django-mellon/mellon/adapters.py

import logging
import uuid
from xml.etree import ElementTree as ET

import lasso
import requests
import requests.exceptions

from django.core.exceptions import PermissionDenied
from django.contrib import auth
from django.contrib.auth.models import Group
from django.utils import six
from django.utils.encoding import force_text

from . import utils, app_settings, models


class UserCreationError(Exception):
    pass


class DefaultAdapter(object):
    def __init__(self, *args, **kwargs):
        self.logger = logging.getLogger(__name__)

    def get_idp(self, entity_id):
        '''Find the first IdP definition matching entity_id'''
        for idp in self.get_idps():
            if entity_id == idp['ENTITY_ID']:
                return idp

    def get_identity_providers_setting(self):
        return app_settings.IDENTITY_PROVIDERS

    def get_idps(self):
        for i, idp in enumerate(self.get_identity_providers_setting()):
            if 'METADATA_URL' in idp and 'METADATA' not in idp:
                verify_ssl_certificate = utils.get_setting(
                    idp, 'VERIFY_SSL_CERTIFICATE')
                try:
                    response = requests.get(idp['METADATA_URL'], verify=verify_ssl_certificate)
                    response.raise_for_status()
                except requests.exceptions.RequestException as e:
                    self.logger.error(
                        u'retrieval of metadata URL %r failed with error %s for %d-th idp',
                        idp['METADATA_URL'], e, i)
                    continue
                idp['METADATA'] = response.text
            elif 'METADATA' in idp:
                if idp['METADATA'].startswith('/'):
                    idp['METADATA'] = open(idp['METADATA']).read()
            else:
                self.logger.error(u'missing METADATA or METADATA_URL in %d-th idp', i)
                continue
            if 'ENTITY_ID' not in idp:
                try:
                    doc = ET.fromstring(idp['METADATA'])
                except (TypeError, ET.ParseError):
                    self.logger.error(u'METADATA of %d-th idp is invalid', i)
                    continue
                if doc.tag != '{%s}EntityDescriptor' % lasso.SAML2_METADATA_HREF:
                    self.logger.error(u'METADATA of %d-th idp has no EntityDescriptor root tag', i)
                    continue

                if not 'entityID' in doc.attrib:
                    self.logger.error(
                        u'METADATA of %d-th idp has no entityID attribute on its root tag', i)
                    continue
                idp['ENTITY_ID'] = doc.attrib['entityID']
            yield idp

    def authorize(self, idp, saml_attributes):
        if not idp:
            return False
        required_classref = utils.get_setting(idp, 'AUTHN_CLASSREF')
        if required_classref:
            given_classref = saml_attributes['authn_context_class_ref']
            if given_classref is None or \
                    given_classref not in required_classref:
                raise PermissionDenied
        return True

    def format_username(self, idp, saml_attributes):
        realm = utils.get_setting(idp, 'REALM')
        username_template = utils.get_setting(idp, 'USERNAME_TEMPLATE')
        try:
            username = force_text(username_template).format(
                realm=realm, attributes=saml_attributes, idp=idp)[:30]
        except ValueError:
            self.logger.error(u'invalid username template %r', username_template)
        except (AttributeError, KeyError, IndexError) as e:
            self.logger.error(
                u'invalid reference in username template %r: %s', username_template, e)
        except Exception as e:
            self.logger.exception(u'unknown error when formatting username')
        else:
            return username

    def create_user(self, user_class):
        return user_class.objects.create(username=uuid.uuid4().hex[:30])

    def finish_create_user(self, idp, saml_attributes, user):
        username = self.format_username(idp, saml_attributes)
        if not username:
            self.logger.warning('could not build a username, login refused')
            raise UserCreationError
        user.username = username
        user.save()

