From 614a2bede10f5da479140f343a15e9febcbfacc1 Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Tue, 25 Oct 2022 15:49:37 +0200
Subject: [PATCH] authentic2: support direct role attribute access (#70672)

---
 .../management/commands/hobo_deploy.py | 14 ++++++-
 .../management/commands/hobo_provision.py | 14 ++++++-
 hobo/agent/authentic2/provisionning.py | 42 ++++++++++++++-----
 3 files changed, 57 insertions(+), 13 deletions(-)

diff --git a/hobo/agent/authentic2/management/commands/hobo_deploy.py b/hobo/agent/authentic2/management/commands/hobo_deploy.py
index 7d9d17f..f80473f 100644
--- a/hobo/agent/authentic2/management/commands/hobo_deploy.py
+++ b/hobo/agent/authentic2/management/commands/hobo_deploy.py
@@ -21,6 +21,14 @@ from tenant_schemas.utils import tenant_context
 from hobo.agent.authentic2.provisionning import Provisionning
 from hobo.agent.common.management.commands import hobo_deploy
+try:
+    from authentic2.a2_rbac.models import RoleAttribute
+    has_role_attributes = True
+except ImportError:
+    has_role_attributes = False
+
+
 User = get_user_model()
@@ -226,7 +234,11 @@ class Command(hobo_deploy.Command):
             if su_role.name != name:
                 su_role.name = name
                 su_role.save()
-            su_role.attributes.get_or_create(name='is_superuser', kind='string', value='true')
+            if has_role_attributes:
+                su_role.attributes.get_or_create(name='is_superuser', kind='string', value='true')
+            else:
+                su_role.is_superuser = True
+                su_role.save()
             # pass the new attribute to the service
             SAMLAttribute.objects.get_or_create(
                 name='is_superuser',
diff --git a/hobo/agent/authentic2/management/commands/hobo_provision.py b/hobo/agent/authentic2/management/commands/hobo_provision.py
index 60269b8..8966062 100644
--- a/hobo/agent/authentic2/management/commands/hobo_provision.py
+++ b/hobo/agent/authentic2/management/commands/hobo_provision.py
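Review bot: `RoleAttribute` is imported in the new try block only to find out whether authentic2 still ships role attributes and is never referenced afterwards, so the import in hobo_deploy.py (and the identical block in hobo_provision.py) will be reported as unused by the linter, while provisionning.py, which both commands already import, detects the same capability a third way with a fallback class. Defining the flag once in provisionning.py and importing it here, `from hobo.agent.authentic2.provisionning import Provisionning, has_role_attributes`, keeps the three modules agreeing on how the check is made. If the local try block is kept, `from authentic2.a2_rbac.models import RoleAttribute  # noqa: F401` records that the import is a probe and not an oversight.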
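Review bot: In the new else branch `su_role.save()` is issued on every deploy even when the role already carries `is_superuser = True`, and it follows directly on the save done for the name change a few lines above, so a role that changed name is written twice. Mirroring the guard already used for the name keeps the branch idempotent: `if not su_role.is_superuser:` / `su_role.is_superuser = True` / `su_role.save()`. The enclosing method of Command starts outside the hunk, so whether su_role was just created (in which case the extra write is merely redundant) is not visible here.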
@@ -6,6 +6,13 @@ from django_rbac.utils import get_ou_model, get_role_model
 from hobo.agent.authentic2.provisionning import Provisionning
+try:
+    from authentic2.a2_rbac.models import RoleAttribute
+    has_role_attributes = True
+except ImportError:
+    has_role_attributes = False
+
 class Command(BaseCommand):
     help = 'Provision all roles or users'
@@ -61,7 +68,12 @@ class Command(BaseCommand):
             if users:
                 time.sleep(batch_sleep)
-        roles_with_attributes = get_role_model().objects.filter(attributes__name='is_superuser').children()
+        if has_role_attributes:
+            roles_with_attributes = (
+                get_role_model().objects.filter(attributes__name='is_superuser').children()
+            )
+        else:
+            roles_with_attributes = get_role_model().objects.filter(is_superuser=True).children()
         # first those without and admin attribute
         normal_users = qs.exclude(roles__in=roles_with_attributes)
diff --git a/hobo/agent/authentic2/provisionning.py b/hobo/agent/authentic2/provisionning.py
index 87128c2..dd80957 100644
--- a/hobo/agent/authentic2/provisionning.py
+++ b/hobo/agent/authentic2/provisionning.py
@@ -7,7 +7,6 @@ import urllib.parse
 from itertools import chain, islice
 import requests
-from authentic2.a2_rbac.models import RoleAttribute
 from authentic2.models import AttributeValue
 from authentic2.saml.models import LibertyProvider
 from django.conf import settings
@@ -20,6 +19,14 @@ from django_rbac.utils import get_ou_model, get_role_model, get_role_parenting_m
 from hobo.agent.common import notify_agents
 from hobo.signature import sign_url
+try:
+    from authentic2.a2_rbac.models import RoleAttribute
+except ImportError:
+
+    class RoleAttribute:
+        dummy = True
+
+
 User = get_user_model()
 Role = get_role_model()
 OU = get_ou_model()
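Review bot: The two branches of the new `if has_role_attributes:` select different role sets: `filter(is_superuser=True)` tests the flag's value, whereas the legacy branch, kept from the removed line, `filter(attributes__name='is_superuser')` matches any role that has an attribute of that name whatever its value, so a role whose attribute holds 'false' is still grouped with the admin roles. The per-user check in provisionning.py requires `attribute.value == 'true'`; aligning the query with it, `.filter(attributes__name='is_superuser', attributes__value='true')`, makes the two branches equivalent. As far as the hunk shows the result only orders the provisioning batches, so the mismatch affects ordering rather than privilege; the same name-only filter reappears in the last hunk of provisionning.py, where it decides whether per-user messages are sent at all.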
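Review bot: The fallback `class RoleAttribute` with a `dummy` marker turns every later capability check into `hasattr(RoleAttribute, 'dummy')`, which reads as a check on the model rather than on the authentic2 version, and the name then shadows a real model class with a stub that has none of its interface. The two management commands in this same patch express the condition as a boolean, so doing the same here is both clearer and consistent: `has_role_attributes = True` after the import and `has_role_attributes = False` in the except branch, with the stub class removed, after which the three checks in the next hunk become `if has_role_attributes:` / `if not has_role_attributes:`. A one-line comment on the try block, `# authentic2 dropped RoleAttribute in favour of a Role.is_superuser field`, would record why both code paths exist.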
@@ -185,23 +192,36 @@ class Provisionning(threading.local):
             for role in user_roles.get(user.id, []):
                 if role.service_id != service.pk:
                     continue
-                for attribute in role.attributes.all():
-                    if attribute.name == 'is_superuser' and attribute.value == 'true':
-                        role_is_superuser = True
+                if hasattr(RoleAttribute, 'dummy'):
+                    role_is_superuser = role.is_superuser
+                else:
+                    for attribute in role.attributes.all():
+                        if attribute.name == 'is_superuser' and attribute.value == 'true':
+                            role_is_superuser = True
             data['is_superuser'] = user.is_superuser or role_is_superuser
             return data
         # Find roles giving a superuser attribute
         # If there is any role of this kind, we do one provisionning message for each user and
         # each service.
-        roles_with_attributes = (
-            Role.objects.filter(members__in=users)
-            .parents(include_self=True)
-            .filter(attributes__name='is_superuser')
-            .exists()
-        )
+        if hasattr(RoleAttribute, 'dummy'):
+            roles_with_attributes = (
+                Role.objects.filter(members__in=users)
+                .parents(include_self=True)
+                .filter(is_superuser=True)
+                .exists()
+            )
+        else:
+            roles_with_attributes = (
+                Role.objects.filter(members__in=users)
+                .parents(include_self=True)
+                .filter(attributes__name='is_superuser')
+                .exists()
+            )
-        all_roles = Role.objects.all().prefetch_related('attributes')
+        all_roles = Role.objects.all()
+        if not hasattr(RoleAttribute, 'dummy'):
+            all_roles = all_roles.prefetch_related('attributes')
         roles = {r.id: r for r in all_roles}
         user_roles = {}
         parents = {}
--
2.35.1
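Review bot: `role_is_superuser = role.is_superuser` inside the loop over the user's roles overwrites whatever an earlier role established, so a user holding two roles on the same service, only the first of which is superuser, ends up with `data['is_superuser']` False; the legacy branch right below only ever raises the flag, and the new branch should do the same: `if role.is_superuser:` / `role_is_superuser = True`, or `role_is_superuser = role_is_superuser or role.is_superuser`. `role_is_superuser` is initialised before the hunk, presumably to False, and the enclosing function starts outside the hunk. Since this value is what the service receives as the user's admin status, the loss of the flag is a provisioning correctness issue rather than a cosmetic one.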