entrouvert
/
hobo
16
0
Fork 0
Code Issues Pull Requests 16 Releases Activity
hobo/hobo/agent/authentic2/provisionning.py

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

527 lines
19 KiB
Python
Raw Normal View History

send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
import copy
agent/authentic2: add debug mode for provisionning (#54637)
2021-06-08 11:31:22 +02:00
import datetime
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
import json
import logging
general: use HTTP API to provision users & groups (#43245)
2020-05-25 21:15:26 +02:00
import threading
misc: remove usage of django.utils.six (#63684)
2022-04-15 17:12:55 +02:00
import urllib.parse
general: use HTTP API to provision users & groups (#43245)
2020-05-25 21:15:26 +02:00
from itertools import chain, islice
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
misc: use new location for django.urls imports (#42967)
2020-05-07 20:01:20 +02:00
import requests
authentic2: use direct imports for rbac models (#70963)
2022-11-03 12:11:24 +01:00
from authentic2.a2_rbac.models import OrganizationalUnit as OU
from authentic2.a2_rbac.models import Role, RoleParenting
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
from authentic2.models import AttributeValue
from authentic2.saml.models import LibertyProvider
from django.conf import settings
from django.contrib.auth import get_user_model
agent/authentic2: mark object for provisionning if transaction commit (#52355)
2021-03-24 21:13:12 +01:00
from django.db import connection, transaction
misc: use new location for django.urls imports (#42967)
2020-05-07 20:01:20 +02:00
from django.urls import reverse
misc: change django-upgrade target version to 3.2 (#75442)
2023-03-29 12:10:39 +02:00
from django.utils.encoding import force_str
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
from hobo.agent.common import notify_agents
general: use HTTP API to provision users & groups (#43245)
2020-05-25 21:15:26 +02:00
from hobo.signature import sign_url
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
User = get_user_model()
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
logger = logging.getLogger(__name__)
agent/authentic2: batch the provisionning of agents (#52620)
2021-04-01 13:21:57 +02:00
def batch(iterable, size):
"""Batch an iterable as an iterable of iterables of at most size element
long.
"""
sourceiter = iter(iterable)
for first in sourceiter:
yield chain([first], islice(sourceiter, size - 1))
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
class Provisionning(threading.local):
__slots__ = ['threads']
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
def __init__(self):
python3: migrate authentic (#40407)
2020-03-04 14:31:36 +01:00
self.threads = set()
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
self.stack = []
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
def start(self):
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
self.stack.append(
{
'saved': {},
'deleted': {},
agent/authentic2: mark object for provisionning if transaction commit (#52355)
2021-03-24 21:13:12 +01:00
'in_atomic_block': connection.in_atomic_block,
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
}
)
def clear(self):
self.stack = []
def stop(self, provision=True, wait=True):
if not self.stack:
return
context = self.stack.pop()
agent/authentic2: mark object for provisionning if transaction commit (#52355)
2021-03-24 21:13:12 +01:00
context.pop('in_atomic_block')
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
if provision:
agent/authentic2: mark object for provisionning if transaction commit (#52355)
2021-03-24 21:13:12 +01:00
def callback():
self.provision(**context)
if wait:
self.wait()
transaction.on_commit(callback)
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
@property
def saved(self):
if self.stack:
return self.stack[-1]['saved']
return None
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
@property
def deleted(self):
if self.stack:
return self.stack[-1]['deleted']
return None
def add_saved(self, *args):
if not self.stack:
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
return
agent/authentic2: mark object for provisionning if transaction commit (#52355)
2021-03-24 21:13:12 +01:00
in_atomic_block = self.stack[-1]['in_atomic_block']
def callback():
for instance in args:
klass = User if isinstance(instance, User) else Role
self.saved.setdefault(klass, set()).add(instance)
if in_atomic_block:
callback()
else:
transaction.on_commit(callback)
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
def add_deleted(self, *args):
if not self.stack:
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
return
agent/authentic2: mark object for provisionning if transaction commit (#52355)
2021-03-24 21:13:12 +01:00
in_atomic_block = self.stack[-1]['in_atomic_block']
def callback():
for instance in args:
klass = User if isinstance(instance, User) else Role
self.deleted.setdefault(klass, set()).add(instance)
self.saved.get(klass, set()).discard(instance)
if in_atomic_block:
callback()
else:
transaction.on_commit(callback)
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
def resolve_ou(self, instances, ous):
for instance in instances:
if instance.ou_id in ous:
instance.ou = ous[instance.ou_id]
provisionning: add ?sync=1 parameter to /__provision__ API (#56920) When used by the /api/provision API on authentic, it garantees the provisionning is made synchronously.