    def lookup_user(self, idp, saml_attributes):
        User = auth.get_user_model()
        transient_federation_attribute = utils.get_setting(idp, 'TRANSIENT_FEDERATION_ATTRIBUTE')
        if saml_attributes['name_id_format'] == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:
            if (transient_federation_attribute
                    and saml_attributes.get(transient_federation_attribute)):
                name_id = saml_attributes[transient_federation_attribute]
                if not isinstance(name_id, six.string_types):
                    if len(name_id) == 1:
                        name_id = name_id[0]
                    else:
                        self.logger.warning('more than one value for attribute %r, cannot federate',
                                            transient_federation_attribute)
                        return None
            else:
                return None
        else:
            name_id = saml_attributes['name_id_content']
        issuer = saml_attributes['issuer']
        try:
            return User.objects.get(saml_identifiers__name_id=name_id,
                                    saml_identifiers__issuer=issuer)
        except User.DoesNotExist:
            if not utils.get_setting(idp, 'PROVISION'):
                self.logger.warning('provisionning disabled, login refused')
                return None
            user = self.create_user(User)
            saml_id, created = models.UserSAMLIdentifier.objects.get_or_create(
                name_id=name_id, issuer=issuer, defaults={'user': user})
            if created:
                try:
                    self.finish_create_user(idp, saml_attributes, user)
                except UserCreationError:
                    user.delete()
                    return None
                self.logger.info('created new user %s with name_id %s from issuer %s',
                                 user, name_id, issuer)
            else:
                user.delete()
                user = saml_id.user
                self.logger.info('looked up user %s with name_id %s from issuer %s',
                                 user, name_id, issuer)
        return user

    def provision(self, user, idp, saml_attributes):
        self.provision_attribute(user, idp, saml_attributes)
        self.provision_superuser(user, idp, saml_attributes)
        self.provision_groups(user, idp, saml_attributes)

    def provision_attribute(self, user, idp, saml_attributes):
        realm = utils.get_setting(idp, 'REALM')
        attribute_mapping = utils.get_setting(idp, 'ATTRIBUTE_MAPPING')
        attribute_set = False
        for field, tpl in attribute_mapping.items():
            try:
                value = force_text(tpl).format(realm=realm, attributes=saml_attributes, idp=idp)
            except ValueError:
                self.logger.warning(u'invalid attribute mapping template %r', tpl)
            except (AttributeError, KeyError, IndexError, ValueError) as e:
                self.logger.warning(
                    u'invalid reference in attribute mapping template %r: %s', tpl, e)
            else:
                model_field = user._meta.get_field(field)
                if hasattr(model_field, 'max_length'):
                    value = value[:model_field.max_length]
                if getattr(user, field) != value:
                    old_value = getattr(user, field)
                    setattr(user, field, value)
                    attribute_set = True
                    self.logger.info(u'set field %s of user %s to value %r (old value %r)', field,
                                     user, value, old_value)
        if attribute_set:
            user.save()

    def provision_superuser(self, user, idp, saml_attributes):
        superuser_mapping = utils.get_setting(idp, 'SUPERUSER_MAPPING')
        if not superuser_mapping:
            return
        attribute_set = False
        for key, values in superuser_mapping.items():
            if key in saml_attributes:
                if not isinstance(values, (tuple, list)):
                    values = [values]
                values = set(values)
                attribute_values = saml_attributes[key]
                if not isinstance(attribute_values, (tuple, list)):
                    attribute_values = [attribute_values]
                attribute_values = set(attribute_values)
                if attribute_values & values:
                    if not (user.is_staff and user.is_superuser):
                        user.is_staff = True
                        user.is_superuser = True
                        attribute_set = True
                        self.logger.info('flag is_staff and is_superuser added to user %s', user)
                    break
        else:
            if user.is_superuser or user.is_staff:
                user.is_staff = False
                user.is_superuser = False
                self.logger.info('flag is_staff and is_superuser removed from user %s', user)
                attribute_set = True
        if attribute_set:
            user.save()

