misc: provision users to services of all OUs (#40518)
This commit is contained in:
parent
70a230090b
commit
6f927f0196
|
@ -95,8 +95,9 @@ class Provisionning(threading.local):
|
|||
self.resolve_ou(users, ous)
|
||||
|
||||
ous = {}
|
||||
for user in users:
|
||||
ous.setdefault(user.ou, set()).add(user)
|
||||
for ou in [None] + list(OU.objects.all()):
|
||||
for user in users:
|
||||
ous.setdefault(ou, set()).add(user)
|
||||
|
||||
def is_forbidden_technical_role(role):
|
||||
return role.slug.startswith('_') and not role.slug.startswith(tuple(allowed_technical_roles_prefixes))
|
||||
|
@ -158,11 +159,6 @@ class Provisionning(threading.local):
|
|||
for p_id in parents.get(r_id, []):
|
||||
user_roles[u_id].add(roles[p_id])
|
||||
|
||||
# add role's ous
|
||||
for user in users:
|
||||
for r in user_roles.get(user.id, []):
|
||||
ous.setdefault(r.ou, set()).add(user)
|
||||
|
||||
if roles_with_attributes:
|
||||
for ou, users in ous.items():
|
||||
for service, audience in self.get_audience(ou):
|
||||
|
@ -196,7 +192,7 @@ class Provisionning(threading.local):
|
|||
}
|
||||
})
|
||||
elif users:
|
||||
audience = [audience for ou in OU.objects.all()
|
||||
audience = [audience for ou in ous.keys()
|
||||
for s, audience in self.get_audience(ou)]
|
||||
logger.info(u'deprovisionning users %s from %s', u', '.join(
|
||||
map(force_text, users)), u', '.join(audience))
|
||||
|
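Review bot: The new loop in the first hunk, `for ou in [None] + list(OU.objects.all())`, provisions every user to the services of every OU, so a service now receives attribute data for users with no relation to its OU, whereas the removed lines scoped each user to their own OU and (second hunk) their roles' OUs. If that broadcast is the intended contract it should be stated where the dict is built, e.g. `# every user is provisioned to every OU's services; None presumably covers services without an OU — confirm against get_audience`, since the widening is the security-relevant consequence of the change and is not visible at the call sites. The same dict now drives the deprovision audience in the third hunk (`ous.keys()` replaces `OU.objects.all()`), so `self.get_audience(None)` is called with `None` on both paths for the first time; `for ou in ous` also reads better than `ous.keys()`. The four-line build can be one comprehension, `ous = {ou: set(users) for ou in [None] + list(OU.objects.all())}`, provided `users` is re-iterable, which the following loops already assume. The enclosing method starts outside the hunk.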
|
|
@ -15,6 +15,7 @@ from authentic2.saml.models import LibertyProvider
|
|||
from authentic2.a2_rbac.models import Role, RoleAttribute
|
||||
from authentic2.a2_rbac.utils import get_default_ou
|
||||
from authentic2.models import Attribute, AttributeValue
|
||||
from django_rbac.utils import get_ou_model
|
||||
from hobo.agent.authentic2.provisionning import provisionning
|
||||
|
||||
User = get_user_model()
|
||||
|
@ -216,6 +217,23 @@ def test_provision_user(transactional_db, tenant, caplog):
|
|||
assert o['code_postal'] is None or o['code_postal'] == '13400'
|
||||
assert o['is_superuser'] is user.is_superuser
|
||||
|
||||
# test a service in a second OU also get the provisionning message
|
||||
notify_agents.reset_mock()
|
||||
ou2 = get_ou_model().objects.create(name=u'ou2', slug=u'ou2')
|
||||
LibertyProvider.objects.create(ou=ou2, name='provider2',
|
||||
slug='provider2',
|
||||
entity_id='http://provider2.com',
|
||||
protocol_conformance=lasso.PROTOCOL_SAML_2_0)
|
||||
attribute.set_value(user1, '13500')
|
||||
with provisionning:
|
||||
user1.save()
|
||||
user2.save()
|
||||
|
||||
assert notify_agents.call_count == 2
|
||||
assert set(notify_agents.mock_calls[0][1][0]['audience'] +
|
||||
notify_agents.mock_calls[1][1][0]['audience']) == set(['http://provider.com', 'http://provider2.com'])
|
||||
ou2.delete()
|
||||
|
||||
notify_agents.reset_mock()
|
||||
with provisionning:
|
||||
AttributeValue.objects.get(attribute=attribute).delete()
|
||||
|
@ -415,6 +433,11 @@ def test_provision_user(transactional_db, tenant, caplog):
|
|||
assert o['is_superuser'] is False
|
||||
|
||||
notify_agents.reset_mock()
|
||||
ou2 = get_ou_model().objects.create(name=u'ou2', slug=u'ou2')
|
||||
LibertyProvider.objects.create(ou=get_default_ou(), name='provider2',
|
||||
slug='provider2',
|
||||
entity_id='http://provider2.com',
|
||||
protocol_conformance=lasso.PROTOCOL_SAML_2_0)
|
||||
with provisionning:
|
||||
user1.delete()
|
||||
user2.delete()
|
||||
|
@ -427,7 +450,7 @@ def test_provision_user(transactional_db, tenant, caplog):
|
|||
'issuer', 'audience', '@type', 'objects', 'full'])
|
||||
assert arg['issuer'] == \
|
||||
'http://%s/idp/saml2/metadata' % tenant.domain_url
|
||||
assert arg['audience'] == ['http://provider.com']
|
||||
assert set(arg['audience']) == set(['http://provider.com', 'http://provider2.com'])
|
||||
assert arg['@type'] == 'deprovision'
|
||||
assert arg['full'] is False
|
||||
objects = arg['objects']
|
||||
|
|
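Review bot: In the deprovision test (hunk at `@ -415`), `ou2` is created but `provider2` is attached to `get_default_ou()`, so the assertion at `@ -427` that both entity ids appear in the audience checks two services in the same OU rather than the cross-OU deprovisioning the commit title describes; within the visible lines `ou2` is neither used nor deleted, unless its purpose is to exercise an OU with no service. Either give the provider `ou=ou2`, as the provision test in the `@ -216` hunk does, or drop the `ou2` creation and say so in a comment. That provision test deletes `ou2` but not `provider2`; whether the provider goes away by cascade is not visible here, so an explicit `LibertyProvider.objects.filter(slug='provider2').delete()` or a comment stating the cascade would make the cleanup unambiguous. The `set([...])` literals can be written `{...}`. The enclosing test function starts and ends outside the hunks.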