attributes_ng: restore setting superuser flag (#71855)

This commit is contained in:
Valentin Deniaud 2022-11-29 18:30:06 +01:00
parent 5f0c03e32f
commit 8e6a95b6ce
3 changed files with 63 additions and 1 deletions

View File

@ -101,6 +101,7 @@ default_settings = dict(
'authentic2.attributes_ng.sources.function',
'authentic2.attributes_ng.sources.django_user',
'authentic2.attributes_ng.sources.ldap',
'authentic2.attributes_ng.sources.service_roles',
),
definition='List of attribute backend classes or modules',
),

View File

@ -0,0 +1,51 @@
# authentic2 - versatile identity manager
# Copyright (C) 2010-2019 Entr'ouvert
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from django.utils.translation import gettext_lazy as _
from authentic2.a2_rbac.models import Role
from ...decorators import to_list
@to_list
def get_instances(ctx):
return [None]
@to_list
def get_attribute_names(instance, ctx):
yield ('is_superuser', 'is_superuser (%s)' % _('role attribute'))
def get_dependencies(instance, ctx):
return (
'user',
'service',
)
def get_attributes(instance, ctx):
user = ctx.get('user')
service = ctx.get('service')
if not user or not service:
return ctx
ctx = ctx.copy()
roles = Role.objects.for_user(user).filter(service=service)
for service_role in roles:
if service_role.is_superuser:
ctx['is_superuser'] = True
return ctx

View File

@ -954,10 +954,19 @@ def test_add_attributes_user_ou1_role_ou2(add_attributes_all, user_ou1, role_ou2
add_attributes_all.provider.save()
service_role = Role.objects.create(
name='Role of service', slug='role-of-service', ou=ou1, service=add_attributes_all.provider
name='Role of service',
slug='role-of-service',
ou=ou1,
service=add_attributes_all.provider,
is_superuser=True,
)
user_ou1.roles.add(service_role)
add_attributes_all.get_definitions.return_value.append(
SAMLAttribute(name_format='basic', name='is_superuser', attribute_name='is_superuser'),
)
attributes = add_attributes_all(user_ou1)
assert attributes == {
'a2_role_names': {'Role of service', 'role_ou2'},
@ -992,6 +1001,7 @@ def test_add_attributes_user_ou1_role_ou2(add_attributes_all, user_ou1, role_ou2
'django_user_password': {'abba0b6ff456806bab66baed93e6d9c4'},
'django_user_username': {'john.doe'},
'django_user_uuid': {user_ou1.uuid},
'is_superuser': {'true'},
}