    def provision_groups(self, user, idp, saml_attributes):
        User = user.__class__
        group_attribute = utils.get_setting(idp, 'GROUP_ATTRIBUTE')
        create_group = utils.get_setting(idp, 'CREATE_GROUP')
        if group_attribute in saml_attributes:
            values = saml_attributes[group_attribute]
            if not isinstance(values, (list, tuple)):
                values = [values]
            groups = []
            for value in set(values):
                if create_group:
                    group, created = Group.objects.get_or_create(name=value)
                else:
                    try:
                        group = Group.objects.get(name=value)
                    except Group.DoesNotExist:
                        continue
                groups.append(group)
            for group in Group.objects.filter(pk__in=[g.pk for g in groups]).exclude(user=user):
                self.logger.info(
                    u'adding group %s (%s) to user %s (%s)', group, group.pk, user, user.pk)
                User.groups.through.objects.get_or_create(group=group, user=user)
            qs = User.groups.through.objects.exclude(
                group__pk__in=[g.pk for g in groups]).filter(user=user)
            for rel in qs:
                self.logger.info(u'removing group %s (%s) from user %s (%s)', rel.group,
                                 rel.group.pk, rel.user, rel.user.pk)
            qs.delete()
first commit 2014-04-28 14:33:04 +02:00			`import logging`
fix concurrency error when creating new users (fixes #9965) UserSAMLIdentifier is retrieved using get_or_create() first, and if is new we proceed with the creation of the new user, otherwise we delete the temporaru user we created use the one attached to the existing UserSAMLIdentifier. 2016-02-12 17:19:34 +01:00			`import uuid`
move idp settings building in adapters 2016-02-26 13:27:32 +01:00			`from xml.etree import ElementTree as ET`

			`import lasso`
			`import requests`
			`import requests.exceptions`
first commit 2014-04-28 14:33:04 +02:00
			`from django.core.exceptions import PermissionDenied`
			`from django.contrib import auth`
			`from django.contrib.auth.models import Group`
python3: adjust unicode usage 2018-03-25 10:19:36 +02:00			`from django.utils import six`
use force_text for python2/3 compatibility (#24139) 2018-05-29 12:21:13 +02:00			`from django.utils.encoding import force_text`
first commit 2014-04-28 14:33:04 +02:00
add a model to store user<->NameID mapping (#7085) 2015-04-29 16:39:14 +02:00			`from . import utils, app_settings, models`
first commit 2014-04-28 14:33:04 +02:00

adapters: factorize user creation in lookup_user() (fixes #10164) User creation can have peculiarities. 2016-03-02 15:34:07 +01:00			`class UserCreationError(Exception):`
			`pass`


first commit 2014-04-28 14:33:04 +02:00			`class DefaultAdapter(object):`
adapters: prevent collision in provision_groups() (fixes #9327) Assiging related m2m fields provokes a bulk insert which is not safe with respect to concurrent writes, we replace this by use of get_or_create() and delete() on the through model of the User.groups field. 2015-12-14 16:39:05 +01:00			`def __init__(self, args, *kwargs):`
			`self.logger = logging.getLogger(__name__)`

adapters: add implementation of get_idp() to the DefaultAdapter class 2014-08-05 18:19:33 +02:00			`def get_idp(self, entity_id):`
			`'''Find the first IdP definition matching entity_id'''`
Revert "support federation file loading (#19396)" This reverts commit 63993e360c89b22ea8e70fabf12d4f7e223cfb90. 2018-01-09 21:43:25 +01:00			`for idp in self.get_idps():`
			`if entity_id == idp['ENTITY_ID']:`
			`return idp`
adapters: add implementation of get_idp() to the DefaultAdapter class 2014-08-05 18:19:33 +02:00
move idp settings building in adapters 2016-02-26 13:27:32 +01:00			`def get_identity_providers_setting(self):`
Revert "support federation file loading (#19396)" This reverts commit 63993e360c89b22ea8e70fabf12d4f7e223cfb90. 2018-01-09 21:43:25 +01:00			`return app_settings.IDENTITY_PROVIDERS`
move idp settings building in adapters 2016-02-26 13:27:32 +01:00
Always use adapters to get to IdP settings 2015-02-13 18:03:47 +01:00			`def get_idps(self):`
move idp settings building in adapters 2016-02-26 13:27:32 +01:00			`for i, idp in enumerate(self.get_identity_providers_setting()):`
			`if 'METADATA_URL' in idp and 'METADATA' not in idp:`
			`verify_ssl_certificate = utils.get_setting(`
			`idp, 'VERIFY_SSL_CERTIFICATE')`
			`try:`
			`response = requests.get(idp['METADATA_URL'], verify=verify_ssl_certificate)`
			`response.raise_for_status()`
misc: update exception handling for Python 3 (#20925) 2017-12-28 17:31:20 +01:00			`except requests.exceptions.RequestException as e:`
move idp settings building in adapters 2016-02-26 13:27:32 +01:00			`self.logger.error(`
			`u'retrieval of metadata URL %r failed with error %s for %d-th idp',`
			`idp['METADATA_URL'], e, i)`
			`continue`
python3: get metadata from URL as a string 2018-04-05 14:38:25 +02:00			`idp['METADATA'] = response.text`
Revert "support federation file loading (#19396)" This reverts commit 63993e360c89b22ea8e70fabf12d4f7e223cfb90. 2018-01-09 21:43:25 +01:00			`elif 'METADATA' in idp:`
			`if idp['METADATA'].startswith('/'):`
python3: use open() to open files 2018-03-25 09:57:01 +02:00			`idp['METADATA'] = open(idp['METADATA']).read()`
Revert "support federation file loading (#19396)" This reverts commit 63993e360c89b22ea8e70fabf12d4f7e223cfb90. 2018-01-09 21:43:25 +01:00			`else:`
move idp settings building in adapters 2016-02-26 13:27:32 +01:00			`self.logger.error(u'missing METADATA or METADATA_URL in %d-th idp', i)`
			`continue`
Revert "support federation file loading (#19396)" This reverts commit 63993e360c89b22ea8e70fabf12d4f7e223cfb90. 2018-01-09 21:43:25 +01:00			`if 'ENTITY_ID' not in idp:`
			`try:`
			`doc = ET.fromstring(idp['METADATA'])`
			`except (TypeError, ET.ParseError):`
			`self.logger.error(u'METADATA of %d-th idp is invalid', i)`
			`continue`
			`if doc.tag != '{%s}EntityDescriptor' % lasso.SAML2_METADATA_HREF:`
			`self.logger.error(u'METADATA of %d-th idp has no EntityDescriptor root tag', i)`
			`continue`

