212 lines
8.7 KiB
Python
212 lines
8.7 KiB
Python
# hobo - portal to configure and deploy applications
|
|
# Copyright (C) 2015-2020 Entr'ouvert
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify it
|
|
# under the terms of the GNU Affero General Public License as published
|
|
# by the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import hashlib
|
|
import logging
|
|
import random
|
|
|
|
from django.contrib.auth.models import Group
|
|
from django.db import IntegrityError
|
|
from django.db.models.query import Q
|
|
from django.db.transaction import atomic
|
|
|
|
from hobo.agent.common.models import Role
|
|
from hobo.multitenant.utils import provision_user_groups
|
|
|
|
|
|
class TryAgain(Exception):
|
|
pass
|
|
|
|
|
|
class NotificationProcessing:
|
|
@classmethod
|
|
def check_valid_notification(cls, notification):
|
|
return (
|
|
isinstance(notification, dict)
|
|
and '@type' in notification
|
|
and notification['@type'] in ['provision', 'deprovision']
|
|
and 'objects' in notification
|
|
and 'audience' in notification
|
|
and isinstance(notification['audience'], list)
|
|
and isinstance(notification['objects'], dict)
|
|
)
|
|
|
|
@classmethod
|
|
def check_valid_role(cls, o):
|
|
return 'uuid' in o and 'name' in o and 'description' in o
|
|
|
|
@classmethod
|
|
def check_valid_user(cls, o):
|
|
return (
|
|
'uuid' in o
|
|
and 'is_superuser' in o
|
|
and 'email' in o
|
|
and 'first_name' in o
|
|
and 'last_name' in o
|
|
and 'roles' in o
|
|
)
|
|
|
|
@classmethod
|
|
def provision_user(cls, issuer, action, data, full=False):
|
|
from django.contrib.auth import get_user_model
|
|
from mellon.models import Issuer, UserSAMLIdentifier
|
|
|
|
User = get_user_model()
|
|
|
|
assert not full # provisionning all users is dangerous, we prefer deprovision
|
|
uuids = set()
|
|
for o in data:
|
|
try:
|
|
with atomic():
|
|
if action == 'provision':
|
|
assert cls.check_valid_user(o)
|
|
try:
|
|
mellon_user = UserSAMLIdentifier.objects.get(
|
|
issuer__entity_id=issuer, name_id=o['uuid']
|
|
)
|
|
user = mellon_user.user
|
|
except UserSAMLIdentifier.DoesNotExist:
|
|
try:
|
|
user = User.objects.get(
|
|
Q(username=o['uuid'][:30]) | Q(username=o['uuid'][:150])
|
|
)
|
|
except User.DoesNotExist:
|
|
# temp user object
|
|
random_uid = str(random.randint(1, 10000000000000))
|
|
user = User.objects.create(username=random_uid)
|
|
saml_issuer, created = Issuer.objects.get_or_create(entity_id=issuer)
|
|
mellon_user = UserSAMLIdentifier.objects.create(
|
|
user=user, issuer=saml_issuer, name_id=o['uuid']
|
|
)
|
|
user.first_name = o['first_name'][:30]
|
|
user.last_name = o['last_name'][:150]
|
|
user.email = o['email'][:254]
|
|
user.username = o['uuid'][:150]
|
|
user.is_superuser = o['is_superuser']
|
|
user.is_staff = o['is_superuser']
|
|
user.is_active = o.get('is_active', True)
|
|
user.save()
|
|
role_uuids = [role['uuid'] for role in o.get('roles', [])]
|
|
provision_user_groups(user, role_uuids)
|
|
elif action == 'deprovision':
|
|
assert 'uuid' in o
|
|
uuids.add(o['uuid'])
|
|
except IntegrityError:
|
|
raise TryAgain
|
|
if full and action == 'provision':
|
|
for usi in UserSAMLIdentifier.objects.exclude(name_id__in=uuids):
|
|
usi.user.delete()
|
|
elif action == 'deprovision':
|
|
for user in User.objects.filter(saml_identifiers__name_id__in=uuids):
|
|
user.delete()
|
|
|
|
group_name_max_length = Group._meta.get_field('name').max_length
|
|
|
|
@classmethod
|
|
def truncate_role_name(cls, name):
|
|
"""Truncate name to 150 characters by adding a 4-chars partial-MD5 hex
|
|
digest for disambiguation."""
