misc: provision users to services of all OUs (#40518)

Frédéric Péters 2020-03-06 18:48:52 +01:00
parent 70a230090b
commit 6f927f0196
2 changed files with 28 additions and 9 deletions


@ -95,8 +95,9 @@ class Provisionning(threading.local):
self.resolve_ou(users, ous)
ous = {}
for user in users:
ous.setdefault(user.ou, set()).add(user)
for ou in [None] + list(OU.objects.all()):
for user in users:
ous.setdefault(ou, set()).add(user)
def is_forbidden_technical_role(role):
return role.slug.startswith('_') and not role.slug.startswith(tuple(allowed_technical_roles_prefixes))
@ -158,11 +159,6 @@ class Provisionning(threading.local):
for p_id in parents.get(r_id, []):
user_roles[u_id].add(roles[p_id])
# add role's ous
for user in users:
for r in user_roles.get(user.id, []):
ous.setdefault(r.ou, set()).add(user)
if roles_with_attributes:
for ou, users in ous.items():
for service, audience in self.get_audience(ou):
@ -196,7 +192,7 @@ class Provisionning(threading.local):
}
})
elif users:
audience = [audience for ou in OU.objects.all()
audience = [audience for ou in ous.keys()
for s, audience in self.get_audience(ou)]
logger.info(u'deprovisionning users %s from %s', u', '.join(
map(force_text, users)), u', '.join(audience))
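Review bot: The loop added in the first hunk (`for ou in [None] + list(OU.objects.all()): for user in users: ous.setdefault(ou, set()).add(user)`) builds one identical set of all users per OU, so the per-OU grouping that the rest of the method still iterates (`for ou, users in ous.items()`) no longer carries any information; the same result reads more honestly as `all_users = set(users)` followed by `ous = {ou: all_users for ou in [None] + list(OU.objects.all())}`, with a comment such as `# every user is pushed to every service of every OU, including OU-less services` so the widened audience is not later mistaken for a bug. The `None` key is also new for the deprovision path in the last hunk, where `ous.keys()` replaces `OU.objects.all()`, so `self.get_audience(None)` is now consulted there as well; `get_audience` is not visible here, so please confirm it handles `None` and that OU-less services are meant to receive deprovision notices. `ous.keys()` in that comprehension can simply be `ous`. The enclosing method starts before the first hunk and continues past the last one.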


@ -15,6 +15,7 @@ from authentic2.saml.models import LibertyProvider
from authentic2.a2_rbac.models import Role, RoleAttribute
from authentic2.a2_rbac.utils import get_default_ou
from authentic2.models import Attribute, AttributeValue
from django_rbac.utils import get_ou_model
from hobo.agent.authentic2.provisionning import provisionning
User = get_user_model()
@ -216,6 +217,23 @@ def test_provision_user(transactional_db, tenant, caplog):
assert o['code_postal'] is None or o['code_postal'] == '13400'
assert o['is_superuser'] is user.is_superuser
# test a service in a second OU also get the provisionning message
notify_agents.reset_mock()
ou2 = get_ou_model().objects.create(name=u'ou2', slug=u'ou2')
LibertyProvider.objects.create(ou=ou2, name='provider2',
slug='provider2',
entity_id='http://provider2.com',
protocol_conformance=lasso.PROTOCOL_SAML_2_0)
attribute.set_value(user1, '13500')
with provisionning:
user1.save()
user2.save()
assert notify_agents.call_count == 2
assert set(notify_agents.mock_calls[0][1][0]['audience'] +
notify_agents.mock_calls[1][1][0]['audience']) == set(['http://provider.com', 'http://provider2.com'])
ou2.delete()
notify_agents.reset_mock()
with provisionning:
AttributeValue.objects.get(attribute=attribute).delete()
@ -415,6 +433,11 @@ def test_provision_user(transactional_db, tenant, caplog):
assert o['is_superuser'] is False
notify_agents.reset_mock()
ou2 = get_ou_model().objects.create(name=u'ou2', slug=u'ou2')
LibertyProvider.objects.create(ou=get_default_ou(), name='provider2',
slug='provider2',
entity_id='http://provider2.com',
protocol_conformance=lasso.PROTOCOL_SAML_2_0)
with provisionning:
user1.delete()
user2.delete()
@ -427,7 +450,7 @@ def test_provision_user(transactional_db, tenant, caplog):
'issuer', 'audience', '@type', 'objects', 'full'])
assert arg['issuer'] == \
'http://%s/idp/saml2/metadata' % tenant.domain_url
assert arg['audience'] == ['http://provider.com']
assert set(arg['audience']) == set(['http://provider.com', 'http://provider2.com'])
assert arg['@type'] == 'deprovision'
assert arg['full'] is False
objects = arg['objects']
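Review bot: In the third hunk of this file `ou2` is created (`ou2 = get_ou_model().objects.create(name=u'ou2', slug=u'ou2')`) but `provider2` is then attached to `ou=get_default_ou()`, so within the visible lines the second provider lives in the default OU and `assert set(arg['audience']) == set(['http://provider.com', 'http://provider2.com'])` would hold even without the cross-OU change; unless `ou2` is used further down outside the hunk, `ou=ou2` looks like the intended line, mirroring the first hunk. In that first hunk, merging the two calls' audiences into one set tolerates one call carrying both providers and the other none; asserting each `notify_agents.mock_calls[i][1][0]['audience']` separately would pin the behaviour more tightly. Minor style: the `set([...])` literals can be written as `{...}`. The test function starts before the first hunk of this file.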