From 8e6a95b6ce813af0f5c3569f9ac13c4c5de10324 Mon Sep 17 00:00:00 2001
From: Valentin Deniaud
Date: Tue, 29 Nov 2022 18:30:06 +0100
Subject: [PATCH] attributes_ng: restore setting superuser flag (#71855)

---
 src/authentic2/app_settings.py | 1 +
 .../attributes_ng/sources/service_roles.py | 51 +++++++++++++++++++
 tests/test_idp_saml2.py | 12 ++++-
 3 files changed, 63 insertions(+), 1 deletion(-)
 create mode 100644 src/authentic2/attributes_ng/sources/service_roles.py

diff --git a/src/authentic2/app_settings.py b/src/authentic2/app_settings.py
index e33653ec2..fc22288c9 100644
--- a/src/authentic2/app_settings.py
+++ b/src/authentic2/app_settings.py
@@ -101,6 +101,7 @@ default_settings = dict(
             'authentic2.attributes_ng.sources.function',
             'authentic2.attributes_ng.sources.django_user',
             'authentic2.attributes_ng.sources.ldap',
+            'authentic2.attributes_ng.sources.service_roles',
         ),
         definition='List of attribute backend classes or modules',
     ),
diff --git a/src/authentic2/attributes_ng/sources/service_roles.py b/src/authentic2/attributes_ng/sources/service_roles.py
new file mode 100644
index 000000000..54bc03888
--- /dev/null
+++ b/src/authentic2/attributes_ng/sources/service_roles.py
@@ -0,0 +1,51 @@
+# authentic2 - versatile identity manager
+# Copyright (C) 2010-2019 Entr'ouvert
+#
+# This program is free software: you can redistribute it and/or modify it
+# under the terms of the GNU Affero General Public License as published
+# by the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program. If not, see .
+
+from django.utils.translation import gettext_lazy as _
+
+from authentic2.a2_rbac.models import Role
+
+from ...decorators import to_list
+
+
+@to_list
+def get_instances(ctx):
+    return [None]
+
+
+@to_list
+def get_attribute_names(instance, ctx):
+    yield ('is_superuser', 'is_superuser (%s)' % _('role attribute'))
+
+
+def get_dependencies(instance, ctx):
+    return (
+        'user',
+        'service',
+    )
+
+
+def get_attributes(instance, ctx):
+    user = ctx.get('user')
+    service = ctx.get('service')
+    if not user or not service:
+        return ctx
+    ctx = ctx.copy()
+    roles = Role.objects.for_user(user).filter(service=service)
+    for service_role in roles:
+        if service_role.is_superuser:
+            ctx['is_superuser'] = True
+    return ctx
diff --git a/tests/test_idp_saml2.py b/tests/test_idp_saml2.py
index 348df595b..fe4f355e1 100644
--- a/tests/test_idp_saml2.py
+++ b/tests/test_idp_saml2.py
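Review bot: The loop at the end of `get_attributes` loads every role the user holds for this service only to detect one boolean; it can be a single queryset test, `if Role.objects.for_user(user).filter(service=service, is_superuser=True).exists():` followed by `ctx['is_superuser'] = True`, which avoids materialising role rows and states the intent directly. The `service=service` filter is what stops a superuser role granted for one service from being asserted to another service's attribute set, so it deserves a short comment naming that purpose rather than being left implicit. The attribute is only ever asserted positively: a user with no flagged role for the requesting service gets no `is_superuser` key at all rather than `False`, so a module docstring should say so, e.g. `"""Expose is_superuser to a service when the user holds one of that service's roles flagged is_superuser; the key is never set to False, so consumers must treat absence as not superuser."""`. Whether `Role.objects.for_user` also returns roles obtained through role inheritance is not visible in this file, so the docstring should state which it is once confirmed.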
@@ -954,10 +954,19 @@ def test_add_attributes_user_ou1_role_ou2(add_attributes_all, user_ou1, role_ou2
     add_attributes_all.provider.save()
     service_role = Role.objects.create(
-        name='Role of service', slug='role-of-service', ou=ou1, service=add_attributes_all.provider
+        name='Role of service',
+        slug='role-of-service',
+        ou=ou1,
+        service=add_attributes_all.provider,
+        is_superuser=True,
     )
+    user_ou1.roles.add(service_role)
+    add_attributes_all.get_definitions.return_value.append(
+        SAMLAttribute(name_format='basic', name='is_superuser', attribute_name='is_superuser'),
+    )
+
     attributes = add_attributes_all(user_ou1)
     assert attributes == {
         'a2_role_names': {'Role of service', 'role_ou2'},
@@ -992,6 +1001,7 @@ def test_add_attributes_user_ou1_role_ou2(add_attributes_all, user_ou1, role_ou2
         'django_user_password': {'abba0b6ff456806bab66baed93e6d9c4'},
         'django_user_username': {'john.doe'},
         'django_user_uuid': {user_ou1.uuid},
+        'is_superuser': {'true'},
     }
--
2.35.1
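Review bot: The new assertions cover only the positive path, where `service_role` is created with `is_superuser=True` and the attribute comes back as `{'true'}` in the second hunk; nothing checks that the `is_superuser` key is absent when the user's service role is not flagged, or when the flagged role belongs to a different service, which is the property that actually matters for an attribute granting elevated rights. A companion test, or a parametrization of this one over `is_superuser=False`, asserting `'is_superuser' not in attributes` would pin that. Both hunks sit inside `test_add_attributes_user_ou1_role_ou2`, whose definition starts before the first hunk and whose body continues between them.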