2021-09-14 07:00:19 +02:00
def notify_users(self, ous, users, mode='provision', sync=False):
authentic: allow provisionning some technical roles (#36398)
2019-09-24 11:41:51 +02:00
allowed_technical_roles_prefixes = getattr(settings, 'HOBO_PROVISION_ROLE_PREFIXES', []) or []
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
if mode == 'provision':
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
users = (
User.objects.filter(id__in=[u.id for u in users])
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
.select_related('ou')
.prefetch_related('attribute_values__attribute')
trivial: apply black
2021-05-14 18:39:27 +02:00
)
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
else:
self.resolve_ou(users, ous)
ous = {}
misc: provision users to services of all OUs (#40518)
2020-03-06 18:48:52 +01:00
for ou in [None] + list(OU.objects.all()):
for user in users:
ous.setdefault(ou, set()).add(user)
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
authentic: allow provisionning some technical roles (#36398)
2019-09-24 11:41:51 +02:00
def is_forbidden_technical_role(role):
return role.slug.startswith('_') and not role.slug.startswith(
tuple(allowed_technical_roles_prefixes)
trivial: apply black
2021-05-14 18:39:27 +02:00
)
authentic: allow provisionning some technical roles (#36398)
2019-09-24 11:41:51 +02:00
misc: change django-upgrade target version to 3.2 (#75442)
2023-03-29 12:10:39 +02:00
issuer = force_str(self.get_entity_id())
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
if mode == 'provision':
provisioning: only send user's roles visible by the service (#35168)
2019-08-06 11:26:28 +02:00
def user_to_json(ou, service, user, user_roles):
agent: use BaseUserSerializer for user provisionning (fixes #16924)
2017-06-15 17:33:17 +02:00
from authentic2.api_views import BaseUserSerializer
trivial: apply black
2021-05-14 18:39:27 +02:00
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
data = {}
provisioning: only send user's roles visible by the service (#35168)
2019-08-06 11:26:28 +02:00
# filter user's roles visible by the service's ou
roles = [
role
for role in user_roles.get(user.id, [])
authentic: allow provisionning some technical roles (#36398)
2019-09-24 11:41:51 +02:00
if (
not is_forbidden_technical_role(role)
agent-authentic2: test if ou is None in provisionning (#35385)
2019-08-13 12:59:14 +02:00
and (role.ou_id is None or (ou and role.ou_id == ou.id))
trivial: apply black
2021-05-14 18:39:27 +02:00
)
agent-authentic2: test if ou is None in provisionning (#35385)
2019-08-13 12:59:14 +02:00
]
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
data.update(
{
'uuid': user.uuid,
'username': user.username,
'first_name': user.first_name,
'last_name': user.last_name,
'email': user.email,
misc: provision user.is_active (#44896)
2020-07-07 11:48:19 +02:00
'is_active': user.is_active,
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
'roles': [
{
'uuid': role.uuid,
'name': role.name,
'slug': role.slug,
}
for role in roles
],
}
)
agent: use BaseUserSerializer for user provisionning (fixes #16924)
2017-06-15 17:33:17 +02:00
data.update(BaseUserSerializer(user).data)
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
# check if user is superuser through a role
role_is_superuser = False
if service:
for role in user_roles.get(user.id, []):
if role.service_id != service.pk:
continue
misc: remove compatibility code with old authentic version (#72027)
