0003-agent-common-add-user-provisionning-and-tests-for-co.patch
hobo/agent/common/management/commands/hobo_notify.py | ||
---|---|---|
16 | 16 | |
17 | 17 |
import json |
18 | 18 |
import sys |
19 |
import random |
|
19 | 20 | |
20 | 21 |
from django.core.management.base import BaseCommand |
22 |
from django.db.transaction import atomic |
|
23 |
from django.db import IntegrityError |
|
21 | 24 | |
22 | 25 |
from tenant_schemas.utils import tenant_context |
23 | 26 |
from hobo.multitenant.middleware import TenantMiddleware |
24 | 27 | |
25 | 28 |
from hobo.agent.common.models import Role |
26 | 29 | |
30 |
class TryAgain(Exception): |
|
31 |
pass |
|
27 | 32 | |
28 | 33 |
class Command(BaseCommand): |
29 | 34 |
@classmethod |
... | ... | |
57 | 62 |
and 'description' in o |
58 | 63 | |
59 | 64 |
@classmethod |
60 |
def provision_role(cls, action, data, full=False): |
|
65 |
def check_valid_user(cls, o): |
|
66 |
return 'uuid' in o \ |
|
67 |
and 'email' in o \ |
|
68 |
and 'first_name' in o \ |
|
69 |
and 'last_name' in o \ |
|
70 |
and 'roles' in o |
|
71 | ||
72 |
@classmethod |
|
73 |
def provision_user(cls, issuer, action, data, full=False): |
|
74 |
from django.contrib.auth import get_user_model |
|
75 |
from mellon.models import UserSAMLIdentifier |
|
76 |
User = get_user_model() |
|
77 | ||
78 | ||
79 |
assert not full # provisionning all users is dangerous, we prefer deprovision |
|
80 |
uuids = set() |
|
81 |
for o in data: |
|
82 |
try: |
|
83 |
with atomic(): |
|
84 |
if action == 'provision': |
|
85 |
assert cls.check_valid_user(o) |
|
86 |
try: |
|
87 |
mellon_user = UserSAMLIdentifier.objects.get( |
|
88 |
issuer=issuer, name_id=o['uuid']) |
|
89 |
user = mellon_user.user |
|
90 |
except UserSAMLIdentifier.DoesNotExist: |
|
91 |
# temp user object |
|
92 |
random_uid = str(random.randint(1,10000000000000)) |
|
93 |
user = User.objects.create( |
|
94 |
username=random_uid) |
|
95 |
mellon_user = UserSAMLIdentifier.objects.create( |
|
96 |
user=user, issuer=issuer, name_id=o['uuid']) |
|
97 |
user.first_name = o['first_name'] |
|
98 |
user.last_name = o['last_name'] |
|
99 |
user.email = o['email'] |
|
100 |
user.username = o['uuid'][:30] |
|
101 |
user.save() |
|
102 |
role_uuids = [role['uuid'] for role in o.get('roles', [])] |
|
103 |
user.groups = Role.objects.filter(uuid__in=role_uuids) |
|
104 |
elif action == 'deprovision': |
|
105 |
assert 'uuid' in o |
|
106 |
uuids.add(o['uuid']) |
|
107 |
except IntegrityError: |
|
108 |
raise TryAgain |
|
109 |
if full and action == 'provision': |
|
110 |
for usi in UserSAMLIdentifier.objects.exclude(name_id__in=uuids): |
|
111 |
usi.user.delete() |
|
112 |
elif action == 'deprovision': |
|
113 |
for user in User.objects.filter(saml_identifiers__name_id__in=uuids): |
|
114 |
user.delete() |
|
115 | ||
116 | ||
117 |
@classmethod |
|
118 |
def provision_role(cls, issuer, action, data, full=False): |
|
61 | 119 |
uuids = set() |
62 | 120 |
for o in data: |
63 | 121 |
assert cls.check_valid_role(o) |
... | ... | |
93 | 151 |
audience = notification['audience'] |
94 | 152 |
full = notification['full'] if 'full' in notification else False |
95 | 153 |
entity_id = service.get('saml-sp-metadata-url') |
154 |
issuer = notification.get('issuer') |
|
96 | 155 |
assert entity_id, 'service has no saml-sp-metadat-url field' |
97 | 156 |
if entity_id not in audience: |
98 | 157 |
return |
99 | 158 |
uuids = set() |
100 | 159 |
