0003-wf-roles-handle-case-when-user-attributes-are-manage.patch

Benjamin Dauvergne, 05 décembre 2015 23:51


Subject: [PATCH 3/3] wf/roles: handle case when user attributes are managed by
 the idp (#9210)

If the user's attributes are managed by an idp, we add/remove roles by calling
the idp role management web-services. It only works with authentic2.
 wcs/wf/roles.py | 50 +++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 49 insertions(+), 1 deletion(-)
wcs/wf/roles.py
14 14
# You should have received a copy of the GNU General Public License
15 15
# along with this program; if not, see <http://www.gnu.org/licenses/>.
16 16

  
17
import urlparse
18
import urllib
19

  
17 20
from quixote import get_request, get_publisher
18 21
from qommon.form import *
19 22
from wcs.workflows import WorkflowStatusItem, register_item_class
20
from wcs.roles import get_user_roles
23
from wcs.roles import get_user_roles, Role
24
from qommon.ident.idp import is_idp_manage_user_attributes
25
from qommon.misc import http_post_request, http_delete_request
26
from qommon.publisher import get_cfg, get_logger
27

  
28

  
29
def roles_ws_url(role_uuid, user_uuid):
30
    idps = get_cfg('idp', {})
31
    entity_id = idps.values()[0]['metadata']
32
    base_url = entity_id.split('idp/saml2/metadata')[0]
33
    return urlparse.urljoin(base_url, '/api/roles/%s/members/%s/' % (urllib.urlquote(role_uuid),
34
                                                                     urllib.urlquote(user_uuid)))
35

  
21 36

  
22 37
class AddRoleWorkflowStatusItem(WorkflowStatusItem):
23 38
    description = N_('Add Role to User')
......
50 65
            # we can't work on anonymous or user_hash'ed forms
51 66
            return
52 67
        user = get_publisher().user_class.get(formdata.user_id)
68
        if user.name_identifiers and is_idp_manage_user_attributes():
69
            self.perform_idp(user, formdata)
70
        else:
71
            self.perform_local(user, formdata)
72

  
73
    def perform_local(self, user, formdata):
53 74
        if not user.roles:
54 75
            user.roles = []
55 76
        if not self.role_id in user.roles:
......
60 81
            # changes.
61 82
            get_request().user = user
62 83

  
84
    def perform_idp(self, user, formdata):
85
        role = Role.get(self.role_id)
86
        role_uuid = role.slug
87
        user_uuid = user.name_identifiers[0]
88
        response, status, data, auth_header = http_post_request(
89
            roles_ws_url(role_uuid, user_uuid))
90
        if status != 201:
91
            get_logger().error('failed to add role %r to user %r',
92
                               role, user)
93

  
94

  
63 95
register_item_class(AddRoleWorkflowStatusItem)
64 96

  
65 97

  
......
86 118
            # we can't work on anonymous or user_hash'ed forms
87 119
            return
88 120
        user = get_publisher().user_class.get(formdata.user_id)
121
        if user.name_identifiers and is_idp_manage_user_attributes():
122
            self.perform_idp(user, formdata)
123
        else:
124
            self.perform_local(user, formdata)
125

  
126
    def perform_local(self, user, formdata):
89 127
        if user.roles and self.role_id in user.roles:
90 128
            user.roles.remove(self.role_id)
91 129
            user.store()
......
94 132
                # with the changes.
95 133
                get_request().user = user
96 134

  
135
    def perform_idp(self, user, formdata):
136
        role = Role.get(self.role_id)
137
        role_uuid = role.slug
138
        user_uuid = user.name_identifiers[0]
139
        response, status, data, auth_header = http_delete_request(
140
            roles_ws_url(role_uuid, user_uuid))
141
        if status != 200:
142
            get_logger().error('failed to remove role %r from user %r',
143
                               role, user)
144

  
97 145
register_item_class(RemoveRoleWorkflowStatusItem)
98
-
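Review bot: `roles_ws_url` calls `urllib.urlquote`, which Python 2's urllib does not provide (the function is `urllib.quote`), so the first idp-managed role change would raise AttributeError before any request is sent; change both calls to `urllib.quote(role_uuid)` and `urllib.quote(user_uuid)`. The same helper takes `idps.values()[0]` without checking that this idp is the one that issued `user.name_identifiers[0]`, and derives the API base by splitting on `'idp/saml2/metadata'`, so with several idps configured or a metadata URL lacking that substring the role request is sent to an unintended host; it should refuse (log and return) when the split leaves the URL unchanged rather than fall through. In both `perform_idp` methods an unexpected status is only logged and the workflow step still completes, which for RemoveRoleWorkflowStatusItem leaves the user holding a role the workflow believes it revoked; at minimum record what the service answered, `get_logger().error('failed to remove role %r from user %r (status %s: %r)', role, user, status, data)`, and consider raising so the failure is visible to the caller. The enclosing `perform` methods and both classes start outside the hunks shown.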