2022-12-05 12:22:01 +01:00
role_is_superuser = role.is_superuser
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
data['is_superuser'] = user.is_superuser or role_is_superuser
return data
trivial: apply black
2021-05-14 18:39:27 +02:00
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
# Find roles giving a superuser attribute
# If there is any role of this kind, we do one provisionning message for each user and
# each service.
misc: remove compatibility code with old authentic version (#72027)
2022-12-05 12:22:01 +01:00
roles_with_attributes = (
Role.objects.filter(members__in=users)
.parents(include_self=True)
.filter(is_superuser=True)
.exists()
)
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
authentic2: support direct role attribute access (#70672)
2022-10-25 15:49:37 +02:00
all_roles = Role.objects.all()
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
roles = {r.id: r for r in all_roles}
user_roles = {}
parents = {}
agent/authentic2: handle signals for soft creation/deletion of roles relations (#63199)
2022-03-25 13:31:48 +01:00
for rp in RoleParenting.objects.filter(deleted__isnull=True):
provisionning: do not fail on missing role (#50014)
2021-03-30 14:20:11 +02:00
# broken parent/child relationship can happen
try:
parents.setdefault(rp.child.id, []).append(rp.parent.id)
except Role.DoesNotExist:
pass
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
Through = Role.members.through
python3: migrate authentic (#40407)
2020-03-04 14:31:36 +01:00
qs = Through.objects.filter(role__members__in=users).values_list('user_id', 'role_id')
for u_id, r_id in qs:
provisionning: protect against missing role (#52482)
2021-03-30 11:54:04 +02:00
# unkwon r_id can happen
if r_id in roles:
user_roles.setdefault(u_id, set()).add(roles[r_id])
for p_id in parents.get(r_id, []):
user_roles[u_id].add(roles[p_id])
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
if roles_with_attributes:
python3: migrate authentic (#40407)
2020-03-04 14:31:36 +01:00
for ou, users in ous.items():
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
for service, audience in self.get_audience(ou):
agent/authentic2: batch the provisionning of agents (#52620)
2021-04-01 13:21:57 +02:00
for batched_users in batch(users, 500):
batched_users = list(batched_users)
for user in batched_users:
logger.info('provisionning user %s to %s', user, audience)
general: use HTTP API to provision users & groups (#43245)
2020-05-25 21:15:26 +02:00
self.notify_agents(
{
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
'@type': 'provision',
'issuer': issuer,
'audience': [audience],
'full': False,
'objects': {
'@type': 'user',
agent/authentic2: batch the provisionning of agents (#52620)
2021-04-01 13:21:57 +02:00
'data': [
user_to_json(ou, service, user, user_roles)
for user in batched_users
],
trivial: apply black
2021-05-14 18:39:27 +02:00
},
provisionning: add ?sync=1 parameter to /__provision__ API (#56920) When used by the /api/provision API on authentic, it garantees the provisionning is made synchronously.
2021-09-14 07:00:19 +02:00
},
sync=sync,
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
)
else:
python3: migrate authentic (#40407)
2020-03-04 14:31:36 +01:00
for ou, users in ous.items():
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
audience = [a for service, a in self.get_audience(ou)]
authentic: do not send provisionning messages to empty audience (#20309)
2017-11-27 20:32:16 +01:00
if not audience:
continue
python3: migrate authentic (#40407)
2020-03-04 14:31:36 +01:00
logger.info(
'provisionning users %s to %s',
misc: change django-upgrade target version to 3.2 (#75442)
2023-03-29 12:10:39 +02:00
', '.join(map(force_str, users)),
python3: migrate authentic (#40407)
2020-03-04 14:31:36 +01:00
', '.join(audience),
)
general: use HTTP API to provision users & groups (#43245)
2020-05-25 21:15:26 +02:00
self.notify_agents(
{
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
'@type': 'provision',
'issuer': issuer,
'audience': audience,
'full': False,
'objects': {
'@type': 'user',
provisioning: only send user's roles visible by the service (#35168)
2019-08-06 11:26:28 +02:00
'data': [user_to_json(ou, None, user, user_roles) for user in users],
trivial: apply black
2021-05-14 18:39:27 +02:00
},
provisionning: add ?sync=1 parameter to /__provision__ API (#56920) When used by the /api/provision API on authentic, it garantees the provisionning is made synchronously.
