authentic2: support direct role attribute access (#70672)
parent
f6df1ef278
commit
ec1e57177a
|
@ -21,6 +21,14 @@ from tenant_schemas.utils import tenant_context
|
|||
from hobo.agent.authentic2.provisionning import Provisionning
|
||||
from hobo.agent.common.management.commands import hobo_deploy
|
||||
|
||||
try:
|
||||
from authentic2.a2_rbac.models import RoleAttribute
|
||||
|
||||
has_role_attributes = True
|
||||
except ImportError:
|
||||
has_role_attributes = False
|
||||
|
||||
|
||||
User = get_user_model()
|
||||
|
||||
|
||||
|
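Review bot: The availability of `RoleAttribute` is detected in three separate ways across this commit: a `has_role_attributes` boolean here and again in the other management command hunk (`@ -6,6 +6,13`), and a stand-in `class RoleAttribute: dummy = True` probed with `hasattr(RoleAttribute, 'dummy')` in the provisionning module. Each copy can drift independently, and the stand-in shadows a model name; a single flag exported from a shared module (hobo.agent.authentic2.provisionning would be a natural home) would keep the three sites consistent. Within this hunk `RoleAttribute` appears to be imported only to probe for it, so a linter will flag it as unused unless the intent is marked, e.g. `from authentic2.a2_rbac.models import RoleAttribute  # noqa: F401`.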
@ -226,7 +234,11 @@ class Command(hobo_deploy.Command):
|
|||
if su_role.name != name:
|
||||
su_role.name = name
|
||||
su_role.save()
|
||||
su_role.attributes.get_or_create(name='is_superuser', kind='string', value='true')
|
||||
if has_role_attributes:
|
||||
su_role.attributes.get_or_create(name='is_superuser', kind='string', value='true')
|
||||
else:
|
||||
su_role.is_superuser = True
|
||||
su_role.save()
|
||||
# pass the new attribute to the service
|
||||
SAMLAttribute.objects.get_or_create(
|
||||
name='is_superuser',
|
||||
|
|
|
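Review bot: The `else` branch sets `su_role.is_superuser = True` and calls `su_role.save()` on every run, whereas the `if su_role.name != name:` guard just above only saves when something actually changed and the attribute branch's `get_or_create` is idempotent by construction. Mirroring that guard, `if not su_role.is_superuser:` wrapping the two lines, avoids a redundant write to the superuser role on each deploy and keeps the two branches symmetric. The enclosing method of `Command` starts and ends outside the hunk.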
@ -6,6 +6,13 @@ from django_rbac.utils import get_ou_model, get_role_model
|
|||
|
||||
from hobo.agent.authentic2.provisionning import Provisionning
|
||||
|
||||
try:
|
||||
from authentic2.a2_rbac.models import RoleAttribute
|
||||
|
||||
has_role_attributes = True
|
||||
except ImportError:
|
||||
has_role_attributes = False
|
||||
|
||||
|
||||
class Command(BaseCommand):
|
||||
help = 'Provision all roles or users'
|
||||
|
@ -61,7 +68,12 @@ class Command(BaseCommand):
|
|||
if users:
|
||||
time.sleep(batch_sleep)
|
||||
|
||||
roles_with_attributes = get_role_model().objects.filter(attributes__name='is_superuser').children()
|
||||
if has_role_attributes:
|
||||
roles_with_attributes = (
|
||||
get_role_model().objects.filter(attributes__name='is_superuser').children()
|
||||
)
|
||||
else:
|
||||
roles_with_attributes = get_role_model().objects.filter(is_superuser=True).children()
|
||||
# first those without and admin attribute
|
||||
normal_users = qs.exclude(roles__in=roles_with_attributes)
|
||||
|
||||
|
|
|
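Review bot: The two branches do not select the same role set: `filter(attributes__name='is_superuser')` matches any role carrying the attribute regardless of its value, while the new `filter(is_superuser=True)` matches only roles where the flag is actually set. If this queryset is only a coarse pre-filter deciding which users get individual provisioning messages, the over-inclusion on the attribute side is harmless, but nothing says so; a comment such as `# attribute branch matches by name only; the per-role value check is done in Provisionning` would make the intent explicit. The same asymmetry appears in the `.exists()` queryset of the Provisionning hunk (`@ -185,23 +192,36`). The enclosing handler starts and ends outside the hunk.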
@ -7,7 +7,6 @@ import urllib.parse
|
|||
from itertools import chain, islice
|
||||
|
||||
import requests
|
||||
from authentic2.a2_rbac.models import RoleAttribute
|
||||
from authentic2.models import AttributeValue
|
||||
from authentic2.saml.models import LibertyProvider
|
||||
from django.conf import settings
|
||||
|
@ -20,6 +19,14 @@ from django_rbac.utils import get_ou_model, get_role_model, get_role_parenting_m
|
|||
from hobo.agent.common import notify_agents
|
||||
from hobo.signature import sign_url
|
||||
|
||||
try:
|
||||
from authentic2.a2_rbac.models import RoleAttribute
|
||||
except ImportError:
|
||||
|
||||
class RoleAttribute:
|
||||
dummy = True
|
||||
|
||||
|
||||
User = get_user_model()
|
||||
Role = get_role_model()
|
||||
OU = get_ou_model()
|
||||
|
@ -185,23 +192,36 @@ class Provisionning(threading.local):
|
|||
for role in user_roles.get(user.id, []):
|
||||
if role.service_id != service.pk:
|
||||
continue
|
||||
for attribute in role.attributes.all():
|
||||
if attribute.name == 'is_superuser' and attribute.value == 'true':
|
||||
role_is_superuser = True
|
||||
if hasattr(RoleAttribute, 'dummy'):
|
||||
role_is_superuser = role.is_superuser
|
||||
else:
|
||||
for attribute in role.attributes.all():
|
||||
if attribute.name == 'is_superuser' and attribute.value == 'true':
|
||||
role_is_superuser = True
|
||||
data['is_superuser'] = user.is_superuser or role_is_superuser
|
||||
return data
|
||||
|
||||
# Find roles giving a superuser attribute
|
||||
# If there is any role of this kind, we do one provisionning message for each user and
|
||||
# each service.
|
||||
roles_with_attributes = (
|
||||
Role.objects.filter(members__in=users)
|
||||
.parents(include_self=True)
|
||||
.filter(attributes__name='is_superuser')
|
||||
.exists()
|
||||
)
|
||||
if hasattr(RoleAttribute, 'dummy'):
|
||||
roles_with_attributes = (
|
||||
Role.objects.filter(members__in=users)
|
||||
.parents(include_self=True)
|
||||
.filter(is_superuser=True)
|
||||
.exists()
|
||||
)
|
||||
else:
|
||||
roles_with_attributes = (
|
||||
Role.objects.filter(members__in=users)
|
||||
.parents(include_self=True)
|
||||
.filter(attributes__name='is_superuser')
|
||||
.exists()
|
||||
)
|
||||
|
||||
all_roles = Role.objects.all().prefetch_related('attributes')
|
||||
all_roles = Role.objects.all()
|
||||
if not hasattr(RoleAttribute, 'dummy'):
|
||||
all_roles = all_roles.prefetch_related('attributes')
|
||||
roles = {r.id: r for r in all_roles}
|
||||
user_roles = {}
|
||||
parents = {}
|
||||
|
|
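Review bot: In the `hasattr(RoleAttribute, 'dummy')` branch, `role_is_superuser = role.is_superuser` is a plain assignment executed once per role matching the service, so a later non-superuser role overwrites a True set by an earlier one, whereas the attribute branch below only ever sets the flag to True and accumulates across roles. The outcome then depends on the iteration order of `user_roles`, and a user holding both a superuser role and an ordinary role on the same service can be provisioned without superuser access. `role_is_superuser = role_is_superuser or role.is_superuser` (or `if role.is_superuser: role_is_superuser = True`) restores the accumulating semantics. The initialisation of `role_is_superuser` and the start of the enclosing method lie outside the hunk.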