172 lines
7.3 KiB
Python
172 lines
7.3 KiB
Python
# hobo - portal to configure and deploy applications
|
|
# Copyright (C) 2015-2020 Entr'ouvert
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify it
|
|
# under the terms of the GNU Affero General Public License as published
|
|
# by the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
import random
|
|
import logging
|
|
|
|
from django.db.transaction import atomic
|
|
from django.db import IntegrityError
|
|
|
|
from hobo.multitenant.utils import provision_user_groups
|
|
from hobo.agent.common.models import Role
|
|
|
|
|
|
class TryAgain(Exception):
|
|
pass
|
|
|
|
|
|
class NotificationProcessing:
|
|
|
|
@classmethod
|
|
def check_valid_notification(cls, notification):
|
|
return isinstance(notification, dict) \
|
|
and '@type' in notification \
|
|
and notification['@type'] in ['provision', 'deprovision'] \
|
|
and 'objects' in notification \
|
|
and 'audience' in notification \
|
|
and isinstance(notification['audience'], list) \
|
|
and isinstance(notification['objects'], dict)
|
|
|
|
@classmethod
|
|
def check_valid_role(cls, o):
|
|
return 'uuid' in o \
|
|
and 'name' in o \
|
|
and 'description' in o
|
|
|
|
@classmethod
|
|
def check_valid_user(cls, o):
|
|
return 'uuid' in o \
|
|
and 'is_superuser' in o \
|
|
and 'email' in o \
|
|
and 'first_name' in o \
|
|
and 'last_name' in o \
|
|
and 'roles' in o
|
|
|
|
@classmethod
|
|
def provision_user(cls, issuer, action, data, full=False):
|
|
from django.contrib.auth import get_user_model
|
|
from mellon.models import UserSAMLIdentifier
|
|
User = get_user_model()
|
|
|
|
assert not full # provisionning all users is dangerous, we prefer deprovision
|
|
uuids = set()
|
|
for o in data:
|
|
try:
|
|
with atomic():
|
|
if action == 'provision':
|
|
assert cls.check_valid_user(o)
|
|
try:
|
|
mellon_user = UserSAMLIdentifier.objects.get(
|
|
issuer=issuer, name_id=o['uuid'])
|
|
user = mellon_user.user
|
|
except UserSAMLIdentifier.DoesNotExist:
|
|
try:
|
|
user = User.objects.get(username=o['uuid'][:30])
|
|
except User.DoesNotExist:
|
|
# temp user object
|
|
random_uid = str(random.randint(1, 10000000000000))
|
|
user = User.objects.create(
|
|
username=random_uid)
|
|
mellon_user = UserSAMLIdentifier.objects.create(
|
|
user=user, issuer=issuer, name_id=o['uuid'])
|
|
user.first_name = o['first_name'][:30]
|
|
user.last_name = o['last_name'][:30]
|
|
user.email = o['email'][:75]
|
|
user.username = o['uuid'][:30]
|
|
user.is_superuser = o['is_superuser']
|
|
user.is_staff = o['is_superuser']
|
|
user.save()
|
|
role_uuids = [role['uuid'] for role in o.get('roles', [])]
|
|
provision_user_groups(user, role_uuids)
|
|
elif action == 'deprovision':
|
|
assert 'uuid' in o
|
|
uuids.add(o['uuid'])
|
|
except IntegrityError:
|
|
raise TryAgain
|
|
if full and action == 'provision':
|
|
for usi in UserSAMLIdentifier.objects.exclude(name_id__in=uuids):
|
|
usi.user.delete()
|
|
elif action == 'deprovision':
|
|
for user in User.objects.filter(saml_identifiers__name_id__in=uuids):
|
|
user.delete()
|
|
|
|
@classmethod
|
|
def provision_role(cls, issuer, action, data, full=False):
|
|
logger = logging.getLogger(__name__)
|
|
uuids = set()
|
|
for o in data:
|
|
assert 'uuid' in o
|
|
uuids.add(o['uuid'])
|
|
if action == 'provision':
|
|
assert cls.check_valid_role(o)
|
|
role_name = o['name']
|
|
if len(role_name) > 70:
|
|
role_name = role_name[:70] + '(...)'
|
|
try:
|
|
role = Role.objects.get(uuid=o['uuid'])
|
|
created = False
|
|
except Role.DoesNotExist:
|
|
try:
|
|
with atomic():
|
|
role, created = Role.objects.get_or_create(
|
|
name=role_name,
|
|
defaults={
|
|
'uuid': o['uuid'],
|
|
'description': o['description'],
|
|
'details': o.get('details', u''),
|
|
'emails': o.get('emails', []),
|
|
'emails_to_members': o.get('emails_to_members', True),
|
|
}
|
|
)
|
|
except IntegrityError:
|
|
# Can happen if uuid and name already exist
|
|
logger.error(u'cannot provision role "%s" (%s)', o['name'], o['uuid'])
|
|
continue
|
|
if not created:
|
|
save = False
|
|
if role.name != role_name:
|
|
role.name = role_name
|
|
save = True
|
|
if role.uuid != o['uuid']:
|
|
role.uuid = o['uuid']
|
|
save = True
|
|
if role.description != o['description']:
|
|
role.description = o['description']
|
|
save = True
|
|
if role.details != o.get('details', u''):
|
|
role.details = o.get('details', u'')
|
|
save = True
|
|
if role.emails != o.get('emails', []):
|
|
role.emails = o.get('emails', [])
|
|
save = True
|
|
if role.emails_to_members != o.get('emails_to_members', True):
|
|
role.emails_to_members = o.get('emails_to_members', True)
|
|
save = True
|
|
if save:
|
|
try:
|
|
with atomic():
|
|
role.save()
|
|
except IntegrityError:
|
|
# Can happen if uuid and name already exist
|
|
logger.error(u'cannot provision role "%s" (%s)', o['name'], o['uuid'])
|
|
continue
|
|
if full and action == 'provision':
|
|
for role in Role.objects.exclude(uuid__in=uuids):
|
|
role.delete()
|
|
elif action == 'deprovision':
|
|
for role in Role.objects.filter(uuid__in=uuids):
|
|
role.delete()
|