object_type = notification['objects']['@type'] |
101 |
getattr(cls, 'provision_' + object_type)(action, notification['objects']['data'], full=full) |
|
160 |
while True: |
|
161 |
try: |
|
162 |
getattr(cls, 'provision_' + object_type)(issuer, action, notification['objects']['data'], full=full) |
|
163 |
except TryAgain: |
|
164 |
continue |
|
165 |
break |
tests_multitenant/settings.py | ||
---|---|---|
4 | 4 | |
5 | 5 |
LANGUAGE_CODE = 'en-us' |
6 | 6 | |
7 |
INSTALLED_APPS = ('django.contrib.auth', 'django.contrib.sessions', 'django.contrib.contenttypes') |
|
7 |
INSTALLED_APPS = ('django.contrib.auth', 'django.contrib.sessions', 'django.contrib.contenttypes', 'mellon')
|
|
8 | 8 | |
9 | 9 |
PROJECT_NAME = 'fake-agent' |
10 | 10 | |
11 | 11 |
with patch.object(builtin, 'file', mock_open(read_data='xxx')): |
12 | 12 |
execfile(os.path.join(os.path.dirname(__file__), '../debian/debian_config_common.py')) |
13 | 13 | |
14 |
TENANT_APPS = ('django.contrib.auth','django.contrib.sessions', 'django.contrib.contenttypes', 'hobo.agent.common') |
|
14 |
TENANT_APPS = ('django.contrib.auth','django.contrib.sessions', 'django.contrib.contenttypes', 'hobo.agent.common', 'mellon')
|
|
15 | 15 | |
16 | 16 |
ROOT_URLCONF = 'hobo.agent.test_urls' |
17 | 17 |
CACHES = { |
tests_multitenant/test_hobo_notify.py | ||
---|---|---|
107 | 107 |
Command.process_notification(tenant, notification) |
108 | 108 |
assert Group.objects.count() == 0 |
109 | 109 |
assert Role.objects.count() == 0 |
110 | ||
111 |
def test_provision_users(tenants): |
|
112 |
from hobo.agent.common.management.commands.hobo_notify import Command |
|
113 |
from tenant_schemas.utils import tenant_context |
|
114 |
from django.contrib.auth import get_user_model |
|
115 |
from django.contrib.auth.models import Group |
|
116 |
from hobo.agent.common.models import Role |
|
117 | ||
118 |
User = get_user_model() |
|
119 | ||
120 |
# provision a role |
|
121 |
for tenant in tenants: |
|
122 |
with tenant_context(tenant): |
|
123 |
notification = { |
|
124 |
u'@type': u'provision', |
|
125 |
u'audience': [u'%s/saml/metadata' % tenant.get_base_url()], |
|
126 |
u'objects': { |
|
127 |
u'@type': 'role', |
|
128 |
u'data': [ |
|
129 |
{ |
|
130 |
u'uuid': u'12345', |
|
131 |
u'name': u'Service petite enfance', |
|
132 |
u'slug': u'service-petite-enfance', |
|
133 |
u'description': u'Role du service petite enfance %s' % tenant.domain_url, |
|
134 |
} |
|
135 |
] |
|
136 |
} |
|
137 |
} |
|
138 |
Command.process_notification(tenant, notification) |
|
139 |
assert Group.objects.count() == 1 |
|
140 |
assert Role.objects.count() == 1 |
|
141 |
role = Role.objects.get() |
|
142 |
assert role.uuid == u'12345' |
|
143 |
assert role.name == u'Service petite enfance' |
|
144 |
assert role.description == u'Role du service petite enfance %s' % tenant.domain_url |
|
145 | ||
146 |
# test user provisionning |
|
147 |
for tenant in tenants: |
|
148 |
with tenant_context(tenant): |
|
149 |
notification = { |
|
150 |
u'@type': u'provision', |
|
151 |
u'issuer': 'http://idp.example.net/idp/saml/metadata', |
|
152 |
u'audience': [u'%s/saml/metadata' % tenant.get_base_url()], |
|
153 |
u'objects': { |
|
154 |
u'@type': 'user', |
|
155 |
u'data': [ |
|
156 |
{ |
|
157 |
u'uuid': u'a' * 32, |
|
158 |
u'first_name': u'John', |
|
159 |
u'last_name': u'Doe', |
|
160 |
u'email': u'john.doe@example.net', |
|
161 |
u'roles': [ |
|
162 |
{ |
|
163 |
u'uuid': u'12345', |
|
164 |