			`if not 'entityID' in doc.attrib:`
			`self.logger.error(`
			`u'METADATA of %d-th idp has no entityID attribute on its root tag', i)`
			`continue`
			`idp['ENTITY_ID'] = doc.attrib['entityID']`
move idp settings building in adapters 2016-02-26 13:27:32 +01:00			`yield idp`
Always use adapters to get to IdP settings 2015-02-13 18:03:47 +01:00
first commit 2014-04-28 14:33:04 +02:00			`def authorize(self, idp, saml_attributes):`
			`if not idp:`
			`return False`
rename get_parameter() to get_setting() 2014-08-05 17:55:29 +02:00			`required_classref = utils.get_setting(idp, 'AUTHN_CLASSREF')`
first commit 2014-04-28 14:33:04 +02:00			`if required_classref:`
			`given_classref = saml_attributes['authn_context_class_ref']`
			`if given_classref is None or \`
			`given_classref not in required_classref:`
			`raise PermissionDenied`
			`return True`

			`def format_username(self, idp, saml_attributes):`
rename get_parameter() to get_setting() 2014-08-05 17:55:29 +02:00			`realm = utils.get_setting(idp, 'REALM')`
			`username_template = utils.get_setting(idp, 'USERNAME_TEMPLATE')`
first commit 2014-04-28 14:33:04 +02:00			`try:`
use force_text for python2/3 compatibility (#24139) 2018-05-29 12:21:13 +02:00			`username = force_text(username_template).format(`
Limit username to 30 characters for now (#7085) 2015-04-29 17:07:14 +02:00			`realm=realm, attributes=saml_attributes, idp=idp)[:30]`
first commit 2014-04-28 14:33:04 +02:00			`except ValueError:`
adapters: prevent collision in provision_groups() (fixes #9327) Assiging related m2m fields provokes a bulk insert which is not safe with respect to concurrent writes, we replace this by use of get_or_create() and delete() on the through model of the User.groups field. 2015-12-14 16:39:05 +01:00			`self.logger.error(u'invalid username template %r', username_template)`
misc: update exception handling for Python 3 (#20925) 2017-12-28 17:31:20 +01:00			`except (AttributeError, KeyError, IndexError) as e:`
pep8ness 2016-02-12 17:22:48 +01:00			`self.logger.error(`
			`u'invalid reference in username template %r: %s', username_template, e)`
misc: update exception handling for Python 3 (#20925) 2017-12-28 17:31:20 +01:00			`except Exception as e:`
adapters: prevent collision in provision_groups() (fixes #9327) Assiging related m2m fields provokes a bulk insert which is not safe with respect to concurrent writes, we replace this by use of get_or_create() and delete() on the through model of the User.groups field. 2015-12-14 16:39:05 +01:00			`self.logger.exception(u'unknown error when formatting username')`
first commit 2014-04-28 14:33:04 +02:00			`else:`
			`return username`

adapters: factorize user creation in lookup_user() (fixes #10164) User creation can have peculiarities. 2016-03-02 15:34:07 +01:00			`def create_user(self, user_class):`
			`return user_class.objects.create(username=uuid.uuid4().hex[:30])`