|
|
if len(name) <= cls.group_name_max_length: # Group.name has max_length=150 since Django 2.2
|
|
return name
|
|
else:
|
|
return (
|
|
name[: cls.group_name_max_length - 7] + ' (%4s)' % hashlib.md5(name.encode()).hexdigest()[:4]
|
|
)
|
|
|
|
@classmethod
|
|
def provision_role(cls, issuer, action, data, full=False):
|
|
logger = logging.getLogger(__name__)
|
|
uuids = set()
|
|
roles_by_uuid = dict()
|
|
|
|
if action == 'provision':
|
|
# first pass to gather existing roles by uuid
|
|
target_uuids = set()
|
|
for o in data:
|
|
assert 'uuid' in o
|
|
target_uuids.add(o['uuid'])
|
|
for role in Role.objects.filter(uuid__in=target_uuids):
|
|
roles_by_uuid[role.uuid] = role
|
|
|
|
for o in data:
|
|
assert 'uuid' in o
|
|
uuids.add(o['uuid'])
|
|
if action == 'provision':
|
|
assert cls.check_valid_role(o)
|
|
role_name = cls.truncate_role_name(o['name'])
|
|
try:
|
|
role = roles_by_uuid[o['uuid']]
|
|
created = False
|
|
except KeyError:
|
|
try:
|
|
with atomic():
|
|
role, created = Role.objects.get_or_create(
|
|
name=role_name,
|
|
defaults={
|
|
'uuid': o['uuid'],
|
|
'description': o['description'],
|
|
'details': o.get('details', u''),
|
|
'emails': o.get('emails', []),
|
|
'emails_to_members': o.get('emails_to_members', True),
|
|
},
|
|
)
|
|
except IntegrityError:
|
|
# Can happen if uuid and name already exist
|
|
logger.error(u'cannot provision role "%s" (%s)', o['name'], o['uuid'])
|
|
continue
|
|
if not created:
|
|
save = False
|
|
if role.name != role_name:
|
|
role.name = role_name
|
|
save = True
|
|
if role.uuid != o['uuid']:
|
|
role.uuid = o['uuid']
|
|
save = True
|
|
if role.description != o['description']:
|
|
role.description = o['description']
|
|
save = True
|
|
if role.details != o.get('details', u''):
|
|
role.details = o.get('details', u'')
|
|
save = True
|
|
if role.emails != o.get('emails', []):
|
|
role.emails = o.get('emails', [])
|
|
save = True
|
|
if role.emails_to_members != o.get('emails_to_members', True):
|
|
role.emails_to_members = o.get('emails_to_members', True)
|
|
save = True
|
|
if save:
|
|
try:
|
|
with atomic():
|
|
role.save()
|
|
except IntegrityError:
|
|
# Can happen if uuid and name already exist
|
|
logger.error(u'cannot provision role "%s" (%s)', o['name'], o['uuid'])
|
|
continue
|
|
if full and action == 'provision':
|
|
Role.objects.exclude(uuid__in=uuids).delete()
|
|
elif action == 'deprovision':
|
|
for role in Role.objects.filter(uuid__in=uuids):
|
|
role.delete()
|
|
|
|
@classmethod
|
|
def provision(cls, object_type, issuer, action, data, full):
|
|
for i in range(20):
|
|
try:
|
|
getattr(cls, 'provision_' + object_type)(issuer=issuer, action=action, data=data, full=full)
|
|
except TryAgain:
|
|
continue
|
|
break
|