2021-09-14 07:00:19 +02:00
},
sync=sync,
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
)
elif users:
misc: provision users to services of all OUs (#40518)
2020-03-06 18:48:52 +01:00
audience = [audience for ou in ous.keys() for s, audience in self.get_audience(ou)]
python3: migrate authentic (#40407)
2020-03-04 14:31:36 +01:00
logger.info(
misc: change django-upgrade target version to 3.2 (#75442)
2023-03-29 12:10:39 +02:00
'deprovisionning users %s from %s', ', '.join(map(force_str, users)), ', '.join(audience)
python3: migrate authentic (#40407)
2020-03-04 14:31:36 +01:00
)
general: use HTTP API to provision users & groups (#43245)
2020-05-25 21:15:26 +02:00
self.notify_agents(
{
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
'@type': 'deprovision',
'issuer': issuer,
'audience': audience,
'full': False,
'objects': {
'@type': 'user',
'data': [
{
'uuid': user.uuid,
}
for user in users
trivial: apply black
2021-05-14 18:39:27 +02:00
],
},
provisionning: add ?sync=1 parameter to /__provision__ API (#56920) When used by the /api/provision API on authentic, it garantees the provisionning is made synchronously.
2021-09-14 07:00:19 +02:00
},
sync=sync,
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
)
provisionning: add ?sync=1 parameter to /__provision__ API (#56920) When used by the /api/provision API on authentic, it garantees the provisionning is made synchronously.
2021-09-14 07:00:19 +02:00
def notify_roles(self, ous, roles, mode='provision', full=False, sync=False):
agent: consider allowed technical roles when provisionning roles (#36937)
2019-10-15 13:46:27 +02:00
allowed_technical_roles_prefixes = getattr(settings, 'HOBO_PROVISION_ROLE_PREFIXES', []) or []
def is_forbidden_technical_role(role):
return role.slug.startswith('_') and not role.slug.startswith(
tuple(allowed_technical_roles_prefixes)
trivial: apply black
2021-05-14 18:39:27 +02:00
)
agent: consider allowed technical roles when provisionning roles (#36937)
2019-10-15 13:46:27 +02:00
roles = {role for role in roles if not is_forbidden_technical_role(role)}
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
if not roles:
return
self.resolve_ou(roles, ous)
ous = {}
for role in roles:
ous.setdefault(role.ou, []).append(role)
def helper(ou, roles):
if mode == 'provision':
data = [
{
'uuid': role.uuid,
'name': role.name,
'slug': role.slug,
'description': role.description,
'details': role.details,
'emails': role.emails,
'emails_to_members': role.emails_to_members,
}
for role in roles
]
else:
data = [
{
'uuid': role.uuid,
}
for role in roles
]
audience = [entity_id for service, entity_id in self.get_audience(ou)]
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
logger.info('%sning roles %s to %s', mode, roles, audience)
general: use HTTP API to provision users & groups (#43245)
2020-05-25 21:15:26 +02:00
self.notify_agents(
{
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
'@type': mode,
'audience': audience,
'full': full,
'objects': {
'@type': 'role',
'data': data,
trivial: apply black
2021-05-14 18:39:27 +02:00
},
provisionning: add ?sync=1 parameter to /__provision__ API (#56920) When used by the /api/provision API on authentic, it garantees the provisionning is made synchronously.
