Merge pull request #709 from EsupPortail/develop

[DONE] Develop #3.0.5
EsupPortail · Jan 3, 2023 · 372eed7 · 372eed7
2 parents 26b1073 + 230056d
commit 372eed7
Show file tree

Hide file tree

Showing 34 changed files with 2,753 additions and 675 deletions.
diff --git a/pod/authentication/backends.py b/pod/authentication/backends.py
@@ -4,14 +4,17 @@
 from django.conf import settings
 from django.contrib.auth import get_user_model
 from django.contrib.auth.models import Group
+from django.core.exceptions import ObjectDoesNotExist
+
+from pod.authentication.models import AccessGroup, DEFAULT_AFFILIATION, AFFILIATION_STAFF
 
 User = get_user_model()
 
 CREATE_GROUP_FROM_AFFILIATION = getattr(settings, "CREATE_GROUP_FROM_AFFILIATION", False)
 
-AFFILIATION_STAFF = getattr(
-    settings, "AFFILIATION_STAFF", ("faculty", "employee", "staff")
-)
+
+def is_staff_affiliation(affiliation):
+    return affiliation in AFFILIATION_STAFF
 
 
 class ShibbBackend(ShibbolethRemoteUserBackend):
@@ -46,7 +49,7 @@ def update_owner_params(user, params):
         user.owner.save()
         # affiliation
         user.owner.affiliation = params["affiliation"]
-        if params["affiliation"] in AFFILIATION_STAFF:
+        if is_staff_affiliation(affiliation=params["affiliation"]):
             user.is_staff = True
         if CREATE_GROUP_FROM_AFFILIATION:
             group, group_created = Group.objects.get_or_create(name=params["affiliation"])
@@ -68,6 +71,18 @@ def create_user(self, claims):
 
         user.first_name = claims.get(OIDC_CLAIM_GIVEN_NAME, "")
         user.last_name = claims.get(OIDC_CLAIM_FAMILY_NAME, "")
+        user.owner.affiliation = getattr(
+            settings, "OIDC_DEFAULT_AFFILIATION", DEFAULT_AFFILIATION
+        )
+        for code_name in getattr(settings, "OIDC_DEFAULT_ACCESS_GROUP_CODE_NAMES", []):
+            try:
+                user.owner.accessgroup_set.add(
+                    AccessGroup.objects.get(code_name=code_name)
+                )
+            except ObjectDoesNotExist:
+                pass
+        user.is_staff = is_staff_affiliation(affiliation=user.owner.affiliation)
+        user.owner.save()
         user.save()
 
         return user

diff --git a/pod/authentication/models.py b/pod/authentication/models.py
@@ -48,6 +48,10 @@
         ("registered-reader", _("registered-reader")),
     ),
 )
+DEFAULT_AFFILIATION = AFFILIATION[0][0]
+AFFILIATION_STAFF = getattr(
+    settings, "AFFILIATION_STAFF", ("faculty", "employee", "staff")
+)
 ESTABLISHMENTS = getattr(
     settings,
     "ESTABLISHMENTS",
@@ -75,7 +79,7 @@ class Owner(models.Model):
         max_length=20, choices=AUTH_TYPE, default=AUTH_TYPE[0][0]
     )
     affiliation = models.CharField(
-        max_length=50, choices=AFFILIATION, default=AFFILIATION[0][0]
+        max_length=50, choices=AFFILIATION, default=DEFAULT_AFFILIATION
     )
     commentaire = models.TextField(_("Comment"), blank=True, default="")
     hashkey = models.CharField(max_length=64, unique=True, blank=True, default="")
@@ -182,6 +186,11 @@ class AccessGroup(models.Model):
     display_name = models.CharField(max_length=128, blank=True, default="")
     code_name = models.CharField(max_length=250, unique=True)
     sites = models.ManyToManyField(Site)
+    auto_sync = models.BooleanField(
+        _("Auto synchronize"),
+        default=False,
+        help_text=_("Check if the access_group must be synchronized on user connexion."),
+    )
     users = models.ManyToManyField(
         Owner,
         blank=True,

diff --git a/pod/authentication/populatedCASbackend.py b/pod/authentication/populatedCASbackend.py
@@ -2,7 +2,7 @@
 from django.contrib.auth.models import User
 from django.contrib.sites.models import Site
 from pod.authentication.models import Owner
-from pod.authentication.models import AFFILIATION
+from pod.authentication.models import DEFAULT_AFFILIATION, AFFILIATION_STAFF
 from ldap3 import Server
 from ldap3 import ALL
 from ldap3 import Connection
@@ -39,11 +39,7 @@
 
