Manage Account memebership for SAML Users

2024-11-08 14:40:27 +00:00 · 2018-06-25 11:15:35 +00:00 · 2018-06-25 11:15:35 +00:00 · 480989e86a
commit 480989e86a
parent 765351c5e9
3 changed files with 57 additions and 3 deletions
--- a/app/models.py
+++ b/app/models.py
@ -602,6 +602,32 @@ class Account(db.Model):
            users.append(User(id=uid).get_user_info_by_id().username)

        self.grant_privileges(users)
+    def add_user(self, user):
+        """
+        Add a single user to Account by User
+        """
+        try:
+            au = AccountUser(self.id, user.id)
+            db.session.add(au)
+            db.session.commit()
+            return True
+        except:
+            db.session.rollback()
+            logging.error('Cannot add user privielges on account {0}'.format(self.name))
+            return False
+
+    def remove_user(self, user):
+        """
+        Remove a single user from Account by User
+        """
+        try:
+            AccountUser.query.filter(AccountUser.user_id == user.id).filter(AccountUser.account_id == self.id).delete()
+            db.session.commit()
+            return True
+        except:
+            db.session.rollback()
+            logging.error('Cannot revoke user privielges on account {0}'.format(self.name))
+            return False


 class Role(db.Model):
--- a/app/views.py
+++ b/app/views.py
@ -239,10 +239,10 @@ def saml_authorized():
                        email=session['samlNameId'])
            user.create_local_user()
        session['user_id'] = user.id
-        logging.debug("Attributes are: {0}".format(repr(session['samlUserdata'])))
        email_attribute_name = app.config.get('SAML_ATTRIBUTE_EMAIL', 'email')
        givenname_attribute_name = app.config.get('SAML_ATTRIBUTE_GIVENNAME', 'givenname')
        surname_attribute_name = app.config.get('SAML_ATTRIBUTE_SURNAME', 'surname')
+        account_attribute_name = app.config.get('SAML_ATTRIBUTE_ACCOUNT', None)
        admin_attribute_name = app.config.get('SAML_ATTRIBUTE_ADMIN', None)
        if email_attribute_name in session['samlUserdata']:
            user.email = session['samlUserdata'][email_attribute_name][0].lower()
@ -250,16 +250,37 @@ def saml_authorized():
            user.firstname = session['samlUserdata'][givenname_attribute_name][0]
        if surname_attribute_name in session['samlUserdata']:
            user.lastname = session['samlUserdata'][surname_attribute_name][0]
+        if admin_attribute_name:
+            user_accounts = set(user.get_account())
+            saml_accounts = []
+            for account_name in session['samlUserdata'].get(account_attribute_name, []):
+                clean_name = ''.join(c for c in account_name.lower() if c in "abcdefghijklmnopqrstuvwxyz0123456789")
+                if len(clean_name) > Account.name.type.length:
+                    logging.error("Account name {0} too long. Truncated.".format(clean_name))
+                account = Account.query.filter_by(name=clean_name).first()
+                if not account:
+                    account = Account(name=clean_name.lower(), description='', contact='', mail='')
+                    account.create_account()
+                    history = History(msg='Account {0} created'.format(account.name), created_by='SAML Assertion')
+                    history.add()
+                saml_accounts.append(account)
+            saml_accounts = set(saml_accounts)
+            for account in saml_accounts - user_accounts:
+                account.add_user(user)
+                history = History(msg='Adding {0} to account {1}'.format(user.username, account.name), created_by='SAML Assertion')
+                history.add()
+            for account in user_accounts - saml_accounts:
+                account.remove_user(user)
+                history = History(msg='Removing {0} from account {1}'.format(user.username, account.name), created_by='SAML Assertion')
+                history.add()
        if admin_attribute_name:
          if 'true' in session['samlUserdata'].get(admin_attribute_name, []):
-            logging.debug("User is an admin")
            admin_role = Role.query.filter_by(name='Administrator').first().id
            if user.role_id != admin_role:
                user.role_id = admin_role
                history = History(msg='Promoting {0} to administrator'.format(user.username), created_by='SAML Assertion')
                history.add()
          else:
-            logging.debug("User is NOT an admin")
            user_role = Role.query.filter_by(name='User').first().id
            if user.role_id != user_role:
                user.role_id = user_role
--- a/config_template.py
+++ b/config_template.py
@ -137,6 +137,13 @@ SAML_METADATA_CACHE_LIFETIME = 1
 ###  the user is set as a non-administrator user.
 #SAML_ATTRIBUTE_ADMIN = 'https://example.edu/pdns-admin'

+## Attribute to get account names from
+### Default: Don't control accounts with SAML attribute
+### If set, the user will be added and removed from accounts to match
+###  what's in the login assertion. Accounts that don't exist will
+###  be created and the user added to them.
+SAML_ATTRIBUTE_ACCOUNT = 'https://example.edu/pdns-account'
+
 SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>'
 SAML_SP_CONTACT_NAME = '<contact name>'
 SAML_SP_CONTACT_MAIL = '<contact mail>'