def clean_users(app, force=False):
with app.app_context():
users = User.find_by_expiry_date(datetime.now()) if not force else User.find_all()
coll = current_app.mongo.db.users
for user in users:
model = {name: user[name] for name in preserved_attribute_names if name in user}
coll.replace_one({"_id": user["_id"]}, model)
def test_update(self):
user = User.find_by_eduperson_principal_name(
john_eduperson_principal_name)
user["name"] = "changed"
User.save_or_update(user)
user = User.find_by_eduperson_principal_name(
john_eduperson_principal_name)
self.assertEqual("changed", user["name"])
self.assertTrue("_id" in user)
def test_init_scheduling(self):
init_scheduling(AbstractTest.app, True, every_seconds=1, sleep_time=1)
time.sleep(2)
user = User.find_by_eduperson_principal_name(
admin_eduperson_principal_name)
self.assertTrue("given_name" not in user)
def connect():
conext = session["conext"]
guest = session["guest"]
required_attributes = current_app.app_config.profile[session["profile"]].required_attributes
missing_attributes = [k for k in required_attributes if k not in conext]
if len(missing_attributes) > 0:
return redirect(f"{session['redirect_uri']}?error=required_attribues_missing_{'_'.join(missing_attributes)}")
user = User.find_by_eduperson_principal_name(guest["eduperson_principal_name"])
if not user:
return redirect(f"{session['redirect_uri']}?error=user_{guest['eduperson_principal_name']}_"
f"not_provisioned_in_guest_idp")
sub_hash = hashlib.sha256(bytes(conext["sub"], "utf-8")).hexdigest()
pre_existing_user = User.find_by_sub_hash(sub_hash)
if pre_existing_user and pre_existing_user["_id"] != user["_id"]:
return redirect(f"{session['redirect_uri']}?error=sub_{conext['sub']}_already_linked_"
f"to_{conext['schac_home_organization']}")
user["eduperson_entitlement"] = "urn:mace:eduid.nl:entitlement:verified-by-institution"
expiry_seconds = current_app.app_config.cron.expiry_duration_seconds
user["expiry_date"] = datetime.now() + timedelta(seconds=expiry_seconds)
user["sub_hash"] = sub_hash
# Copy all attributes from conext to the user - ARP values will filter upstream
for k, v in conext.items():
if k not in protected_properties:
user[k] = v
logger = logging.getLogger("main")
logger.info(f"Marking User {guest['eduperson_principal_name']} as verified-by-institution")
User.save_or_update(user)
uri = session["redirect_uri"]
state = session.get("state")
uri = f"{uri}?state={urllib.parse.quote(state)}" if state else uri
return redirect(uri)
def test_entire_flow_happy_flow(self):
self._login(use_state=True)
user = User.find_by_eduperson_principal_name(
mary_eduperson_principal_name)
self.assertEqual(
"urn:mace:eduid.nl:entitlement:verified-by-institution",
user["eduperson_entitlement"])
self.assertEqual("Doe", user["family_name"])
self.assertEqual("Mary", user["given_name"])
self.assertListEqual(["group1", "group2"],
user["edumember_is_member_of"])
self.assertTrue(datetime.now() < user["expiry_date"])
def test_clean_users(self):
clean_users(AbstractTest.app)
for eppn in [
admin_eduperson_principal_name,
manager_eduperson_principal_name
]:
user = User.find_by_eduperson_principal_name(eppn)
self.assertTrue("given_name" not in user)
self.assertTrue("family_name" not in user)
for name in preserved_attribute_names:
self.assertTrue(name in user)
def attribute_aggregation():
_basic_auth()
# Fail fast if required attributes are missing
eduperson_principal_name = urllib.parse.unquote(
current_request.args["eduperson_principal_name"])
sp_entity_id = urllib.parse.unquote(current_request.args["sp_entity_id"])
service_provider = ServiceProvider.find_or_insert_by_entity_id(
sp_entity_id)
saml_mapping = _saml_mapping()
logger = logging.getLogger("main")
user = User.find_by_eduperson_principal_name(eduperson_principal_name)
if not user:
User.save_or_update({
"eduperson_principal_name": eduperson_principal_name,
"eduperson_unique_id_per_sp": {
service_provider["_id"]: str(uuid4())
}
})
logger.info(f"Provisioning new User {eduperson_principal_name}")
user = User.find_by_eduperson_principal_name(eduperson_principal_name)
else:
eduperson_unique_id_per_sp = user["eduperson_unique_id_per_sp"]
if service_provider["_id"] not in eduperson_unique_id_per_sp:
eduperson_unique_id_per_sp[service_provider["_id"]] = str(uuid4())
logger.info(f"Updating existing User {eduperson_principal_name}")
User.save_or_update(user)
res = []
for k, v in user.items():
if k == "eduperson_unique_id_per_sp":
eduid_for_sp = v[service_provider["_id"]]
res.append({
"name": saml_mapping["eduid"]["saml"],
"values": [eduid_for_sp]
})
logger.info(
f"Returning eduid {eduid_for_sp} for User {eduperson_principal_name} and SP {sp_entity_id}"
)
elif k in saml_mapping:
res.append({
"name": saml_mapping[k]["saml"],
"values": v if isinstance(v, list) else [v]
})
return res, 200
def seed(mongo: PyMongo):
db = mongo.db
for name in ["users", "service_providers"]:
db[name].drop()
# will insert a new record
service_provider = ServiceProvider.find_or_insert_by_entity_id(
sp_entity_id)
User.save_or_update({
"eduperson_principal_name":
john_eduperson_principal_name,
"name":
"John Doe",
"eduperson_entitlement":
"urn:mace:eduid.nl:entitlement:verified-by-institution",
"eduperson_unique_id_per_sp": {
service_provider["_id"]: john_edu_unique_id
},
"email":
"*****@*****.**",
"edumember_is_member_of": [
"urn:collab:org:surf.nl",
"urn:collab:group:test.surfteams.nl:nl:surfnet:diensten:"
],
"expiry_date":
datetime.now() + timedelta(days=5)
})
User.save_or_update({
"eduperson_principal_name": mary_eduperson_principal_name,
"eduperson_unique_id_per_sp": {
service_provider["_id"]: mary_edu_unique_id
}
})
User.save_or_update({
"eduperson_principal_name": admin_eduperson_principal_name,
"eduperson_entitlement":
"urn:mace:eduid.nl:entitlement:verified-by-institution",
"sub_hash": str(uuid4()),
"given_name": "Peter",
"family_name": "Doe",
"eduperson_unique_id_per_sp": {
service_provider["_id"]: str(uuid4())
},
"expiry_date": datetime.now() - timedelta(minutes=60)
})
User.save_or_update({
"eduperson_principal_name":
manager_eduperson_principal_name,
"eduperson_entitlement":
"urn:mace:eduid.nl:entitlement:verified-by-institution",
"given_name":
"Steven",
"sub_hash":
hashlib.sha256(bytes(manager_sub, "utf-8")).hexdigest(),
"family_name":
"Doe",
"eduperson_unique_id_per_sp": {
service_provider["_id"]: str(uuid4())
},
"expiry_date":
datetime.now() - timedelta(minutes=60)
})
def test_find_by_expiry_date(self):
users = User.find_by_expiry_date(datetime.now())
names = [u["eduperson_principal_name"] for u in users]
names.sort()
self.assertListEqual(["example.com:admin", "example.com:manager"],
names)