authentic2: support direct role attribute access (#70672)

2022-10-25 15:49:37 +02:00 · 2022-10-25 15:49:37 +02:00 · ec1e57177a
parent f6df1ef278
commit ec1e57177a
3 changed files with 57 additions and 13 deletions
--- a/hobo/agent/authentic2/management/commands/hobo_deploy.py
+++ b/hobo/agent/authentic2/management/commands/hobo_deploy.py
@ -21,6 +21,14 @@ from tenant_schemas.utils import tenant_context
 from hobo.agent.authentic2.provisionning import Provisionning
 from hobo.agent.common.management.commands import hobo_deploy

+try:
+    from authentic2.a2_rbac.models import RoleAttribute
+
+    has_role_attributes = True
+except ImportError:
+    has_role_attributes = False
+
+
 User = get_user_model()


@ -226,7 +234,11 @@ class Command(hobo_deploy.Command):
                    if su_role.name != name:
                        su_role.name = name
                        su_role.save()
-                    su_role.attributes.get_or_create(name='is_superuser', kind='string', value='true')
+                    if has_role_attributes:
+                        su_role.attributes.get_or_create(name='is_superuser', kind='string', value='true')
+                    else:
+                        su_role.is_superuser = True
+                        su_role.save()
                    # pass the new attribute to the service
                    SAMLAttribute.objects.get_or_create(
                        name='is_superuser',
--- a/hobo/agent/authentic2/management/commands/hobo_provision.py
+++ b/hobo/agent/authentic2/management/commands/hobo_provision.py
@ -6,6 +6,13 @@ from django_rbac.utils import get_ou_model, get_role_model

 from hobo.agent.authentic2.provisionning import Provisionning

+try:
+    from authentic2.a2_rbac.models import RoleAttribute
+
+    has_role_attributes = True
+except ImportError:
+    has_role_attributes = False
+

 class Command(BaseCommand):
    help = 'Provision all roles or users'
@ -61,7 +68,12 @@ class Command(BaseCommand):
                if users:
                    time.sleep(batch_sleep)

-        roles_with_attributes = get_role_model().objects.filter(attributes__name='is_superuser').children()
+        if has_role_attributes:
+            roles_with_attributes = (
+                get_role_model().objects.filter(attributes__name='is_superuser').children()
+            )
+        else:
+            roles_with_attributes = get_role_model().objects.filter(is_superuser=True).children()
        # first those without and admin attribute
        normal_users = qs.exclude(roles__in=roles_with_attributes)

--- a/hobo/agent/authentic2/provisionning.py
+++ b/hobo/agent/authentic2/provisionning.py
@ -7,7 +7,6 @@ import urllib.parse
 from itertools import chain, islice

 import requests
-from authentic2.a2_rbac.models import RoleAttribute
 from authentic2.models import AttributeValue
 from authentic2.saml.models import LibertyProvider
 from django.conf import settings
@ -20,6 +19,14 @@ from django_rbac.utils import get_ou_model, get_role_model, get_role_parenting_m
 from hobo.agent.common import notify_agents
 from hobo.signature import sign_url

+try:
+    from authentic2.a2_rbac.models import RoleAttribute
+except ImportError:
+
+    class RoleAttribute:
+        dummy = True
+
+
 User = get_user_model()
 Role = get_role_model()
 OU = get_ou_model()
@ -185,23 +192,36 @@ class Provisionning(threading.local):
                    for role in user_roles.get(user.id, []):
                        if role.service_id != service.pk:
                            continue
-                        for attribute in role.attributes.all():
-                            if attribute.name == 'is_superuser' and attribute.value == 'true':
-                                role_is_superuser = True
+                        if hasattr(RoleAttribute, 'dummy'):
+                            role_is_superuser = role.is_superuser
+                        else:
+                            for attribute in role.attributes.all():
+                                if attribute.name == 'is_superuser' and attribute.value == 'true':
+                                    role_is_superuser = True
                data['is_superuser'] = user.is_superuser or role_is_superuser
                return data

            # Find roles giving a superuser attribute
            # If there is any role of this kind, we do one provisionning message for each user and
            # each service.
-            roles_with_attributes = (
-                Role.objects.filter(members__in=users)
-                .parents(include_self=True)
-                .filter(attributes__name='is_superuser')
-                .exists()
-            )
+            if hasattr(RoleAttribute, 'dummy'):
+                roles_with_attributes = (
+                    Role.objects.filter(members__in=users)
+                    .parents(include_self=True)
+                    .filter(is_superuser=True)
+                    .exists()
+                )
+            else:
+                roles_with_attributes = (
+                    Role.objects.filter(members__in=users)
+                    .parents(include_self=True)
+                    .filter(attributes__name='is_superuser')
+                    .exists()
+                )

-            all_roles = Role.objects.all().prefetch_related('attributes')
+            all_roles = Role.objects.all()
+            if not hasattr(RoleAttribute, 'dummy'):
+                all_roles = all_roles.prefetch_related('attributes')
            roles = {r.id: r for r in all_roles}
            user_roles = {}
            parents = {}