			`def finish_create_user(self, idp, saml_attributes, user):`
			`username = self.format_username(idp, saml_attributes)`
			`if not username:`
			`self.logger.warning('could not build a username, login refused')`
			`raise UserCreationError`
			`user.username = username`
			`user.save()`

first commit 2014-04-28 14:33:04 +02:00			`def lookup_user(self, idp, saml_attributes):`
			`User = auth.get_user_model()`
allow federating transient NameID using an attribute (fixes #10619) 2016-04-11 19:20:05 +02:00			`transient_federation_attribute = utils.get_setting(idp, 'TRANSIENT_FEDERATION_ATTRIBUTE')`
			`if saml_attributes['name_id_format'] == lasso.SAML2_NAME_IDENTIFIER_FORMAT_TRANSIENT:`
			`if (transient_federation_attribute`
			`and saml_attributes.get(transient_federation_attribute)):`
			`name_id = saml_attributes[transient_federation_attribute]`
python3: adjust unicode usage 2018-03-25 10:19:36 +02:00			`if not isinstance(name_id, six.string_types):`
allow federating transient NameID using an attribute (fixes #10619) 2016-04-11 19:20:05 +02:00			`if len(name_id) == 1:`
			`name_id = name_id[0]`
			`else:`
			`self.logger.warning('more than one value for attribute %r, cannot federate',`
			`transient_federation_attribute)`
			`return None`
			`else:`
			`return None`
			`else:`
			`name_id = saml_attributes['name_id_content']`
add a model to store user<->NameID mapping (#7085) 2015-04-29 16:39:14 +02:00			`issuer = saml_attributes['issuer']`
			`try:`
			`return User.objects.get(saml_identifiers__name_id=name_id,`
fix concurrency error when creating new users (fixes #9965) UserSAMLIdentifier is retrieved using get_or_create() first, and if is new we proceed with the creation of the new user, otherwise we delete the temporaru user we created use the one attached to the existing UserSAMLIdentifier. 2016-02-12 17:19:34 +01:00			`saml_identifiers__issuer=issuer)`
add a model to store user<->NameID mapping (#7085) 2015-04-29 16:39:14 +02:00			`except User.DoesNotExist:`
			`if not utils.get_setting(idp, 'PROVISION'):`
fix concurrency error when creating new users (fixes #9965) UserSAMLIdentifier is retrieved using get_or_create() first, and if is new we proceed with the creation of the new user, otherwise we delete the temporaru user we created use the one attached to the existing UserSAMLIdentifier. 2016-02-12 17:19:34 +01:00			`self.logger.warning('provisionning disabled, login refused')`
add a model to store user<->NameID mapping (#7085) 2015-04-29 16:39:14 +02:00			`return None`
adapters: factorize user creation in lookup_user() (fixes #10164) User creation can have peculiarities. 2016-03-02 15:34:07 +01:00			`user = self.create_user(User)`
fix concurrency error when creating new users (fixes #9965) UserSAMLIdentifier is retrieved using get_or_create() first, and if is new we proceed with the creation of the new user, otherwise we delete the temporaru user we created use the one attached to the existing UserSAMLIdentifier. 2016-02-12 17:19:34 +01:00			`saml_id, created = models.UserSAMLIdentifier.objects.get_or_create(`
			`name_id=name_id, issuer=issuer, defaults={'user': user})`
			`if created:`
adapters: factorize user creation in lookup_user() (fixes #10164) User creation can have peculiarities. 2016-03-02 15:34:07 +01:00			`try:`
			`self.finish_create_user(idp, saml_attributes, user)`
			`except UserCreationError:`
			`user.delete()`
			`return None`
adapters: improve logging during provisionning - user creation is logged - attributes are only changed if different from the provisionning value, and changes are logged. 2016-02-26 13:23:12 +01:00			`self.logger.info('created new user %s with name_id %s from issuer %s',`
			`user, name_id, issuer)`
fix concurrency error when creating new users (fixes #9965) UserSAMLIdentifier is retrieved using get_or_create() first, and if is new we proceed with the creation of the new user, otherwise we delete the temporaru user we created use the one attached to the existing UserSAMLIdentifier. 2016-02-12 17:19:34 +01:00			`else:`
			`user.delete()`
			`user = saml_id.user`
add logging of IdP SAML responses and looked up users (#14056) 2016-11-23 13:09:01 +01:00			`self.logger.info('looked up user %s with name_id %s from issuer %s',`
			`user, name_id, issuer)`
first commit 2014-04-28 14:33:04 +02:00			`return user`

