
8 | 8 | |
9 |
try: |
|
10 |
from authentic2.a2_rbac.models import RoleAttribute |
|
11 | ||
12 |
has_role_attributes = True |
|
13 |
except ImportError: |
|
14 |
has_role_attributes = False |
|
15 | ||
16 | 9 | |
17 | 10 |
class Command(BaseCommand): |
18 | 11 |
help = 'Provision all roles or users' |
... | ... | |
68 | 61 |
if users: |
69 | 62 |
time.sleep(batch_sleep) |
70 | 63 | |
71 |
if has_role_attributes: |
|
72 |
roles_with_attributes = Role.objects.filter(attributes__name='is_superuser').children() |
|
73 |
else: |
|
74 |
roles_with_attributes = Role.objects.filter(is_superuser=True).children() |
|
64 |
roles_with_attributes = Role.objects.filter(is_superuser=True).children() |
|
75 | 65 |
# first those without and admin attribute |
76 | 66 |
normal_users = qs.exclude(roles__in=roles_with_attributes) |
77 | 67 |
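Review bot: `roles_with_attributes` on new line 64 is a misnomer now that the role-attribute path is gone — the queryset is the children of roles flagged `is_superuser`, so `superuser_roles = Role.objects.filter(is_superuser=True).children()` with `qs.exclude(roles__in=superuser_roles)` on line 66 would read correctly; the same leftover name survives in provisionning.py at new line 192. The context comment on line 65 (`# first those without and admin attribute`) also still speaks of attributes and has a typo; `# first the users that hold no superuser role` would match the new code. The enclosing method starts and ends outside the hunk.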
hobo/agent/authentic2/provisionning.py | ||
---|---|---|
20 | 20 |
from hobo.agent.common import notify_agents |
21 | 21 |
from hobo.signature import sign_url |
22 | 22 | |
23 |
try: |
|
24 |
from authentic2.a2_rbac.models import RoleAttribute |
|
25 |
except ImportError: |
|
26 | ||
27 |
class RoleAttribute: |
|
28 |
dummy = True |
|
29 | ||
30 | ||
31 | 23 |
User = get_user_model() |
32 | 24 | |
33 | 25 |
logger = logging.getLogger(__name__) |
... | ... | |
190 | 182 |
for role in user_roles.get(user.id, []): |
191 | 183 |
if role.service_id != service.pk: |
192 | 184 |
continue |
193 |
if hasattr(RoleAttribute, 'dummy'): |
|
194 |
role_is_superuser = role.is_superuser |
|
195 |
else: |
|
196 |
for attribute in role.attributes.all(): |
|
197 |
if attribute.name == 'is_superuser' and attribute.value == 'true': |
|
198 |
role_is_superuser = True |
|
185 |
role_is_superuser = role.is_superuser |
|
199 | 186 |
data['is_superuser'] = user.is_superuser or role_is_superuser |
200 | 187 |
return data |
201 | 188 | |
202 | 189 |
# Find roles giving a superuser attribute |
203 | 190 |
# If there is any role of this kind, we do one provisionning message for each user and |
204 | 191 |
# each service. |
205 |
if hasattr(RoleAttribute, 'dummy'): |
|
206 |
roles_with_attributes = ( |
|
207 |
Role.objects.filter(members__in=users) |
|
208 |
.parents(include_self=True) |
|
209 |
.filter(is_superuser=True) |
|
210 |
.exists() |
|
211 |
) |
|
212 |
else: |
|
213 |
roles_with_attributes = ( |
|
214 |
Role.objects.filter(members__in=users) |
|
215 |
.parents(include_self=True) |
|
216 |
.filter(attributes__name='is_superuser') |
|
217 |
.exists() |
|
218 |
) |
|
192 |
roles_with_attributes = ( |
|
193 |
Role.objects.filter(members__in=users) |
|
194 |
.parents(include_self=True) |
|
195 |
.filter(is_superuser=True) |
|
196 |
.exists() |
|
197 |
) |
|
219 | 198 | |
220 | 199 |
all_roles = Role.objects.all() |
221 |
if not hasattr(RoleAttribute, 'dummy'): |
|
222 |
all_roles = all_roles.prefetch_related('attributes') |
|
223 | 200 |
roles = {r.id: r for r in all_roles} |
224 | 201 |
user_roles = {} |
225 | 202 |
parents = {} |
... | ... | |
317 | 294 |
) |
318 | 295 | |
319 | 296 |
roles = {role for role in roles if not is_forbidden_technical_role(role)} |
320 |
if mode == 'provision' and not hasattr(RoleAttribute, 'dummy'): |
|
321 |
self.complete_roles(roles) |
|
322 | 297 | |
323 | 298 |
if not roles: |
324 | 299 |
return |
... | ... | |
422 | 397 |
qs = LibertyProvider.objects.filter(ou__isnull=True) |
423 | 398 |
return [(service, service.entity_id) for service in qs] |
424 | 399 | |
425 |
def complete_roles(self, roles): |
|
426 |
for role in roles: |
|
427 |
role.emails = [] |
|
428 |
role.emails_to_members = True |
|
429 |
role.details = '' |
|
430 |
for attribute in role.attributes.all(): |
|
431 |
if attribute.name in ('emails', 'emails_to_members', 'details') and attribute.kind == 'json': |
|
432 |
setattr(role, attribute.name, json.loads(attribute.value)) |
|
433 | ||
434 | 400 |
def get_entity_id(self): |
435 | 401 |
tenant = getattr(connection, 'tenant', None) |
436 | 402 |
assert tenant |
... | ... | |
443 | 409 |
# we skip new instances |
444 | 410 |
if not instance.pk: |
445 | 411 |
return |
446 |
if not isinstance(instance, (User, Role, RoleAttribute, AttributeValue)):
|
|
412 |
if not isinstance(instance, (User, Role, AttributeValue)): |
|
447 | 413 |
return |
448 | 414 |
# ignore last_login update on login |
449 | 415 |
if isinstance(instance, User) and (update_fields and set(update_fields) == {'last_login'}): |
450 | 416 |
return |
451 |
if isinstance(instance, RoleAttribute): |
|
452 |
instance = instance.role |
|
453 | 417 |
elif isinstance(instance, AttributeValue): |
454 | 418 |
if not isinstance(instance.owner, User): |
455 | 419 |
return |
... | ... | |
465 | 429 |
return |
466 | 430 |
if not created: |
467 | 431 |
return |
468 |
if not isinstance(instance, (User, Role, RoleAttribute, AttributeValue)):
|
|
432 |
if not isinstance(instance, (User, Role, AttributeValue)): |
|
469 | 433 |
return |
470 |
if isinstance(instance, RoleAttribute): |
|
471 |
instance = instance.role |
|
472 | 434 |
elif isinstance(instance, AttributeValue): |
473 | 435 |
if not isinstance(instance.owner, User): |
474 | 436 |
return |
... | ... | |
480 | 442 |
return |
481 | 443 |
if isinstance(instance, (User, Role)): |
482 | 444 |
self.add_deleted(copy.copy(instance)) |
483 |
elif isinstance(instance, RoleAttribute): |
|
484 |
instance = instance.role |
|
485 |
self.add_saved(instance) |
|
486 | 445 |
elif isinstance(instance, AttributeValue): |
487 | 446 |
if not isinstance(instance.owner, User): |
488 | 447 |
return |
489 |
- |