 CREATE_GROUP_FROM_GROUPS = getattr(settings, "CREATE_GROUP_FROM_GROUPS", False)
 
-AFFILIATION_STAFF = getattr(
-    settings, "AFFILIATION_STAFF", ("faculty", "employee", "staff")
-)
-
-GROUP_STAFF = getattr(settings, "AFFILIATION_STAFF", ("faculty", "employee", "staff"))
+GROUP_STAFF = AFFILIATION_STAFF
 
 LDAP_SERVER = getattr(settings, "LDAP_SERVER", {"url": "", "port": 389, "use_ssl": False})
 AUTH_LDAP_BIND_DN = getattr(settings, "AUTH_LDAP_BIND_DN", "")
@@ -86,6 +82,9 @@ def populateUser(tree):
     user, user_created = User.objects.get_or_create(username=username)
     owner, owner_created = Owner.objects.get_or_create(user=user)
     owner.auth_type = "CAS"
+
+    delete_synchronized_access_group(owner)
+
     owner.save()
 
     if POPULATE_USER == "CAS":
@@ -101,6 +100,12 @@ def populateUser(tree):
                 populate_user_from_entry(user, owner, entry)
 
 
+def delete_synchronized_access_group(owner):
+    groups_to_sync = AccessGroup.objects.filter(auto_sync=True)
+    for group_to_sync in groups_to_sync:
+        owner.accessgroup_set.remove(group_to_sync)
+
+
 def get_server():
     if isinstance(LDAP_SERVER["url"], str):
         server = Server(
@@ -167,6 +172,7 @@ def assign_accessgroups(groups_element, user):
             )
             if group_created:
                 accessgroup.display_name = group
+                accessgroup.auto_sync = True
             accessgroup.sites.add(Site.objects.get_current())
             accessgroup.save()
             user.owner.accessgroup_set.add(accessgroup)
@@ -236,7 +242,7 @@ def populate_user_from_entry(user, owner, entry):
             USER_LDAP_MAPPING_ATTRIBUTES.get("primaryAffiliation")
             and entry[USER_LDAP_MAPPING_ATTRIBUTES["primaryAffiliation"]]
         )
-        else AFFILIATION[0][0]
+        else DEFAULT_AFFILIATION
     )
     owner.establishment = (
         entry[USER_LDAP_MAPPING_ATTRIBUTES["establishment"]].value
@@ -264,6 +270,7 @@ def populate_user_from_entry(user, owner, entry):
             )
             if group_created:
                 accessgroup.display_name = affiliation
+                accessgroup.auto_sync = True
             accessgroup.sites.add(Site.objects.get_current())
             accessgroup.save()
             # group.groupsite.sites.add(Site.objects.get_current())
@@ -300,7 +307,7 @@ def populate_user_from_tree(user, owner, tree):
     owner.affiliation = (
         primary_affiliation_element.text
         if (primary_affiliation_element is not None)
-        else AFFILIATION[0][0]
+        else DEFAULT_AFFILIATION
     )
     # affiliation
     affiliation_element = tree.findall(
@@ -315,6 +322,7 @@ def populate_user_from_tree(user, owner, tree):
             )
             if group_created:
                 accessgroup.display_name = affiliation.text
+                accessgroup.auto_sync = True
             accessgroup.sites.add(Site.objects.get_current())
             accessgroup.save()
             user.owner.accessgroup_set.add(accessgroup)

diff --git a/pod/authentication/shibmiddleware.py b/pod/authentication/shibmiddleware.py
@@ -1,5 +1,6 @@
 from shibboleth.middleware import ShibbolethRemoteUserMiddleware
 from django.conf import settings
+from pod.authentication.models import AFFILIATION_STAFF
 
 REMOTE_USER_HEADER = getattr(settings, "REMOTE_USER_HEADER", "REMOTE_USER")
 
@@ -40,10 +41,6 @@
     ),
 )
 
-AFFILIATION_STAFF = getattr(
-    settings, "AFFILIATION_STAFF", ("employee", "faculty", "staff")
-)
-
 
 class ShibbMiddleware(ShibbolethRemoteUserMiddleware):
     header = REMOTE_USER_HEADER