2021-09-14 07:00:19 +02:00
},
sync=sync,
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
)
global_roles = set(ous.get(None, []))
python3: migrate authentic (#40407)
2020-03-04 14:31:36 +01:00
for ou, ou_roles in ous.items():
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
sent_roles = set(ou_roles) | global_roles
helper(ou, sent_roles)
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
def provision(self, saved, deleted):
# Returns if:
# - we are not in a tenant
# - provsionning is disabled
# - there is nothing to do
do not provision if there is not tenant currently (fixes #16391)
2017-05-18 09:32:28 +02:00
if (
not hasattr(connection, 'tenant')
or not connection.tenant
or not hasattr(connection.tenant, 'domain_url')
):
return
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
if not getattr(settings, 'HOBO_ROLE_EXPORT', True):
return
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
if not (saved or deleted):
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
return
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
t = threading.Thread(target=self.do_provision, kwargs={'saved': saved, 'deleted': deleted})
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
t.start()
self.threads.add(t)
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
def do_provision(self, saved, deleted):
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
try:
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
ous = {ou.id: ou for ou in OU.objects.all()}
self.notify_roles(ous, saved.get(Role, []))
self.notify_roles(ous, deleted.get(Role, []), mode='deprovision')
self.notify_users(ous, saved.get(User, []))
self.notify_users(ous, deleted.get(User, []), mode='deprovision')
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
except Exception:
# last step, clear everything
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
logger.exception('error in provisionning thread')
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
finally:
self.threads.discard(threading.current_thread())
def wait(self):
for thread in list(self.threads):
thread.join()
def __enter__(self):
self.start()
def __exit__(self, exc_type, exc_value, exc_tb):
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
if not self.stack:
return
self.stop(provision=exc_type is None)
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
def get_audience(self, ou):
if ou:
qs = LibertyProvider.objects.filter(ou=ou)
else:
qs = LibertyProvider.objects.filter(ou__isnull=True)
return [(service, service.entity_id) for service in qs]
def get_entity_id(self):
tenant = getattr(connection, 'tenant', None)
assert tenant
base_url = tenant.get_base_url()
misc: remove usage of django.utils.six (#63684)
2022-04-15 17:12:55 +02:00
return urllib.parse.urljoin(base_url, reverse('a2-idp-saml-metadata'))
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
def pre_save(self, sender, instance, raw, using, update_fields, **kwargs):
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
if not self.stack:
return
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
# we skip new instances
if not instance.pk:
return
misc: remove compatibility code with old authentic version (#72027)
2022-12-05 12:22:01 +01:00
if not isinstance(instance, (User, Role, AttributeValue)):
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
return
# ignore last_login update on login
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
if isinstance(instance, User) and (update_fields and set(update_fields) == {'last_login'}):
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
return
elif isinstance(instance, AttributeValue):
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
if not isinstance(instance.owner, User):
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
return
instance = instance.owner
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
self.add_saved(instance)
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
def post_save(self, sender, instance, created, raw, using, update_fields, **kwargs):
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
if not self.stack:
return
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
# during post_save we only handle new instances
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
if isinstance(instance, RoleParenting):
self.add_saved(*list(instance.child.all_members()))
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
return
if not created:
return
misc: remove compatibility code with old authentic version (#72027)
2022-12-05 12:22:01 +01:00
if not isinstance(instance, (User, Role, AttributeValue)):
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
return
elif isinstance(instance, AttributeValue):
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
if not isinstance(instance.owner, User):
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
return
instance = instance.owner
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
self.add_saved(instance)
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
def pre_delete(self, sender, instance, using, **kwargs):
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
if not self.stack:
return
if isinstance(instance, (User, Role)):
self.add_deleted(copy.copy(instance))
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
elif isinstance(instance, AttributeValue):
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
if not isinstance(instance.owner, User):
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
return
instance = instance.owner
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
self.add_saved(instance)
elif isinstance(instance, RoleParenting):
self.add_saved(*list(instance.child.all_members()))
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
def m2m_changed(self, sender, instance, action, reverse, model, pk_set, using, **kwargs):
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
if not self.stack:
return
authentic: improve provisionning on Role.members changes (#13597) Only react to many-to-many changes on roles, not other potential relations (such as Group).
2016-10-13 23:30:57 +02:00
if action != 'pre_clear' and action.startswith('pre_'):
send provisionning messages after request treatment in a thread (fixes #9396) All objects to provision are collected into the Provisionning singleton object in thread local dictionnaries. When request processing is finished the ProvisionningMiddleware launch a thread which will send provisionning messages.
2016-09-13 17:13:31 +02:00
return
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
if sender is Role.members.through:
self.add_saved(instance)
provisionning: prevent ValueError on a user.roles.clear() (fixes #24949)
2018-07-03 00:44:22 +02:00
# on a clear, pk_set is None
for other_instance in model.objects.filter(pk__in=pk_set or []):
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
self.add_saved(other_instance)
authentic: improve provisionning on Role.members changes (#13597) Only react to many-to-many changes on roles, not other potential relations (such as Group).
