entrouvert
/
hobo
16
0
Fork 0
Code Issues Pull Requests 16 Releases Activity
hobo/hobo/provisionning/utils.py

211 lines
8.7 KiB
Python
Raw Blame History

# hobo - portal to configure and deploy applications
# Copyright (C) 2015-2020 Entr'ouvert
#
# This program is free software: you can redistribute it and/or modify it
# under the terms of the GNU Affero General Public License as published
# by the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import hashlib
import logging
import random
from django.contrib.auth.models import Group
from django.db import IntegrityError
from django.db.models.query import Q
from django.db.transaction import atomic
from hobo.agent.common.models import Role
from hobo.multitenant.utils import provision_user_groups
class TryAgain(Exception):
pass
class NotificationProcessing:
@classmethod
def check_valid_notification(cls, notification):
return (
isinstance(notification, dict)
and '@type' in notification
and notification['@type'] in ['provision', 'deprovision']
and 'objects' in notification
and 'audience' in notification
and isinstance(notification['audience'], list)
and isinstance(notification['objects'], dict)
)
@classmethod
def check_valid_role(cls, o):
return 'uuid' in o and 'name' in o and 'description' in o
@classmethod
def check_valid_user(cls, o):
return (
'uuid' in o
and 'is_superuser' in o
and 'email' in o
and 'first_name' in o
and 'last_name' in o
and 'roles' in o
)
@classmethod
def provision_user(cls, issuer, action, data, full=False):
from django.contrib.auth import get_user_model
from mellon.models import Issuer, UserSAMLIdentifier
User = get_user_model()
assert not full # provisionning all users is dangerous, we prefer deprovision
uuids = set()
for o in data:
try:
with atomic():
if action == 'provision':
assert cls.check_valid_user(o)
try:
mellon_user = UserSAMLIdentifier.objects.get(
issuer__entity_id=issuer, name_id=o['uuid']
)
user = mellon_user.user
except UserSAMLIdentifier.DoesNotExist:
try:
user = User.objects.get(
Q(username=o['uuid'][:30]) | Q(username=o['uuid'][:150])
)
except User.DoesNotExist:
# temp user object
random_uid = str(random.randint(1, 10000000000000))
user = User.objects.create(username=random_uid)
saml_issuer, created = Issuer.objects.get_or_create(entity_id=issuer)
mellon_user = UserSAMLIdentifier.objects.create(
user=user, issuer=saml_issuer, name_id=o['uuid']
)
user.first_name = o['first_name'][:30]
user.last_name = o['last_name'][:150]
user.email = o['email'][:254]
user.username = o['uuid'][:150]
user.is_superuser = o['is_superuser']
user.is_staff = o['is_superuser']
user.is_active = o.get('is_active', True)
user.save()
role_uuids = [role['uuid'] for role in o.get('roles', [])]
provision_user_groups(user, role_uuids)
elif action == 'deprovision':
assert 'uuid' in o
uuids.add(o['uuid'])
except IntegrityError:
raise TryAgain
if full and action == 'provision':
for usi in UserSAMLIdentifier.objects.exclude(name_id__in=uuids):
usi.user.delete()
elif action == 'deprovision':
for user in User.objects.filter(saml_identifiers__name_id__in=uuids):
user.delete()
group_name_max_length = Group._meta.get_field('name').max_length
@classmethod
def truncate_role_name(cls, name):
"""Truncate name to 150 characters by adding a 4-chars partial-MD5 hex
digest for disambiguation."""
if len(name) <= cls.group_name_max_length: # Group.name has max_length=150 since Django 2.2
return name
else:
return (
name[: cls.group_name_max_length - 7] + ' (%4s)' % hashlib.md5(name.encode()).hexdigest()[:4]
)
@classmethod
def provision_role(cls, issuer, action, data, full=False):
logger = logging.getLogger(__name__)
uuids = set()
roles_by_uuid = dict()
if action == 'provision':
# first pass to gather existing roles by uuid
target_uuids = set()
for o in data:
assert 'uuid' in o
target_uuids.add(o['uuid'])
for role in Role.objects.filter(uuid__in=target_uuids):
roles_by_uuid[role.uuid] = role
for o in data:
assert 'uuid' in o
uuids.add(o['uuid'])
if action == 'provision':
assert cls.check_valid_role(o)
role_name = cls.truncate_role_name(o['name'])
try:
role = roles_by_uuid[o['uuid']]
created = False
except KeyError:
try:
with atomic():
role, created = Role.objects.get_or_create(
name=role_name,
defaults={
'uuid': o['uuid'],
'description': o['description'],
'details': o.get('details', u''),
'emails': o.get('emails', []),
'emails_to_members': o.get('emails_to_members', True),
},
)
except IntegrityError:
# Can happen if uuid and name already exist
logger.error(u'cannot provision role "%s" (%s)', o['name'], o['uuid'])
continue
if not created:
save = False
if role.name != role_name:
role.name = role_name
save = True
if role.uuid != o['uuid']:
role.uuid = o['uuid']
save = True
if role.description != o['description']:
role.description = o['description']
save = True
if role.details != o.get('details', u''):
role.details = o.get('details', u'')
save = True
if role.emails != o.get('emails', []):
role.emails = o.get('emails', [])
save = True
if role.emails_to_members != o.get('emails_to_members', True):
role.emails_to_members = o.get('emails_to_members', True)
save = True
if save:
try:
with atomic():
role.save()
except IntegrityError:
# Can happen if uuid and name already exist
logger.error(u'cannot provision role "%s" (%s)', o['name'], o['uuid'])
continue
if full and action == 'provision':
Role.objects.exclude(uuid__in=uuids).delete()
elif action == 'deprovision':
Role.objects.filter(uuid__in=uuids).delete()
@classmethod
def provision(cls, object_type, issuer, action, data, full):
for i in range(20):
try:
getattr(cls, 'provision_' + object_type)(issuer=issuer, action=action, data=data, full=full)
except TryAgain:
continue
break
View Git Blame Copy Permalink