
0001-agent-authentic2-provision-the-is_superuser-attribut.patch

Benjamin Dauvergne, 04 janvier 2016 16:42


Subject: [PATCH] agent/authentic2: provision the is_superuser attribute (fixes
 #9230)

 hobo/agent/authentic2/apps.py                      | 41 +++++++++++++--------
 .../common/management/commands/hobo_notify.py      |  2 ++
 tests_authentic/test_provisionning.py              | 42 +++++++++++++++-------
 3 files changed, 58 insertions(+), 27 deletions(-)
hobo/agent/authentic2/apps.py
45 45
        qs = LibertyProvider.objects.filter(ou=ou)
46 46
    else:
47 47
        qs = LibertyProvider.objects.filter(ou__isnull=True)
48
    return list(qs.values_list('entity_id', flat=True))
48
    return [(service, service.entity_id) for service in qs]
49 49

  
50 50

  
51 51
def get_related_roles(role_or_through):
......
75 75
    try:
76 76
        notify_agents({
77 77
            '@type': 'provision',
78
            'audience': get_audience(instance),
78
            'audience': [audience for service, audience in get_audience(instance)],
79 79
            'full': True,
80 80
            'objects': {
81 81
                '@type': 'role',
......
111 111
    data = {}
112 112
    for av in AttributeValue.objects.with_owner(instance):
113 113
        data[str(av.attribute.name)] = av.to_python()
114

  
115
    roles = instance.roles_and_parents() \
116
            .prefetch_related('attributes')
117
    is_superuser = instance.is_superuser
114 118
    data.update({
115 119
        'uuid': instance.uuid,
116 120
        'username': instance.username,
......
122 126
                'uuid': role.uuid,
123 127
                'name': role.name,
124 128
                'slug': role.slug,
125
            } for role in instance.roles_and_parents()],
129
            } for role in roles],
126 130
    })
127 131

  
128
    notify_agents({
129
        '@type': 'provision',
130
        'issuer': unicode(get_entity_id()),
131
        'audience': get_audience(instance),
132
        'full': False,
133
        'objects': {
134
            '@type': 'user',
135
            'data': [data],
136
        }
137
    })
132
    for service, audience in get_audience(instance):
133
        role_is_superuser = False
134
        for role in roles:
135
            if role.service_id != service.pk:
136
                continue
137
            for attribute in role.attributes.all():
138
                if attribute.name == 'is_superuser' and attribute.value == 'true':
139
                    role_is_superuser = True
140
        data['is_superuser'] = is_superuser or role_is_superuser
141
        notify_agents({
142
            '@type': 'provision',
143
            'issuer': unicode(get_entity_id()),
144
            'audience': [audience],
145
            'full': False,
146
            'objects': {
147
                '@type': 'user',
148
                'data': [data],
149
            }
150
        })
138 151

  
139 152

  
140 153
def deprovision_user(sender, instance, **kwargs):
......
146 159
    notify_agents({
147 160
        '@type': 'deprovision',
148 161
        'issuer': unicode(get_entity_id()),
149
        'audience': get_audience(instance),
162
        'audience': [audience for service, audience in get_audience(instance)],
150 163
        'full': False,
151 164
        'objects': {
152 165
            '@type': 'user',
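Review bot: In the new per-service loop of provision_user (new lines 132-150) the same `data` dict is mutated and handed to every notify_agents call, so the `is_superuser` value an earlier audience ends up with depends on notify_agents serialising its payload before the next iteration overwrites the key; if delivery is deferred, each message should get its own copy, e.g. `payload = dict(data, is_superuser=is_superuser or role_is_superuser)` passed as `'data': [payload]`. The role check on new line 138 compares `attribute.value == 'true'` literally, so a stored `'True'` or `'1'` grants nothing; a comment such as `# only the lowercase literal 'true' marks a superuser-granting role` would make that contract explicit, or the value could be normalised with `.lower()`. Roles whose `service_id` is None are skipped by the `role.service_id != service.pk` guard, which is presumably intended but worth a comment. provision_user starts before this hunk.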
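--- a/hobo/agent/common/management/commands/hobo_notify.py
+++ b/hobo/agent/common/management/commands/hobo_notify.py
@@ -64,6 +64,7 @@
     @classmethod
     def check_valid_user(cls, o):
         return 'uuid' in o \
+               and 'is_superuser' in o \
                and 'email' in o \
                and 'first_name' in o \
                and 'last_name' in o \
@@ -98,6 +99,7 @@
                         user.last_name = o['last_name']
                         user.email = o['email']
                         user.username = o['uuid'][:30]
+                        user.is_superuser = o['is_superuser']
                         user.save()
                         role_uuids = [role['uuid'] for role in o.get('roles', [])]
                         user.groups = Role.objects.filter(uuid__in=role_uuids)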
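Review bot: `user.is_superuser = o['is_superuser']` (new line 102) stores whatever value the provisioning message carries, while the new check in check_valid_user (new line 67) only verifies that the key is present; since this is the path that grants superuser on the receiving agent, a non-boolean such as the string `'false'` would be saved and evaluate truthy. Validate the type rather than the key alone, e.g. `and isinstance(o.get('is_superuser'), bool) \` in check_valid_user, or coerce at the assignment with `user.is_superuser = o['is_superuser'] is True`. The function containing the second hunk starts outside it.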
tests_authentic/test_provisionning.py
50 50

  
51 51

  
52 52
def test_provision_user(tenant):
53
    import lasso
54
    from authentic2.saml.models import LibertyProvider
55

  
53 56
    with patch('hobo.agent.authentic2.apps.notify_agents') as notify_agents:
54 57
        with tenant_context(tenant):
55
            role = Role.objects.create(name='coin', ou=get_default_ou())
58
            service = LibertyProvider.objects.create(ou=get_default_ou(), name='provider',
59
                                                     entity_id='http://provider.com',
60
                                                     protocol_conformance=lasso.PROTOCOL_SAML_2_0)
61
            role = Role.objects.create(name='coin', service=service, ou=get_default_ou())
62
            role.attributes.create(kind='string', name='is_superuser', value='true')
56 63
            notify_agents.reset_mock()
57 64
            User = get_user_model()
58 65
            attribute = Attribute.objects.create(label='Code postal', name='code_postal',
......
71 78
                'issuer', 'audience', '@type', 'objects', 'full'])
72 79
            assert arg['issuer'] == \
73 80
                'http://%s/idp/saml2/metadata' % tenant.domain_url
74
            assert arg['audience'] == []
81
            assert arg['audience'] == ['http://provider.com']
75 82
            assert arg['@type'] == 'provision'
76 83
            assert arg['full'] is False
77 84
            objects = arg['objects']
......
82 89
            assert isinstance(data, list)
83 90
            assert len(data) == 1
84 91
            for o in data:
85
                assert set(o.keys()) == set(['uuid', 'username', 'first_name',
92
                assert set(o.keys()) == set(['uuid', 'username', 'first_name', 'is_superuser',
86 93
                                             'last_name', 'email', 'roles'])
87 94
                assert o['uuid'] == user.uuid
88 95
                assert o['username'] == user.username
......
90 97
                assert o['last_name'] == user.last_name
91 98
                assert o['email'] == user.email
92 99
                assert o['roles'] == []
100
                assert o['is_superuser'] is False
93 101

  
94 102
            notify_agents.reset_mock()
95 103
            attribute.set_value(user, '13400')
104
            user.is_superuser = True
105
            user.save()
96 106

  
97
            assert notify_agents.call_count == 1
107
            assert notify_agents.call_count == 2
98 108
            arg = notify_agents.call_args
99 109
            assert arg == call(ANY)
100 110
            arg = arg[0][0]
......
103 113
                'issuer', 'audience', '@type', 'objects', 'full'])
104 114
            assert arg['issuer'] == \
105 115
                'http://%s/idp/saml2/metadata' % tenant.domain_url
106
            assert arg['audience'] == []
116
            assert arg['audience'] == ['http://provider.com']
107 117
            assert arg['@type'] == 'provision'
108 118
            assert arg['full'] is False
109 119
            objects = arg['objects']
......
115 125
            assert len(data) == 1
116 126
            for o in data:
117 127
                assert set(o.keys()) == set(['code_postal', 'uuid', 'username', 'first_name',
118
                                             'last_name', 'email', 'roles'])
128
                                             'is_superuser', 'last_name', 'email', 'roles'])
119 129
                assert o['uuid'] == user.uuid
120 130
                assert o['username'] == user.username
121 131
                assert o['first_name'] == user.first_name
......
123 133
                assert o['email'] == user.email
124 134
                assert o['roles'] == []
125 135
                assert o['code_postal'] == '13400'
136
                assert o['is_superuser'] is True
126 137

  
127 138
            notify_agents.reset_mock()
128 139
            AttributeValue.objects.get().delete()
......
136 147
                'issuer', 'audience', '@type', 'objects', 'full'])
137 148
            assert arg['issuer'] == \
138 149
                'http://%s/idp/saml2/metadata' % tenant.domain_url
139
            assert arg['audience'] == []
150
            assert arg['audience'] == ['http://provider.com']
140 151
            assert arg['@type'] == 'provision'
141 152
            assert arg['full'] is False
142 153
            objects = arg['objects']
......
148 159
            assert len(data) == 1
149 160
            for o in data:
150 161
                assert set(o.keys()) == set(['uuid', 'username', 'first_name',
151
                                             'last_name', 'email', 'roles'])
162
                                             'is_superuser', 'last_name', 'email', 'roles'])
152 163
                assert o['uuid'] == user.uuid
153 164
                assert o['username'] == user.username
154 165
                assert o['first_name'] == user.first_name
155 166
                assert o['last_name'] == user.last_name
156 167
                assert o['email'] == user.email
157 168
                assert o['roles'] == []
169
                assert o['is_superuser'] is True
158 170

  
171
            user.is_superuser = False
172
            user.save()
159 173
            notify_agents.reset_mock()
160 174
            role.members.add(user)
161 175

  
......
168 182
                'issuer', 'audience', '@type', 'objects', 'full'])
169 183
            assert arg['issuer'] == \
170 184
                'http://%s/idp/saml2/metadata' % tenant.domain_url
171
            assert arg['audience'] == []
185
            assert arg['audience'] == ['http://provider.com']
172 186
            assert arg['@type'] == 'provision'
173 187
            assert arg['full'] is False
174 188
            objects = arg['objects']
......
180 194
            assert len(data) == 1
181 195
            for o in data:
182 196
                assert set(o.keys()) == set(['uuid', 'username', 'first_name',
183
                                             'last_name', 'email', 'roles'])
197
                                             'is_superuser', 'last_name', 'email', 'roles'])
184 198
                assert o['uuid'] == user.uuid
185 199
                assert o['username'] == user.username
186 200
                assert o['first_name'] == user.first_name
......
191 205
                    'name': role.name,
192 206
                    'slug': role.slug
193 207
                }]
208
                assert o['is_superuser'] is True
194 209

  
195 210
            notify_agents.reset_mock()
196 211
            user.roles.remove(role)
......
204 219
                'issuer', 'audience', '@type', 'objects', 'full'])
205 220
            assert arg['issuer'] == \
206 221
                'http://%s/idp/saml2/metadata' % tenant.domain_url
207
            assert arg['audience'] == []
222
            assert arg['audience'] == ['http://provider.com']
208 223
            assert arg['@type'] == 'provision'
209 224
            assert arg['full'] is False
210 225
            objects = arg['objects']
......
216 231
            assert len(data) == 1
217 232
            for o in data:
218 233
                assert set(o.keys()) == set(['uuid', 'username', 'first_name',
219
                                             'last_name', 'email', 'roles'])
234
                                             'is_superuser', 'last_name', 'email', 'roles'])
220 235
                assert o['uuid'] == user.uuid
221 236
                assert o['username'] == user.username
222 237
                assert o['first_name'] == user.first_name
223 238
                assert o['last_name'] == user.last_name
224 239
                assert o['email'] == user.email
225 240
                assert o['roles'] == []
241
                assert o['is_superuser'] is False
226 242
            notify_agents.reset_mock()
227 243
            user.delete()
228 244
            assert notify_agents.call_count == 1
......
234 250
                'issuer', 'audience', '@type', 'objects', 'full'])
235 251
            assert arg['issuer'] == \
236 252
                'http://%s/idp/saml2/metadata' % tenant.domain_url
237
            assert arg['audience'] == []
253
            assert arg['audience'] == ['http://provider.com']
238 254
            assert arg['@type'] == 'deprovision'
239 255
            assert arg['full'] is False
240 256
            objects = arg['objects']
241
-