# authentic2_gnm - Authentic2 plugin for GNM # Copyright (C) 2017-2018 Entr'ouvert # # This program is free software: you can redistribute it and/or modify it # under the terms of the GNU Affero General Public License as published # by the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public License # along with this program. If not, see . import datetime import requests import sys import django.db from django.conf import settings from django.contrib.auth import get_user_model from django.core.management.base import BaseCommand from django_rbac.utils import get_ou_model from authentic2.a2_rbac.utils import get_default_ou from authentic2_auth_oidc.models import OIDCProvider, OIDCAccount class Command(BaseCommand): def handle(self, *args, **options): User = get_user_model() OU = get_ou_model() verbose = int(options['verbosity']) > 0 # check all existing users def chunks(l, n): for i in range(0, len(l), n): yield l[i:i + n] url = settings.CUT_API_BASE_URL + 'users/synchronization/' for provider in OIDCProvider.objects.all(): unknown_uuids = [] auth = (provider.client_id, provider.client_secret) for accounts in chunks(OIDCAccount.objects.filter(provider=provider), 100): subs = [x.sub for x in accounts] resp = requests.post(url, json={'known_uuids': subs}, auth=auth) resp.raise_for_status() unknown_uuids.extend(resp.json().get('unknown_uuids')) for account in OIDCAccount.objects.filter(sub__in=unknown_uuids): if verbose: print 'disabling', account.user.email, account.user.ou account.user.email = account.user.email + '.invalid' account.user.save() OIDCAccount.objects.filter(sub__in=unknown_uuids).delete() # update recently modified users cut_users = OIDCProvider.objects.get(slug='cut') url = settings.CUT_API_BASE_URL + 'users/?modified__gt=%s' % ( datetime.datetime.now() - datetime.timedelta(seconds=120)).strftime('%Y-%m-%dT%H:%M:%S') resp = requests.get(url, auth=settings.CUT_API_CREDENTIALS) resp.raise_for_status() for user_dict in resp.json()['results']: try: account = OIDCAccount.objects.get(user__email=user_dict['email']) except OIDCAccount.DoesNotExist: continue for claim in cut_users.claim_mappings.all(): setattr(account.user, claim.attribute, user_dict.get(claim.claim)) try: setattr(account.user.attributes, claim.attribute, user_dict.get(claim.claim)) except AttributeError: pass account.user.save() # get new agents cut_agents = OIDCProvider.objects.get(slug='cut-agents') ou_mapping = settings.CUT_GNM_OU_MAPPING for ou_cut_slug, ou_gnm_slug in ou_mapping.items(): ou_gnm = OU.objects.get(slug=ou_gnm_slug) url = settings.CUT_API_BASE_URL + 'users/?ou__slug=%s' % ou_cut_slug for cut_user_data in requests.get(url, auth=settings.CUT_API_CREDENTIALS).json()['results']: try: # get user with sub user = User.objects.get(oidc_account__provider=cut_agents, oidc_account__sub=cut_user_data['sub']) except User.DoesNotExist: # fallback to getting the user from its (email, ou) try: user = User.objects.get(email=cut_user_data['email'], ou=ou_gnm) except User.MultipleObjectsReturned: if verbose: print 'bad duplicated email', cut_user_data['email'] continue except User.DoesNotExist: # uuid? try: user = User.objects.get(uuid=cut_user_data['sub']) except User.DoesNotExist: # at last, create new user if verbose: print 'creating', cut_user_data['email'] user = User() if (user.uuid != cut_user_data['sub'] or user.ou != ou_gnm or user.email != cut_user_data['email'] or user.first_name != cut_user_data['first_name'] or user.last_name != cut_user_data['last_name']): if verbose: print 'updating', user.email, '->', ou_gnm # only touch user if there are changes user.uuid = cut_user_data['sub'] user.ou = ou_gnm user.email = cut_user_data['email'] user.first_name = cut_user_data['first_name'] user.last_name = cut_user_data['last_name'] user.save() try: OIDCAccount.objects.get_or_create(provider=cut_agents, user=user, sub=cut_user_data['sub']) except django.db.utils.IntegrityError: if verbose: print 'oops duplicated email?', cut_user_data['email']