u'name': u'Service petite enfance', |
|
165 |
u'description': u'etc.', |
|
166 |
}, |
|
167 |
{ |
|
168 |
u'uuid': u'xyz', |
|
169 |
u'name': u'Service état civil', |
|
170 |
u'description': u'etc.', |
|
171 |
}, |
|
172 |
], |
|
173 |
} |
|
174 |
] |
|
175 |
} |
|
176 |
} |
|
177 |
Command.process_notification(tenant, notification) |
|
178 |
assert User.objects.count() == 1 |
|
179 |
assert Role.objects.count() == 1 |
|
180 |
assert Group.objects.count() == 1 |
|
181 |
user = User.objects.get() |
|
182 |
assert user.username == 'a' * 30 |
|
183 |
assert user.first_name == 'John' |
|
184 |
assert user.last_name == 'Doe' |
|
185 |
assert user.email == 'john.doe@example.net' |
|
186 |
assert user.saml_identifiers.count() == 1 |
|
187 |
usi = user.saml_identifiers.get() |
|
188 |
assert usi.issuer == 'http://idp.example.net/idp/saml/metadata' |
|
189 |
assert usi.name_id == 'a' * 32 |
|
190 |
assert user.groups.count() == 1 |
|
191 |
group = user.groups.get() |
|
192 |
assert group.name == 'Service petite enfance' |
|
193 |
role = Role.objects.get(group_ptr=group.pk) |
|
194 |
assert role.uuid == '12345' |
|
195 | ||
196 |
# test nothing change if run a second time |
|
197 |
for tenant in tenants: |
|
198 |
with tenant_context(tenant): |
|
199 |
notification = { |
|
200 |
u'@type': u'provision', |
|
201 |
u'issuer': 'http://idp.example.net/idp/saml/metadata', |
|
202 |
u'audience': [u'%s/saml/metadata' % tenant.get_base_url()], |
|
203 |
u'objects': { |
|
204 |
u'@type': 'user', |
|
205 |
u'data': [ |
|
206 |
{ |
|
207 |
u'uuid': u'a' * 32, |
|
208 |
u'first_name': u'John', |
|
209 |
u'last_name': u'Doe', |
|
210 |
u'email': u'john.doe@example.net', |
|
211 |
u'roles': [ |
|
212 |
{ |
|
213 |
u'uuid': u'12345', |
|
214 |
u'name': u'Service petite enfance', |
|
215 |
u'description': u'etc.', |
|
216 |
}, |
|
217 |
{ |
|
218 |
u'uuid': u'xyz', |
|
219 |
u'name': u'Service état civil', |
|
220 |
u'description': u'etc.', |
|
221 |
}, |
|
222 |
], |
|
223 |
} |
|
224 |
] |
|
225 |
} |
|
226 |
} |
|
227 |
Command.process_notification(tenant, notification) |
|
228 |
assert User.objects.count() == 1 |
|
229 |
assert Role.objects.count() == 1 |
|
230 |
assert Group.objects.count() == 1 |
|
231 |
user = User.objects.get() |
|
232 |
assert user.username == 'a' * 30 |
|
233 |
assert user.first_name == 'John' |
|
234 |
assert user.last_name == 'Doe' |
|
235 |
assert user.email == 'john.doe@example.net' |
|
236 |
assert user.saml_identifiers.count() == 1 |
|
237 |
usi = user.saml_identifiers.get() |
|
238 |
assert usi.issuer == 'http://idp.example.net/idp/saml/metadata' |
|
239 |
assert usi.name_id == 'a' * 32 |
|
240 |
assert user.groups.count() == 1 |
|
241 |
group = user.groups.get() |
|
242 |
assert group.name == 'Service petite enfance' |
|
243 |
role = Role.objects.get(group_ptr=group.pk) |
|
244 |
assert role.uuid == '12345' |
|
245 | ||
246 |
# test deprovision works |
|
247 |
for tenant in tenants: |
|
248 |
with tenant_context(tenant): |
|
249 |
notification = { |
|
250 |
u'@type': u'deprovision', |
|
251 |
u'issuer': 'http://idp.example.net/idp/saml/metadata', |
|
252 |
u'audience': [u'%s/saml/metadata' % tenant.get_base_url()], |
|
253 |
u'objects': { |
|
254 |
u'@type': 'user', |
|
255 |
u'data': [ |
|
256 |
{ |
|
257 |
u'uuid': u'a' * 32, |
|
258 |
} |
|
259 |
] |
|
260 |
} |
|
261 |
} |
|
262 |
Command.process_notification(tenant, notification) |
|
263 |
assert User.objects.count() == 0 |
|
110 |
- |