Manage Account memebership for SAML Users

2024-11-08 22:50:26 +00:00 · 2018-06-25 11:15:35 +00:00 · 2018-06-25 11:15:35 +00:00 · 480989e86a
commit 480989e86a
parent 765351c5e9
3 changed files with 57 additions and 3 deletions
--- a/app/models.py
+++ b/app/models.py
@ -602,6 +602,32 @@ class Account(db.Model):
            users.append(User(id=uid).get_user_info_by_id().username)
        self.grant_privileges(users)
    def add_user(self, user):
        """
        Add a single user to Account by User
        """
        try:
            au = AccountUser(self.id, user.id)
            db.session.add(au)
            db.session.commit()
            return True
        except:
            db.session.rollback()
            logging.error('Cannot add user privielges on account {0}'.format(self.name))
            return False
    def remove_user(self, user):
        """
        Remove a single user from Account by User
        """
        try:
            AccountUser.query.filter(AccountUser.user_id == user.id).filter(AccountUser.account_id == self.id).delete()
            db.session.commit()
            return True
        except:
            db.session.rollback()
            logging.error('Cannot revoke user privielges on account {0}'.format(self.name))
            return False
 class Role(db.Model):
--- a/app/views.py
+++ b/app/views.py
@ -239,10 +239,10 @@ def saml_authorized():
                        email=session['samlNameId'])
            user.create_local_user()
        session['user_id'] = user.id
        logging.debug("Attributes are: {0}".format(repr(session['samlUserdata'])))
        email_attribute_name = app.config.get('SAML_ATTRIBUTE_EMAIL', 'email')
        givenname_attribute_name = app.config.get('SAML_ATTRIBUTE_GIVENNAME', 'givenname')
        surname_attribute_name = app.config.get('SAML_ATTRIBUTE_SURNAME', 'surname')
        account_attribute_name = app.config.get('SAML_ATTRIBUTE_ACCOUNT', None)
        admin_attribute_name = app.config.get('SAML_ATTRIBUTE_ADMIN', None)
        if email_attribute_name in session['samlUserdata']:
            user.email = session['samlUserdata'][email_attribute_name][0].lower()
@ -250,16 +250,37 @@ def saml_authorized():
            user.firstname = session['samlUserdata'][givenname_attribute_name][0]
        if surname_attribute_name in session['samlUserdata']:
            user.lastname = session['samlUserdata'][surname_attribute_name][0]
        if admin_attribute_name:
            user_accounts = set(user.get_account())
            saml_accounts = []
            for account_name in session['samlUserdata'].get(account_attribute_name, []):
                clean_name = ''.join(c for c in account_name.lower() if c in "abcdefghijklmnopqrstuvwxyz0123456789")
                if len(clean_name) > Account.name.type.length:
                    logging.error("Account name {0} too long. Truncated.".format(clean_name))
                account = Account.query.filter_by(name=clean_name).first()
                if not account:
                    account = Account(name=clean_name.lower(), description='', contact='', mail='')
                    account.create_account()
                    history = History(msg='Account {0} created'.format(account.name), created_by='SAML Assertion')
                    history.add()
                saml_accounts.append(account)
            saml_accounts = set(saml_accounts)
            for account in saml_accounts - user_accounts:
                account.add_user(user)
                history = History(msg='Adding {0} to account {1}'.format(user.username, account.name), created_by='SAML Assertion')
                history.add()
            for account in user_accounts - saml_accounts:
                account.remove_user(user)
                history = History(msg='Removing {0} from account {1}'.format(user.username, account.name), created_by='SAML Assertion')
                history.add()
        if admin_attribute_name:
          if 'true' in session['samlUserdata'].get(admin_attribute_name, []):
            logging.debug("User is an admin")
            admin_role = Role.query.filter_by(name='Administrator').first().id
            if user.role_id != admin_role:
                user.role_id = admin_role
                history = History(msg='Promoting {0} to administrator'.format(user.username), created_by='SAML Assertion')
                history.add()
          else:
            logging.debug("User is NOT an admin")
            user_role = Role.query.filter_by(name='User').first().id
            if user.role_id != user_role:
                user.role_id = user_role
--- a/config_template.py
+++ b/config_template.py
@ -137,6 +137,13 @@ SAML_METADATA_CACHE_LIFETIME = 1
 ###  the user is set as a non-administrator user.
 #SAML_ATTRIBUTE_ADMIN = 'https://example.edu/pdns-admin'
 ## Attribute to get account names from
 ### Default: Don't control accounts with SAML attribute
 ### If set, the user will be added and removed from accounts to match
 ###  what's in the login assertion. Accounts that don't exist will
 ###  be created and the user added to them.
 SAML_ATTRIBUTE_ACCOUNT = 'https://example.edu/pdns-account'
 SAML_SP_ENTITY_ID = 'http://<SAML SP Entity ID>'
 SAML_SP_CONTACT_NAME = '<contact name>'
 SAML_SP_CONTACT_MAIL = '<contact mail>'