			`def provision(self, user, idp, saml_attributes):`
			`self.provision_attribute(user, idp, saml_attributes)`
			`self.provision_superuser(user, idp, saml_attributes)`
			`self.provision_groups(user, idp, saml_attributes)`

			`def provision_attribute(self, user, idp, saml_attributes):`
rename get_parameter() to get_setting() 2014-08-05 17:55:29 +02:00			`realm = utils.get_setting(idp, 'REALM')`
			`attribute_mapping = utils.get_setting(idp, 'ATTRIBUTE_MAPPING')`
save provisioned users (#6667) 2015-03-10 14:08:33 +01:00			`attribute_set = False`
python3: don't use iteritems 2018-03-25 09:57:42 +02:00			`for field, tpl in attribute_mapping.items():`
first commit 2014-04-28 14:33:04 +02:00			`try:`
use force_text for python2/3 compatibility (#24139) 2018-05-29 12:21:13 +02:00			`value = force_text(tpl).format(realm=realm, attributes=saml_attributes, idp=idp)`
first commit 2014-04-28 14:33:04 +02:00			`except ValueError:`
adapters: prevent collision in provision_groups() (fixes #9327) Assiging related m2m fields provokes a bulk insert which is not safe with respect to concurrent writes, we replace this by use of get_or_create() and delete() on the through model of the User.groups field. 2015-12-14 16:39:05 +01:00			`self.logger.warning(u'invalid attribute mapping template %r', tpl)`
misc: update exception handling for Python 3 (#20925) 2017-12-28 17:31:20 +01:00			`except (AttributeError, KeyError, IndexError, ValueError) as e:`
pep8ness 2016-02-12 17:22:48 +01:00			`self.logger.warning(`
			`u'invalid reference in attribute mapping template %r: %s', tpl, e)`
first commit 2014-04-28 14:33:04 +02:00			`else:`
adapters: truncate attributes assigned to user fields (fixes #7907) 2015-07-22 16:22:59 +02:00			`model_field = user._meta.get_field(field)`
			`if hasattr(model_field, 'max_length'):`
			`value = value[:model_field.max_length]`
adapters: improve logging during provisionning - user creation is logged - attributes are only changed if different from the provisionning value, and changes are logged. 2016-02-26 13:23:12 +01:00			`if getattr(user, field) != value:`
			`old_value = getattr(user, field)`
			`setattr(user, field, value)`
			`attribute_set = True`
			`self.logger.info(u'set field %s of user %s to value %r (old value %r)', field,`
			`user, value, old_value)`
save provisioned users (#6667) 2015-03-10 14:08:33 +01:00			`if attribute_set:`
			`user.save()`
first commit 2014-04-28 14:33:04 +02:00
			`def provision_superuser(self, user, idp, saml_attributes):`
rename get_parameter() to get_setting() 2014-08-05 17:55:29 +02:00			`superuser_mapping = utils.get_setting(idp, 'SUPERUSER_MAPPING')`
first commit 2014-04-28 14:33:04 +02:00			`if not superuser_mapping:`
			`return`
adapters: improve logging during provisionning - user creation is logged - attributes are only changed if different from the provisionning value, and changes are logged. 2016-02-26 13:23:12 +01:00			`attribute_set = False`
python3: don't use iteritems 2018-03-25 09:57:42 +02:00			`for key, values in superuser_mapping.items():`
first commit 2014-04-28 14:33:04 +02:00			`if key in saml_attributes:`
			`if not isinstance(values, (tuple, list)):`
			`values = [values]`
			`values = set(values)`
			`attribute_values = saml_attributes[key]`
			`if not isinstance(attribute_values, (tuple, list)):`
			`attribute_values = [attribute_values]`
			`attribute_values = set(attribute_values)`
			`if attribute_values & values:`
adapters: improve logging during provisionning - user creation is logged - attributes are only changed if different from the provisionning value, and changes are logged. 2016-02-26 13:23:12 +01:00			`if not (user.is_staff and user.is_superuser):`
