0001-provision-users-on-role-parenting-changes-fixes-9643.patch
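--- a/hobo/agent/authentic2/apps.py
+++ b/hobo/agent/authentic2/apps.py
@@ -22,9 +22,10 @@
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.db import connection
+from django.db.models import Q
 from django.core.urlresolvers import reverse
 
-from django_rbac.utils import get_role_model
+from django_rbac.utils import get_role_model, get_role_parenting_model
 
 from hobo.agent.common import notify_agents
 from authentic2.models import AttributeValue
@@ -198,6 +199,18 @@
         return
     provision_user(User, instance.owner)
 
+def on_save_role_parenting(sender, instance, created, **kwargs):
+    if not created:
+        return
+    User = get_user_model()
+    for user in instance.child.all_members():
+        provision_user(User, user)
+
+def on_delete_role_parenting(sender, instance, **kwargs):
+    User = get_user_model()
+    for user in instance.child.all_members():
+        provision_user(User, user)
+
 
 class Authentic2AgentConfig(AppConfig):
     name = 'hobo.agent.authentic2'
@@ -206,12 +219,15 @@
 
     def ready(self):
         Role = get_role_model()
+        RoleParenting = get_role_parenting_model()
         post_save.connect(notify_roles, sender=Role)
         post_delete.connect(notify_roles, sender=Role)
         post_save.connect(notify_roles, Role)
         post_delete.connect(notify_roles, Role)
         post_save.connect(notify_roles, Role.members.through)
         post_delete.connect(notify_roles, Role.members.through)
+        post_save.connect(on_save_role_parenting, sender=RoleParenting)
+        post_delete.connect(on_delete_role_parenting, sender=RoleParenting)
         User = get_user_model()
         post_save.connect(provision_user)
         post_delete.connect(deprovision_user)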
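Review bot: The two new handlers on_save_role_parenting and on_delete_role_parenting carry no docstring, and the reason they exist (re-pushing each member of the child role so that agents see the inherited parent role appear or disappear, i.e. downstream permissions such as is_superuser are granted or revoked promptly) is not stated anywhere in the hunk; a one-line docstring on each would do, for example `"""Re-provision every member of the child role so agents learn the new inherited roles."""` and `"""Re-provision every member of the child role so agents drop the no-longer-inherited roles."""`. Note that on_save_role_parenting returns early when `created` is false, so an update to an existing parenting row never triggers a resync — if that is intended it deserves a comment, otherwise the guard should be dropped. Both handlers call provision_user once per member, so a parenting change on a role with many members fans out one notification per user; if the parenting model also stores transitive rows this fires once per row, which is harmless but worth noting in the docstring. The added `from django.db.models import Q` is not used in any visible hunk; if nothing outside this diff uses it, drop it.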
tests_authentic/test_provisionning.py | ||
---|---|---|
13 | 13 | |
14 | 14 |
pytestmark = pytest.mark.django_db |
15 | 15 | |
16 | ||
17 | 16 |
def test_provision_role(tenant): |
18 | 17 |
with patch('hobo.agent.authentic2.apps.notify_agents') as notify_agents: |
19 | 18 |
with tenant_context(tenant): |
... | ... | |
58 | 57 |
service = LibertyProvider.objects.create(ou=get_default_ou(), name='provider', |
59 | 58 |
entity_id='http://provider.com', |
60 | 59 |
protocol_conformance=lasso.PROTOCOL_SAML_2_0) |
60 |
parent = Role.objects.create(name='parent', service=service, ou=get_default_ou()) |
|
61 | 61 |
role = Role.objects.create(name='coin', service=service, ou=get_default_ou()) |
62 | 62 |
role.attributes.create(kind='string', name='is_superuser', value='true') |
63 | 63 |
notify_agents.reset_mock() |
... | ... | |
208 | 208 |
assert o['is_superuser'] is True |
209 | 209 | |
210 | 210 |
notify_agents.reset_mock() |
211 |
role.add_parent(parent) |
|
212 | ||
213 |
assert notify_agents.call_count == 1 |
|
214 |
arg = notify_agents.call_args |
|
215 |
assert arg == call(ANY) |
|
216 |
arg = arg[0][0] |
|
217 |
assert isinstance(arg, dict) |
|
218 |
assert set(arg.keys()) == set([ |
|
219 |
'issuer', 'audience', '@type', 'objects', 'full']) |
|
220 |
assert arg['issuer'] == \ |
|
221 |
'http://%s/idp/saml2/metadata' % tenant.domain_url |
|
222 |
assert arg['audience'] == ['http://provider.com'] |
|
223 |
assert arg['@type'] == 'provision' |
|
224 |
assert arg['full'] is False |
|
225 |
objects = arg['objects'] |
|
226 |
assert isinstance(objects, dict) |
|
227 |
assert set(objects.keys()) == set(['data', '@type']) |
|
228 |
assert objects['@type'] == 'user' |
|
229 |
data = objects['data'] |
|
230 |
assert isinstance(data, list) |
|
231 |
assert len(data) == 1 |
|
232 |
order_by_uuid = lambda l: sorted(l, key=lambda x: x['uuid']) |
|
233 |
for o in data: |
|
234 |
assert set(o.keys()) == set(['uuid', 'username', 'first_name', |
|
235 |
'is_superuser', 'last_name', 'email', 'roles']) |
|
236 |
assert o['uuid'] == user.uuid |
|
237 |
assert o['username'] == user.username |
|
238 |
assert o['first_name'] == user.first_name |
|
239 |
assert o['last_name'] == user.last_name |
|
240 |
assert o['email'] == user.email |
|
241 |
assert order_by_uuid(o['roles']) == order_by_uuid([{ |
|
242 |
'uuid': role.uuid, |
|
243 |
'name': role.name, |
|
244 |
'slug': role.slug |
|
245 |
}, |
|
246 |
{ |
|
247 |
'uuid': parent.uuid, |
|
248 |
'name': parent.name, |
|
249 |
'slug': parent.slug |
|
250 |
}]) |
|
251 |
assert o['is_superuser'] is True |
|
252 | ||
253 |
notify_agents.reset_mock() |
|
211 | 254 |
user.roles.remove(role) |
212 | 255 | |
213 | 256 |
assert notify_agents.call_count == 1 |
214 |
- |