2016-10-13 23:30:57 +02:00
if action == 'pre_clear':
# when the action is pre_clear we need to lookup the current value of the members
# relation, to re-provision all previously enroled users.
if not reverse:
for other_instance in instance.members.all():
agent/a2: prevent useless thread launching (#34484)
2019-07-02 11:38:34 +02:00
self.add_saved(other_instance)
general: use HTTP API to provision users & groups (#43245)
2020-05-25 21:15:26 +02:00
agent/authentic2: handle signals for soft creation/deletion of roles relations (#63199)
2022-03-25 13:31:48 +01:00
def post_soft_create(self, sender, instance, **kwargs):
if isinstance(instance, RoleParenting):
self.add_saved(*list(instance.child.all_members()))
def post_soft_delete(self, sender, instance, **kwargs):
if isinstance(instance, RoleParenting):
self.add_saved(*list(instance.child.all_members()))
provisionning: add ?sync=1 parameter to /__provision__ API (#56920) When used by the /api/provision API on authentic, it garantees the provisionning is made synchronously.
2021-09-14 07:00:19 +02:00
def notify_agents(self, data, sync=False):
agent/authentic2: add debug mode for provisionning (#54637)
2021-06-08 11:31:22 +02:00
log_path = getattr(settings, 'DEBUG_PROVISIONNING_LOG_PATH', '')
if log_path and getattr(settings, 'HOBO_PROVISIONNING_DEBUG', False):
try:
with open(log_path, 'a') as f:
f.write('%s %s ' % (datetime.datetime.now().isoformat(), connection.tenant.domain_url))
json.dump(data, f, indent=2)
f.write('\n')
except OSError:
pass
agent/authentic: use http provisionning by default (#59312)
2021-12-03 12:27:23 +01:00
if getattr(settings, 'HOBO_HTTP_PROVISIONNING', True):
provisionning: add ?sync=1 parameter to /__provision__ API (#56920) When used by the /api/provision API on authentic, it garantees the provisionning is made synchronously.
2021-09-14 07:00:19 +02:00
leftover_audience = self.notify_agents_http(data, sync=sync)
authentic: add API to force user provisionning (#53059)
2021-04-14 00:13:15 +02:00
if not leftover_audience:
return
logger.info('leftover AMQP audience: %s', leftover_audience)
data['audience'] = leftover_audience
general: use HTTP API to provision users & groups (#43245)
2020-05-25 21:15:26 +02:00
if data['audience']:
notify_agents(data)
authentic: add API to force user provisionning (#53059)
2021-04-14 00:13:15 +02:00
def get_http_services_by_url(self):
services_by_url = {}
agent/authentic: use http provisionning by default (#59312)
2021-12-03 12:27:23 +01:00
known_services = getattr(settings, 'KNOWN_SERVICES', {})
for services in known_services.values():
authentic: add API to force user provisionning (#53059)
2021-04-14 00:13:15 +02:00
for service in services.values():
if service.get('provisionning-url'):
services_by_url[service['saml-sp-metadata-url']] = service
return services_by_url
provisionning: add ?sync=1 parameter to /__provision__ API (#56920) When used by the /api/provision API on authentic, it garantees the provisionning is made synchronously.
2021-09-14 07:00:19 +02:00
def notify_agents_http(self, data, sync=False):
authentic: add API to force user provisionning (#53059)
2021-04-14 00:13:15 +02:00
services_by_url = self.get_http_services_by_url()
audience = data.get('audience')
rest_audience = [x for x in audience if x in services_by_url]
leftover_audience = audience
for audience in rest_audience:
service = services_by_url[audience]
data['audience'] = [audience]
provisionning: add ?sync=1 parameter to /__provision__ API (#56920) When used by the /api/provision API on authentic, it garantees the provisionning is made synchronously.
2021-09-14 07:00:19 +02:00
url = service['provisionning-url'] + '?orig=%s' % service['orig']
if sync:
url += '&sync=1'
authentic: add API to force user provisionning (#53059)
2021-04-14 00:13:15 +02:00
try:
provisionning: add ?sync=1 parameter to /__provision__ API (#56920) When used by the /api/provision API on authentic, it garantees the provisionning is made synchronously.
2021-09-14 07:00:19 +02:00
response = requests.put(sign_url(url, service['secret']), json=data)
authentic: add API to force user provisionning (#53059)
2021-04-14 00:13:15 +02:00
response.raise_for_status()
except requests.RequestException as e:
logger.error('error provisionning to %s (%s)', audience, e)
else:
leftover_audience.remove(audience)
return leftover_audience