			`user.is_staff = True`
			`user.is_superuser = True`
			`attribute_set = True`
			`self.logger.info('flag is_staff and is_superuser added to user %s', user)`
Fix removal of admin right when users have admin attributes but is already admin (fixes #10195) 2016-03-04 10:02:32 +01:00			`break`
first commit 2014-04-28 14:33:04 +02:00			`else:`
reset is_staff when superuser mapping fails (fixes #9736) 2016-01-21 20:02:34 +01:00			`if user.is_superuser or user.is_staff:`
			`user.is_staff = False`
first commit 2014-04-28 14:33:04 +02:00			`user.is_superuser = False`
adapters: improve logging during provisionning - user creation is logged - attributes are only changed if different from the provisionning value, and changes are logged. 2016-02-26 13:23:12 +01:00			`self.logger.info('flag is_staff and is_superuser removed from user %s', user)`
			`attribute_set = True`
			`if attribute_set:`
			`user.save()`
first commit 2014-04-28 14:33:04 +02:00
			`def provision_groups(self, user, idp, saml_attributes):`
adapters: prevent collision in provision_groups() (fixes #9327) Assiging related m2m fields provokes a bulk insert which is not safe with respect to concurrent writes, we replace this by use of get_or_create() and delete() on the through model of the User.groups field. 2015-12-14 16:39:05 +01:00			`User = user.__class__`
rename get_parameter() to get_setting() 2014-08-05 17:55:29 +02:00			`group_attribute = utils.get_setting(idp, 'GROUP_ATTRIBUTE')`
			`create_group = utils.get_setting(idp, 'CREATE_GROUP')`
first commit 2014-04-28 14:33:04 +02:00			`if group_attribute in saml_attributes:`
			`values = saml_attributes[group_attribute]`
			`if not isinstance(values, (list, tuple)):`
			`values = [values]`
			`groups = []`
			`for value in set(values):`
			`if create_group:`
			`group, created = Group.objects.get_or_create(name=value)`
			`else:`
			`try:`
			`group = Group.objects.get(name=value)`
			`except Group.DoesNotExist:`
			`continue`
			`groups.append(group)`
adapters: prevent collision in provision_groups() (fixes #9327) Assiging related m2m fields provokes a bulk insert which is not safe with respect to concurrent writes, we replace this by use of get_or_create() and delete() on the through model of the User.groups field. 2015-12-14 16:39:05 +01:00			`for group in Group.objects.filter(pk__in=[g.pk for g in groups]).exclude(user=user):`
pep8ness 2016-02-12 17:22:48 +01:00			`self.logger.info(`
			`u'adding group %s (%s) to user %s (%s)', group, group.pk, user, user.pk)`
adapters: prevent collision in provision_groups() (fixes #9327) Assiging related m2m fields provokes a bulk insert which is not safe with respect to concurrent writes, we replace this by use of get_or_create() and delete() on the through model of the User.groups field. 2015-12-14 16:39:05 +01:00			`User.groups.through.objects.get_or_create(group=group, user=user)`
pep8ness 2016-02-12 17:22:48 +01:00			`qs = User.groups.through.objects.exclude(`
			`group__pk__in=[g.pk for g in groups]).filter(user=user)`
adapters: prevent collision in provision_groups() (fixes #9327) Assiging related m2m fields provokes a bulk insert which is not safe with respect to concurrent writes, we replace this by use of get_or_create() and delete() on the through model of the User.groups field. 2015-12-14 16:39:05 +01:00			`for rel in qs:`
			`self.logger.info(u'removing group %s (%s) from user %s (%s)', rel.group,`
			`rel.group.pk, rel.user, rel.user.pk)`
			`qs.delete()`