From fed71c997479d8d69f032936267c1f10e9fb2d69 Mon Sep 17 00:00:00 2001
From: Paul Marillonnet
Date: Wed, 31 May 2017 16:31:26 +0200
Subject: [PATCH] DRAFT A2 roles mapped to LDAP groups (#16523)
---
 src/authentic2/backends/ldap_backend.py | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)
diff --git a/src/authentic2/backends/ldap_backend.py b/src/authentic2/backends/ldap_backend.py
index 542c8abe..9e958759 100644
--- a/src/authentic2/backends/ldap_backend.py
+++ b/src/authentic2/backends/ldap_backend.py
@@ -216,6 +216,7 @@ class LDAPBackend(object):
 'groupstaff': None,
 'groupactive': None,
 'group_mapping': (),
+ 'role_mapping': (),
 'replicas': True,
 'email_field': 'mail',
 'fname_field': 'givenName',
@@ -514,6 +515,27 @@ class LDAPBackend(object):
 elif dn not in group_dns and group in groups:
 user.groups.remove(group)
 
+ def populate_roles_by_mapping(self, user, dn, conn, block, group_dns):
+ '''Assign role to user based on a mapping from group (sic) DNs'''
+ role_mapping = block.get('role_mapping')
+ if not role_mapping:
+ return
+ if not user.pk:
+ user.save()
+ user._changed = False
+ roles = user.roles.all()
+ for dn, role_names in role_mapping:
+ for role_name in role_names:
+ role = self.get_role_by_name(block, role_name)
+ if role is None:
+ continue
+ # Add missing roles
+ if dn in group_dns and role not in roles:
+ user.roles.add(role)
+ # Remove extra roles
+ elif dn not in groups_dns and role in roles:
+ user.roles.remove(role)
+
 def get_ldap_group_dns(self, user, dn, conn, block, attributes):
 '''Retrieve group DNs from the LDAP by attributes (memberOf) or by filter. 
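Review bot: The removal branch of populate_roles_by_mapping reads `groups_dns`, a name that does not exist (the parameter is `group_dns`), so the first mapped role the user should not hold, or already holds, raises NameError and aborts the login instead of deprovisioning the role; the line should read `elif dn not in group_dns and role in roles:`. The outer loop also rebinds `dn`, the user's own DN parameter, to each mapping DN; `for mapped_dn, role_names in role_mapping:` (with the two membership tests updated) keeps the two meanings apart. Because `roles = user.roles.all()` is taken once before the loop, a role name listed under more than one DN is presumably added or removed against the pre-call membership rather than against the previous iteration's result, making the outcome order-dependent; if that configuration is meant to be supported, compute the wanted set of roles first and then diff it against the current ones. The docstring's "(sic)" reads as an unresolved note; stating the contract plainly, e.g. `'''Grant or revoke roles according to block['role_mapping'], keyed by LDAP group DN.'''`, would serve the next reader better.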
@@ -546,6 +568,12 @@ class LDAPBackend(object):
 self.populate_admin_flags_by_group(user, block, group_dns)
 self.populate_groups_by_mapping(user, dn, conn, block, group_dns)
 
+ def populate_user_roles(self, user, dn, conn, block, attributes):
+ group_dns = self.get_ldap_group_dns(user, dn, conn, block, attributes)
+ log.debug('groups for dn %r: %r', dn, group_dns)
+ # Admin flags by roles ?
+ self.populate_roles_by_mapping(user, dn, conn, block, group_dns)
+
 def get_group_by_name(self, block, group_name, create=None):
 '''Obtain a Django group'''
 if create is None:
@@ -621,6 +649,7 @@ class LDAPBackend(object):
 self.populate_mandatory_groups(user, block)
 self.populate_mandatory_roles(user, block)
 self.populate_user_groups(user, dn, conn, block, attributes)
+ self.populate_user_roles(user, dn, conn, block, attributes)
 def populate_user_ou(self, user, dn, conn, block, attributes):
 '''Assign LDAP user to an ou, the default one if ou_slug setting is
-- 
2.11.0
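Review bot: populate_user_roles resolves the group DNs with a second get_ldap_group_dns call for the same user, although the tail of populate_user_groups shown as context above has just used a `group_dns` it resolved for admin flags and group mapping; if that helper queries the directory (its docstring mentions a filter mode), every login pays the lookup twice and the two passes can observe different memberships, so consider resolving the DNs once in the caller and passing `group_dns` into both methods. The leftover `# Admin flags by roles ?` is an open design question rather than a comment; either remove it or make it actionable, e.g. `# TODO: decide whether staff/superuser flags should also be derived from roles`. The method also has no docstring; `'''Grant or revoke roles from the block's role_mapping, based on the user's LDAP group DNs.'''` would match the neighbouring methods.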
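Review bot: The new populate_user_roles call runs right after populate_mandatory_roles, and the removal branch of populate_roles_by_mapping revokes any mapped role whose group DN the user is not a member of; if populate_mandatory_roles grants roles from block configuration (its body is not in this patch), a role that is both mandatory and listed in `role_mapping` is granted and then silently revoked on the same login, a precedence the commit neither decides nor documents. The call is also unconditional, so the group-DN lookup inside populate_user_roles happens even when `role_mapping` is empty and populate_roles_by_mapping returns immediately; `if block.get('role_mapping'): self.populate_user_roles(user, dn, conn, block, attributes)` avoids that cost. The enclosing method starts before this hunk; a short comment there stating that mapped roles override mandatory ones (or the reverse, once chosen) would prevent the ordering from being changed by accident.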