0003-wf-roles-handle-case-when-user-attributes-are-manage.patch

Benjamin Dauvergne, 04 février 2016 16:11

Voir les différences: en ligne côte à côte

Subject: [PATCH 3/4] wf/roles: handle case when user attributes are managed by
 the idp (#9210)

If the user's attributes are managed by an idp, we add/remove roles by calling
the idp role management web-services. It only works with authentic2.

 wcs/wf/roles.py | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 82 insertions(+), 2 deletions(-)

     # You should have received a copy of the GNU General Public License
     # along with this program; if not, see <http://www.gnu.org/licenses/>.
     from quixote import get_request, get_publisher
     import urlparse
     import urllib
     import sys
     from quixote import get_request, get_publisher, get_response
     from qommon.form import *
     from wcs.workflows import WorkflowStatusItem, register_item_class
     from wcs.roles import get_user_roles
     from wcs.roles import get_user_roles, Role
     from qommon.ident.idp import is_idp_managing_user_attributes
     from qommon.misc import http_post_request, http_delete_request
     from qommon.publisher import get_cfg, get_logger
     from wcs.api import sign_url
     class MissingSecret(Exception):
         pass
     def get_secret(url):
         domain = urlparse.urlparse(url).netloc.split(':')[0]
         secret = get_publisher().get_site_option(domain, 'wscall-secrets')
         if not secret:
             raise MissingSecret()
         return secret
     def roles_ws_url(role_uuid, user_uuid):
         idps = get_cfg('idp', {})
         entity_id = idps.values()[0]['metadata_url']
         base_url = entity_id.split('idp/saml2/metadata')[0]
         url = urlparse.urljoin(base_url, '/api/roles/%s/members/%s/' % (urllib.quote(role_uuid),
                                                                          urllib.quote(user_uuid)))
         secret = get_secret(url)
         orig = get_request().get_server().split(':')[0]
         url += '?orig=%s' % orig
         return sign_url(url, secret)
     class AddRoleWorkflowStatusItem(WorkflowStatusItem):
         description = N_('Add Role to User')
-...
                 # we can't work on anonymous or user_hash'ed forms
                 return
             user = get_publisher().user_class.get(formdata.user_id)
             self.perform_local(user, formdata)
             if user.name_identifiers and is_idp_managing_user_attributes():
                 self.perform_idp(user, formdata)
         def perform_local(self, user, formdata):
             if not user.roles:
                 user.roles = []
             if not self.role_id in user.roles:
-...
                 # changes.
                 get_request().user = user
         def perform_idp(self, user, formdata):
             role = Role.get(self.role_id)
             role_uuid = role.slug
             user_uuid = user.name_identifiers[0]
             try:
                 url = roles_ws_url(role_uuid, user_uuid)
             except MissingSecret:
                 get_publisher().notify_of_exception(sys.exc_info(), context='[ROLES]')
                 return
             def after_job(job):
                 response, status, data, auth_header = http_post_request(url)
                 if status != 201:
                     get_logger().error('failed to add role %r to user %r',
                                        role, user)
             get_response().add_after_job(
                 str(N_('Adding role')),
                 after_job)
     register_item_class(AddRoleWorkflowStatusItem)
-...
                 # we can't work on anonymous or user_hash'ed forms
                 return
             user = get_publisher().user_class.get(formdata.user_id)
             self.perform_local(user, formdata)
             if user.name_identifiers and is_idp_managing_user_attributes():
                 self.perform_idp(user, formdata)
         def perform_local(self, user, formdata):
             if user.roles and self.role_id in user.roles:
                 user.roles.remove(self.role_id)
                 user.store()
-...
                     # with the changes.
                     get_request().user = user
         def perform_idp(self, user, formdata):
             role = Role.get(self.role_id)
             role_uuid = role.slug
             user_uuid = user.name_identifiers[0]
             try:
                 url = roles_ws_url(role_uuid, user_uuid)
             except MissingSecret:
                 get_publisher().notify_of_exception(sys.exc_info(), context='[ROLES]')
                 return
             def after_job(job):
                 response, status, data, auth_header = http_delete_request(url)
                 if status != 200:
                     get_logger().error('failed to remove role %r from user %r',
                                        role, user)
             get_response().add_after_job(
                 str(N_('Removing role')),
                 after_job)
     register_item_class(RemoveRoleWorkflowStatusItem)
+    -

Projet

Général

Profil

Produits Entr'ouvert » w.c.s.

0003-wf-roles-handle-case-when-user-attributes-are-manage.patch